From 697073c5ea7ac67b90ab243a204c057ea40c91ca Mon Sep 17 00:00:00 2001 From: miyadav Date: Thu, 5 Feb 2026 10:15:47 +0000 Subject: [PATCH 1/8] test --- ...cluster-machine-approver-release-4.22.yaml | 22 ++++++ ...hine-approver-release-4.22-presubmits.yaml | 74 +++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index 6575448c155cd..99fbb8166671a 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml @@ -1,3 +1,12 @@ +base_images: + cluster-api-actuator-pkg-test: + name: cluster-api-actuator-pkg-test + namespace: ci + tag: "4.22" + tests-private: + name: tests-private + namespace: ci + tag: "4.22" build_root: from_repository: true images: @@ -77,6 +86,19 @@ tests: cpu: 100m timeout: 3h0m0s workflow: ipi-gcp +- as: regression-clusterinfra-gcp-ipi-mapi-tls + optional: true + run_if_changed: ^(go\.mod|go\.sum)$ + steps: + cluster_profile: gcp + env: + CUSTOM_OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: registry.build10.ci.openshift.org/ci-ln-sjfd8wb/release:latest + E2E_RUN_TAGS: '@mapi' + TEST_FILTERS_CLUSTERINFRASTRUCTURE: periodic&&!qe-only&&mapi + TEST_SCENARIOS: Cluster_Infrastructure CMA + test: + - chain: openshift-e2e-test-clusterinfra-qe-regression + workflow: cucushift-installer-rehearse-gcp-ipi - as: e2e-upgrade skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ steps: 
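Review bot: `CUSTOM_OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE` in the new `regression-clusterinfra-gcp-ipi-mapi-tls` test points at `registry.build10.ci.openshift.org/ci-ln-sjfd8wb/release:latest`, which looks like a per-run scratch namespace rather than a published release stream. If that is the case, the cluster under test is installed from a payload nobody can audit or reproduce, the mutable `:latest` tag can change underneath the job, and the job breaks once the namespace is cleaned up. Drop the override so the job installs the payload ci-operator assembles for the PR, or reference a published payload by digest. The same override is added again to `tls13-conformance-cma` in PATCH 6/8.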
diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml index 259abc1e4d8d2..589d034a7bd31 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml 
@@ -491,6 +491,80 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )images,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build02 + context: ci/prow/regression-clusterinfra-gcp-ipi-mapi-tls + decorate: true + labels: + ci-operator.openshift.io/cloud: gcp + ci-operator.openshift.io/cloud-cluster-profile: gcp + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-release-4.22-regression-clusterinfra-gcp-ipi-mapi-tls + optional: true + rerun_command: /test regression-clusterinfra-gcp-ipi-mapi-tls + run_if_changed: ^(go\.mod|go\.sum)$ + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=regression-clusterinfra-gcp-ipi-mapi-tls + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: 
+ secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )regression-clusterinfra-gcp-ipi-mapi-tls,?($|\s.*) - agent: kubernetes always_run: true branches: From b61e9b1d40ed7ce676b4c0d27950aad1763910c1 Mon Sep 17 00:00:00 2001 From: miyadav Date: Thu, 5 Feb 2026 10:52:13 +0000 Subject: [PATCH 2/8] fix build issue --- .../openshift-cluster-machine-approver-release-4.22.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index 99fbb8166671a..efab343a6ec6c 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml @@ -7,6 +7,7 @@ base_images: name: tests-private namespace: ci tag: "4.22" +binary_build_commands: NO_DOCKER=1 make build build_root: from_repository: true images: From e194cba86a7b35362ecb777e08658621d858458e Mon Sep 17 00:00:00 2001 From: miyadav Date: Thu, 5 Feb 2026 11:35:54 +0000 Subject: [PATCH 3/8] tag change --- .../openshift-cluster-machine-approver-release-4.22.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index efab343a6ec6c..4fdcfbda016d5 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml 
@@ -2,11 +2,11 @@ base_images: cluster-api-actuator-pkg-test: name: cluster-api-actuator-pkg-test namespace: ci - tag: "4.22" + tag: latest tests-private: name: tests-private namespace: ci - tag: "4.22" + tag: latest binary_build_commands: NO_DOCKER=1 make build build_root: from_repository: true From 953a56e16e14b5a9b7f190f7b206db6a30006e57 Mon Sep 17 00:00:00 2001 From: miyadav Date: Mon, 9 Feb 2026 11:57:33 +0000 Subject: [PATCH 4/8] tls scanner run --- ...cluster-machine-approver-release-4.22.yaml | 6 ++ ...hine-approver-release-4.22-presubmits.yaml | 72 +++++++++++++++++++ 2 files changed, 78 insertions(+) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index 4fdcfbda016d5..fb597a60eb1de 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml @@ -100,6 +100,12 @@ tests: test: - chain: openshift-e2e-test-clusterinfra-qe-regression workflow: cucushift-installer-rehearse-gcp-ipi +- as: tls13-conformance-cma + steps: + cluster_profile: aws-5 + test: + - ref: tls-scanner-run + workflow: cucushift-installer-rehearse-gcp-ipi - as: e2e-upgrade skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ steps: diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml index 589d034a7bd31..b366d6cbe7b1b 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml 
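Review bot: Switching `cluster-api-actuator-pkg-test` and `tests-private` to `tag: latest` in a release-4.22 config ties this branch's tests to whatever was pushed to those image streams most recently, so results can drift from the release and a failing run cannot be reproduced later. Presumably the `"4.22"` tag was not yet published when this was written; if so, record that next to the tags, for example `# TODO: return to tag "4.22" once the versioned image is published`, and move back to the versioned tag afterwards.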
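Review bot: The new `tls13-conformance-cma` entry has no `optional`, `run_if_changed` or `skip_if_only_changed`, so the generated presubmit is `always_run: true` and blocking. Every PR, including docs-only ones, would provision a cluster and be gated on a brand-new scanner job. While the job is being proven, add `optional: true`, and reuse the filter the neighbouring `e2e-upgrade` test already has: `skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$`.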
+++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml 
@@ -565,6 +565,78 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )regression-clusterinfra-gcp-ipi-mapi-tls,?($|\s.*) + - agent: kubernetes + always_run: true + branches: + - ^release-4\.22$ + - ^release-4\.22- + cluster: build01 + context: ci/prow/tls13-conformance-cma + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-5 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma + rerun_command: /test tls13-conformance-cma + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=tls13-conformance-cma + command: + - ci-operator + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: 
registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )tls13-conformance-cma,?($|\s.*) - agent: kubernetes always_run: true branches: From 55f0347be9e2fc759c2249ab0fa5b212c2b62dd8 Mon Sep 17 00:00:00 2001 From: miyadav Date: Mon, 9 Feb 2026 13:17:22 +0000 Subject: [PATCH 5/8] profile fixed --- .../openshift-cluster-machine-approver-release-4.22.yaml | 2 +- ...hift-cluster-machine-approver-release-4.22-presubmits.yaml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index fb597a60eb1de..31c7165451c1a 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml @@ -102,7 +102,7 @@ tests: workflow: cucushift-installer-rehearse-gcp-ipi - as: tls13-conformance-cma steps: - cluster_profile: aws-5 + cluster_profile: gcp test: - ref: tls-scanner-run workflow: cucushift-installer-rehearse-gcp-ipi diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml index b366d6cbe7b1b..d50f2ac7e9731 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml 
@@ -574,8 +574,8 @@ presubmits: context: ci/prow/tls13-conformance-cma decorate: true labels: - ci-operator.openshift.io/cloud: aws - ci-operator.openshift.io/cloud-cluster-profile: aws-5 + ci-operator.openshift.io/cloud: gcp + ci-operator.openshift.io/cloud-cluster-profile: gcp ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma From c2d709286be869ecf85ffca5e20403f7aa374729 Mon Sep 17 00:00:00 2001 From: miyadav Date: Mon, 9 Feb 2026 15:20:47 +0000 Subject: [PATCH 6/8] use aws workflow --- .../openshift-cluster-machine-approver-release-4.22.yaml | 6 ++++-- ...ft-cluster-machine-approver-release-4.22-presubmits.yaml | 4 ++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index 31c7165451c1a..b375ed5fd26ac 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml @@ -102,10 +102,12 @@ tests: workflow: cucushift-installer-rehearse-gcp-ipi - as: tls13-conformance-cma steps: - cluster_profile: gcp + cluster_profile: aws-5 + env: + CUSTOM_OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: registry.build10.ci.openshift.org/ci-ln-sjfd8wb/release:latest test: - ref: tls-scanner-run - workflow: cucushift-installer-rehearse-gcp-ipi + workflow: openshift-e2e-aws-ovn-tls-13 - as: e2e-upgrade skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$ steps: 
diff --git a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml index d50f2ac7e9731..b366d6cbe7b1b 100644 --- a/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml +++ b/ci-operator/jobs/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22-presubmits.yaml @@ -574,8 +574,8 @@ presubmits: context: ci/prow/tls13-conformance-cma decorate: true labels: - ci-operator.openshift.io/cloud: gcp - ci-operator.openshift.io/cloud-cluster-profile: gcp + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-5 ci.openshift.io/generator: prowgen pj-rehearse.openshift.io/can-be-rehearsed: "true" name: pull-ci-openshift-cluster-machine-approver-release-4.22-tls13-conformance-cma From 15e53aaa79a72cb957848ac5f85c76135d9b9455 Mon Sep 17 00:00:00 2001 From: miyadav Date: Tue, 10 Feb 2026 08:10:12 +0000 Subject: [PATCH 7/8] using latest tag for tls-scanner --- .../openshift-cluster-machine-approver-release-4.22.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index b375ed5fd26ac..250abdd7295f4 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml @@ -7,6 +7,10 @@ base_images: name: tests-private namespace: ci tag: latest + tls-scanner-tool: + name: "4.22" + namespace: ocp + tag: latest binary_build_commands: NO_DOCKER=1 make build build_root: from_repository: true 
From 4ec4e18971f05e4a0c41984c024065410ee11e70 Mon Sep 17 00:00:00 2001 From: miyadav Date: Tue, 10 Feb 2026 09:50:01 +0000 Subject: [PATCH 8/8] using dockerfile instead of image location --- ...cluster-machine-approver-release-4.22.yaml | 29 ++++++++++++++++--- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml index 250abdd7295f4..91b1a96aead2b 100644 --- a/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml +++ b/ci-operator/config/openshift/cluster-machine-approver/openshift-cluster-machine-approver-release-4.22.yaml 
@@ -7,16 +7,37 @@ base_images: name: tests-private namespace: ci tag: latest - tls-scanner-tool: - name: "4.22" - namespace: ocp - tag: latest binary_build_commands: NO_DOCKER=1 make build build_root: from_repository: true images: - dockerfile_path: Dockerfile.rhel to: cluster-machine-approver +- dockerfile_literal: | + FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder + WORKDIR /app + RUN git clone --depth=1 --branch=main https://github.com/openshift/tls-scanner.git . && \ + make + + FROM registry.ci.openshift.org/ocp/4.22:base-rhel9 + ARG OC_VERSION=latest + ARG UMOCI_VERSION=latest + RUN dnf -y update && \ + dnf install -y binutils file go podman runc jq skopeo nmap tar lsof && \ + dnf clean all + RUN wget -O "openshift-client-linux-${OC_VERSION}.tar.gz" "https://mirror.openshift.com/pub/openshift-v4/amd64/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz" && \ + tar -C /usr/local/bin -xzvf "openshift-client-linux-$OC_VERSION.tar.gz" oc && \ + rm -f "openshift-client-linux-$OC_VERSION.tar.gz" + RUN curl --fail --retry 3 -LJO https://mirror.openshift.com/pub/openshift-v4/x86_64/clients/ocp/latest-4.14/opm-linux.tar.gz && \ + tar -xzf opm-linux.tar.gz && \ + mv ./opm /usr/local/bin/ && \ + rm -f opm-linux.tar.gz + RUN wget -O /usr/local/bin/umoci "https://github.com/opencontainers/umoci/releases/$UMOCI_VERSION/download/umoci.linux.amd64" && \ + chmod +x /usr/local/bin/umoci + COPY --from=builder /app/bin/tls-scanner /usr/local/bin/tls-scanner + ENTRYPOINT ["/usr/local/bin/tls-scanner"] + LABEL com.redhat.component="tls-scanner" + to: tls-scanner-tool promotion: to: - disabled: true
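Review bot: The `dockerfile_literal` for `tls-scanner-tool` builds from mutable references with no integrity check. `git clone --branch=main` takes whatever is at the tip of tls-scanner, `OC_VERSION` and `UMOCI_VERSION` default to `latest`, and the `oc`, `opm` and `umoci` downloads are placed in `/usr/local/bin` without a checksum. An upstream change therefore reaches the scanner image unreviewed, and two runs of the same PR can scan with different tools. Pin the clone to a reviewed commit and verify each download against a recorded SHA-256, as sketched below with placeholders. Two smaller things to confirm: `wget` is used but is not in the `dnf install` list, and `opm` is fetched from `latest-4.14` for a 4.22 image.

```yaml
- dockerfile_literal: |
    FROM registry.ci.openshift.org/ocp/builder:rhel-9-golang-1.24-openshift-4.22 AS builder
    # Placeholder: set to the tls-scanner commit that was reviewed.
    ARG TLS_SCANNER_COMMIT=<PINNED_COMMIT_SHA>
    RUN git init . && \
        git remote add origin https://github.com/openshift/tls-scanner.git && \
        git fetch --depth=1 origin "${TLS_SCANNER_COMMIT}" && \
        git checkout FETCH_HEAD && \
        make
    # … unchanged: runtime stage FROM line, dnf install …
    # Placeholders: a fixed umoci release tag and the digest recorded for it.
    ARG UMOCI_VERSION=<PINNED_UMOCI_TAG>
    ARG UMOCI_SHA256=<EXPECTED_SHA256>
    RUN wget -O /usr/local/bin/umoci "https://github.com/opencontainers/umoci/releases/download/${UMOCI_VERSION}/umoci.linux.amd64" && \
        echo "${UMOCI_SHA256}  /usr/local/bin/umoci" | sha256sum -c - && \
        chmod +x /usr/local/bin/umoci
    # … unchanged: oc and opm downloads (same pin-and-verify pattern), COPY, ENTRYPOINT, LABEL …
```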