CNTRLPLANE-3652: Add TLS ownership for 5 unowned artifacts

[oceanc80]

Add ownership information for 5 TLS artifacts that were listed as missing owners in the TLS registry:

• ns/openshift-ingress secret/router-certs-default → Networking / router
• ns/openshift-ingress-operator secret/router-ca → Networking / router
• ns/kube-system configmap/extension-apiserver-authentication → kube-apiserver
• ns/openshift-config-managed configmap/default-ingress-cert → Networking / router
• ns/openshift-console configmap/default-ingress-cert → Networking / router

Updates ownership.json, ownership.md, all raw-data files, and empties the ownership-violations.json file.

Ref: CNTRLPLANE-3652

Summary by CodeRabbit

• Documentation

  • Populated missing ownership and description metadata for in-cluster CA bundles and certificate key pairs related to aggregated API server authentication and default ingress/router certs.
  • Updated TLS ownership/descriptions/test-case/refresh-period documentation tables to add the new Networking / router section, remove “Unknown Owner” entries, and refresh item counts.

• Bug Fixes

  • Removed outdated ownership-violation entries so the violations lists no longer report stale/unresolved ownership locations.

[openshift-merge-bot]

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

[openshift-ci-robot]

@oceanc80: This pull request references CNTRLPLANE-3652 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Add ownership information for 5 TLS artifacts that were listed as missing owners in the TLS registry:

• ns/openshift-ingress secret/router-certs-default → Networking / router
• ns/openshift-ingress-operator secret/router-ca → Networking / router
• ns/kube-system configmap/extension-apiserver-authentication → kube-apiserver
• ns/openshift-config-managed configmap/default-ingress-cert → Networking / router
• ns/openshift-console configmap/default-ingress-cert → Networking / router

Updates ownership.json, ownership.md, all raw-data files, and empties the ownership-violations.json file.

Ref: CNTRLPLANE-3652

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Walkthrough

TLS ownership metadata was populated for kube-apiserver and Networking / router artifacts across canonical JSON, raw snapshot JSON, and generated markdown inventories. Related ownership violations entries were removed.

Changes

TLS ownership metadata population

Layer / File(s)	Summary
Metadata JSON updates tls/ownership/ownership.json, tls/descriptions/descriptions.json, tls/refresh-period/refresh-period.json, tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json, tls/testcase/testcase.json	Populates owningJiraComponent and description for kube-apiserver and router-related CA bundle and cert key pair entries.
Inventory markdown updates tls/ownership/ownership.md, tls/descriptions/descriptions.md, tls/refresh-period/refresh-period.md, tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md, tls/testcase/testcase.md	Removes Unknown Owner sections, adds Networking / router sections, and renumbers kube-apiserver CA bundle listings in the generated inventories.
Raw TLS snapshot updates tls/raw-data/raw-tls-artifacts-*.json	Applies the same ownership and description metadata changes across the platform snapshot JSON files.
Violation list removal tls/violations/ownership/ownership-violations.json	Replaces the populated violation lists with null.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 15

✅ Passed checks (15 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: adding ownership for five previously unowned TLS artifacts.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	PR only changes TLS JSON/Markdown metadata; no Ginkgo specs or test titles were added/edited in the touched files.
Test Structure And Quality	✅ Passed	PR only updates TLS ownership JSON/Markdown; no Ginkgo test code or test files were changed, so the test-structure check is not applicable.
Microshift Test Compatibility	✅ Passed	PR only updates TLS JSON/Markdown metadata; no new Go/Ginkgo e2e tests were added, so MicroShift compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	PR only updates TLS ownership/data markdown/JSON files and empties violations; no new Ginkgo e2e tests or Go test code were added, so SNO compatibility isn’t applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates TLS ownership/description JSON and markdown; no deployment manifests, controllers, or scheduling logic were added or changed.
Ote Binary Stdout Contract	✅ Passed	PR only updates TLS registry JSON/Markdown and violations data; no process-level code or stdout writes were introduced.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	No Ginkgo/e2e test code was added; the diff only touches TLS ownership/metadata JSON and markdown files, with no Go files changed.
No-Weak-Crypto	✅ Passed	Scanned all touched TLS JSON/MD files; found no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, constant-time, or custom-crypto code.
Container-Privileges	✅ Passed	Changed files are TLS registry JSON/MD only; no K8s/container manifests or privilege fields were added.
No-Sensitive-Data-In-Logs	✅ Passed	Scanned the changed TLS registry/docs files; they only add ownership metadata and cert names, with no passwords, tokens, PII, or host/customer data exposed.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands.}

[openshift-ci]

@oceanc80: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/verify	9a99e04	link	true	/test verify

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[oceanc80]

/lgtm

[openshift-ci]

@oceanc80: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oceanc80
Once this PR has been reviewed and has the lgtm label, please assign deads2k for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS
• tls/violations/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@tls/ownership/ownership.md`:
- Around line 23-25: The table of contents links use manually written
title-cased anchor fragments that do not match the generated markdown heading
IDs, so update the TOC entries to use the actual lowercase slug format. Fix the
links for the relevant headings in ownership.md, including the entries
associated with Networking / router and kube-apiserver, and keep the fragment
text consistent with the rendered markdown anchors so the TOC resolves
correctly.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 28e46bfa-6e01-4e2b-89f3-66924722bb99

📥 Commits

Reviewing files that changed from the base of the PR and between 9a99e04 and a9a7155.

📒 Files selected for processing (24)

• tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json
• tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md
• tls/descriptions/descriptions.json
• tls/descriptions/descriptions.md
• tls/ownership/ownership.json
• tls/ownership/ownership.md
• tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json
• tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json
• tls/refresh-period/refresh-period.json
• tls/refresh-period/refresh-period.md
• tls/testcase/testcase.json
• tls/testcase/testcase.md
• tls/violations/ownership/ownership-violations.json

✅ Files skipped from review due to trivial changes (10)

• tls/ownership/ownership.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json
• tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json

🚧 Files skipped from review as they are similar to previous changes (4)

• tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json
• tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json
• tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json

[coderabbitai]

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Normalize the TOC anchor fragments.

These new links use title-cased fragments, but the rendered markdown slugs are lowercase/generated. The TOC entries for Networking / router and kube-apiserver will not resolve until the fragments match the actual heading IDs.

Also applies to: 40-42

🧰 Tools

🪛 markdownlint-cli2 (0.22.1)

[warning] 23-23: Link fragments should be valid

(MD051, link-fragments)

---

[warning] 24-24: Link fragments should be valid
Expected: #certificates-2; Actual: #Certificates-2

(MD051, link-fragments)

---

[warning] 25-25: Link fragments should be valid
Expected: #certificate-authority-bundles-2; Actual: #Certificate-Authority-Bundles-2

(MD051, link-fragments)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@tls/ownership/ownership.md` around lines 23 - 25, The table of contents links
use manually written title-cased anchor fragments that do not match the
generated markdown heading IDs, so update the TOC entries to use the actual
lowercase slug format. Fix the links for the relevant headings in ownership.md,
including the entries associated with Networking / router and kube-apiserver,
and keep the fragment text consistent with the rendered markdown anchors so the
TOC resolves correctly.

Source: Linters/SAST tools