[o/cert-manager-operator] security scanner

ci-operator/config/openshift/cert-manager-istio-csr/OWNERS

@@ -0,0 +1,15 @@
+# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools.
+# Fetched from https://github.com/openshift/cert-manager-istio-csr root OWNERS
+# If the repo had OWNERS_ALIASES then the aliases were expanded
+# Logins who are not members of 'openshift' organization were filtered out
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+approvers:
+- deads2k
+- swghosh
+- trilokgeer
+options: {}
+reviewers:
+- deads2k
+- swghosh
+- trilokgeer

ci-operator/config/openshift/cert-manager-istio-csr/openshift-cert-manager-istio-csr-release-1.15.yaml

@@ -0,0 +1,25 @@
+binary_build_commands: echo no-op
+build_root:
+  image_stream_tag:
+    name: release
+    namespace: openshift
+    tag: golang-1.21
+resources:
+  '*':
+    limits:
+      memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: security
+  cron: 0 0 * * 0,2,4
+  steps:
+    env:
+      PROJECT_NAME: openshift/cert-manager-istio-csr
+      TARGET_REFERENCE: release-1.15
+    workflow: openshift-ci-security
+zz_generated_metadata:
+  branch: release-1.15
+  org: openshift
+  repo: cert-manager-istio-csr

ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14.yaml

@@ -111,6 +111,13 @@ tests:
         requests:
           cpu: 50m
           memory: 64Mi
+- as: security
+  optional: true
+  steps:
+    env:
+      PROJECT_NAME: openshift/cert-manager-operator
+      TARGET_REFERENCE: cert-manager-1.14
+    workflow: openshift-ci-security
 - as: e2e-operator
   steps:
     cluster_profile: aws

ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15.yaml

@@ -85,6 +85,13 @@ tests:
       SCAN_IMAGE: cert-manager
     test:
     - ref: fips-check-image-scan
+- as: security
+  optional: true
+  steps:
+    env:
+      PROJECT_NAME: openshift/cert-manager-operator
+      TARGET_REFERENCE: cert-manager-1.15
+    workflow: openshift-ci-security
 - as: e2e-operator
   steps:
     cluster_profile: aws

ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml

@@ -85,6 +85,13 @@ tests:
       SCAN_IMAGE: cert-manager
     test:
     - ref: fips-check-image-scan
+- as: security
+  optional: true
+  steps:
+    env:
+      PROJECT_NAME: openshift/cert-manager-operator
+      TARGET_REFERENCE: master
+    workflow: openshift-ci-security
 - as: e2e-operator
   steps:
     cluster_profile: aws

ci-operator/config/openshift/jetstack-cert-manager/OWNERS

@@ -0,0 +1,15 @@
+# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools.
+# Fetched from https://github.com/openshift/jetstack-cert-manager root OWNERS
+# If the repo had OWNERS_ALIASES then the aliases were expanded
+# Logins who are not members of 'openshift' organization were filtered out
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+approvers:
+- deads2k
+- swghosh
+- trilokgeer
+options: {}
+reviewers:
+- deads2k
+- swghosh
+- trilokgeer

ci-operator/config/openshift/jetstack-cert-manager/openshift-jetstack-cert-manager-release-1.14.yaml

@@ -0,0 +1,25 @@
+binary_build_commands: echo no-op
+build_root:
+  image_stream_tag:
+    name: release
+    namespace: openshift
+    tag: golang-1.20
+resources:
+  '*':
+    limits:
+      memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: security
+  cron: 0 0 * * 0,2,4
+  steps:
+    env:
+      PROJECT_NAME: openshift/cert-manager-operator
+      TARGET_REFERENCE: release-1.14
+    workflow: openshift-ci-security
+zz_generated_metadata:
+  branch: release-1.14
+  org: openshift
+  repo: jetstack-cert-manager

ci-operator/config/openshift/jetstack-cert-manager/openshift-jetstack-cert-manager-release-1.15.yaml

@@ -0,0 +1,25 @@
+binary_build_commands: echo no-op
+build_root:
+  image_stream_tag:
+    name: release
+    namespace: openshift
+    tag: golang-1.21
+resources:
+  '*':
+    limits:
+      memory: 1Gi
+    requests:
+      cpu: 100m
+      memory: 200Mi
+tests:
+- as: security
+  cron: 0 0 * * 0,2,4
+  steps:
+    env:
+      PROJECT_NAME: openshift/jetstack-cert-manager
+      TARGET_REFERENCE: release-1.15
+    workflow: openshift-ci-security
+zz_generated_metadata:
+  branch: release-1.15
+  org: openshift
+  repo: jetstack-cert-manager

ci-operator/jobs/openshift/cert-manager-istio-csr/OWNERS

@@ -0,0 +1,15 @@
+# DO NOT EDIT; this file is auto-generated using https://github.com/openshift/ci-tools.
+# Fetched from https://github.com/openshift/cert-manager-istio-csr root OWNERS
+# If the repo had OWNERS_ALIASES then the aliases were expanded
+# Logins who are not members of 'openshift' organization were filtered out
+# See the OWNERS docs: https://git.k8s.io/community/contributors/guide/owners.md
+
+approvers:
+- deads2k
+- swghosh
+- trilokgeer
+options: {}
+reviewers:
+- deads2k
+- swghosh
+- trilokgeer

ci-operator/jobs/openshift/cert-manager-istio-csr/openshift-cert-manager-istio-csr-release-1.15-periodics.yaml

@@ -0,0 +1,54 @@
+periodics:
+- agent: kubernetes
+  cluster: build03
+  cron: 0 0 * * 0,2,4
+  decorate: true
+  decoration_config:
+    skip_cloning: true
+  extra_refs:
+  - base_ref: release-1.15
+    org: openshift
+    repo: cert-manager-istio-csr
+  labels:
+    ci.openshift.io/generator: prowgen
+    pj-rehearse.openshift.io/can-be-rehearsed: "true"
+  name: periodic-ci-openshift-cert-manager-istio-csr-release-1.15-security
+  spec:
+    containers:
+    - args:
+      - --gcs-upload-secret=/secrets/gcs/service-account.json
+      - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+      - --report-credentials-file=/etc/report/credentials
+      - --target=security
+      command:
+      - ci-operator
+      image: ci-operator:latest
+      imagePullPolicy: Always
+      name: ""
+      resources:
+        requests:
+          cpu: 10m
+      volumeMounts:
+      - mountPath: /secrets/gcs
+        name: gcs-credentials
+        readOnly: true
+      - mountPath: /secrets/manifest-tool
+        name: manifest-tool-local-pusher
+        readOnly: true
+      - mountPath: /etc/pull-secret
+        name: pull-secret
+        readOnly: true
+      - mountPath: /etc/report
+        name: result-aggregator
+        readOnly: true
+    serviceAccountName: ci-operator
+    volumes:
+    - name: manifest-tool-local-pusher
+      secret:
+        secretName: manifest-tool-local-pusher
+    - name: pull-secret
+      secret:
+        secretName: registry-pull-credentials
+    - name: result-aggregator
+      secret:
+        secretName: result-aggregator

ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.14-presubmits.yaml

@@ -238,6 +238,67 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^cert-manager-1\.14$
+    - ^cert-manager-1\.14-
+    cluster: build09
+    context: ci/prow/security
+    decorate: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cert-manager-operator-cert-manager-1.14-security
+    optional: true
+    rerun_command: /test security
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=security
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )security,?($|\s.*)
   - agent: kubernetes
     always_run: true
     branches:

ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.15-presubmits.yaml

@@ -298,6 +298,67 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )images,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^cert-manager-1\.15$
+    - ^cert-manager-1\.15-
+    cluster: build09
+    context: ci/prow/security
+    decorate: true
+    labels:
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cert-manager-operator-cert-manager-1.15-security
+    optional: true
+    rerun_command: /test security
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=security
+        command:
+        - ci-operator
+        image: ci-operator:latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )security,?($|\s.*)
   - agent: kubernetes
     always_run: true
     branches: