Make FIPS presubmit tests optional on main branch #80489

Open
redhat-chai-bot wants to merge 1 commit into openshift:main from redhat-chai-bot:06131252-bot-changes

redhat-chai-bot (Contributor) commented Jun 13, 2026

With the RHCOS 10 migration, there is an outstanding FIPS bug that causes FIPS presubmit tests to fail on main. This PR marks all non-cron FIPS presubmit tests as optional: true in the ci-operator configs for the main branch to unblock PRs.

This affects 40 tests across 30 ci-operator config files (openshift, openshift-priv, backube orgs). Tests that already had optional: true or use cron scheduling are left unchanged.

A companion revert PR will be opened to restore these tests to required status once the FIPS bug is resolved.

Summary by CodeRabbit

This PR marks FIPS presubmit tests as optional across 30 CI configuration files spanning the openshift, openshift-priv, and backube organizations. Approximately 40 FIPS-related tests—primarily FIPS-focused e2e tests and FIPS image scan tests—are being updated to include optional: true in their test definitions.

Context: A FIPS regression was introduced during the RHCOS 10 migration, causing FIPS presubmit tests to fail on the main branch. This PR temporarily unblocks PRs from being gated by these failing tests while the underlying bug is resolved. The changes affect CI operator configurations for component repositories including Origin, CLI Manager, External Secrets Operator, Secrets Store CSI Driver, JobSet Operator, Kubernetes Workload Scheduling, and Lightspeed Service, among others.

Scope: Only non-cron FIPS tests are marked optional; tests already configured as optional or using cron scheduling are left unchanged. A companion revert PR will restore these tests to required status once the FIPS issue is fixed.

With the RHCOS 10 migration, there is an outstanding FIPS bug
that causes FIPS presubmit tests to fail on main. Mark all
non-cron FIPS presubmit tests as optional: true in the
ci-operator configs for main-branch to unblock PRs.

This affects 40 tests across 30 ci-operator config files
(openshift, openshift-priv, backube orgs). Tests that already
had optional: true or use cron scheduling are left unchanged.

coderabbitai Bot (Contributor) commented Jun 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 98526922-b540-45a0-907e-950f7e805ab8

📥 Commits

Reviewing files that changed from the base of the PR and between 6fa0aef and fb64b46.

⛔ Files ignored due to path filters (30)
  • ci-operator/jobs/backube/volsync/backube-volsync-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/cli-manager-operator/openshift-priv-cli-manager-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/cli-manager/openshift-priv-cli-manager-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/console-dashboards-plugin/openshift-priv-console-dashboards-plugin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/external-secrets-operator/openshift-priv-external-secrets-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/jobset-operator/openshift-priv-jobset-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/kubernetes-sigs-jobset/openshift-priv-kubernetes-sigs-jobset-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/kubernetes-sigs-lws/openshift-priv-kubernetes-sigs-lws-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/lws-operator/openshift-priv-lws-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/openshift-mcp-server/openshift-priv-openshift-mcp-server-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/origin/openshift-priv-origin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/secrets-store-csi-driver-operator/openshift-priv-secrets-store-csi-driver-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift-priv/secrets-store-csi-driver/openshift-priv-secrets-store-csi-driver-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cli-manager-operator/openshift-cli-manager-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cli-manager/openshift-cli-manager-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/console-dashboards-plugin/openshift-console-dashboards-plugin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/external-secrets-operator/openshift-external-secrets-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/jobset-operator/openshift-jobset-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/kubernetes-sigs-jobset/openshift-kubernetes-sigs-jobset-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/kubernetes-sigs-lws/openshift-kubernetes-sigs-lws-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/kueue-operator/openshift-kueue-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/lightspeed-operator/openshift-lightspeed-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/lightspeed-service/openshift-lightspeed-service-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/logging-view-plugin/openshift-logging-view-plugin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/lws-operator/openshift-lws-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/openshift-mcp-server/openshift-openshift-mcp-server-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/origin/openshift-origin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/secrets-store-csi-driver/openshift-secrets-store-csi-driver-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/troubleshooting-panel-console-plugin/openshift-troubleshooting-panel-console-plugin-main-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (30)
  • ci-operator/config/backube/volsync/backube-volsync-main.yaml
  • ci-operator/config/openshift-priv/cli-manager-operator/openshift-priv-cli-manager-operator-main.yaml
  • ci-operator/config/openshift-priv/cli-manager/openshift-priv-cli-manager-main.yaml
  • ci-operator/config/openshift-priv/console-dashboards-plugin/openshift-priv-console-dashboards-plugin-main.yaml
  • ci-operator/config/openshift-priv/external-secrets-operator/openshift-priv-external-secrets-operator-main.yaml
  • ci-operator/config/openshift-priv/jobset-operator/openshift-priv-jobset-operator-main.yaml
  • ci-operator/config/openshift-priv/kubernetes-sigs-jobset/openshift-priv-kubernetes-sigs-jobset-main.yaml
  • ci-operator/config/openshift-priv/kubernetes-sigs-lws/openshift-priv-kubernetes-sigs-lws-main.yaml
  • ci-operator/config/openshift-priv/lws-operator/openshift-priv-lws-operator-main.yaml
  • ci-operator/config/openshift-priv/openshift-mcp-server/openshift-priv-openshift-mcp-server-main.yaml
  • ci-operator/config/openshift-priv/origin/openshift-priv-origin-main.yaml
  • ci-operator/config/openshift-priv/secrets-store-csi-driver-operator/openshift-priv-secrets-store-csi-driver-operator-main.yaml
  • ci-operator/config/openshift-priv/secrets-store-csi-driver/openshift-priv-secrets-store-csi-driver-main.yaml
  • ci-operator/config/openshift/cli-manager-operator/openshift-cli-manager-operator-main.yaml
  • ci-operator/config/openshift/cli-manager/openshift-cli-manager-main.yaml
  • ci-operator/config/openshift/console-dashboards-plugin/openshift-console-dashboards-plugin-main.yaml
  • ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-main.yaml
  • ci-operator/config/openshift/jobset-operator/openshift-jobset-operator-main.yaml
  • ci-operator/config/openshift/kubernetes-sigs-jobset/openshift-kubernetes-sigs-jobset-main.yaml
  • ci-operator/config/openshift/kubernetes-sigs-lws/openshift-kubernetes-sigs-lws-main.yaml
  • ci-operator/config/openshift/kueue-operator/openshift-kueue-operator-main.yaml
  • ci-operator/config/openshift/lightspeed-operator/openshift-lightspeed-operator-main.yaml
  • ci-operator/config/openshift/lightspeed-service/openshift-lightspeed-service-main.yaml
  • ci-operator/config/openshift/logging-view-plugin/openshift-logging-view-plugin-main.yaml
  • ci-operator/config/openshift/lws-operator/openshift-lws-operator-main.yaml
  • ci-operator/config/openshift/openshift-mcp-server/openshift-openshift-mcp-server-main.yaml
  • ci-operator/config/openshift/origin/openshift-origin-main.yaml
  • ci-operator/config/openshift/secrets-store-csi-driver-operator/openshift-secrets-store-csi-driver-operator-main.yaml
  • ci-operator/config/openshift/secrets-store-csi-driver/openshift-secrets-store-csi-driver-main.yaml
  • ci-operator/config/openshift/troubleshooting-panel-console-plugin/openshift-troubleshooting-panel-console-plugin-main.yaml

Walkthrough

This PR marks 37 FIPS-related test entries as optional across CI operator configuration files in both the openshift and openshift-priv organizations, affecting job definitions for VolSync, CLI Manager, Console Dashboards Plugin, External Secrets Operator, JobSet Operator, and multiple other OpenShift projects.

Changes

Mark FIPS tests as optional in CI operator configurations

| Layer / File(s) | Summary |
|---|---|
| Mark FIPS tests optional across operator configs: ci-operator/config/backube/volsync/*, ci-operator/config/openshift-priv/*/..., ci-operator/config/openshift/*/... | Add optional: true flag to FIPS-related test entries (e2e-fips, e2e-aws-ovn-fips, fips-image-scan, operator-e2e-fips, operator-e2e-vault-fips, and variants) across 37 CI operator YAML files affecting VolSync, CLI Manager, Console Dashboards Plugin, External Secrets Operator, JobSet Operator, Kubernetes SIGs JobSet/LWS, LWS Operator, MCP Server, Origin, Secrets Store CSI Driver/Operator, Kueue Operator, Lightspeed Operator/Service, Logging View Plugin, and Troubleshooting Panel Console Plugin. Test logic, dependencies, and workflow definitions remain unchanged. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • openshift/release#80487: Both PRs demote FIPS-related CI jobs by adding optional: true to the fips-scan-type job/test entries (main PR in ci-operator YAMLs; retrieved PR in release-controller verify job JSON).

Suggested labels

lgtm, approved, rehearsals-ack, priority/ci-critical

Suggested reviewers

  • petr-muller
  • deads2k

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the primary change: marking FIPS presubmit tests as optional on the main branch to address blocking failures caused by an outstanding FIPS bug. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | PR #80489 changes only ci-operator YAML configs (no .go files), and searching the PR diff shows no Ginkgo It/Describe/Context test titles with dynamic values. |
| Test Structure And Quality | ✅ Passed | PR only updates ci-operator YAML config entries (adds optional: true); no Ginkgo test/Go code was modified, so the test-structure quality requirements aren’t applicable. |
| Microshift Test Compatibility | ✅ Passed | PR 80489 only changes ci-operator/config YAML to add optional: true for existing FIPS presubmit entries; no new Ginkgo e2e test code/APIs are introduced. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR #80489 only updates ci-operator YAML configs to add optional: true for existing FIPS presubmit jobs; it does not add/modify any Ginkgo e2e test code, so SNO compatibility is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR diff (GitHub files plain view) only adds optional: true to ci-operator test/presubmit entries; no affinity/topologySpread/replica/nodeSelector scheduling constraints are introduced. |
| Ote Binary Stdout Contract | ✅ Passed | PR modifies only YAML CI configuration files; adds optional: true flags to test definitions. No executable code or stdout-writing code is introduced or modified, making the OTE Binary Stdout Contra... |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR only updates ci-operator YAML to add optional: true to existing FIPS presubmit tests; it does not add any new Ginkgo e2e test code with IPv4/Internet assumptions. |
| No-Weak-Crypto | ✅ Passed | Scanned the 30 CI config YAMLs listed for this PR for md5/sha1/DES(weak modes)/RC4/3DES/Blowfish/ECB and constant-time comparison markers; none were found. |
| Container-Privileges | ✅ Passed | PR #80489 only adds optional: true to ci-operator YAML test entries; the PR files diff contains no privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, allowPrivilegeEscalation, or `... |
| No-Sensitive-Data-In-Logs | ✅ Passed | Git diff vs origin/main shows only added optional: true (and one trigger:) in ci-operator YAML; no added logging/script lines or sensitive-value patterns (token/password/keys) detected. |


openshift-ci Bot requested review from ardaguclu and atiratree June 13, 2026 13:32

openshift-ci Bot (Contributor) commented Jun 13, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: redhat-chai-bot
Once this PR has been reviewed and has the lgtm label, please assign ardaguclu, blublinsky, cpmeadors, jnpacker, matzew, peteryurkovich, trilokgeer for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot (Contributor)

[REHEARSALNOTIFIER]
@redhat-chai-bot: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| pull-ci-openshift-kubernetes-sigs-jobset-main-fips-image-scan-kubernetes-sigs-jobset | openshift/kubernetes-sigs-jobset | presubmit | Ci-operator config changed |
| pull-ci-openshift-logging-view-plugin-main-fips-image-scan | openshift/logging-view-plugin | presubmit | Ci-operator config changed |
| pull-ci-openshift-secrets-store-csi-driver-main-e2e-vault-fips | openshift/secrets-store-csi-driver | presubmit | Ci-operator config changed |
| pull-ci-openshift-secrets-store-csi-driver-main-fips-image-scan-driver | openshift/secrets-store-csi-driver | presubmit | Ci-operator config changed |
| pull-ci-openshift-origin-main-e2e-aws-ovn-fips | openshift/origin | presubmit | Ci-operator config changed |
| pull-ci-openshift-console-dashboards-plugin-main-fips-image-scan | openshift/console-dashboards-plugin | presubmit | Ci-operator config changed |
| pull-ci-openshift-lightspeed-operator-main-fips-image-scan-operator | openshift/lightspeed-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-lightspeed-service-main-fips-image-scan-service | openshift/lightspeed-service | presubmit | Ci-operator config changed |
| pull-ci-openshift-kubernetes-sigs-lws-main-fips-image-scan-kubernetes-sigs-lws | openshift/kubernetes-sigs-lws | presubmit | Ci-operator config changed |
| pull-ci-openshift-cli-manager-operator-main-fips-image-scan-cli-manager | openshift/cli-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-secrets-store-csi-driver-operator-main-fips-image-scan-mustgather | openshift/secrets-store-csi-driver-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-secrets-store-csi-driver-operator-main-fips-image-scan-operator | openshift/secrets-store-csi-driver-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-fips | openshift/secrets-store-csi-driver-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-secrets-store-csi-driver-operator-main-operator-e2e-vault-fips | openshift/secrets-store-csi-driver-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-external-secrets-operator-main-fips-image-scan-external-secrets | openshift/external-secrets-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-external-secrets-operator-main-fips-image-scan-operator | openshift/external-secrets-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-troubleshooting-panel-console-plugin-main-fips-image-scan | openshift/troubleshooting-panel-console-plugin | presubmit | Ci-operator config changed |
| pull-ci-openshift-jobset-operator-main-fips-image-scan-jobset-operator | openshift/jobset-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cli-manager-main-fips-image-scan-cli-manager | openshift/cli-manager | presubmit | Ci-operator config changed |
| pull-ci-openshift-lws-operator-main-fips-image-scan-lws-operator | openshift/lws-operator | presubmit | Ci-operator config changed |
| pull-ci-backube-volsync-main-e2e-openshift-fips | backube/volsync | presubmit | Ci-operator config changed |
| pull-ci-openshift-openshift-mcp-server-main-fips-image-scan-openshift-mcp-server | openshift/openshift-mcp-server | presubmit | Ci-operator config changed |
| pull-ci-openshift-kueue-operator-main-fips-image-scan-kueue-operator | openshift/kueue-operator | presubmit | Ci-operator config changed |

Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

openshift-ci Bot (Contributor) commented Jun 13, 2026

@redhat-chai-bot: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
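
The PR description's selection rule (non-cron FIPS presubmits become `optional: true`; cron jobs and already-optional tests are left alone) can be audited so that the tests to restore are known when the revert lands. The following is an added example, not code from this PR or from the openshift/release tooling; the sample config is constructed, and matching FIPS tests by a `fips` substring in the `as` name is an assumption.

```python
import re

# Constructed sample in the ci-operator config layout; not a file from this PR.
SAMPLE_CONFIG = """\
tests:
- as: unit
  commands: make test
  container:
    from: src
- always_run: false
  as: operator-e2e-fips
  optional: true
  steps:
    workflow: example-e2e
- as: fips-image-scan
  steps:
    test:
    - as: scan
      commands: ./scan.sh
- as: e2e-fips-nightly
  cron: 0 4 * * *
  steps:
    workflow: example-e2e
zz_generated_metadata:
  branch: main
"""

ITEM = re.compile(r"^(\s*)- ([A-Za-z_]+):\s*(.*)$")
KEY = re.compile(r"^(\s*)([A-Za-z_]+):\s*(.*)$")

def parse_tests(text):
    """Collect the direct keys of every entry in the top-level tests: list."""
    tests, current, in_tests, list_indent = [], None, False, None
    for line in text.splitlines():
        if not in_tests:
            in_tests = line.rstrip() == "tests:"
            continue
        item = ITEM.match(line)
        if item and list_indent in (None, len(item.group(1))):
            list_indent = len(item.group(1))
            current = {item.group(2): item.group(3).strip()}
            tests.append(current)
            continue
        if line and not line[0].isspace():
            break  # next top-level key: the tests list is over
        key = KEY.match(line)
        if key and current is not None and len(key.group(1)) == list_indent + 2:
            current[key.group(2)] = key.group(3).strip()
    return tests

def classify(test):
    """Assumption: a FIPS test is one whose name contains 'fips'."""
    if "fips" not in test.get("as", "").lower():
        return "not-fips"
    if "cron" in test:
        return "periodic"   # scheduled job, not a presubmit
    if test.get("optional", "").lower() == "true":
        return "optional"   # still runs, but no longer gates merges
    return "required"

def audit(text):
    """Map each class to the test names in it, in file order."""
    report = {}
    for test in parse_tests(text):
        report.setdefault(classify(test), []).append(test.get("as", "?"))
    return report

if __name__ == "__main__":
    for status, names in sorted(audit(SAMPLE_CONFIG).items()):
        print(f"{status:9} {', '.join(names)}")
```

Nested step entries (`- as: scan` under `steps.test`) are ignored because only list items at the indentation of the first `tests:` entry count as tests.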
