  1. OpenShift Kueue
  2. OCPKUEUE-466

TLS scanner verification


    • Type: Story
    • Resolution: Unresolved

      Run TLS scanner against webhook, metrics, and visibility endpoints to verify compliance with configured profiles.

      Endpoints to scan:

      • Webhook server (port 9443)
      • Metrics server (port 8443)
      • Visibility API server (port 8082, if VisibilityOnDemand enabled)

      Scanning tools:

      • openssl s_client - Basic TLS verification
      • testssl.sh - Comprehensive TLS scanning
      • nmap --script ssl-enum-ciphers - Cipher enumeration

      Verification steps:

      1. For each TLS profile type (Old, Intermediate, Modern):

      • Deploy Kueue with the profile
      • Scan all HTTPS endpoints
      • Verify minimum TLS version matches profile
      • Verify only allowed cipher suites are offered
      • Verify disallowed TLS versions are rejected

      2. Document results:

      • Create test report with scan outputs
      • Compare against expected profile settings
      • Flag any deviations

      Example scan command:

      # Test TLS 1.2 minimum (should succeed for Intermediate)
      openssl s_client -connect kueue-webhook:9443 -tls1_2
      
      # Test TLS 1.1 (should fail for Intermediate)
      openssl s_client -connect kueue-webhook:9443 -tls1_1
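
The version checks from the verification steps and the two `openssl s_client` commands above, generalised into an expected-versus-observed matrix for one endpoint. This is an added example, not part of the original ticket; the profile minimums (Old = TLS 1.0, Intermediate = TLS 1.2, Modern = TLS 1.3) are assumed from the OpenShift TLS security profile definitions, and the function names and the `PROBE` hook are hypothetical.

```shell
#!/bin/sh
# Added example (not from the ticket). Minimum versions assume the OpenShift
# TLS security profiles: Old=TLS 1.0, Intermediate=TLS 1.2, Modern=TLS 1.3.
VERSIONS="tls1 tls1_1 tls1_2 tls1_3"   # openssl s_client flags, oldest first

rank() {            # position of a version flag in VERSIONS
  case "$1" in tls1) echo 0 ;; tls1_1) echo 1 ;; tls1_2) echo 2 ;; tls1_3) echo 3 ;;
    *) return 1 ;; esac
}

min_version() {     # profile name -> lowest version the server may accept
  case "$1" in Old) echo tls1 ;; Intermediate) echo tls1_2 ;; Modern) echo tls1_3 ;;
    *) return 1 ;; esac
}

expected() {        # expected PROFILE VERSION -> accept | reject
  e_min=$(min_version "$1") && e_v=$(rank "$2") || return 1
  if [ "$e_v" -ge "$(rank "$e_min")" ]; then echo accept; else echo reject; fi
}

probe() {           # probe HOST:PORT VERSION -> accept | reject (needs network)
  p_sec=""
  # OpenSSL 3.x clients refuse TLS 1.0/1.1 above security level 0; lower it so
  # a "reject" reflects the server, not the scanner.
  case "$2" in tls1|tls1_1) p_sec="-cipher DEFAULT@SECLEVEL=0" ;; esac
  # p_sec is intentionally unquoted so it splits into option and value.
  if openssl s_client -connect "$1" "-$2" $p_sec </dev/null 2>/dev/null |
       grep -Eq 'Cipher is [A-Za-z0-9]'; then echo accept; else echo reject; fi
}

PROBE=${PROBE:-probe}   # hypothetical hook: swap in a stub for offline runs

scan() {            # scan PROFILE HOST:PORT -> exit status = number of deviations
  s_bad=0
  for s_v in $VERSIONS; do
    s_want=$(expected "$1" "$s_v") || return 255
    s_got=$("$PROBE" "$2" "$s_v")
    if [ "$s_want" = "$s_got" ]; then s_res=ok; else s_res=DEVIATION; s_bad=$((s_bad + 1)); fi
    printf '%-12s %-22s %-7s want=%-6s got=%-6s %s\n' "$1" "$2" "$s_v" "$s_want" "$s_got" "$s_res"
  done
  return "$s_bad"
}

# Usage: ./tls-matrix.sh Intermediate kueue-webhook:9443
if [ $# -ge 2 ]; then scan "$1" "$2"; fi
```

A `reject` for TLS 1.0 or 1.1 only reflects the server if the local `openssl` build still supports those protocol flags; confirm that before recording the result in the test report.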
      

      Acceptance Criteria:

      • All endpoints comply with configured TLS profile
      • TLS scanner confirms no lower versions accepted
      • TLS scanner confirms only allowed ciphers offered
      • Test report documents compliance

      Depends on: OCPKUEUE-465 (E2E tests)

              harpatil@redhat.com Harshal Patil