Move e2e-aws-ovn-tls-13 periodic jobs to nightly configs for releases 4.18-4.22 #74257

Merged: openshift-merge-bot[bot] merged 1 commit into openshift:master from wangke19:add-origin-tls13-job on Feb 4, 2026

wangke19 commented Feb 2, 2026

Summary

This PR moves TLS 1.3 (Modern profile) periodic test jobs from CI stream configs to nightly stream configs for OpenShift release versions 4.18, 4.19, 4.20, 4.21, and 4.22.

Changes

Removed from CI configs:

  • ci-operator/config/openshift/release/openshift-release-master__ci-4.18.yaml
  • ci-operator/config/openshift/release/openshift-release-master__ci-4.19.yaml

Added to nightly configs:

  • ci-operator/config/openshift/release/openshift-release-master__nightly-4.18.yaml
  • ci-operator/config/openshift/release/openshift-release-master__nightly-4.19.yaml
  • ci-operator/config/openshift/release/openshift-release-master__nightly-4.20.yaml
  • ci-operator/config/openshift/release/openshift-release-master__nightly-4.21.yaml
  • ci-operator/config/openshift/release/openshift-release-master__nightly-4.22.yaml

Generated:

  • ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml

Job Configuration

Each nightly periodic job:

  • Workflow: openshift-e2e-aws-ovn-tls-13
  • Test Suite: openshift/conformance/parallel
  • Interval: 168h (weekly)
  • Test Action: Patches API server to use TLS Modern profile (TLS 1.3) and runs conformance tests
  • Observers: observers-resource-watch enabled

Rationale: Why Nightly Instead of CI?

Components Impacted by TLS Security Profile Changes

The TLS 1.3 test modifies the API server's TLS security profile, which propagates to 8+ critical control plane components:

Core Control Plane:

  1. kube-apiserver
  2. kube-controller-manager
  3. kube-scheduler
  4. openshift-apiserver
  5. openshift-oauth-apiserver
  6. openshift-oauth-server
  7. etcd
  8. Machine Config Operator

Impact Analysis

| Category | Impact Level | Details |
|---|---|---|
| Control Plane Security | 🔴 HIGH | Changes TLS config for all API servers and etcd |
| Authentication | 🔴 HIGH | OAuth server TLS directly affected |
| API Availability | 🔴 HIGH | Tests that APIs remain functional with Modern profile |
| Platform Stability | 🟡 MEDIUM | Runs wait-for-stable-cluster to verify rollout |

Why Nightly Stream is More Appropriate

Security-Critical Testing

  • Modifies cluster-wide security settings affecting all client-server TLS handshakes
  • Changes authentication flows and etcd communications
  • Requires comprehensive validation against stable builds

Production-Oriented Testing

  • TLS profiles are deployment-time configurations, not code features
  • Should be tested against builds that will ship to customers (nightly stream)
  • Nightly builds are accepted, stable images closer to what customers use

Comprehensive Coverage

  • Nightly configs have ~189 tests vs CI's ~33 tests
  • After such significant security configuration changes, broader test coverage is essential
  • Aligns with how other security-focused tests (e.g., FIPS) are configured

Appropriate Test Scope

  • CI stream tests: Fast feedback for code changes (appropriate for feature development)
  • Nightly stream tests: Comprehensive validation of release payloads with various configurations (appropriate for deployment-time settings)

References

Testing

  • Verified workflow openshift-e2e-aws-ovn-tls-13 exists in step-registry
  • Ran make update to generate Prow job definitions
  • Generated periodic jobs in ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml

/assign @wangke19
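
A protocol-floor check of the kind an operator might run once the Modern profile (TLS 1.3) described above has rolled out, shown as an added example that is not code from this PR or from openshift/origin. The names `startServer`, `probe` and `enforcesTLS13` are hypothetical, and the loopback servers are constructed stand-ins for a real endpoint.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer runs a loopback HTTPS server with the given minimum TLS version.
// It is a constructed stand-in for an API endpoint, not an OpenShift component.
func startServer(minVersion uint16) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") }))
	srv.TLS = &tls.Config{MinVersion: minVersion}
	srv.StartTLS()
	return srv
}

// probe handshakes offering at most maxVersion; returns the negotiated version.
func probe(addr string, maxVersion uint16) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{
		MaxVersion: maxVersion,
		// Only the protocol version is under test; never skip verification in real clients.
		InsecureSkipVerify: true,
	})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

// enforcesTLS13 reports whether addr negotiates TLS 1.3 and refuses a TLS 1.2-only client.
func enforcesTLS13(addr string) bool {
	if v, err := probe(addr, tls.VersionTLS13); err != nil || v != tls.VersionTLS13 {
		return false
	}
	_, err := probe(addr, tls.VersionTLS12)
	return err != nil
}

func main() {
	for name, floor := range map[string]uint16{"modern-like": tls.VersionTLS13, "intermediate-like": tls.VersionTLS12} {
		srv := startServer(floor)
		fmt.Println(name, "enforces TLS 1.3:", enforcesTLS13(srv.Listener.Addr().String()))
		srv.Close()
	}
}
```

A server with a TLS 1.2 floor still negotiates TLS 1.3 with a modern client, so the check has to include the capped TLS 1.2 probe to tell the two profiles apart.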

openshift-ci bot requested review from deads2k and sjenning on February 2, 2026 13:42
wangke19 changed the title from "Add e2e-aws-ovn-tls-13 test job for origin main branch" to "[WIP]Add e2e-aws-ovn-tls-13 test job for origin main branch" on Feb 2, 2026
openshift-ci bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) on Feb 2, 2026

wangke19 commented Feb 2, 2026

/pj-rehearse pull-ci-openshift-origin-main-e2e-aws-ovn-tls-13

openshift-ci-robot commented

@wangke19: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

wangke19 commented Feb 3, 2026

e2e-aws-ovn-tls-13 failed because openshift/origin#30746 has been merged.

wangke19 changed the title from "[WIP]Add e2e-aws-ovn-tls-13 test job for origin main branch" to "Add e2e-aws-ovn-tls-13 test job for origin main branch" on Feb 3, 2026
openshift-ci bot removed the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) on Feb 3, 2026
wangke19 force-pushed the add-origin-tls13-job branch from 7f05982 to b5d10d4 on February 3, 2026 05:28
wangke19 changed the title from "Add e2e-aws-ovn-tls-13 test job for origin main branch" to "Add e2e-aws-ovn-tls-13 periodic jobs for releases 4.20, 4.21, 4.22" on Feb 3, 2026

This moves TLS 1.3 (Modern profile) periodic test jobs from CI stream
configs to nightly stream configs for OpenShift releases 4.18-4.22.

Rationale: The TLS 1.3 test modifies the API server's TLS security
profile, which propagates to 8+ critical control plane components:
- kube-apiserver, kube-controller-manager, kube-scheduler
- openshift-apiserver, openshift-oauth-apiserver, openshift-oauth-server
- etcd, Machine Config Operator

This is a high-risk, security-critical configuration change that:
1. Affects all API communications and authentication flows
2. Represents a deployment-time configuration (not code feature)
3. Should be tested against stable nightly builds, not pre-merge CI builds
4. Benefits from nightly's comprehensive test coverage (~189 vs ~33 tests)

Nightly stream testing is more appropriate for such cluster-wide security
configuration changes that impact production deployments.

Changes:
- Removed from: ci-operator/config/openshift/release/openshift-release-master__ci-4.{18,19}.yaml
- Added to: ci-operator/config/openshift/release/openshift-release-master__nightly-4.{18,19,20,21,22}.yaml
- Generated: ci-operator/jobs/openshift/release/openshift-release-master-periodics.yaml

wangke19 force-pushed the add-origin-tls13-job branch from b5d10d4 to b43769c on February 3, 2026 14:01
wangke19 changed the title from "Add e2e-aws-ovn-tls-13 periodic jobs for releases 4.20, 4.21, 4.22" to "Move e2e-aws-ovn-tls-13 periodic jobs to nightly configs for releases 4.18-4.22" on Feb 3, 2026

openshift-ci-robot commented

[REHEARSALNOTIFIER]
@wangke19: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| periodic-ci-openshift-release-master-nightly-4.19-e2e-aws-ovn-tls-13 | N/A | periodic | Periodic changed |
| periodic-ci-openshift-release-master-nightly-4.22-e2e-aws-ovn-tls-13 | N/A | periodic | Periodic changed |
| periodic-ci-openshift-release-master-nightly-4.20-e2e-aws-ovn-tls-13 | N/A | periodic | Periodic changed |
| periodic-ci-openshift-release-master-nightly-4.18-e2e-aws-ovn-tls-13 | N/A | periodic | Periodic changed |
| periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-tls-13 | N/A | periodic | Periodic changed |

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

wangke19 commented Feb 4, 2026

/pj-rehearse periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-tls-13

openshift-ci-robot commented

@wangke19: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

wangke19 commented Feb 4, 2026

From failed CI job periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-tls-13, we saw,

: [sig-api-machinery][Feature:APIServer] TestTLSDefaults [Suite:openshift/conformance/parallel]

Reason: skip [github.com/openshift/origin/test/extended/apiserver/tls.go:126]: Cluster TLS profile is not default (intermediate), skipping cipher defaults check

That's expected; we need openshift/origin#30746 to merge.

gangwgr commented Feb 4, 2026

/lgtm

openshift-ci bot added the lgtm label (Indicates that a PR is ready to be merged.) on Feb 4, 2026


neisw commented Feb 4, 2026

/approve

openshift-ci bot commented Feb 4, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gangwgr, neisw, wangke19

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot added the approved label (Indicates a PR has been approved by an approver from all required OWNERS files.) on Feb 4, 2026


wangke19 commented Feb 4, 2026

/pj-rehearse ack

openshift-ci-robot commented

@wangke19: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci-robot added the rehearsals-ack label (Signifies that rehearsal jobs have been acknowledged) on Feb 4, 2026


openshift-ci bot commented Feb 4, 2026

@wangke19: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/rehearse/openshift/origin/main/e2e-aws-ovn-tls-13 | 7f05982 | link | unknown | /pj-rehearse pull-ci-openshift-origin-main-e2e-aws-ovn-tls-13 |
| ci/rehearse/periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-tls-13 | b43769c | link | unknown | /pj-rehearse periodic-ci-openshift-release-master-nightly-4.21-e2e-aws-ovn-tls-13 |

openshift-merge-bot bot merged commit 69315f0 into openshift:master on Feb 4, 2026
15 of 16 checks passed
wangke19 deleted the add-origin-tls13-job branch on February 4, 2026 15:11