OTA-1764: CVO: Add an Optional TLS Scanner Presubmit Job (#76044)

* cvo: Add optional tls scanner presubmit job

A failing test of the tls-scanner-run step [1] does not
fail the whole job [2]. At least, as of the moment.
Thus, make the job optional. An always passing job has no significant value.

Thus, the job is intended to be used to verify TLS changes explicitly.
We'll depend on existing periodic testing and fix things
when a regression is reported, if not caught during merging.

Use an AWS cluster profile in combination with stronger compute nodes
to handle the tls-scanner-run step. The default node type fails to
schedule the needed pods by the step. The node type was chosen
based on other tls-scanner jobs in the openshift/release repository.

[1]: https://steps.ci.openshift.org/reference/tls-scanner-run
[2]: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/76044/rehearse-76044-pull-ci-openshift-cluster-version-operator-main-tls-scanner/2031796334276644864

* Run `make jobs`

Author: DavidHurta

ci-operator/config/openshift/cluster-version-operator/openshift-cluster-version-operator-main.yaml

@@ -196,6 +196,17 @@ tests:
   container:
     from: src
   skip_if_only_changed: ^docs/|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|PROJECT|LICENSE)$
+- always_run: false
+  as: tls-scanner
+  optional: true
+  steps:
+    cluster_profile: aws-5
+    env:
+      COMPUTE_NODE_TYPE: m5.2xlarge
+      SCAN_NAMESPACE: openshift-cluster-version
+    test:
+    - ref: tls-scanner-run
+    workflow: ipi-aws
 zz_generated_metadata:
   branch: main
   org: openshift

ci-operator/jobs/openshift/cluster-version-operator/openshift-cluster-version-operator-main-presubmits.yaml

@@ -1535,6 +1535,87 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )okd-scos-images,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build11
+    context: ci/prow/tls-scanner
+    decorate: true
+    labels:
+      ci-operator.openshift.io/cloud: aws
+      ci-operator.openshift.io/cloud-cluster-profile: aws-5
+      ci.openshift.io/generator: prowgen
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-cluster-version-operator-main-tls-scanner
+    optional: true
+    rerun_command: /test tls-scanner
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=tls-scanner
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )tls-scanner,?($|\s.*)
   - agent: kubernetes
     always_run: false
     branches: