osc: Add TLS scanner periodic jobs for sandboxed-containers-operator

[thejasn]

Add two 72h periodic jobs on the devel branch to verify TLS compliance of the sandboxed-containers operator stack with an active peer pod:

• tls-scanner-default: baseline TLS scan (certs, ciphers, protocols)
• tls-scanner-pqc: PQC readiness check (TLS 1.3 + ML-KEM/X25519MLKEM768)

Updates the OpenShift CI periodic configuration for the openshift/sandboxed-containers-operator devel periodics to add TLS-scanning periodic jobs and associated CI image inputs.

Practical impact

• Affects CI for the sandboxed-containers-operator repository (devel variant / periodics). Adds two 72-hour periodic tests that run the tls-scanner against a live peer pod in the aws-sandboxed-containers-operator cluster profile.
• Adds a new CI base image input: base_images.tls-scanner-tool (namespace: tls-scanner, name/tag: tls-scanner-tool).
• Updates base_images.tests-private to point to tag 4.22 in namespace ci.

Jobs added / behavior

• tls-scanner-default: baseline TLS compliance scan (certificates, ciphers, protocols).
• tls-scanner-pqc: PQC readiness scan (enables PQC_CHECK="true" to exercise TLS 1.3 + ML-KEM / X25519MLKEM768).
• Both jobs:
  • Run every 72 hours on the devel periodics variant.
  • Use cluster_profile: aws-sandboxed-containers-operator and workflow: sandboxed-containers-operator-e2e-aws.
  • Create a peer pod named tls-scan-peerpod in namespace openshift-sandboxed-containers-operator using runtimeClassName kata-remote, wait up to 10m for readiness, then run tls-scanner and delete the pod (delete timeout 5m).
  • Set ENABLEPEERPODS="true", RUNTIMECLASS=kata-remote, SCAN_NAMESPACE=openshift-sandboxed-containers-operator, TEST_SCENARIOS=C00113, WORKLOAD_TO_TEST=peer-pods, and AWS_REGION_OVERRIDE=us-east-2.

CI environment and resource defaults

• build_root: builder image stream tag rhel-9-golang-1.25-openshift-4.21.
• releases.latest.integration targets 4.21 in namespace ocp.
• Default test resource requests: 100m CPU, 200Mi memory.

Other notes

• The change is a YAML CI configuration update (no exported code entities).
• Generated metadata identifies branch devel, org openshift, repo sandboxed-containers-operator, variant periodics.

Related to: rhjira#KATA-5101

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ea668115-69c3-40af-a3a1-3dd246494288

📥 Commits

Reviewing files that changed from the base of the PR and between 86c7095 and 31b37be.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml

---

Walkthrough

Updates the devel periodic CI config for sandboxed-containers-operator: changes tests-private base image to ci:4.22, adds a tls-scanner-tool base image, keeps build_root and integration release pinned to 4.21, and defines two 72-hour TLS scanner periodic jobs (default and PQC) using kata-remote peer-pods.

Changes

OpenShift Sandboxed Containers Operator Periodic Configuration

Layer / File(s)	Summary
Build, release, and base images ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml	base_images.tests-private updated to ci:4.22; base_images.tls-scanner-tool added; build_root and releases.latest.integration remain pinned to rhel-9-golang-1.25-openshift-4.21 and ocp/4.21.
Default job resources ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml	Default resource requests applied to all jobs: cpu: 100m, memory: 200Mi.
TLS scanner periodic jobs (default) ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml	tls-scanner-default 72h periodic job defined: AWS cluster profile, creates kata-remote peer Pod, waits up to 10m for readiness, deletes Pod with 5m timeout; per-step resource requests present.
TLS scanner periodic jobs (PQC) ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml	tls-scanner-pqc 72h periodic job mirrors default flow and sets PQC_CHECK: "true" in the environment.
Generated metadata ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml	zz_generated_metadata for branch devel, org openshift, repo sandboxed-containers-operator, variant periodics retained/updated.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• openshift/release#78789: Modifies the TLS scanner run workflow to handle exit codes and clarifies PQC_CHECK behavior.

Suggested reviewers

• smith-xyz
• richardsonnick

Suggested labels

rehearsals-ack

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding TLS scanner periodic jobs for the sandboxed-containers-operator, which matches the actual changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR modifies a YAML CI config file only. No Ginkgo test definitions (It(), Describe(), Context(), etc.) exist in any modified files. Check is not applicable without actual Ginkgo test code.
Test Structure And Quality	✅ Passed	PR modifies only OpenShift CI YAML configuration files, not Ginkgo test code. Custom check for Ginkgo test structure is not applicable.
Microshift Test Compatibility	✅ Passed	PR adds only CI configuration (YAML), not Ginkgo e2e tests. Custom check for MicroShift test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The PR adds only a YAML CI configuration file with no Ginkgo e2e tests. The SNO compatibility check applies only when new Ginkgo tests are added, which is not the case here.
Topology-Aware Scheduling Compatibility	✅ Passed	PR adds CI configuration with test Pods containing no affinity, node selectors, or topology-specific scheduling constraints. Not applicable to CI-only changes.
Ote Binary Stdout Contract	✅ Passed	PR modifies only YAML configuration (CI periodic job definitions). OTE Binary Stdout Contract check applies to Go code implementations, not configuration files. No code changes present.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. PR only modifies CI configuration YAML for job orchestration, not test code.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: thejasn
Once this PR has been reviewed and has the lgtm label, please assign pmores for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/sandboxed-containers-operator/OWNERS
• ci-operator/jobs/openshift/sandboxed-containers-operator/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

🧹 Nitpick comments (1)

ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml (1)

25-138: 🏗️ Heavy lift

Consider extracting duplicated Pod lifecycle steps to shared step-registry entries.

The two test definitions are 99% identical—they differ only in the PQC_CHECK environment variable (line 89). The entire Pod manifest (lines 42-64 vs 99-121), creation logic, wait command, and deletion logic are duplicated across both tests.

This duplication increases maintenance burden: any change to the Pod spec or lifecycle commands must be applied in two places, risking inconsistency.

Consider refactoring by:

1. Creating a shared step-registry entry for peer-pod creation/deletion
2. Parameterizing the Pod manifest via environment variables if needed
3. Passing test-specific environment variables (like PQC_CHECK) through the step configuration

This would reduce the ~110 lines to approximately half while preserving both test variants.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml`
around lines 25 - 138, Both periodic tests (as: tls-scanner-default and as:
tls-scanner-pqc) duplicate the peer-pod Pod manifest and lifecycle steps;
extract those into reusable step-registry entries and parameterize them. Create
shared step-registry steps (e.g., create-peer-pod and delete-peer-pod) that
accept env parameters like POD_NAME, SCAN_NAMESPACE (or NAMESPACE),
RUNTIMECLASS, IMAGE, and TIMEOUT, then replace the inline commands in both test
definitions with references to those steps; keep test-specific env (PQC_CHECK)
only in the top-level env for tls-scanner-pqc so the common steps read
parameters from the passed env. Ensure the step names match the existing ref
usages (ref: create-peer-pod and ref: delete-peer-pod) so workflow
sandboxed-containers-operator-e2e-aws continues to work.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml`:
- Around line 25-138: Both periodic tests (as: tls-scanner-default and as:
tls-scanner-pqc) duplicate the peer-pod Pod manifest and lifecycle steps;
extract those into reusable step-registry entries and parameterize them. Create
shared step-registry steps (e.g., create-peer-pod and delete-peer-pod) that
accept env parameters like POD_NAME, SCAN_NAMESPACE (or NAMESPACE),
RUNTIMECLASS, IMAGE, and TIMEOUT, then replace the inline commands in both test
definitions with references to those steps; keep test-specific env (PQC_CHECK)
only in the top-level env for tls-scanner-pqc so the common steps read
parameters from the passed env. Ensure the step names match the existing ref
usages (ref: create-peer-pod and ref: delete-peer-pod) so workflow
sandboxed-containers-operator-e2e-aws continues to work.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9353e89e-afd5-4951-89ae-1c3d364881f0

📥 Commits

Reviewing files that changed from the base of the PR and between 6d4c827 and 86c7095.

⛔ Files ignored due to path filters (1)

• ci-operator/jobs/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel-periodics.yaml is excluded by !ci-operator/jobs/**

📒 Files selected for processing (1)

• ci-operator/config/openshift/sandboxed-containers-operator/openshift-sandboxed-containers-operator-devel__periodics.yaml

[thejasn]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-default

[openshift-merge-bot]

@thejasn: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-merge-bot]

[REHEARSALNOTIFIER]
@thejasn: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-pqc	N/A	periodic	Periodic changed
periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-default	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[thejasn]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-default

[openshift-merge-bot]

@thejasn: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[thejasn]

/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-default

[openshift-merge-bot]

@thejasn: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[openshift-ci]

@thejasn: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-default	31b37be	link	unknown	/pj-rehearse periodic-ci-openshift-sandboxed-containers-operator-devel-periodics-tls-scanner-default

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.