[o/external-secrets-operator] ESO-399: Updates configs for new releases of ESO and CM #80905

Open
bharath-b-rh wants to merge 1 commit into openshift:main from bharath-b-rh:eso-399
bharath-b-rh commented Jun 23, 2026

The PR has the below changes:

  • Adds new prow configs for cert-manager-1.20 and release-1.2 branches.
  • Adds both branches to the write-protected list.
  • Updates the base image versions and cluster versions in the configs.

Summary by CodeRabbit

This PR adds CI infrastructure support for new branches across two projects (cert-manager-operator and external-secrets-operator) and updates cluster/image versions in their existing pipelines.

New branch support:

  • Creates CI operator configuration for cert-manager-operator on the cert-manager-1.20 branch, establishing the full build and test pipeline for this release (E2E tests across AWS/GCP/Azure, FIPS scanning, verification and unit tests)
  • Creates CI operator configuration for external-secrets-operator on the release-1.2 branch with similar pipeline structure
  • Adds both new branches to the write-protected list in Prow configuration to prevent unprotected pushes

Version updates:

  • Updates cert-manager-operator master branch pipeline to reference OpenShift 4.22 (previously 4.20/4.19) in base images and release metadata
  • Updates external-secrets-operator main branch to use OpenShift 4.22 (previously 4.21) and modifies E2E test filters to include both AWS and Generic test subsets (while excluding Proxy-related tests and TechPreview variants)

The changes establish proper CI/CD scaffolding for the new release branches while keeping the main development branches current with the latest OpenShift cluster versions.

Signed-off-by: Bharath B <bhb@redhat.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jun 23, 2026
openshift-ci-robot commented Jun 23, 2026

@bharath-b-rh: This pull request references ESO-399 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the epic to target the "5.0.0" version, but no target version was set.


coderabbitai Bot commented Jun 23, 2026

Walkthrough

Adds new CI operator configurations for cert-manager-operator branch cert-manager-1.20 and external-secrets-operator branch release-1.2, each defining images, bundles, test jobs, and E2E variants targeting OCP 4.22. Updates Prow branch protection for both new branches and bumps OCP release versions from 4.20/4.21 to 4.22 on the existing master/main configs.

Changes

cert-manager-operator: new 1.20 branch CI and master version bump

| Layer / File(s) | Summary |
|---|---|
| cert-manager-1.20 CI config and branch protection: `ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.20.yaml`, `core-services/prow/02_config/openshift/cert-manager-operator/_prowconfig.yaml` | New CI config defining base images, image builds, operator bundle with pullspec substitutions, OCP 4.22 nightly release candidate, resource defaults, verify/unit/FIPS jobs, and a full E2E matrix across AWS/GCP/Azure (tech preview, STS, workload-identity, OVN variants). Branch protection enabled for cert-manager-1.20. |
| master config: version bump 4.20 → 4.22: `ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml` | base_images.base-rhel9.name and two releases.latest.candidate.version fields updated from 4.20 to 4.22. |

external-secrets-operator: new release-1.2 branch CI and main version/filter updates

| Layer / File(s) | Summary |
|---|---|
| release-1.2 CI config and branch protection: `ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-release-1.2.yaml`, `core-services/prow/02_config/openshift/external-secrets-operator/_prowconfig.yaml` | New CI config defining base images, operator and operand image builds, operator bundle with pullspec substitutions, OCP 4.22 nightly multi-arch release, resource defaults, verify/unit/FIPS jobs, and an AWS-based E2E job with bundle install steps and make test-e2e using a Ginkgo label filter. Branch protection enabled for release-1.2. |
| main config: version bump 4.21 → 4.22 and E2E filter expansion: `ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-main.yaml` | base_images.base-rhel9.name and three releases.latest.candidate.version fields bumped from 4.21 to 4.22. Both E2E_GINKGO_LABEL_FILTER occurrences expanded from AWS-only to {AWS, Generic} with added exclusion of the Proxy feature. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

lgtm, approved, rehearsals-ack

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main changes: configuration updates for external-secrets-operator and cert-manager to support new releases (ESO-399). |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | The PR modifies only YAML CI configuration files with no Ginkgo test definitions. The check for stable/deterministic test names is not applicable to this PR. |
| Test Structure And Quality | ✅ Passed | This PR contains only YAML configuration files for CI systems, not Ginkgo test code. The custom check is not applicable to configuration-only changes. |
| Microshift Test Compatibility | ✅ Passed | PR contains only CI configuration (YAML) and prow configuration changes; no Ginkgo e2e test code (It(), Describe(), etc.) is added, so MicroShift test compatibility check is not applicable. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | PR contains only YAML CI configuration files; no Ginkgo e2e tests (It, Describe, etc.) are added. Check is not applicable. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | PR contains only CI/CD configuration files (ci-operator configs, prow configs) and branch protection settings—not deployment manifests, operator code, or controllers. No scheduling constraints are... |
| Ote Binary Stdout Contract | ✅ Passed | PR contains only YAML/JSON CI configuration files and documentation; no executable test code or OTE binary code that could violate the stdout contract. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | PR contains only CI/prow configuration changes (YAML files), not new Ginkgo test code. Custom check applies only to new test implementations, not test orchestration configuration. |
| No-Weak-Crypto | ✅ Passed | PR contains only YAML CI/CD configuration files with no cryptographic implementations, weak crypto usage (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto code, or insecure secret comparisons. |
| Container-Privileges | ✅ Passed | No privileged container configurations found. All operator bundle installations use --security-context-config=restricted, preventing privilege escalation, privileged containers, and host access. |
| No-Sensitive-Data-In-Logs | ✅ Passed | No sensitive data (passwords, tokens, API keys, PII, session IDs, hostnames, customer data) found in logging or configuration. All credential references are to CI system-managed secrets, not expose... |

openshift-ci Bot commented Jun 23, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bharath-b-rh

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 23, 2026
@openshift-ci openshift-ci Bot requested review from mytreya-rh and swghosh June 23, 2026 11:14
@bharath-b-rh

/pj-rehearse auto-ack

@openshift-merge-bot

@bharath-b-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

[REHEARSALNOTIFIER]
@bharath-b-rh: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

| Test name | Repo | Type | Reason |
|---|---|---|---|
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-ci-bundle-cert-manager-operator-bundle | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-aws-proxy | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-aws-sts | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-aws-upi-proxy | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-azure-ovn | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-azure-workload-identity | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-gcp-ovn | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-gcp-workload-identity | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-e2e-operator-tech-preview | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-fips-image-scan-cert-manager | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-fips-image-scan-istio-csr | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-fips-image-scan-operator | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-fips-image-scan-trust-manager | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-images | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-unit | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-cert-manager-1.20-verify | openshift/cert-manager-operator | presubmit | Presubmit changed |
| pull-ci-openshift-cert-manager-operator-master-ci-bundle-cert-manager-operator-bundle | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-proxy | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-sts | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator-aws-upi-proxy | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator-azure-ovn | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator-azure-workload-identity | openshift/cert-manager-operator | presubmit | Ci-operator config changed |
| pull-ci-openshift-cert-manager-operator-master-e2e-operator-gcp-ovn | openshift/cert-manager-operator | presubmit | Ci-operator config changed |

A total of 48 jobs have been affected by this change. The above listing is non-exhaustive and limited to 25 jobs.

A full list of affected jobs can be found here
Prior to this PR being merged, you will need to either run and acknowledge or opt to skip these rehearsals.

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-release-1.2.yaml`:
- Line 74: In the skip_if_only_changed regex pattern, escape all literal dots
that should match file extensions or names precisely. The unescaped dots in
`.dockerignore`, `.golangci.yml`, `.gitignore`, and `.md` are currently being
interpreted as regex wildcards matching any character, which can cause
unintended file matches. Add a backslash before each literal dot (e.g.,
`\.dockerignore` instead of `.dockerignore`, `\.golangci\.yml` instead of
`.golangci.yml`, etc.) to ensure only exact filenames are matched and
skip_if_only_changed behaves as intended.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: d87161bb-53c8-456a-b4c1-5a09e950fdf8

📥 Commits

Reviewing files that changed from the base of the PR and between 95f4479 and 7158760.

⛔ Files ignored due to path filters (5)
  • ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.20-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/cert-manager-operator/openshift-cert-manager-operator-master-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/external-secrets-operator/openshift-external-secrets-operator-main-postsubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/external-secrets-operator/openshift-external-secrets-operator-main-presubmits.yaml is excluded by !ci-operator/jobs/**
  • ci-operator/jobs/openshift/external-secrets-operator/openshift-external-secrets-operator-release-1.2-presubmits.yaml is excluded by !ci-operator/jobs/**
📒 Files selected for processing (6)
  • ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-cert-manager-1.20.yaml
  • ci-operator/config/openshift/cert-manager-operator/openshift-cert-manager-operator-master.yaml
  • ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-main.yaml
  • ci-operator/config/openshift/external-secrets-operator/openshift-external-secrets-operator-release-1.2.yaml
  • core-services/prow/02_config/openshift/cert-manager-operator/_prowconfig.yaml
  • core-services/prow/02_config/openshift/external-secrets-operator/_prowconfig.yaml
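
The unescaped-dot finding in the review comment above, as an added Go example that is not part of the review or of the PR. Both patterns and all paths are constructed for illustration (the PR's actual regex is not shown on this page), and `shouldSkip` assumes the job is skipped when every changed path matches the pattern in an unanchored search.

```go
package main

import (
	"fmt"
	"regexp"
)

// Constructed patterns for illustration only; the PR's real regex is not
// shown on this page. They differ solely in whether literal dots are escaped.
const (
	unescaped = `^docs/|.md$|^(?:.*/)?(?:.gitignore|.dockerignore|.golangci.yml|OWNERS)$`
	escaped   = `^docs/|\.md$|^(?:.*/)?(?:\.gitignore|\.dockerignore|\.golangci\.yml|OWNERS)$`
)

// Constructed changed-file paths.
var samplePaths = []string{
	"README.md",
	"docs/design.txt",
	".gitignore",
	"hack/release-cmd",            // ends in "cmd": any char followed by "md"
	"test/.golangci-yml",          // "-" stands in for the second dot
	"pkg/controller/reconcile.go", // source file, should never be skippable
}

// shouldSkip models the assumed skip_if_only_changed semantics: the job is
// skipped only when every changed path matches the pattern.
func shouldSkip(pattern string, changed []string) bool {
	if len(changed) == 0 {
		return false
	}
	re := regexp.MustCompile(pattern)
	for _, p := range changed {
		if !re.MatchString(p) {
			return false
		}
	}
	return true
}

// overMatches returns the paths the loose pattern accepts but the strict
// pattern rejects, i.e. files that would wrongly count as "skip-only".
func overMatches(loose, strict string, paths []string) []string {
	l, s := regexp.MustCompile(loose), regexp.MustCompile(strict)
	var out []string
	for _, p := range paths {
		if l.MatchString(p) && !s.MatchString(p) {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	fmt.Println("matched only by the unescaped pattern:",
		overMatches(unescaped, escaped, samplePaths))

	// A change touching a doc and an executable script.
	change := []string{"README.md", "hack/release-cmd"}
	fmt.Println("skip with unescaped dots:", shouldSkip(unescaped, change))
	fmt.Println("skip with escaped dots:  ", shouldSkip(escaped, change))
}
```

With the unescaped pattern, a change that edits a script alongside a README is treated as documentation-only, so the presubmit would not run against it.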

@bharath-b-rh

/pj-rehearse pull-ci-openshift-external-secrets-operator-release-1.2-e2e-operator
/pj-rehearse pull-ci-openshift-external-secrets-operator-main-e2e-operator

@openshift-merge-bot

@bharath-b-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@bharath-b-rh

/pj-rehearse pull-ci-openshift-external-secrets-operator-main-publish-e2e-coverage

@openshift-merge-bot

@bharath-b-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

@bharath-b-rh: requesting more than one rehearsal in one comment is not supported. If you would like to rehearse multiple specific jobs, please separate the job names by a space in a single command.

@bharath-b-rh

/pj-rehearse pull-ci-openshift-external-secrets-operator-main-e2e-operator

@openshift-merge-bot

@bharath-b-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot

@bharath-b-rh: job(s): pull-ci-openshift-external-secrets-operator-main-publish-e2e-coverage either don't exist or were not found to be affected, and cannot be rehearsed

@bharath-b-rh

/pj-rehearse pull-ci-openshift-external-secrets-operator-main-e2e-operator pull-ci-openshift-external-secrets-operator-release-1.2-e2e-operator

@openshift-merge-bot

@bharath-b-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

openshift-ci Bot commented Jun 23, 2026

@bharath-b-rh: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/rehearse/openshift/external-secrets-operator/release-1.2/e2e-operator | 7158760 | link | unknown | /pj-rehearse pull-ci-openshift-external-secrets-operator-release-1.2-e2e-operator |
| ci/rehearse/openshift/external-secrets-operator/main/e2e-operator | 7158760 | link | unknown | /pj-rehearse pull-ci-openshift-external-secrets-operator-main-e2e-operator |

@bharath-b-rh

Both pull-ci-openshift-external-secrets-operator-main-e2e-operator and pull-ci-openshift-external-secrets-operator-release-1.2-e2e-operator jobs are failing due to the label filtering issue which needs a change in parent repository and hence ignoring the failure here.

@bharath-b-rh

/pj-rehearse ack

@openshift-merge-bot

@bharath-b-rh: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

@openshift-merge-bot openshift-merge-bot Bot added the rehearsals-ack Signifies that rehearsal jobs have been acknowledged label Jun 23, 2026