From 0d3be70d9ce8fed1e520bb37ad5291722235de88 Mon Sep 17 00:00:00 2001
From: David Hurta
Date: Wed, 11 Mar 2026 15:43:48 +0100
Subject: [PATCH 1/2] cvo: Add optional tls scanner presubmit job A failing test of the tls-scanner-run step [1] does not fail the whole job [2]. At least, as of the moment. Thus, make the job optional. An always passing job has no significant value. Thus, the job is intended to be used to verify TLS changes explicitly. We'll depend on existing periodic testing and fix things when a regression is reported, if not caught during merging. Use an AWS cluster profile in combination with stronger compute nodes to handle the tls-scanner-run step. The default node type fails to schedule the needed pods by the step. The node type was chosen based on other tls-scanner jobs in the openshift/release repository. [1]: https://steps.ci.openshift.org/reference/tls-scanner-run [2]: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/76044/rehearse-76044-pull-ci-openshift-cluster-version-operator-main-tls-scanner/2031796334276644864
---
 .../openshift-cluster-version-operator-main.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/ci-operator/config/openshift/cluster-version-operator/openshift-cluster-version-operator-main.yaml b/ci-operator/config/openshift/cluster-version-operator/openshift-cluster-version-operator-main.yaml
index d611b75ac9447..a70152d72da30 100644
--- a/ci-operator/config/openshift/cluster-version-operator/openshift-cluster-version-operator-main.yaml
+++ b/ci-operator/config/openshift/cluster-version-operator/openshift-cluster-version-operator-main.yaml
@@ -196,6 +196,17 @@ tests:
 container:
 from: src
 skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$
+- always_run: false
+ as: tls-scanner
+ optional: true
+ steps:
+ cluster_profile: aws-5
+ env:
+ COMPUTE_NODE_TYPE: m5.2xlarge
+ SCAN_NAMESPACE: openshift-cluster-version
+ test:
+ - ref: tls-scanner-run
+ workflow: ipi-aws
 zz_generated_metadata:
 branch: main
 org: openshift
From 44c491a81b69f022e72879f591b9201715ab9bdf Mon Sep 17 00:00:00 2001
From: David Hurta
Date: Tue, 17 Mar 2026 02:35:23 +0100
Subject: [PATCH 2/2] Run `make jobs`
---
 ...ster-version-operator-main-presubmits.yaml | 81 +++++++++++++++++++
 1 file changed, 81 insertions(+)
diff --git a/ci-operator/jobs/openshift/cluster-version-operator/openshift-cluster-version-operator-main-presubmits.yaml b/ci-operator/jobs/openshift/cluster-version-operator/openshift-cluster-version-operator-main-presubmits.yaml
index 620895aa7427a..83f150dff5e05 100644
--- a/ci-operator/jobs/openshift/cluster-version-operator/openshift-cluster-version-operator-main-presubmits.yaml
+++ b/ci-operator/jobs/openshift/cluster-version-operator/openshift-cluster-version-operator-main-presubmits.yaml
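Review bot: Nothing in the new `tls-scanner` entry of openshift-cluster-version-operator-main.yaml ties the scan to the changes it is meant to check: with `always_run: false` and no `run_if_changed`, a pull request that alters TLS settings is scanned only if someone remembers to type `/test tls-scanner`. Because the job is `optional: true` it cannot block a merge, so a path filter such as `run_if_changed: <regex for the TLS-related paths>` (placeholder, the repository's paths are not visible here) would let it trigger itself without gating anything, at the cost of provisioning an AWS cluster per run. The commit message also states that a failing `tls-scanner-run` does not fail the job, so a green `ci/prow/tls-scanner` context should not be read as a clean scan until the step propagates its result; reviewers have to open the step artifacts. The entry is appended to the `tests:` list, which begins outside this hunk.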
@@ -1535,6 +1535,87 @@ presubmits: secret: secretName: result-aggregator trigger: (?m)^/test( | .* )okd-scos-images,?($|\s.*) + - agent: kubernetes + always_run: false + branches: + - ^main$ + - ^main- + cluster: build11 + context: ci/prow/tls-scanner + decorate: true + labels: + ci-operator.openshift.io/cloud: aws + ci-operator.openshift.io/cloud-cluster-profile: aws-5 + ci.openshift.io/generator: prowgen + pj-rehearse.openshift.io/can-be-rehearsed: "true" + name: pull-ci-openshift-cluster-version-operator-main-tls-scanner + optional: true + rerun_command: /test tls-scanner + spec: + containers: + - args: + - --gcs-upload-secret=/secrets/gcs/service-account.json + - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson + - --lease-server-credentials-file=/etc/boskos/credentials + - --report-credentials-file=/etc/report/credentials + - --secret-dir=/secrets/ci-pull-credentials + - --target=tls-scanner + command: + - ci-operator + env: + - name: HTTP_SERVER_IP + valueFrom: + fieldRef: + fieldPath: status.podIP + image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest + imagePullPolicy: Always + name: "" + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 10m + volumeMounts: + - mountPath: /etc/boskos + name: boskos + readOnly: true + - mountPath: /secrets/ci-pull-credentials + name: ci-pull-credentials + readOnly: true + - mountPath: /secrets/gcs + name: gcs-credentials + readOnly: true + - mountPath: /secrets/manifest-tool + name: manifest-tool-local-pusher + readOnly: true + - mountPath: /etc/pull-secret + name: pull-secret + readOnly: true + - mountPath: /etc/report + name: result-aggregator + readOnly: true + serviceAccountName: ci-operator + volumes: + - name: boskos + secret: + items: + - key: credentials + path: credentials + secretName: boskos-credentials + - name: ci-pull-credentials + secret: + secretName: ci-pull-credentials + - name: manifest-tool-local-pusher + secret: + secretName: 
manifest-tool-local-pusher + - name: pull-secret + secret: + secretName: registry-pull-credentials + - name: result-aggregator + secret: + secretName: result-aggregator + trigger: (?m)^/test( | .* )tls-scanner,?($|\s.*) - agent: kubernetes always_run: false branches: