From 320581a6b41efd2cb0d571f00b2c9398f9614d72 Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Thu, 12 Feb 2026 15:53:23 -0600
Subject: [PATCH] Add periodic jobs for TLS 1.3 conformance

Let's make sure we're getting fresh results of the tls-scanner against OpenShift clusters configured to use 1.3 every few days. This will help track progress of components honoring global TLS configuration options in OpenShift.
---
 .../openshift-tls-scanner-main.yaml | 21 +++
 .../openshift-tls-scanner-main-periodics.yaml | 156 ++++++++++++++++++
 2 files changed, 177 insertions(+)
 create mode 100644 ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml

diff --git a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
index 728d57be047d6..063cd523a7bb5 100644
--- a/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
+++ b/ci-operator/config/openshift/tls-scanner/openshift-tls-scanner-main.yaml
@@ -59,6 +59,27 @@ tests:
 - ref: tls-scanner-run
 - ref: openshift-e2e-test
 workflow: openshift-e2e-aws-ovn-tls-13
+- as: periodic-default-tls
+ cluster_claim:
+ architecture: amd64
+ cloud: aws
+ owner: openshift-ci
+ product: ocp
+ timeout: 5h0m0s
+ version: "4.22"
+ interval: 72h
+ steps:
+ test:
+ - ref: tls-scanner-run
+ workflow: generic-claim
+- as: periodic-tls13-conformance
+ interval: 72h
+ steps:
+ cluster_profile: aws-5
+ test:
+ - ref: tls-scanner-run
+ - ref: openshift-e2e-test
+ workflow: openshift-e2e-aws-ovn-tls-13
 zz_generated_metadata:
 branch: main
 org: openshift
diff --git a/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml
new file mode 100644
index 0000000000000..b1779cc514d9b
--- /dev/null
+++ b/ci-operator/jobs/openshift/tls-scanner/openshift-tls-scanner-main-periodics.yaml
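Review bot: In `openshift-tls-scanner-main.yaml`, `periodic-default-tls` pins its claimed cluster to `version: "4.22"`, while `periodic-tls13-conformance` gets its release from configuration outside this hunk, so the two scans can drift onto different OpenShift versions and stop being comparable as a baseline against the TLS 1.3 result. Because these jobs exist to track conformance over time, the PR should record which release each scan targets and when the pin is bumped, for example `periodic-default-tls scans a claimed 4.22 cluster (presumably the default TLS profile); bump version together with the release used by openshift-e2e-aws-ovn-tls-13`. It is also not visible here whether `tls-scanner-run` exits non-zero on a finding: if it does, `openshift-e2e-test` listed after it in the TLS 1.3 job would presumably be skipped, and if it does not, the periodic stays green when a component regresses, so the intended gating is worth stating explicitly.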
@@ -0,0 +1,156 @@ +periodics: +- agent: kubernetes + cluster: build01 + decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: main + org: openshift + repo: tls-scanner + interval: 72h + labels: + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-tls-scanner-main-periodic-default-tls + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=periodic-default-tls + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/hive-hive-credentials + name: hive-hive-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: hive-hive-credentials + secret: + secretName: hive-hive-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator +- agent: kubernetes + cluster: build11 
+ decorate: true + decoration_config: + skip_cloning: true + extra_refs: + - base_ref: main + org: openshift + repo: tls-scanner + interval: 72h + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-5 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: periodic-ci-openshift-tls-scanner-main-periodic-tls13-conformance + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=periodic-tls13-conformance + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator