From a0f508efbbd952416fae09c058f05134c9365946 Mon Sep 17 00:00:00 2001
From: Anand Kumar <anankuma@anankuma-thinkpadp1gen7.bengluru.csb>
Date: Thu, 18 Jun 2026 23:35:58 +0530
Subject: [PATCH 1/6] feat: Add CI builds for ocp-secrets-management-console
 images and bundle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Enable automatic image builds in OpenShift CI for the secrets management
console plugin project, including plugin image, operator image, and
OLM bundle with image substitution.

## Changes

Updated: ci-operator/config/openshift/ocp-secrets-management-console/
         openshift-ocp-secrets-management-console-main.yaml

### Added Image Builds

1. **Plugin Image** (ocp-secrets-management)
   - Dockerfile: Dockerfile (root)
   - Type: Frontend React application
   - Build: Uses node22 build root

2. **Operator Image** (ocp-secrets-management-operator)
   - Dockerfile: operator/images/ci/Dockerfile
   - Type: Go operator binary
   - Base: base-rhel9

### Added Bundle Build with Image Substitution

operator.bundles:
  - as: ocp-secrets-management-operator-bundle
    dockerfile_path: operator/bundle.Dockerfile
    skip_building_index: true

operator.substitutions:
  # Replaces operator image reference in CSV
  - pullspec: openshift.io/ocp-secrets-management-operator:.*
    with: pipeline:ocp-secrets-management-operator

  # Replaces plugin image reference in CSV
  - pullspec: openshift.io/ocp-secrets-management:.*
    with: pipeline:ocp-secrets-management

**Why substitution matters:**
- Bundle CSV contains image references (operator + plugin)
- CI builds fresh images for every PR
- Substitution replaces static refs with CI-built images
- Ensures bundle uses the exact images built in this CI run
- Critical for E2E testing and production deployment

### Added Tests

1. **Unit Tests**
   - Plugin: yarn test
   - Operator: make test

2. **Verify Tests**
   - yarn lint

3. **FIPS Image Scans** (security compliance)
   - Scans plugin image
   - Scans operator image

4. **E2E Tests** (deploy via OLM on real cluster)
   - Claims temporary AWS cluster (4.21)
   - Installs operator via operator-sdk run bundle
   - Creates SecretsManagementConfig CR
   - Verifies plugin deployment
   - Verifies ConsolePlugin resource

### Added Configuration

- base_images: Added base-rhel9, operator-sdk
- binary_build_commands: cd operator && make build
- releases: Added latest 4.21 candidate
- resources: 4Gi memory limit (for webpack build)

## Build Flow in CI

```
PR Opened
  ↓
CI reads config
  ↓
Build images (parallel):
  ├─> Plugin image (Dockerfile)
  └─> Operator image (operator/images/ci/Dockerfile)
  ↓
Build bundle:
  ├─> Reads operator/bundle.Dockerfile
  ├─> Substitutes image references in CSV:
  │   - openshift.io/ocp-secrets-management:.*
  │     → pipeline:ocp-secrets-management
  │   - openshift.io/ocp-secrets-management-operator:.*
  │     → pipeline:ocp-secrets-management-operator
  └─> Creates bundle image (FROM scratch)
  ↓
Run tests (parallel):
  ├─> Unit (plugin)
  ├─> Unit (operator)
  ├─> Verify (lint)
  ├─> FIPS scan (plugin)
  ├─> FIPS scan (operator)
  └─> E2E (deploy via OLM, verify)
  ↓
All tests pass ✓
  → PR can merge
```

## Pattern Consistency

This configuration follows the same pattern as:
- cert-manager-operator
- external-secrets-operator
- other OpenShift console plugins

Key patterns:
- Multi-stage Dockerfiles (builder → runtime)
- Image substitution in bundles
- FIPS compliance scanning
- E2E testing via OLM deployment
- operator-sdk for bundle deployment

## Testing

E2E test workflow:
1. Claims temporary cluster
2. Deploys operator via: operator-sdk run bundle
3. Bundle contains substituted images (CI-built)
4. Creates SecretsManagementConfig CR
5. Verifies plugin deploys with correct image
6. Verifies ConsolePlugin resource created
7. Releases cluster

## Impact

After merge:
- Every PR will build all images
- Every PR will run E2E tests on real cluster
- Every PR will be FIPS-scanned
- Post-merge builds can push to production registry
- Enables production deployment via OperatorHub

## Related

Plugin project PR: feat(ci): Add operator CI Dockerfile
- Creates: operator/images/ci/Dockerfile
- Required by this CI configuration

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 ...t-ocp-secrets-management-console-main.yaml | 94 ++++++++++++++++++-
 1 file changed, 92 insertions(+), 2 deletions(-)

diff --git a/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml b/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
index a3bf29506d874..dd0174ea0b747 100644
--- a/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
+++ b/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
@@ -1,8 +1,17 @@
 base_images:
+  base-rhel9:
+    name: "4.21"
+    namespace: ocp
+    tag: base-rhel9
   golang:
     name: builder
     namespace: ocp
-    tag: rhel-9-golang-1.23-openshift-4.19
+    tag: rhel-9-golang-1.23-openshift-4.21
+  operator-sdk:
+    name: "4.21"
+    namespace: origin
+    tag: operator-sdk
+binary_build_commands: cd operator && make build
 build_root:
   image_stream_tag:
     name: console-plugin-test-cypress
@@ -10,8 +19,32 @@ build_root:
     tag: node22
 images:
   items:
+  # Plugin image (frontend React app)
   - dockerfile_path: Dockerfile
-    to: ocp-secrets-management-console
+    to: ocp-secrets-management
+  # Operator image (Go operator)
+  - dockerfile_path: operator/images/ci/Dockerfile
+    from: base-rhel9
+    to: ocp-secrets-management-operator
+operator:
+  bundles:
+  - as: ocp-secrets-management-operator-bundle
+    dockerfile_path: operator/bundle.Dockerfile
+    skip_building_index: true
+  substitutions:
+  # Substitute operator image in bundle CSV
+  - pullspec: openshift.io/ocp-secrets-management-operator:.*
+    with: pipeline:ocp-secrets-management-operator
+  # Substitute plugin image in bundle CSV
+  - pullspec: openshift.io/ocp-secrets-management:.*
+    with: pipeline:ocp-secrets-management
+releases:
+  latest:
+    candidate:
+      architecture: multi
+      product: ocp
+      stream: nightly
+      version: "4.21"
 resources:
   '*':
     limits:
@@ -30,6 +63,63 @@ tests:
     unset GOFLAGS && cd operator && make test
   container:
     from: golang
+- as: verify
+  commands: |
+    yarn install && LANG=en_US.UTF-8 yarn lint
+  container:
+    from: src
+- as: fips-image-scan-plugin
+  steps:
+    dependencies:
+      SCAN_IMAGE: ocp-secrets-management
+    test:
+    - ref: fips-check-image-scan
+- as: fips-image-scan-operator
+  steps:
+    dependencies:
+      SCAN_IMAGE: ocp-secrets-management-operator
+    test:
+    - ref: fips-check-image-scan
+- as: e2e-operator
+  cluster_claim:
+    architecture: amd64
+    cloud: aws
+    owner: openshift-ci
+    product: ocp
+    timeout: 2h0m0s
+    version: "4.21"
+  skip_if_only_changed: ^(docs/|scripts/)|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$
+  steps:
+    test:
+    - as: install
+      cli: latest
+      commands: |
+        oc create namespace openshift-secrets-management
+        operator-sdk run bundle --timeout=10m --security-context-config=restricted --install-mode=AllNamespaces -n openshift-secrets-management "$OO_BUNDLE" --verbose
+        oc wait --for condition=Available -n openshift-secrets-management deployment secrets-management-operator
+      dependencies:
+      - env: OO_BUNDLE
+        name: ocp-secrets-management-operator-bundle
+      from: operator-sdk
+      resources:
+        requests:
+          cpu: 100m
+    - as: test
+      cli: latest
+      commands: |
+        # Create SecretsManagementConfig CR
+        oc apply -f operator/config/samples/secrets-management_v1alpha1_secretsmanagementconfig.yaml
+        # Wait for plugin deployment
+        oc wait --for condition=Available -n openshift-secrets-management deployment ocp-secrets-management-plugin --timeout=5m
+        # Verify plugin pods are running
+        oc get pods -n openshift-secrets-management -l app.kubernetes.io/name=ocp-secrets-management
+        # Verify ConsolePlugin resource exists
+        oc get consoleplugin ocp-secrets-management
+      from: src
+      resources:
+        requests:
+          cpu: 100m
+    workflow: generic-claim
 zz_generated_metadata:
   branch: main
   org: openshift

From 321ccae9cfad0d3b0b6625f8c1d351f1309dbc8a Mon Sep 17 00:00:00 2001
From: Anand Kumar <anankuma@anankuma-thinkpadp1gen7.bengluru.csb>
Date: Fri, 19 Jun 2026 15:03:09 +0530
Subject: [PATCH 2/6] fix: Add timeout to operator deployment wait command

Add --timeout=10m flag to oc wait command for secrets-management-operator
deployment to prevent indefinite hanging if deployment never becomes
available. This matches the timeout used in the operator-sdk run bundle
command and ensures fast failure with clear error message.
---
 .../openshift-ocp-secrets-management-console-main.yaml          | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml b/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
index dd0174ea0b747..fcf8d8cedc24f 100644
--- a/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
+++ b/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
@@ -96,7 +96,7 @@ tests:
       commands: |
         oc create namespace openshift-secrets-management
         operator-sdk run bundle --timeout=10m --security-context-config=restricted --install-mode=AllNamespaces -n openshift-secrets-management "$OO_BUNDLE" --verbose
-        oc wait --for condition=Available -n openshift-secrets-management deployment secrets-management-operator
+        oc wait --for condition=Available -n openshift-secrets-management deployment secrets-management-operator --timeout=10m
       dependencies:
       - env: OO_BUNDLE
         name: ocp-secrets-management-operator-bundle

From 9b0694c68a9523f72ec1ee0c2aea20b03ef83a65 Mon Sep 17 00:00:00 2001
From: Anand Kumar <anankuma@anankuma-thinkpadp1gen7.bengluru.csb>
Date: Fri, 19 Jun 2026 16:46:23 +0530
Subject: [PATCH 3/6] chore: Generate Prow job configurations for
 ocp-secrets-management-console

Auto-generated Prow job configurations from CI operator config using
'make jobs'. This includes presubmit jobs for:
- Bundle build (ci-bundle-ocp-secrets-management-operator-bundle)
- E2E operator test (e2e-operator)
- FIPS image scans (fips-image-scan-plugin, fips-image-scan-operator)
- Unit tests (unit, operator-unit)
- Linting (verify)
- Image builds (images)

Generated by: prowgen
Based on: ci-operator/config/openshift/ocp-secrets-management-console/
          openshift-ocp-secrets-management-console-main.yaml
---
 ...ts-management-console-main-presubmits.yaml | 387 ++++++++++++++++++
 1 file changed, 387 insertions(+)

diff --git a/ci-operator/jobs/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main-presubmits.yaml b/ci-operator/jobs/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main-presubmits.yaml
index 000af194c3acf..313e5d82dd609 100644
--- a/ci-operator/jobs/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main-presubmits.yaml
+++ b/ci-operator/jobs/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main-presubmits.yaml
@@ -1,5 +1,320 @@
 presubmits:
   openshift/ocp-secrets-management-console:
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build13
+    context: ci/prow/ci-bundle-ocp-secrets-management-operator-bundle
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - Dockerfile
+      - operator/images/ci/Dockerfile
+    labels:
+      ci.openshift.io/generator: prowgen
+      job-release: "4.21"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-ocp-secrets-management-console-main-ci-bundle-ocp-secrets-management-operator-bundle
+    rerun_command: /test ci-bundle-ocp-secrets-management-operator-bundle
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=ocp-secrets-management-operator-bundle
+        command:
+        - ci-operator
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )ci-bundle-ocp-secrets-management-operator-bundle,?($|\s.*)
+  - agent: kubernetes
+    always_run: false
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build13
+    context: ci/prow/e2e-operator
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - Dockerfile
+      - operator/images/ci/Dockerfile
+    labels:
+      ci.openshift.io/generator: prowgen
+      job-release: "4.21"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-ocp-secrets-management-console-main-e2e-operator
+    rerun_command: /test e2e-operator
+    skip_if_only_changed: ^(docs/|scripts/)|\.md$|^(?:.*/)?(?:\.gitignore|OWNERS|LICENSE)$
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --hive-kubeconfig=/secrets/hive-hive-credentials/kubeconfig
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=e2e-operator
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/hive-hive-credentials
+          name: hive-hive-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: hive-hive-credentials
+        secret:
+          secretName: hive-hive-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )e2e-operator,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build13
+    context: ci/prow/fips-image-scan-operator
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - Dockerfile
+      - operator/images/ci/Dockerfile
+    labels:
+      ci.openshift.io/generator: prowgen
+      job-release: "4.21"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-ocp-secrets-management-console-main-fips-image-scan-operator
+    rerun_command: /test fips-image-scan-operator
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=fips-image-scan-operator
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )fips-image-scan-operator,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build13
+    context: ci/prow/fips-image-scan-plugin
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - Dockerfile
+      - operator/images/ci/Dockerfile
+    labels:
+      ci.openshift.io/generator: prowgen
+      job-release: "4.21"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-ocp-secrets-management-console-main-fips-image-scan-plugin
+    rerun_command: /test fips-image-scan-plugin
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --lease-server-credentials-file=/etc/boskos/credentials
+        - --report-credentials-file=/etc/report/credentials
+        - --secret-dir=/secrets/ci-pull-credentials
+        - --target=fips-image-scan-plugin
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /etc/boskos
+          name: boskos
+          readOnly: true
+        - mountPath: /secrets/ci-pull-credentials
+          name: ci-pull-credentials
+          readOnly: true
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: boskos
+        secret:
+          items:
+          - key: credentials
+            path: credentials
+          secretName: boskos-credentials
+      - name: ci-pull-credentials
+        secret:
+          secretName: ci-pull-credentials
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )fips-image-scan-plugin,?($|\s.*)
   - agent: kubernetes
     always_run: true
     branches:
@@ -11,8 +326,10 @@ presubmits:
     decoration_config:
       sparse_checkout_files:
       - Dockerfile
+      - operator/images/ci/Dockerfile
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.21"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-ocp-secrets-management-console-main-images
     rerun_command: /test images
@@ -67,8 +384,10 @@ presubmits:
     decoration_config:
       sparse_checkout_files:
       - Dockerfile
+      - operator/images/ci/Dockerfile
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.21"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-ocp-secrets-management-console-main-operator-unit
     rerun_command: /test operator-unit
@@ -131,8 +450,10 @@ presubmits:
     decoration_config:
       sparse_checkout_files:
       - Dockerfile
+      - operator/images/ci/Dockerfile
     labels:
       ci.openshift.io/generator: prowgen
+      job-release: "4.21"
       pj-rehearse.openshift.io/can-be-rehearsed: "true"
     name: pull-ci-openshift-ocp-secrets-management-console-main-unit
     rerun_command: /test unit
@@ -184,3 +505,69 @@ presubmits:
         secret:
           secretName: result-aggregator
     trigger: (?m)^/test( | .* )unit,?($|\s.*)
+  - agent: kubernetes
+    always_run: true
+    branches:
+    - ^main$
+    - ^main-
+    cluster: build13
+    context: ci/prow/verify
+    decorate: true
+    decoration_config:
+      sparse_checkout_files:
+      - Dockerfile
+      - operator/images/ci/Dockerfile
+    labels:
+      ci.openshift.io/generator: prowgen
+      job-release: "4.21"
+      pj-rehearse.openshift.io/can-be-rehearsed: "true"
+    name: pull-ci-openshift-ocp-secrets-management-console-main-verify
+    rerun_command: /test verify
+    spec:
+      containers:
+      - args:
+        - --gcs-upload-secret=/secrets/gcs/service-account.json
+        - --image-import-pull-secret=/etc/pull-secret/.dockerconfigjson
+        - --report-credentials-file=/etc/report/credentials
+        - --target=verify
+        command:
+        - ci-operator
+        env:
+        - name: HTTP_SERVER_IP
+          valueFrom:
+            fieldRef:
+              fieldPath: status.podIP
+        image: quay-proxy.ci.openshift.org/openshift/ci:ci_ci-operator_latest
+        imagePullPolicy: Always
+        name: ""
+        ports:
+        - containerPort: 8080
+          name: http
+        resources:
+          requests:
+            cpu: 10m
+        volumeMounts:
+        - mountPath: /secrets/gcs
+          name: gcs-credentials
+          readOnly: true
+        - mountPath: /secrets/manifest-tool
+          name: manifest-tool-local-pusher
+          readOnly: true
+        - mountPath: /etc/pull-secret
+          name: pull-secret
+          readOnly: true
+        - mountPath: /etc/report
+          name: result-aggregator
+          readOnly: true
+      serviceAccountName: ci-operator
+      volumes:
+      - name: manifest-tool-local-pusher
+        secret:
+          secretName: manifest-tool-local-pusher
+      - name: pull-secret
+        secret:
+          secretName: registry-pull-credentials
+      - name: result-aggregator
+        secret:
+          secretName: result-aggregator
+    trigger: (?m)^/test( | .* )verify,?($|\s.*)

From 8239f1b46333774a44a5210284a4da2606c60a03 Mon Sep 17 00:00:00 2001
From: Anand Kumar <anankuma@anankuma-thinkpadp1gen7.bengluru.csb>
Date: Fri, 19 Jun 2026 17:00:07 +0530
Subject: [PATCH 4/6] chore: Regenerate CI operator config to remove comments

Run 'make ci-operator-config' to normalize the configuration file format.
The determinize-ci-operator tool removes comments to maintain consistent
formatting across all CI operator configs in the repository.
---
 .../openshift-ocp-secrets-management-console-main.yaml        | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml b/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
index fcf8d8cedc24f..7e6a3005f6670 100644
--- a/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
+++ b/ci-operator/config/openshift/ocp-secrets-management-console/openshift-ocp-secrets-management-console-main.yaml
@@ -19,10 +19,8 @@ build_root:
     tag: node22
 images:
   items:
-  # Plugin image (frontend React app)
   - dockerfile_path: Dockerfile
     to: ocp-secrets-management
-  # Operator image (Go operator)
   - dockerfile_path: operator/images/ci/Dockerfile
     from: base-rhel9
     to: ocp-secrets-management-operator
@@ -32,10 +30,8 @@ operator:
     dockerfile_path: operator/bundle.Dockerfile
     skip_building_index: true
   substitutions:
-  # Substitute operator image in bundle CSV
   - pullspec: openshift.io/ocp-secrets-management-operator:.*
     with: pipeline:ocp-secrets-management-operator
-  # Substitute plugin image in bundle CSV
   - pullspec: openshift.io/ocp-secrets-management:.*
     with: pipeline:ocp-secrets-management
 releases:

From 59d0ffeb64cb462c3589e08a7e55fa2f7ad8276d Mon Sep 17 00:00:00 2001
From: Anand Kumar <anankuma@anankuma-thinkpadp1gen7.bengluru.csb>
Date: Fri, 19 Jun 2026 17:44:08 +0530
Subject: [PATCH 5/6] chore: Add bharath-b-rh and mytreya-rh as code owners

Update OWNERS file to include additional approvers and reviewers:
- bharath-b-rh
- mytreya-rh

This provides better code review coverage and aligns with the team
structure for the ocp-secrets-management-console project.
---
 .../config/openshift/ocp-secrets-management-console/OWNERS    | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ci-operator/config/openshift/ocp-secrets-management-console/OWNERS b/ci-operator/config/openshift/ocp-secrets-management-console/OWNERS
index c8462b85d28a6..80382ad37bc1b 100644
--- a/ci-operator/config/openshift/ocp-secrets-management-console/OWNERS
+++ b/ci-operator/config/openshift/ocp-secrets-management-console/OWNERS
@@ -6,8 +6,12 @@
 
 approvers:
 - anandkuma77
+- bharath-b-rh
+- mytreya-rh
 - sarthakpurohit
 options: {}
 reviewers:
 - anandkuma77
+- bharath-b-rh
+- mytreya-rh
 - sarthakpurohit

From 9214862e9941f62e6f9bb4b598c26f555333ee4d Mon Sep 17 00:00:00 2001
From: Anand Kumar <anankuma@anankuma-thinkpadp1gen7.bengluru.csb>
Date: Fri, 19 Jun 2026 17:48:23 +0530
Subject: [PATCH 6/6] chore: Add bharath-b-rh and mytreya-rh to jobs OWNERS

Update OWNERS file in ci-operator/jobs directory to include the same
approvers and reviewers as the config directory for consistency.
---
 .../jobs/openshift/ocp-secrets-management-console/OWNERS      | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ci-operator/jobs/openshift/ocp-secrets-management-console/OWNERS b/ci-operator/jobs/openshift/ocp-secrets-management-console/OWNERS
index c8462b85d28a6..80382ad37bc1b 100644
--- a/ci-operator/jobs/openshift/ocp-secrets-management-console/OWNERS
+++ b/ci-operator/jobs/openshift/ocp-secrets-management-console/OWNERS
@@ -6,8 +6,12 @@
 
 approvers:
 - anandkuma77
+- bharath-b-rh
+- mytreya-rh
 - sarthakpurohit
 options: {}
 reviewers:
 - anandkuma77
+- bharath-b-rh
+- mytreya-rh
 - sarthakpurohit