OCPBUGS-65730: add --tls-cipher-suites to oauth-apiserver deployment

[vsolanki12]

What this PR does / why we need it:

The openshift-oauth-apiserver deployed by the HyperShift Control Plane Operator (CPO) was started with --tls-min-version but without --tls-cipher-suites. In standalone OCP, the authentication-operator configures both flags. Other CPO-managed components like kube-controller-manager and kube-scheduler already include cipher suites.

This PR adds the --tls-cipher-suites argument to the oauth-apiserver deployment using config.CipherSuites(), following the same pattern as kube-controller-manager (v2/kcm/deployment.go).

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-65730

Special notes for your reviewer:

• The fix follows the existing pattern used by KCM and kube-scheduler for setting cipher suites.
• config.CipherSuites() defaults to Intermediate TLS profile when no profile is explicitly configured.
• Verified on a live KubeVirt HCP cluster with a custom CPO image — --tls-cipher-suites is now present on the oauth-apiserver deployment.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

  • OAuth API server deployment now adds a TLS cipher-suites parameter only when the selected TLS security profile provides a non-empty cipher list.
  • Ensures the OAuth API server enforces the appropriate minimum TLS version for each profile.

• Tests

  • Added and updated tests to validate presence or absence of the cipher-suites parameter and correct TLS minimum version behavior across TLS profiles.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-65730, which is invalid:

• expected the bug to target either version "5.0." or "openshift-5.0.", but it targets "4.21.z" instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

What this PR does / why we need it:

The openshift-oauth-apiserver deployed by the HyperShift Control Plane Operator (CPO) was started with --tls-min-version but without --tls-cipher-suites. In standalone OCP, the authentication-operator configures both flags. Other CPO-managed components like kube-controller-manager and kube-scheduler already include cipher suites.

This PR adds the --tls-cipher-suites argument to the oauth-apiserver deployment using config.CipherSuites(), following the same pattern as kube-controller-manager (v2/kcm/deployment.go).

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-65730

Special notes for your reviewer:

• The fix follows the existing pattern used by KCM and kube-scheduler for setting cipher suites.
• config.CipherSuites() defaults to Intermediate TLS profile when no profile is explicitly configured.
• Verified on a live KubeVirt HCP cluster with a custom CPO image — --tls-cipher-suites is now present on the oauth-apiserver deployment.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 06a707f7-389d-4ad1-8e13-3dc5911b55b0

📥 Commits

Reviewing files that changed from the base of the PR and between 6e74cbe and f6e4761.

⛔ Files ignored due to path filters (5)

• control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/AROSwift/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
• control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/GCP/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
• control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/IBMCloud/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
• control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/TechPreviewNoUpgrade/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**
• control-plane-operator/controllers/hostedcontrolplane/testdata/openshift-oauth-apiserver/zz_fixture_TestControlPlaneComponents_openshift_oauth_apiserver_deployment.yaml is excluded by !**/testdata/**

📒 Files selected for processing (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go

---

📝 Walkthrough

Walkthrough

This PR updates adaptDeployment to read cipher suites from the configured TLSSecurityProfile and append a --tls-cipher-suites= argument only when the returned list is non-empty (placed after --tls-min-version). Tests were updated: the existing TLS case now asserts the cipher-suites arg is absent for profiles that return no suites, and a new Intermediate profile case asserts --tls-min-version=VersionTLS12 and that --tls-cipher-suites= is present.

🚥 Pre-merge checks | ✅ 7 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Test Structure And Quality	❓ Inconclusive	Tests use standard Go unit testing with Gomega matchers, not Ginkgo BDD-style. Custom check references Ginkgo patterns (It, Describe, BeforeEach). Applicability unclear.	Clarify whether check applies to table-driven Go tests or only Ginkgo tests with BDD structure.

✅ Passed checks (7 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding the --tls-cipher-suites argument to the oauth-apiserver deployment, which is clearly reflected in both the implementation and test changes.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All test names in deployment_test.go are stable string literals with no dynamic content. Tests follow descriptive patterns without timestamps, UUIDs, pod names, or other changing identifiers.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only adds --tls-cipher-suites argument; introduces no scheduling constraints, affinity rules, topology constraints, replica changes, or nodeSelectors affecting topology compatibility.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo e2e tests added. Changes only modify standard Go unit tests (TestAdaptDeployment), not Ginkgo-style tests, so IPv6/disconnected check does not apply.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-65730, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

What this PR does / why we need it:

The openshift-oauth-apiserver deployed by the HyperShift Control Plane Operator (CPO) was started with --tls-min-version but without --tls-cipher-suites. In standalone OCP, the authentication-operator configures both flags. Other CPO-managed components like kube-controller-manager and kube-scheduler already include cipher suites.

This PR adds the --tls-cipher-suites argument to the oauth-apiserver deployment using config.CipherSuites(), following the same pattern as kube-controller-manager (v2/kcm/deployment.go).

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-65730

Special notes for your reviewer:

• The fix follows the existing pattern used by KCM and kube-scheduler for setting cipher suites.
• config.CipherSuites() defaults to Intermediate TLS profile when no profile is explicitly configured.
• Verified on a live KubeVirt HCP cluster with a custom CPO image — --tls-cipher-suites is now present on the oauth-apiserver deployment.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features
• OAuth API server deployment now supports applying TLS cipher suite configurations based on the selected TLS security profile. This enables operators to enforce specific cipher requirements for enhanced SSL/TLS security control, providing granular configuration capabilities for deployments with particular compliance and security standards.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vsolanki12]

/jira refresh

[openshift-ci-robot]

@vsolanki12: This pull request references Jira Issue OCPBUGS-65730, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (5.0.0) matches configured target version for branch (5.0.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

No GitHub users were found matching the public email listed for the QA contact in Jira (yli2@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

🧹 Nitpick comments (1)

control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go (1)

111-152: 💤 Low value

Consider adding a negative assertion for cipher suites in the Modern TLS profile test.

The Modern TLS profile test validates --tls-min-version=VersionTLS13 but doesn't explicitly verify that --tls-cipher-suites is absent. While the test would likely fail if cipher suites were incorrectly added, a negative assertion would make the expected behavior clearer and improve test coverage.

💡 Suggested enhancement

 container := podspec.FindContainer(ComponentName, deployment.Spec.Template.Spec.Containers)
 g.Expect(container).ToNot(BeNil())
 g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS13"))
+g.Expect(container.Args).ToNot(ContainElement(ContainSubstring("--tls-cipher-suites=")))

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go`
around lines 111 - 152, Add a negative assertion to the Modern TLS profile test
to verify that cipher suites are not set: after locating the OAuth APIServer
container (using podspec.FindContainer with ComponentName) and asserting the
tls-min-version flag, also assert that container.Args does NOT contain any
"--tls-cipher-suites=..." entry (e.g., check for absence of the exact
"--tls-cipher-suites" argument or any arg prefixing with that string) so
adaptDeployment and the container args are validated for the absence of
cipher-suite configuration.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go`:
- Around line 111-152: Add a negative assertion to the Modern TLS profile test
to verify that cipher suites are not set: after locating the OAuth APIServer
container (using podspec.FindContainer with ComponentName) and asserting the
tls-min-version flag, also assert that container.Args does NOT contain any
"--tls-cipher-suites=..." entry (e.g., check for absence of the exact
"--tls-cipher-suites" argument or any arg prefixing with that string) so
adaptDeployment and the container args are validated for the absence of
cipher-suite configuration.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7d3ec71e-95a9-4394-bf2b-6d4e743a9f91

📥 Commits

Reviewing files that changed from the base of the PR and between 9e283ae and d2388a6.

📒 Files selected for processing (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 40.53%. Comparing base (7625684) to head (f6e4761).
⚠️ Report is 26 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8554      +/-   ##
==========================================
+ Coverage   40.41%   40.53%   +0.12%     
==========================================
  Files         755      755              
  Lines       93235    93238       +3     
==========================================
+ Hits        37679    37797     +118     
+ Misses      52854    52740     -114     
+ Partials     2702     2701       -1     

Files with missing lines	Coverage Δ
...ostedcontrolplane/v2/oauth_apiserver/deployment.go	100.00% <100.00%> (ø)

... and 3 files with indirect coverage changes

Flag	Coverage Δ
cmd-support	34.45% <ø> (+<0.01%)	⬆️
cpo-hostedcontrolplane	41.77% <100.00%> (+0.01%)	⬆️
cpo-other	41.23% <ø> (+0.91%)	⬆️
hypershift-operator	50.72% <ø> (ø)
other	31.58% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[coderabbitai]

🧹 Nitpick comments (2)

control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go (2)

111-152: 💤 Low value

Consider verifying that Modern TLS profile does not include --tls-cipher-suites argument.

The existing Modern profile test validates --tls-min-version=VersionTLS13 but doesn't explicitly verify the absence of the --tls-cipher-suites argument. Since Modern profile (TLS 1.3) uses a different cipher suite mechanism and the implementation only adds --tls-cipher-suites when the list is non-empty, adding an assertion for absence would make the test coverage more complete and explicitly document the expected behavior.

🧪 Optional: Add assertion for cipher suites absence

 				container := podspec.FindContainer(ComponentName, deployment.Spec.Template.Spec.Containers)
 				g.Expect(container).ToNot(BeNil())
 				g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS13"))
+				// Modern profile (TLS 1.3) should not include cipher suites argument
+				for _, arg := range container.Args {
+					g.Expect(arg).ToNot(ContainSubstring("--tls-cipher-suites"), "Modern profile should not configure cipher suites")
+				}

This explicitly documents that TLS 1.3 (Modern) doesn't use the --tls-cipher-suites flag, making the test suite's coverage of both positive and negative cases clearer.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go`
around lines 111 - 152, The Modern TLS profile test currently asserts
--tls-min-version=VersionTLS13 but not the absence of the cipher-suites flag;
update the validation inside the test's validate function (where it calls
adaptDeployment and locates the container via
podspec.FindContainer(ComponentName, ...)) to also assert that container.Args
does NOT contain any --tls-cipher-suites entry (e.g., use the test framework's
negative containment assertion on container.Args to ensure no
"--tls-cipher-suites=" flag is present for ModernTLSProfile/Modern).

---

194-194: 💤 Low value

Consider validating the actual cipher suite values in addition to argument presence.

The test currently uses ContainElement(ContainSubstring("--tls-cipher-suites=")) which only verifies the argument is present but not that it contains the expected Intermediate profile cipher suites. While this approach avoids brittleness if the cipher suite list changes, it doesn't catch potential issues where the argument is present but has incorrect or empty values.

💡 Optional: More robust assertion

 				g.Expect(container.Args).To(ContainElement("--tls-min-version=VersionTLS12"))
-				g.Expect(container.Args).To(ContainElement(ContainSubstring("--tls-cipher-suites=")))
+				// Verify cipher suites argument exists and is non-empty
+				var cipherSuitesArg string
+				for _, arg := range container.Args {
+					if strings.HasPrefix(arg, "--tls-cipher-suites=") {
+						cipherSuitesArg = arg
+						break
+					}
+				}
+				g.Expect(cipherSuitesArg).ToNot(BeEmpty(), "should have --tls-cipher-suites argument")
+				g.Expect(strings.TrimPrefix(cipherSuitesArg, "--tls-cipher-suites=")).ToNot(BeEmpty(), "cipher suites list should not be empty")

Note: This is optional since the current substring match is simpler and sufficient for verifying the feature works correctly.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go`
at line 194, Test only checks presence of the --tls-cipher-suites= argument;
update the assertion in deployment_test.go so it validates the actual value
rather than just the flag name (locate the assertion that inspects
container.Args). Replace the current
ContainElement(ContainSubstring("--tls-cipher-suites=")) check with a stricter
assertion that either (a) matches a non-empty value via a regexp like
--tls-cipher-suites=.+ or (b) compares against the expected Intermediate-profile
cipher string (e.g. build expectedCipherSuites and assert
ContainElement(ContainSubstring("--tls-cipher-suites="+expectedCipherSuites))).
Ensure the change uses the same container.Args target so the test still finds
the arg but now validates its value.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In
`@control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go`:
- Around line 111-152: The Modern TLS profile test currently asserts
--tls-min-version=VersionTLS13 but not the absence of the cipher-suites flag;
update the validation inside the test's validate function (where it calls
adaptDeployment and locates the container via
podspec.FindContainer(ComponentName, ...)) to also assert that container.Args
does NOT contain any --tls-cipher-suites entry (e.g., use the test framework's
negative containment assertion on container.Args to ensure no
"--tls-cipher-suites=" flag is present for ModernTLSProfile/Modern).
- Line 194: Test only checks presence of the --tls-cipher-suites= argument;
update the assertion in deployment_test.go so it validates the actual value
rather than just the flag name (locate the assertion that inspects
container.Args). Replace the current
ContainElement(ContainSubstring("--tls-cipher-suites=")) check with a stricter
assertion that either (a) matches a non-empty value via a regexp like
--tls-cipher-suites=.+ or (b) compares against the expected Intermediate-profile
cipher string (e.g. build expectedCipherSuites and assert
ContainElement(ContainSubstring("--tls-cipher-suites="+expectedCipherSuites))).
Ensure the change uses the same container.Args target so the test still finds
the arg but now validates its value.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 4f83572e-787e-45ca-a557-520fcf1fd1d0

📥 Commits

Reviewing files that changed from the base of the PR and between d2388a6 and c2fd13b.

📒 Files selected for processing (2)

• control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment.go
• control-plane-operator/controllers/hostedcontrolplane/v2/oauth_apiserver/deployment_test.go

[muraee]

/approve

[sdminonne]

This is a short solid security improvement PR. It follows other components flags/config.
Thanks

[sdminonne]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: muraee, sdminonne, vsolanki12

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [muraee]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[vsolanki12]

/retest

[hypershift-jira-solve-ci]

Test Failure Analysis Complete

Job Information

• Prow Job: Red Hat Konflux / hypershift-operator-main-enterprise-contract / hypershift-operator-main
• Build ID: hypershift-operator-main-enterprise-contract-lmrmk
• Second Job: Red Hat Konflux / hypershift-operator-enterprise-contract / hypershift-operator-main
• Second Build ID: hypershift-operator-enterprise-contract-qvg82
• PR: #8554 — OCPBUGS-65730: add --tls-cipher-suites to oauth-apiserver deployment
• Snapshot: hypershift-operator-20260526-152926-000
• Component: hypershift-operator-main

Test Failure Analysis

Error

Enterprise Contract verify step: 250 success(es), 20 warning(s), 6 failure(s)

Rule violations (3 policy rules × 2 SLSA provenance attestations = 6 failures):
1. prefetch_dependencies.package_registry_proxy_enabled — Task 'prefetch-dependencies-oci-ta'
   does not have the enable-package-registry-proxy parameter set to true
2. Outdated Tekton task bundle digests (38 tasks at stale SHAs)
3. build-image-index task at deprecated version 0.2 with removed params COMMIT_SHA
   and IMAGE_EXPIRES_AFTER (should be version 0.3)

Summary

Both Enterprise Contract checks fail because PR #8554's branch was created from commit 294fa41 (2026-05-19), which predates two critical .tekton/ pipeline fixes that were merged to main on 2026-05-20. Pipelines-as-Code reads the .tekton/ configuration from the PR branch itself, not the target branch, so the stale pipeline definition triggers 6 EC policy violations. The PR's actual code changes (adding --tls-cipher-suites to the oauth-apiserver deployment) are completely unrelated to the failures. All other CI checks (unit tests, lint, verify, envtest) passed.

Root Cause

The PR branch is missing two sets of .tekton/ pipeline fixes that were merged to main after the branch was created:

1. PR #8552 (merged 2026-05-20T13:52Z): Added the enable-package-registry-proxy: "true" parameter to the prefetch-dependencies-oci-ta task in both .tekton/pipelines/common-operator-build.yaml and .tekton/hypershift-operator-main-tag.yaml. This parameter became mandatory via the EC policy rule prefetch_dependencies.package_registry_proxy_enabled (effective 2026-05-13). Without it, the EC check flags a failure for each SLSA provenance attestation that references the prefetch-dependencies task invocation.

2. PR #8557 (merged 2026-05-20T16:05Z): Updated 38 Tekton task bundle digests to their latest trusted versions and migrated build-image-index from version 0.2 to 0.3 (removing the deprecated COMMIT_SHA and IMAGE_EXPIRES_AFTER parameters per the 0.3 migration notes). The outdated bundles and deprecated parameters trigger additional EC policy violations.

The 6 failures break down as 3 distinct policy violations evaluated against 2 SLSA provenance attestations (one for the buildah-remote task and one for the build-image-index task), producing 3 × 2 = 6 failure entries.

Why earlier runs only showed 2 failures: The previous EC run for this PR (and for PRs #8541, #8549, #8553) executed on 2026-05-19/20 and only flagged the prefetch_dependencies.package_registry_proxy_enabled rule (2 failures = 1 rule × 2 attestations). Between May 20 and May 26, additional EC policy rules related to task bundle freshness and deprecated parameter usage became effective or were updated, increasing the failure count from 2 to 6.

This is not caused by the PR's code changes. The PR only modifies deployment.go, deployment_test.go, and test fixture YAMLs — none of which are .tekton/ files.

Recommendations

1. Rebase PR OCPBUGS-65730: add --tls-cipher-suites to oauth-apiserver deployment #8554 on main — This picks up both .tekton/ fixes (PR OCPBUGS-86238: set limits for aro.openshift.io/swift-nic in request overrides for ARO swift #8552 and PR NO-JIRA: Update Konflux Tekton task bundles #8557) and resolves all 6 EC failures:

   git fetch upstream main
   git rebase upstream/main
   git push --force-with-lease

   (Note: a force-push to f6e4761c was already detected — verify whether the latest push includes the rebase. As of this analysis, the new commit's Konflux build was still running.)

2. No changes to the PR's code are needed — The --tls-cipher-suites addition is correct and all functional CI checks (unit tests, lint, verify, envtest) passed.

3. Other affected PRs — Any PR branched before 2026-05-20T16:05Z that triggers the hypershift-operator-main Konflux build will encounter the same EC failures until rebased. Confirmed affected: PRs feat(webhookcerts): add --enable-webhook-cert-reconciler flag #8541, AROSLSRE-830: Mitigate etcd cascading quorum loss during node drains #8549, NO-JIRA: fix(e2e): lower pull secret in-place propagation test gate to 4.22 #8553.

Evidence

Evidence	Detail
Failing EC rule #1	prefetch_dependencies.package_registry_proxy_enabled — missing enable-package-registry-proxy: "true" on prefetch-dependencies-oci-ta task
Failing EC rule #2	Outdated Tekton task bundle digests (38 tasks at stale SHAs, e.g., prefetch-dependencies-oci-ta:0.3@sha256:a579d00f... vs current sha256:a2efbcdc...)
Failing EC rule #3	build-image-index at v0.2 with deprecated COMMIT_SHA/IMAGE_EXPIRES_AFTER params (should be v0.3 without those params)
Fix PR #1	#8552 — enable-package-registry-proxy (merged 2026-05-20T13:52Z)
Fix PR #2	#8557 — Tekton task bundle updates + build-image-index migration (merged 2026-05-20T16:05Z)
PR #8554 base commit	294fa4130bc88d6811d7a1e5ec058f9636a50f22 (2026-05-19, predates both fixes)
Main branch after fixes	neutral — 512 successes, 36 warnings, 0 failures
PR #8554 (stale branch)	failure — 250 successes, 20 warnings, 6 failures
PR #8552 (rebased, passes)	neutral — 256 successes, 24 warnings, 0 failures
Same failure on PR #8549	✅ Confirmed — 254/24/2 pattern (May 20 run, pre-bundle-update)
Same failure on PR #8553	✅ Confirmed — 254/24/2 pattern (May 20 run, pre-bundle-update)
PR code changes unrelated	Only modifies: deployment.go, deployment_test.go, 5 testdata YAML fixtures
All functional CI checks	✅ Passed (unit tests, lint, verify, envtest, gitlint)

---

[sdminonne]

/lgtm

[openshift-merge-bot]

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

[cwbotbot]

Test Results

e2e-aws

• Status: ✅ PASS
• Started: 2026-05-26T17:11:44Z
• View Job
• View Job History

e2e-aks

• Status: ✅ PASS
• Started: 2026-05-26T17:11:43Z
• View Job
• View Job History

[vsolanki12]

/verified by me

[openshift-ci-robot]

@vsolanki12: This PR has been marked as verified by me.

Details

In response to this:

/verified by me

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[vsolanki12]

Before fix:

$ oc get deployment openshift-oauth-apiserver -n clusters-ocpbugs-65730 \
  -o jsonpath='{.spec.template.spec.containers[?(@.name=="openshift-oauth-apiserver")].args}' | jq .
[
  "start",
  "--authorization-kubeconfig=/etc/kubernetes/secrets/svc-kubeconfig/kubeconfig",
  "--authentication-kubeconfig=/etc/kubernetes/secrets/svc-kubeconfig/kubeconfig",
  ...
  "--tls-min-version=VersionTLS12"
]

After Fix:

--tls-min-version=VersionTLS12
--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

[openshift-ci]

@vsolanki12: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@vsolanki12: Jira Issue Verification Checks: Jira Issue OCPBUGS-65730
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-65730 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

What this PR does / why we need it:

The openshift-oauth-apiserver deployed by the HyperShift Control Plane Operator (CPO) was started with --tls-min-version but without --tls-cipher-suites. In standalone OCP, the authentication-operator configures both flags. Other CPO-managed components like kube-controller-manager and kube-scheduler already include cipher suites.

This PR adds the --tls-cipher-suites argument to the oauth-apiserver deployment using config.CipherSuites(), following the same pattern as kube-controller-manager (v2/kcm/deployment.go).

Which issue(s) this PR fixes:

Fixes https://issues.redhat.com/browse/OCPBUGS-65730

Special notes for your reviewer:

• The fix follows the existing pattern used by KCM and kube-scheduler for setting cipher suites.
• config.CipherSuites() defaults to Intermediate TLS profile when no profile is explicitly configured.
• Verified on a live KubeVirt HCP cluster with a custom CPO image — --tls-cipher-suites is now present on the oauth-apiserver deployment.

Checklist:

• Subject and description added to both, commit and PR.
• Relevant issues have been referenced.
• This change includes docs.
• This change includes unit tests.

Summary by CodeRabbit

• New Features

• OAuth API server deployment now adds a TLS cipher-suites parameter only when the selected TLS security profile provides a non-empty cipher list.

• Ensures the OAuth API server enforces the appropriate minimum TLS version for each profile.

• Tests

• Added and updated tests to validate presence or absence of the cipher-suites parameter and correct TLS minimum version behavior across TLS profiles.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-merge-robot]

Fix included in release 5.0.0-0.nightly-2026-05-27-134409