
ci-config: add tls-scan as informing release controller job for 4.22#79629

Open
redhat-chai-bot wants to merge 2 commits into openshift:main from redhat-chai-bot:chai-bot/tls-scan-informing-job

Conversation

@redhat-chai-bot
Contributor

@redhat-chai-bot redhat-chai-bot commented May 21, 2026

Summary

Add a dedicated TLS scanner verification job for 4.22 nightly payloads, configured as an informing (non-blocking) release controller job. Uses the existing tls-scanner-run step ref from the step registry — no code duplication.

Supersedes #79625 and #79624 (both closed).

Changes

openshift-release-main__nightly-4.22.yaml

  • Add tls-scanner-tool base image (tls-scanner/tls-scanner:tls-scanner-tool)
  • Add new tls-scan periodic test using tls-scanner-run step ref on a FIPS-enabled AWS cluster (ipi-aws workflow)

release-ocp-4.22.json

  • Add tls-scan to the release controller verify config as informing ("optional": true)

Design

  • Models the existing fips-payload-scan / fips-scan pattern: separate job, own cluster, release controller triggered
  • Informing only — does not gate payload acceptance
  • To make blocking in the future: remove "optional": true from the release controller config

Context

Requested in Slack thread.

/cc @openshift/tls-scanner-maintainers

Summary by CodeRabbit

This PR adds a dedicated, informing TLS scanner verification job for OpenShift 4.22 nightly payloads and the supporting CI image metadata. It affects the OpenShift CI operator config for the 4.22 nightly pipeline and the release-controller verification configuration used by release promotion.

Practical impact:

  • Nightly 4.22 payloads will be scanned by an automated TLS scanner job (informing/non-blocking) that reports findings to the release pipeline but does not block promotion.
  • The TLS scanner runs on an AWS ipi cluster that is explicitly configured as non‑FIPS (the PR removes FIPS mode for this job so the scanner can observe the full cipher/protocol surface).
  • The job reuses the existing tls-scanner-run step ref (no duplicate step code) and can be made blocking later by clearing the "optional" flag.

Configuration changes:

  1. CI operator config (ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml)

    • Adds a new base_images entry tls-scanner-tool (name: tls-scanner, namespace: tls-scanner, tag: tls-scanner-tool).
    • Adds a new periodic test job tls-scan that uses the ipi-aws workflow and runs the tls-scanner-run step on an openshift-org-aws cluster. The job does not set FIPS and therefore runs on a non-FIPS cluster.
  2. Release controller config (core-services/release-controller/_releases/release-ocp-4.22.json)

    • Registers verify.tls-scan as an optional informing verification job, mapped to the Prow job periodic-ci-openshift-release-main-nightly-4.22-tls-scan.

Notes:

  • Mirrors the established pattern of separate, release-controller-triggered verification jobs (similar to fips-scan/fips-payload-scan).
  • Supersedes PRs #79625 and #79624 and is currently configured as informing only.

Add a dedicated TLS scanner verification job for 4.22 nightlies:

- ci-operator config: new 'tls-scan' test using the existing
  tls-scanner-run step ref on a FIPS-enabled AWS cluster (ipi-aws).
  Add tls-scanner-tool base image dependency.
- release controller: add 'tls-scan' as an informing (optional: true)
  verification job in the 4.22 nightly release config.

The job uses the reusable tls-scanner-run step from the step registry
with no code duplication. It is configured as informing so it does not
gate payload acceptance. When ready to make it blocking, remove the
optional flag from the release controller config.
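The two files this PR touches are wired together only by a string: the release-controller verify entry names a Prow job, and that job exists only if prowgen derives exactly that name from the ci-operator test. The check below, an added example that is not code from openshift/release, ci-operator or the release controller, cross-checks the two using the values quoted in the PR. It assumes three things the page does not state: prowgen names a periodic periodic-ci-<org>-<repo>-<branch>-<variant>-<as>, the ci-operator test opts into a FIPS cluster through steps.env.FIPS_ENABLED, and a release-controller-triggered job carries the '@yearly' cron placeholder that CodeRabbit reports for this job. The sample config is constructed from the PR text; since the description says "FIPS-enabled" while the second commit says non-FIPS, the audit reports what the config actually contains rather than what the prose says.

```python
"""Cross-check a release-controller 'verify' entry against the ci-operator
config whose periodic it references.

Added example for this PR page; not code from openshift/release, ci-operator
or the release controller. Assumptions (not stated on the page): prowgen names
a periodic periodic-ci-<org>-<repo>-<branch>-<variant>-<as>, a ci-operator
test enables FIPS via steps.env.FIPS_ENABLED, and a release-controller-
triggered job carries the '@yearly' cron placeholder. Sample config below is
constructed from the values quoted in the PR.
"""
import json
import re

# Constructed: the test the PR adds to openshift-release-main__nightly-4.22.yaml,
# written as a dict mirroring the YAML keys so no YAML library is needed.
CI_OPERATOR_CONFIG_FILE = "openshift-release-main__nightly-4.22.yaml"
CI_OPERATOR_TESTS = [
    {
        "as": "tls-scan",
        "cron": "@yearly",
        "cluster": "openshift-org-aws",
        "steps": {
            "cluster_profile": "aws",  # assumed; the page does not quote it
            "workflow": "ipi-aws",
            "test": [{"ref": "tls-scanner-run"}],
            # no env.FIPS_ENABLED: the second commit runs the scan non-FIPS
        },
    },
]

# Constructed: the verify entry the PR adds to release-ocp-4.22.json.
RELEASE_CONTROLLER_JSON = """
{
  "verify": {
    "tls-scan": {
      "optional": true,
      "prowJob": {
        "name": "periodic-ci-openshift-release-main-nightly-4.22-tls-scan"
      }
    }
  }
}
"""


def variant_from_filename(filename):
    """Return the variant encoded after '__' in a ci-operator config filename."""
    match = re.fullmatch(r".+?__(.+)\.ya?ml", filename)
    return match.group(1) if match else ""


def expected_prow_job_name(org, repo, branch, variant, test_as):
    """Name prowgen gives a periodic test (assumed convention, see module doc)."""
    parts = ["periodic-ci", org, repo, branch]
    if variant:
        parts.append(variant)
    parts.append(test_as)
    return "-".join(parts)


def classify_fips(test):
    """'fips' if the test opts into a FIPS cluster, else 'non-fips'."""
    env = test.get("steps", {}).get("env", {})
    return "fips" if str(env.get("FIPS_ENABLED", "")).lower() == "true" else "non-fips"


def audit_verify_entries(release_json, tests, org, repo, branch, variant):
    """For each verify entry: does the referenced Prow job exist, does it gate
    promotion, what FIPS mode does it run in, and is it release-controller fired."""
    config = json.loads(release_json)
    by_job = {
        expected_prow_job_name(org, repo, branch, variant, t["as"]): t for t in tests
    }
    report = {}
    for name, entry in config.get("verify", {}).items():
        job = entry.get("prowJob", {}).get("name", "")
        test = by_job.get(job)
        report[name] = {
            "job": job,
            "exists": test is not None,
            # release-controller semantics from the PR: optional=true informs only
            "gate": "informing" if entry.get("optional", False) else "blocking",
            "fips": classify_fips(test) if test else None,
            # heuristic: a '@yearly' cron marks a job the release controller fires
            "release_controller_triggered": bool(test)
            and str(test.get("cron", "")).lower() == "@yearly",
        }
    return report


def make_blocking(release_json, name):
    """The promotion step the PR describes: drop 'optional' so the job gates."""
    config = json.loads(release_json)
    config["verify"][name].pop("optional", None)
    return json.dumps(config, indent=2)


if __name__ == "__main__":
    variant = variant_from_filename(CI_OPERATOR_CONFIG_FILE)
    for name, facts in audit_verify_entries(
        RELEASE_CONTROLLER_JSON, CI_OPERATOR_TESTS, "openshift", "release", "main", variant
    ).items():
        print(name, facts)
```

Run it against the real files by replacing the two constructed constants with the parsed YAML test list and the JSON contents; a verify entry with "exists": False is a job the release controller will never find, and "gate": "blocking" is the state this PR deliberately avoids until the scanner's results are trusted.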
@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

@redhat-chai-bot: GitHub didn't allow me to request PR reviews from the following users: openshift/tls-scanner-maintainers.

Note that only openshift members and repo collaborators can review this PR, and authors cannot review their own PRs.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@coderabbitai
Contributor

coderabbitai Bot commented May 21, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7a0a7607-3972-416d-8b7e-30f11cb30126

📥 Commits

Reviewing files that changed from the base of the PR and between 4d99e2b and 60795a7.

📒 Files selected for processing (1)
  • ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml
💤 Files with no reviewable changes (1)
  • ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml

Walkthrough

Adds a TLS scanner base image, a yearly tls-scan CI job (runs tls-scanner-run via ipi-aws on openshift-org-aws), and registers an optional verify.tls-scan entry in the 4.22 release-controller.

Changes

TLS Scanner Integration

Layer / File(s) | Summary

ci-operator image and test job
ci-operator/config/openshift/release/openshift-release-main__nightly-4.22.yaml
Adds base_images.tls-scanner-tool (name: tls-scanner, namespace: tls-scanner, tag: tls-scanner-tool) and a new tls-scan periodic test job with cron: '@Yearly' targeting openshift-org-aws, running tls-scanner-run via the ipi-aws workflow.

release-controller verification entry
core-services/release-controller/_releases/release-ocp-4.22.json
Registers verify.tls-scan as an optional verification job wired to the Prow job periodic-ci-openshift-release-main-nightly-4.22-tls-scan.

Suggested labels

lgtm

Suggested reviewers

  • hongkailiu
  • fao89
  • pruan-rht
  • wking

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and specifically describes the main change: adding a TLS scan as an informing release controller job for OpenShift 4.22.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed This PR does not modify any Ginkgo test files; it only changes CI/CD configuration files (YAML and JSON). The custom check for stable test names is not applicable.
Test Structure And Quality ✅ Passed PR contains only CI/CD configuration files (YAML and JSON), not Ginkgo test code. Custom check is inapplicable as it requires Ginkgo test implementation review.
Microshift Test Compatibility ✅ Passed This PR does not add any Ginkgo e2e tests. It only adds CI configuration (YAML and JSON) to reference an existing tls-scanner-run step that uses a shell script scanner, not Ginkgo tests.
Single Node Openshift (Sno) Test Compatibility ✅ Passed This PR adds only CI configuration files (YAML and JSON), not new Ginkgo e2e test code. The check applies only when new Ginkgo tests are added, which is not the case here.
Topology-Aware Scheduling Compatibility ✅ Passed PR modifies only CI/CD configuration files (ci-operator YAML and release-controller JSON), not deployment manifests, operator code, or controllers. Check is not applicable.
Ote Binary Stdout Contract ✅ Passed PR only modifies configuration files (YAML and JSON), not source code. Check is inapplicable to CI configuration that references pre-existing test steps.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed PR only adds CI configuration and references existing tls-scanner-run step (shell script), not new Ginkgo e2e tests. Check is not applicable.


@openshift-ci openshift-ci Bot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label May 21, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

Hi @redhat-chai-bot. Thanks for your PR.

I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Tip

We noticed you've done this a few times! Consider joining the org to skip this step and gain /lgtm and other bot rights. We recommend asking approvers on your previous PRs to sponsor you.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci
Contributor

openshift-ci Bot commented May 21, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-chai-bot
Once this PR has been reviewed and has the lgtm label, please assign xueqzhan for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Running on a non-FIPS cluster lets the TLS scanner see the full
cipher/protocol surface rather than the FIPS-restricted subset.
@openshift-merge-bot
Contributor

[REHEARSALNOTIFIER]
@redhat-chai-bot: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name Repo Type Reason
periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-csi-operator-test N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-sno-cert-rotation-suspend-360d N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-4vcpu-32gb-compute-serial N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ipi-serial-ovn-ipv6 N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-csi N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-hybrid-env-serial-techpreview-1of2 N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-custom-dns N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-agent-ha-dualstack-conformance N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-sno-cert-rotation-shutdown-360d N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-two-node-arbiter-techpreview N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-upgrade-from-stable-4.20-e2e-aws-ovn-upgrade-paused N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-xpn N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-etcd-scaling N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-vsphere-ovn-zones N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-ha-cert-rotation-shutdown-5y-age-90d N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-ovn-kube-apiserver-rollout N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-aws-ovn-single-node-csi N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-ovn-upi N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-gcp-ovn-upi N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-two-node-arbiter-upgrade-day-2-workers N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-azure-ovn-runc N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-telco5g-ptp-upstream N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-single-node-with-worker-live-iso N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-ha-cert-rotation-shutdown-6y-age-90d N/A periodic Ci-operator config changed
periodic-ci-openshift-release-main-nightly-4.22-e2e-metal-ovn-sno-cert-rotation-suspend-60d N/A periodic Ci-operator config changed

A total of 282 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

Labels

needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test.
