
CMP-3834: Added cis-profile test cases 46100, 46302, 54323, 6679 from downstream#1077

Open
taimurhafeez wants to merge 5 commits into master from CMP-3834


@taimurhafeez taimurhafeez commented Feb 3, 2026

The test case requires encryption to be enabled on the cluster first, which might take some time. The command to enable encryption is:
oc patch apiserver cluster --type=merge -p '{"spec":{"encryption":{"type":"aesgcm"}}}'
It will take some time. To know if the next command can be executed, in a separate terminal we can monitor it every 30 seconds:
watch -n 30 "oc get co kube-apiserver openshift-apiserver"
And when Progressing is False for both kube-apiserver and openshift-apiserver, then we can run the test with the following command.
To run the test:
make e2e-cis-profile E2E_GO_TEST_FLAGS="-v -timeout 120m -run TestCISProfiles"

output:

=== RUN   TestCISProfiles
    main_test.go:330: Waiting for initial scans to complete
2026/02/04 14:19:00 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:19:05 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:19:10 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:19:15 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:19:20 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:19:25 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:19:30 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:19:35 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:19:40 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:19:45 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:19:55 ComplianceScan ready (DONE)
2026/02/04 14:20:00 ComplianceScan ready (DONE)
2026/02/04 14:20:00 All scans in ComplianceSuite have finished (test-c-i-s-profiles-cis)
    main_test.go:351: Scan ocp4-cis has result: NON-COMPLIANT
    main_test.go:351: Scan ocp4-cis-node-wrscan has result: COMPLIANT
    main_test.go:375: KubeletConfig has raw config: {"protectKernelDefaults":true,"streamConnectionIdleTimeout":"5m"}
    main_test.go:380: KubeletConfig tlsCipherSuites doesn't contain expected cipher TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    main_test.go:395: Found 2 remediations, waiting for auto-application
    main_test.go:422: Remediation ocp4-cis-audit-profile-set is not a MachineConfig type (auto-apply=true)
    main_test.go:422: Remediation ocp4-cis-kubelet-configure-tls-cipher-suites-ingresscontroller is not a MachineConfig type (auto-apply=true)
    main_test.go:426: Found 0 MachineConfig-based remediations out of 2 total
    main_test.go:446: No MachineConfig remediations found, skipping pool update wait
    main_test.go:452: Triggering rescan to verify remediations
2026/02/04 14:20:34 rerunning scan ocp4-cis
2026/02/04 14:20:34 rerunning scan ocp4-cis-node-wrscan
    main_test.go:463: Waiting for rescan to complete
2026/02/04 14:20:40 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:20:45 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:20:50 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:20:55 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:21:00 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:21:04 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: RUNNING
2026/02/04 14:21:10 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:21:15 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:21:20 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
2026/02/04 14:21:24 waiting until suite test-c-i-s-profiles-cis reaches target status 'DONE'. Current status: AGGREGATING
    main_test.go:466: Rescan completed but not all scans are compliant: expecting COMPLIANT got NON-COMPLIANT
    main_test.go:470: Verifying all automated checks pass after rescan
    main_test.go:485: All 13 automated checks passed after remediation
    main_test.go:494: CIS profiles test completed successfully
--- PASS: TestCISProfiles (188.13s)
PASS
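
The manual `watch` step in the comment above can be scripted so the e2e run starts only after both operators settle. This is an added example, not part of the PR; the `OC`, `TRIES`, `INTERVAL` and `STABLE` variables and the function names are assumptions, and requiring consecutive settled polls is a design choice so that a reading taken before the rollout begins is not mistaken for completion.

```shell
#!/bin/sh
# Added example (not from the PR): wait until kube-apiserver and
# openshift-apiserver both report Progressing=False before running the test.
OC="${OC:-oc}"                      # assumption: client binary, overridable
OPERATORS="kube-apiserver openshift-apiserver"

# Print one "name=status" line per operator (status of the Progressing condition).
progressing_status() {
    "$OC" get co $OPERATORS -o jsonpath='{range .items[*]}{.metadata.name}{"="}{.status.conditions[?(@.type=="Progressing")].status}{"\n"}{end}'
}

# Read "name=status" lines on stdin. Succeed only if every expected operator
# is listed and none reports anything other than False.
all_settled() {
    seen=""
    while IFS='=' read -r name status; do
        [ -n "$name" ] || continue
        [ "$status" = "False" ] || return 1
        seen="$seen $name "
    done
    for op in $OPERATORS; do
        case "$seen" in *" $op "*) ;; *) return 1 ;; esac
    done
    return 0
}

# Poll every INTERVAL seconds, up to TRIES times; return 0 after STABLE
# consecutive settled polls, 1 on timeout. A failed oc call counts as unsettled.
wait_for_rollout() {
    tries="${TRIES:-120}"; interval="${INTERVAL:-30}"; need="${STABLE:-2}"
    i=0; ok=0
    while [ "$i" -lt "$tries" ]; do
        if progressing_status 2>/dev/null | all_settled; then
            ok=$((ok + 1))
            if [ "$ok" -ge "$need" ]; then return 0; fi
        else
            ok=0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}
```

After sourcing the file, `wait_for_rollout && make e2e-cis-profile E2E_GO_TEST_FLAGS="-v -timeout 120m -run TestCISProfiles"` chains the gate to the test command quoted in the comment.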


openshift-ci bot commented Feb 3, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: taimurhafeez


@openshift-ci openshift-ci bot added the approved label Feb 3, 2026

openshift-ci bot commented Feb 3, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all


github-actions bot commented Feb 3, 2026

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1077-8d728596e076b332a35a22d8a0f92626f812e20c

@taimurhafeez changed the title from "Added cis-profile test cases 46100, 46302, 54323, 6679 from downstream" to "CMP-3834: Added cis-profile test cases 46100, 46302, 54323, 6679 from downstream" on Feb 3, 2026
@openshift-ci-robot

@taimurhafeez: This pull request references CMP-3834 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.



github-actions bot commented Feb 3, 2026

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1077-ec430c8c7104f8fa8430f8f96d15c0c72a0309e1

@taimurhafeez taimurhafeez marked this pull request as ready for review February 4, 2026 14:55

github-actions bot commented Feb 5, 2026

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1077-b1fbb174f399b4155da36d11b81710e0e47576da


github-actions bot commented Mar 5, 2026

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1077-6ad3ac4db3f3a9d3ced85230454e15443ccd1c28


openshift-ci bot commented Mar 5, 2026

@taimurhafeez: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | 6ad3ac4 | link | true | /test e2e-rosa |



@rhmdnd rhmdnd left a comment


I'm wondering if we want to take this approach here, or instead rely on https://github.com/complianceascode/ocp4e2e for this level of content testing (where we're asserting specific rules pass after applying remediations). The main thing it appears we're testing here are the contents of the rule and the remediation, both of which exist in a separate repository.

Thoughts?

// TestCISProfiles tests auto-remediation for CIS profiles
// This test covers downstream test cases: 46100, 46302, 54323, 66793
// Test: Verify autoremediations works for CIS profiles
func TestCISProfiles(t *testing.T) {
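
Review bot: the case list in the comment above TestCISProfiles ends with 66793, but the PR title lists 6679 for the same set; reconcile the two so the downstream case can be traced from the code. The third comment line, "Verify autoremediations works for CIS profiles", should read "Verify auto-remediation works for CIS profiles", and since the PR description says the test needs encryption enabled on the cluster first, that precondition belongs in this doc comment too.
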
Collaborator


I wonder if we want to take this approach in the project e2e suite when we have ocp4e2e, which does something very similar. It will provision a cluster, run a scan, apply remediations, and then assert rule states after the remediations have taken effect.

Thoughts on using that existing workflow? Also - coupling this type of content testing into the compliance-operator functional testing will make it so content updates in ComplianceAsCode/content can break this test (we'll be required to orchestrate changes between content and operator to unblock CI in those cases - which we experience elsewhere when we rely on specific rules in content images that change over time).

Collaborator Author


Thanks, @rhmdnd! I see the issue now.
So, should I move these test cases entirely to ocp4e2e?
