Add CI tests for ConfigurablePKI installer feature

[hasbro17]

This provides the presubmits for the installer support of the PKI config openshift/installer#10396

Summary

• Adds step-registry components and CI jobs to validate the ConfigurablePKI feature gate, which changes installer-generated signer certificates from RSA-2048 to ECDSA P-384 by default when enabled
• Two test scenarios: default behavior (ECDSA P-384 signers) and explicit RSA-4096 override, each as an optional presubmit and a 72h periodic
• Verification step checks 7 signer CA secrets post-install and validates the PKI custom resource

New step-registry components

openshift-installer-pki-conf (ref) — Adds pki section to install-config.yaml via yq. No-op when PKI_ALGORITHM is unset, allowing the default behavior test.

openshift-installer-pki-verify (ref) — Verifies signer cert algorithms/key params and PKI CR post-install. Outputs a pass/fail summary table to stdout and writes full certificate details to the artifact
directory.

openshift-installer-pki-ipi-conf (chain) — Wraps ipi-conf → openshift-installer-pki-conf to ensure correct ordering.

New CI jobs (openshift/installer, main branch)

Optional presubmits:

• e2e-aws-ovn-pki-default — Feature gate ON, no explicit config → expects ECDSA P-384 signers
• e2e-aws-ovn-pki-rsa — Feature gate ON, explicit RSA-4096 → expects RSA-4096 signers

Periodics (72h):

• periodic-e2e-aws-ovn-pki-default — Same as default presubmit
• periodic-e2e-aws-ovn-pki-rsa — Same as RSA presubmit

All jobs use CustomNoUpgrade with ConfigurablePKI=true, run PKI verification before the full e2e suite (fail fast), and target AWS IPI.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: hasbro17
Once this PR has been reviewed and has the lgtm label, please assign patrickdillon for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• ci-operator/config/openshift/installer/OWNERS
• ci-operator/jobs/openshift/installer/OWNERS
• ci-operator/step-registry/openshift/installer/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[hasbro17]

/pj-rehearse

[openshift-ci-robot]

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[hasbro17]

The rehearsals will of course fail until the installer support for PKI is actually merged from openshift/installer#10396

The goal is to merge this first and then run the presubmits on the installer PR to validate the PKI featuregate workflow.

[hasbro17]

/pj-rehearse

[openshift-ci-robot]

@hasbro17: now processing your pj-rehearse request. Please allow up to 10 minutes for jobs to trigger or cancel.

[hasbro17]

Alright, the pki cert and CR verification test seems to be checking everything correctly now:

Logs for container test in pod e2e-aws-ovn-pki-rsa-openshift-installer-pki-verify: 
�[36mINFO�[0m[2026-03-30T21:54:35Z] =============================================
PKI Verification
Expected algorithm: RSA
Expected key param: 4096
=============================================

--- Checking: root-ca (openshift-machine-config-operator/machine-config-server-ca) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'
--- Checking: kube-apiserver-to-kubelet-signer (openshift-kube-apiserver-operator/kube-apiserver-to-kubelet-signer) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'
--- Checking: kube-apiserver-localhost-signer (openshift-kube-apiserver-operator/localhost-serving-signer) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'
--- Checking: kube-apiserver-service-network-signer (openshift-kube-apiserver-operator/service-network-serving-signer) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'
--- Checking: kube-apiserver-lb-signer (openshift-kube-apiserver-operator/loadbalancer-serving-signer) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'
--- Checking: kube-control-plane-signer (openshift-kube-apiserver-operator/kube-control-plane-signer) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'
--- Checking: aggregator-signer (openshift-kube-apiserver-operator/aggregator-client-signer) ---
  Algorithm: rsaEncryption - OK
  FAIL: Expected 'Public-Key: (4096 bit)', got 'Public-Key: (2048 bit)'

--- Checking PKI CR ---
  FAIL: PKI CR 'cluster' not found or error retrieving it

[openshift-ci-robot]

[REHEARSALNOTIFIER]
@hasbro17: the pj-rehearse plugin accommodates running rehearsal tests for the changes in this PR. Expand 'Interacting with pj-rehearse' for usage details. The following rehearsable tests have been affected by this change:

Test name	Repo	Type	Reason
pull-ci-openshift-installer-main-e2e-aws-ovn-pki-default	openshift/installer	presubmit	Presubmit changed
pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa	openshift/installer	presubmit	Presubmit changed
periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-rsa	N/A	periodic	Periodic changed
periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-default	N/A	periodic	Periodic changed

Interacting with pj-rehearse

Comment: /pj-rehearse to run up to 5 rehearsals
Comment: /pj-rehearse skip to opt-out of rehearsals
Comment: /pj-rehearse {test-name}, with each test separated by a space, to run one or more specific rehearsals
Comment: /pj-rehearse more to run up to 10 rehearsals
Comment: /pj-rehearse max to run up to 25 rehearsals
Comment: /pj-rehearse auto-ack to run up to 5 rehearsals, and add the rehearsals-ack label on success
Comment: /pj-rehearse list to get an up-to-date list of affected jobs
Comment: /pj-rehearse abort to abort all active rehearsals
Comment: /pj-rehearse network-access-allowed to allow rehearsals of tests that have the restrict_network_access field set to false. This must be executed by an openshift org member who is not the PR author

Once you are satisfied with the results of the rehearsals, comment: /pj-rehearse ack to unblock merge. When the rehearsals-ack label is present on your PR, merge will no longer be blocked by rehearsals.
If you would like the rehearsals-ack label removed, comment: /pj-rehearse reject to re-block merging.

[openshift-ci]

@hasbro17: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/rehearse/openshift/installer/main/e2e-aws-ovn-pki-default	ada480e	link	unknown	/pj-rehearse pull-ci-openshift-installer-main-e2e-aws-ovn-pki-default
ci/rehearse/periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-rsa	ada480e	link	unknown	/pj-rehearse periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-rsa
ci/rehearse/periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-default	ada480e	link	unknown	/pj-rehearse periodic-ci-openshift-installer-main-periodic-e2e-aws-ovn-pki-default
ci/rehearse/openshift/installer/main/e2e-aws-ovn-pki-rsa	ada480e	link	unknown	/pj-rehearse pull-ci-openshift-installer-main-e2e-aws-ovn-pki-rsa

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.