From 8e146bfe38548a33d93d77d98481685701f3e677 Mon Sep 17 00:00:00 2001 
From: borislavr Date: Wed, 29 Apr 2026 13:24:01 +0300 Subject: [PATCH 01/22] feat: add hardening scan support for multiple services and update workflows https://github.com/Netcracker/qubership-workflow-hub/issues/684 Co-authored-by: Copilot --- .github/workflows/consul.yaml | 19 +++- .github/workflows/monitoring.yaml | 23 ++++- .github/workflows/opensearch.yaml | 19 +++- .github/workflows/pgskipper.yaml | 34 ++++++- .github/workflows/rabbitmq.yaml | 19 +++- .github/workflows/zookeeper.yaml | 42 +++++++- .../consul_clean_all_on_sc_hardening.yml | 49 ++++++++++ templates/monitoring/monitoring_hardening.yml | 39 ++++++++ .../opensearch_clean_all_on_sc_hardening.yml | 98 +++++++++++++++++++ .../pgskipper/patroni-core-hardening.yaml | 31 ++++++ .../pgskipper/patroni-services-hardening.yaml | 47 +++++++++ .../rabbitmq_clean_sc_hardening.yml | 44 +++++++++ .../zookeeper_install_hardening.yml | 46 +++++++++ workflow-config/consul_hardening.yaml | 7 ++ workflow-config/monitoring_hardening.yaml | 9 ++ workflow-config/opensearch_hardening.yaml | 7 ++ workflow-config/pgskipper_hardening.yaml | 9 ++ workflow-config/rabbitmq _hardening.yaml | 7 ++ workflow-config/zookeeper_hardening.yaml | 7 ++ 19 files changed, 540 insertions(+), 16 deletions(-) create mode 100644 templates/consul-service/consul_clean_all_on_sc_hardening.yml create mode 100644 templates/monitoring/monitoring_hardening.yml create mode 100644 templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml create mode 100644 templates/pgskipper/patroni-core-hardening.yaml create mode 100644 templates/pgskipper/patroni-services-hardening.yaml create mode 100644 templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml create mode 100644 templates/zookeeper-service/zookeeper_install_hardening.yml create mode 100644 workflow-config/consul_hardening.yaml create mode 100644 workflow-config/monitoring_hardening.yaml create mode 100644 workflow-config/opensearch_hardening.yaml create mode 100644 
workflow-config/pgskipper_hardening.yaml create mode 100644 workflow-config/rabbitmq _hardening.yaml create mode 100644 workflow-config/zookeeper_hardening.yaml diff --git a/.github/workflows/consul.yaml b/.github/workflows/consul.yaml index 14ca037d..53fa361d 100644 --- a/.github/workflows/consul.yaml +++ b/.github/workflows/consul.yaml @@ -26,7 +26,7 @@ on: required: false default: ubuntu-latest scope: - description: Consul Test Scope (pr or nightly) + description: Consul Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -57,7 +57,7 @@ on: required: false default: ubuntu-latest scope: - description: Consul Test Scope (pr or nightly) + description: Consul Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -120,8 +120,10 @@ jobs: CONFIG_FILE="./workflow-config/consul_nightly.yaml" elif [[ "$SCOPE" == "pr" ]]; then CONFIG_FILE="./workflow-config/consul.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/consul_hardening.yaml" else - echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'." + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." exit 1 fi ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" @@ -348,6 +350,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 90s + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1 + with: + namespaces: consul + output-file: consul-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Consul upgrade if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/verify_installation 
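Review bot: The new Hardening Check step takes its policy from `config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml`, i.e. from the checkout of the service repository under test, so the code being scanned also supplies the list of mandatory checks that `fail-on-mandatory-checks: true` enforces; if that checkout is the service branch rather than a pinned reference, consider keeping the policy file in this pipelines repository, or at least recording which revision of it was used, so a change cannot weaken the gate that evaluates it. The same `config-file` path is used by the identical steps added to opensearch.yaml, pgskipper.yaml, rabbitmq.yaml and zookeeper.yaml in this patch. The step is guarded only by `if: inputs.scope == 'hardening'`, so it runs for every matrix entry that reaches it, not only `sequence: install`; since the hardening config files define a single install job this is harmless today, but a comment such as `# hardening config defines one install job; guard on matrix.test.sequence if more are added` would make the assumption visible.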
diff --git a/.github/workflows/monitoring.yaml b/.github/workflows/monitoring.yaml index c0bce62f..8e5515f7 100644 --- a/.github/workflows/monitoring.yaml +++ b/.github/workflows/monitoring.yaml @@ -30,6 +30,11 @@ on: type: string required: false default: multi-node + scope: + description: Monitoring Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr skip_tests: description: Skip all tests (for doc-only changes) type: boolean @@ -62,6 +67,11 @@ on: type: string required: false default: multi-node + scope: + description: Monitoring Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr skip_tests: description: Skip all tests (for doc-only changes) type: boolean @@ -100,12 +110,23 @@ jobs: - name: Process versions file and matrix generation id: process-versions env: + SCOPE: ${{ inputs.scope }} LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }} SERVICE_BRANCH: ${{ inputs.service_branch }} working-directory: ${{ github.workspace }}/qubership-test-pipelines run: | chmod +x ./scripts/matrix.sh - ./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/monitoring.yaml "$SERVICE_BRANCH" + if [[ "$SCOPE" == "nightly" ]]; then + CONFIG_FILE="./workflow-config/monitoring_nightly.yaml" + elif [[ "$SCOPE" == "pr" ]]; then + CONFIG_FILE="./workflow-config/monitoring.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/monitoring_hardening.yaml" + else + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." + exit 1 + fi + ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" Monitoring-Test-Cases: if: ${{ !inputs.skip_tests }} diff --git a/.github/workflows/opensearch.yaml b/.github/workflows/opensearch.yaml index 3efac9a4..e7983551 100644 --- a/.github/workflows/opensearch.yaml +++ b/.github/workflows/opensearch.yaml 
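Review bot: The `hardening` scope for monitoring only switches the matrix config to `./workflow-config/monitoring_hardening.yaml`; unlike the consul, opensearch, pgskipper, rabbitmq and zookeeper workflows in this patch, no `Hardening Check` step is added to monitoring.yaml (the diffstat's 23 added lines are fully accounted for by the two `scope` inputs and the config dispatch), so running monitoring with `scope: hardening` deploys the hardening template but never executes the scan. Either add the `k8s-hardening-scan` step under the same `if: inputs.scope == 'hardening'` guard, or change the input text to `description: Monitoring Test Scope (pr, nightly or hardening; hardening only selects the hardening template)` so the difference is documented. The new dispatch also maps `nightly` to `./workflow-config/monitoring_nightly.yaml`, and pgskipper.yaml and zookeeper.yaml likewise reference `pgskipper_nightly.yaml` and `zookeeper_nightly.yaml`; none of these files is created by this patch, so confirm they already exist or the `nightly` scope will fail inside matrix.sh.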
@@ -25,7 +25,7 @@ on: required: false default: ubuntu-latest scope: - description: Opensearch Test Scope (pr or nightly) + description: Opensearch Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -55,7 +55,7 @@ on: required: false default: ubuntu-latest scope: - description: Opensearch Test Scope (pr or nightly) + description: Opensearch Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -117,8 +117,10 @@ jobs: CONFIG_FILE="./workflow-config/opensearch_nightly.yaml" elif [[ "$SCOPE" == "pr" ]]; then CONFIG_FILE="./workflow-config/opensearch.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/opensearch_hardening.yaml" else - echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'." + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." exit 1 fi ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" @@ -351,6 +353,17 @@ jobs: if: ${{ matrix.test.sequence == 'upgrade' }} run: sleep 1m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1 + with: + namespaces: opensearch + output-file: opensearch-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Opensearch upgrade to [${{ matrix.test.upgrade_version }}] if: ${{ matrix.test.sequence == 'upgrade' }} uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/pgskipper.yaml b/.github/workflows/pgskipper.yaml index 1a0c342e..30dc4bb3 100644 --- a/.github/workflows/pgskipper.yaml +++ b/.github/workflows/pgskipper.yaml 
@@ -25,6 +25,11 @@ on: type: string required: false default: ubuntu-latest + scope: + description: Pgskipper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr service_versions_json: description: PostgreSQL image versions as JSON type: string @@ -62,6 +67,11 @@ on: type: string required: false default: ubuntu-latest + scope: + description: Pgskipper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr service_versions_json: description: PostgreSQL image versions as JSON type: string @@ -123,12 +133,23 @@ jobs: - name: Process versions file and matrix generation id: process-versions env: + SCOPE: ${{ inputs.scope }} LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }} SERVICE_BRANCH: ${{ inputs.service_branch }} working-directory: ${{ github.workspace }}/qubership-test-pipelines run: | chmod +x ./scripts/matrix.sh - ./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/pgskipper.yaml "$SERVICE_BRANCH" + if [[ "$SCOPE" == "nightly" ]]; then + CONFIG_FILE="./workflow-config/pgskipper_nightly.yaml" + elif [[ "$SCOPE" == "pr" ]]; then + CONFIG_FILE="./workflow-config/pgskipper.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/pgskipper_hardening.yaml" + else + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." + exit 1 + fi + ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" - name: Parse JSON into matrix id: parse-matrix 
@@ -344,6 +365,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 10s + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1 + with: + namespaces: pgskipper + output-file: pgskipper-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Pgskipper Services upgrade if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/rabbitmq.yaml b/.github/workflows/rabbitmq.yaml index 9a0a4d51..2f91640c 100644 --- a/.github/workflows/rabbitmq.yaml +++ b/.github/workflows/rabbitmq.yaml @@ -26,7 +26,7 @@ on: required: false default: ubuntu-latest scope: - description: RabbitMQ Test Scope (pr or nightly) + description: RabbitMQ Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -56,7 +56,7 @@ on: required: false default: ubuntu-latest scope: - description: RabbitMQ Test Scope (pr or nightly) + description: RabbitMQ Test Scope (pr, nightly or hardening) type: string required: false default: pr @@ -119,8 +119,10 @@ jobs: CONFIG_FILE="./workflow-config/rabbitmq_nightly.yaml" elif [[ "$SCOPE" == "pr" ]]; then CONFIG_FILE="./workflow-config/rabbitmq.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/rabbitmq_hardening.yaml" else - echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr' or 'nightly'." + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." exit 1 fi ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" 
@@ -308,6 +310,17 @@ jobs: if: ${{ matrix.test.sequence == 'upgrade' }} run: sleep 1m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1 + with: + namespaces: rabbitmq + output-file: rabbitmq-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify RabbitMQ upgrade if: ${{ matrix.test.sequence == 'upgrade' }} uses: ./qubership-test-pipelines/actions/shared/verify_installation diff --git a/.github/workflows/zookeeper.yaml b/.github/workflows/zookeeper.yaml index cfec9fcc..6e24345e 100644 --- a/.github/workflows/zookeeper.yaml +++ b/.github/workflows/zookeeper.yaml @@ -24,6 +24,11 @@ on: type: string required: false default: ubuntu-latest + scope: + description: Zookeeper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr skip_tests: description: Skip all tests (for doc-only changes) type: boolean @@ -54,6 +59,11 @@ on: type: boolean required: false default: false + scope: + description: Zookeeper Test Scope (pr, nightly or hardening) + type: string + required: false + default: pr secrets: AWS_S3_ACCESS_KEY_ID: 
@@ -108,10 +118,21 @@ jobs: env: LATEST_TAG: ${{ steps.get-latest-tag.outputs.latest_tag }} SERVICE_BRANCH: ${{ inputs.service_branch }} + SCOPE: ${{ inputs.scope }} working-directory: ${{ github.workspace }}/qubership-test-pipelines run: | chmod +x ./scripts/matrix.sh - ./scripts/matrix.sh "$LATEST_TAG" ./workflow-config/zookeeper.yaml "$SERVICE_BRANCH" + if [[ "$SCOPE" == "nightly" ]]; then + CONFIG_FILE="./workflow-config/zookeeper_nightly.yaml" + elif [[ "$SCOPE" == "pr" ]]; then + CONFIG_FILE="./workflow-config/zookeeper.yaml" + elif [[ "$SCOPE" == "hardening" ]]; then + CONFIG_FILE="./workflow-config/zookeeper_hardening.yaml" + else + echo "::error::Invalid scope parameter '$SCOPE'. Must be 'pr', 'nightly' or 'hardening'." + exit 1 + fi + ./scripts/matrix.sh "$LATEST_TAG" "$CONFIG_FILE" "$SERVICE_BRANCH" Zookeeper-Test-Cases: if: ${{ !inputs.skip_tests }} @@ -273,6 +294,17 @@ jobs: if: matrix.test.sequence == 'upgrade' run: sleep 1m + - name: Hardening Check + if: inputs.scope == 'hardening' + uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1 + with: + namespaces: zookeeper + output-file: zookeeper-hardening-scan.json + install-kubescape: true + execute-trivy-scan: false + fail-on-mandatory-checks: true + config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml + - name: Verify Zookeeper upgrade if: matrix.test.sequence == 'upgrade' uses: ./qubership-test-pipelines/actions/shared/verify_installation @@ -306,7 +338,7 @@ jobs: # 15-Clean [LATEST] TLS Clean-Latest-TLS: - if: ${{ !inputs.skip_tests }} + if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }} runs-on: ${{ inputs.runner_type }} name: Clean [${{ inputs.service_branch }}] TLS steps: 
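Review bot: Gating `Clean-Latest-TLS` on `inputs.scope != 'hardening'` (and, in the next two hunks, `Clean-Latest-TLS-Secrets` and `Clean-Latest-TLS-Certificates`) leaves those three jobs in the `skipped` state on a hardening run while `final-status-check` (`if: ${{ always() }}`) still lists them in `needs:`; whether its status logic treats `skipped` as success is outside these hunks, so confirm a hardening run does not report failure because of the excluded TLS jobs. A comment above the condition, e.g. `# TLS clean jobs are outside the hardening scope; only the hardening install job runs`, would record why these jobs and not the others are excluded.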
@@ -407,7 +439,7 @@ jobs: # 16-Clean [LATEST] TLS Secrets Clean-Latest-TLS-Secrets: - if: ${{ !inputs.skip_tests }} + if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }} runs-on: ${{ inputs.runner_type }} needs: Clean-Latest-TLS name: Clean [${{ inputs.service_branch }}] TLS Secrets @@ -467,7 +499,7 @@ jobs: # 17-Upgrade [LATEST] TLS Certificates -> Clean [LATEST] TLS Certificates Clean-Latest-TLS-Certificates: - if: ${{ !inputs.skip_tests }} + if: ${{ !inputs.skip_tests && inputs.scope != 'hardening' }} runs-on: ${{ inputs.runner_type }} needs: Clean-Latest-TLS name: Clean [${{ inputs.service_branch }}] TLS Certificates @@ -529,7 +561,7 @@ jobs: final-status-check: if: ${{ always() }} runs-on: ubuntu-latest - needs: [Zookeeper-Test-Cases, Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets] + needs: [Zookeeper-Test-Cases, Clean-Latest-TLS,Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets] steps: - name: Checkout pipeline uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.1.0 diff --git a/templates/consul-service/consul_clean_all_on_sc_hardening.yml b/templates/consul-service/consul_clean_all_on_sc_hardening.yml new file mode 100644 index 00000000..9907038d --- /dev/null +++ b/templates/consul-service/consul_clean_all_on_sc_hardening.yml 
@@ -0,0 +1,49 @@
+global:
+ restrictedEnvironment: true
+ enablePodSecurityPolicies: false
+ enabled: true
+server:
+ replicas: 3
+ bootstrapExpect: 3
+ storage: 1Gi
+ storageClass: standard
+ resources:
+ limits:
+ memory: 300Mi
+ cpu: 100m
+consulAclConfigurator:
+ enabled: true
+dns:
+ enabled: false
+monitoring:
+ enabled: false
+ui:
+ enabled: true
+ ingress:
+ enabled: true
+ hosts:
+ - host: consul-consul-service.qa-kubernetes.openshift.sdntest.qubership.org
+ service:
+ enabled: true
+client:
+ enabled: true
+ resources:
+ requests:
+ memory: 64Mi
+ cpu: 25m
+ limits:
+ memory: 256Mi
+ cpu: 25m
+backupDaemon:
+ enabled: true
+ storage: 1Gi
+ storageClass: standard
+ backupSchedule: "*/15 * * * *"
+ evictionPolicy: 1h/1d,7d/delete
+integrationTests:
+ enabled: true
+ tags: backupORcrudORconsul_images
+statusProvisioner:
+ lifetimeAfterCompletion: 120
+ integrationTestsTimeout: 600
+ podReadinessTimeout: 900
diff --git a/templates/monitoring/monitoring_hardening.yml b/templates/monitoring/monitoring_hardening.yml
new file mode 100644
index 00000000..feaf235f
--- /dev/null
+++ b/templates/monitoring/monitoring_hardening.yml
@@ -0,0 +1,39 @@
+grafana:
+ ingress:
+ host: grafana-monitoring.testdomain.local
+ install: true
+integrationTests:
+ install: true
+ tags: grafanaORsmoke
+ timeoutBeforeStart: 60
+ statusWriting:
+ enabled: false
+kubernetesMonitors:
+ kubeSchedulerServiceMonitor:
+ install: true
+ kubeControllerManagerServiceMonitor:
+ install: true
+victoriametrics:
+ vmAuth:
+ ingress:
+ install: true
+ host: vmauth-monitoring.testdomain.local
+ vmAlert:
+ ingress:
+ install: true
+ host: vmalert-monitoring.testdomain.local
+ vmSingle:
+ ingress:
+ install: true
+ host: vmsingle-monitoring.testdomain.local
+ resources:
+ requests:
+ memory: 768Mi
+ cpu: 100m
+ limits:
+ memory: 2Gi
+ cpu: 1500m
+ vmAlertManager:
+ ingress:
+ install: true
+ host: vmagent-monitoring.testdomain.local
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
new file mode 100644
index 00000000..2fec08a7
--- /dev/null
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -0,0 +1,98 @@
+global:
+ cloudIntegrationEnabled: false
+ tls:
+ enabled: false
+ generateCerts:
+ certProvider: cert-manager
+ clusterIssuerName: dev-clusterissuer
+ restrictedEnvironment: true
+opensearch:
+ tls:
+ enabled: false
+ securityConfig:
+ authc:
+ basic:
+ username: admin
+ password: Root1234#
+ securityContextCustom:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fixMount:
+ enabled: true
+ securityContext:
+ runAsUser: 0
+ master:
+ replicas: 3
+ resources:
+ requests:
+ cpu: 900m
+ memory: 4Gi
+ limits:
+ cpu: 2
+ memory: 4Gi
+ javaOpts: -Xms1024m -Xmx1024m
+ persistence:
+ storageClass: standard
+ size: 10Gi
+ snapshots:
+ enabled: false
+ persistentVolume: ""
+ storageClass: standard
+ size: 2Gi
+ s3:
+ enabled: false
+ pathStyleAccess: true
+ client:
+ enabled: true
+ ingress:
+ enabled: true
+ hosts:
+ - opensearch-opensearch-service.qubership.com
+dbaasAdapter:
+ enabled: false
+ dbaasAggregatorPhysicalDatabaseIdentifier: opensearch
+ opensearchRepo: snapshots
+ opensearchRepoRoot: /usr/share/opensearch/
+ dbaasUsername: dbaas-adapter
+ dbaasPassword: dbaas-adapter
+ registrationAuthUsername: test
+ registrationAuthPassword: test
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 1000
+monitoring:
+ enabled: false
+ includeIndices: true
+ slowQueries:
+ enabled: true
+dashboards:
+ enabled: true
+ ingress:
+ enabled: true
+ hosts:
+ - host: dashboards-opensearch-service.qubership.com
+ paths:
+ - path: /
+curator:
+ enabled: false
+ backupSchedule: 0 * * * *
+ evictionPolicy: 0/1d,7d/delete
+ username: backup
+ password: backup
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+integrationTests:
+ enabled: true
+ tags: smokeORhaORopensearch_images
+secret:
+ idp:
+ username: ""
+ password: ""
+ registrationToken: ""
+statusProvisioner:
+ lifetimeAfterCompletion: 30
+ integrationTestsTimeout: 900
+ podReadinessTimeout: 900
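Review bot: This hardening template switches TLS off at both `global.tls.enabled: false` and `opensearch.tls.enabled: false` and runs the `fixMount` component as root (`securityContext: runAsUser: 0`); a scan run with `fail-on-mandatory-checks: true` is likely to report these as findings of the test template rather than of the chart, so if they are deliberate for the scan baseline a comment next to them, e.g. `# TLS off and root fixMount are intentional for the hardening baseline`, would save the next reader a round trip. The file also commits plain-text credentials (`password: Root1234#`, `dbaasPassword: dbaas-adapter`, `registrationAuthPassword: test`, curator `password: backup`), as do `patroni-core-hardening.yaml` and `patroni-services-hardening.yaml` (`postgresPassword: p@ssWOrD1`, `replicatorPassword: replicator`), `rabbitmq_clean_sc_hardening.yml` (`rabbitmq_default_password: admin`) and `zookeeper_install_hardening.yml` (the `global.secrets` block with `adminPassword: zadmin` and friends). Since these values deploy into a shared test cluster, consider sourcing them from workflow secrets, or at minimum mark them with a comment such as `# throwaway test-only credential` so nobody promotes them to a longer-lived environment.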
diff --git a/templates/pgskipper/patroni-core-hardening.yaml b/templates/pgskipper/patroni-core-hardening.yaml
new file mode 100644
index 00000000..42d90a43
--- /dev/null
+++ b/templates/pgskipper/patroni-core-hardening.yaml
@@ -0,0 +1,31 @@
+postgresUser: postgres
+postgresPassword: p@ssWOrD1
+replicatorPassword: replicator
+operator:
+ resources:
+ limits:
+ cpu: 50m
+ memory: 50Mi
+ requests:
+ cpu: 50m
+ memory: 50Mi
+patroni:
+ install: true
+ replicas: 2
+ securityContext:
+ fsGroup: 26
+ runAsUser: 26
+ resources:
+ requests:
+ cpu: 125m
+ memory: 250Mi
+ limits:
+ cpu: 250m
+ memory: 500Mi
+ storage:
+ type: provisioned
+ size: 1Gi
+ storageClass: standard
+tests:
+ install: true
+ runTestScenarios: basic
diff --git a/templates/pgskipper/patroni-services-hardening.yaml b/templates/pgskipper/patroni-services-hardening.yaml
new file mode 100644
index 00000000..225bf67b
--- /dev/null
+++ b/templates/pgskipper/patroni-services-hardening.yaml
@@ -0,0 +1,47 @@
+postgresUser: postgres
+postgresPassword: p@ssWOrD1
+operator:
+ resources:
+ limits:
+ cpu: 256m
+ memory: 256Mi
+ requests:
+ cpu: 256m
+ memory: 256Mi
+metricCollector:
+ install: false
+ prometheusRules:
+ backupAlertThreshold: 5
+ backupWarningThreshold: 20
+ alertDelay: 3m
+ maxLastBackupAge: 86400
+ locksThreshold: 500
+ queryMaxTimeThreshold: 3600
+ collectionInterval: 60
+ telegrafPluginTimeout: 60
+ ocExecTimeout: 10
+ metricsProfile: prod
+ prometheusMonitoring: false
+ applyGrafanaDashboard: false
+backupDaemon:
+ install: true
+ walArchiving: false
+ backupSchedule: 0 0/7 * * *
+ evictionPolicy: 7d/delete
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 1000
+ resources:
+ limits:
+ cpu: 250m
+ memory: 512Mi
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ storage:
+ type: provisioned
+ size: 1Gi
+ storageClass: standard
+tests:
+ install: true
+ runTestScenarios: basic
diff --git a/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml b/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml
new file mode 100644
index 00000000..47b04b26
--- /dev/null
+++ b/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml
@@ -0,0 +1,44 @@
+global:
+ cloudIntegrationEnabled: false
+name: rabbitmq-service
+rabbitmqPrometheusMonitoring: false
+rabbitmq:
+ fsGroup: 5000
+ runAsUser: 5000
+ hostpath_configuration: false
+ validate_state: false
+ clean_rabbitmq_pvs: false
+ auto_reboot: true
+ ingress:
+ enabled: true
+ host: rabbitmq.qubership.com
+ custom_params:
+ rabbitmq_vm_memory_high_watermark: 90%
+ rabbitmq_default_user: admin
+ rabbitmq_default_password: admin
+ resources:
+ requests:
+ cpu: 300m
+ memory: 300Mi
+ limits:
+ cpu: 600m
+ memory: 600Mi
+ storageclass: standard
+ storage: 750Mi
+ enabledPlugins:
+ - rabbitmq_prometheus
+ perQueueMetrics: true
+backupDaemon:
+ enabled: true
+ backupSchedule: "*/15 * * * *"
+ evictionPolicy: 1h/1d,7d/delete
+ storageClass: standard
+ securityContext:
+ fsGroup: 5000
+ runAsUser: 5000
+tests:
+ runTests: true
+ runTestsOnly: false
+ timeout: 300
+ tags: smokeORrabbitmq_images
+ waitTestResultOnJob: true
diff --git a/templates/zookeeper-service/zookeeper_install_hardening.yml b/templates/zookeeper-service/zookeeper_install_hardening.yml
new file mode 100644
index 00000000..0fd739a0
--- /dev/null
+++ b/templates/zookeeper-service/zookeeper_install_hardening.yml
@@ -0,0 +1,46 @@
+global:
+ name: zookeeper
+ secrets:
+ zooKeeper:
+ adminUsername: zadmin
+ adminPassword: zadmin
+ clientUsername: zclient
+ clientPassword: zclient
+ backupDaemon:
+ username: admin
+ password: admin
+operator:
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+zooKeeper:
+ replicas: 3
+ storage:
+ className:
+ - standard
+ size: 1Gi
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+monitoring:
+ install: false
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 1000
+backupDaemon:
+ install: true
+ backupStorage:
+ persistentVolumeType: standalone
+ storageClass: standard
+ volumeSize: 1Gi
+ securityContext:
+ runAsUser: 1000
+ fsGroup: 1000
+integrationTests:
+ install: true
+ tags: zookeeperNOTzookeeper_backup_daemon
+ timeout: 600
+ pvType: standalone
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
diff --git a/workflow-config/consul_hardening.yaml b/workflow-config/consul_hardening.yaml
new file mode 100644
index 00000000..e0e224d5
--- /dev/null
+++ b/workflow-config/consul_hardening.yaml
@@ -0,0 +1,7 @@
+jobs:
+ - name: Clean [${service_branch}] hardening
+ install_version: ${service_branch}
+ template: templates/consul-service/consul_clean_all_on_sc_hardening.yml
+ sequence: install
+ restricted: true
+ artifact_name: Clean_CURRENT_Hardening
diff --git a/workflow-config/monitoring_hardening.yaml b/workflow-config/monitoring_hardening.yaml
new file mode 100644
index 00000000..443d24de
--- /dev/null
+++ b/workflow-config/monitoring_hardening.yaml
@@ -0,0 +1,9 @@
+jobs:
+ ## Upgrade from previous releases to current
+ - name: Clean [${service_branch}] hardening
+ install_version: ${service_branch}
+ template: templates/monitoring/monitoring_hardening.yml
+ sequence: install
+ check_tests: true
+ restricted: false
+ artifact_name: Clean_${service_branch}_Hardening
diff --git a/workflow-config/opensearch_hardening.yaml b/workflow-config/opensearch_hardening.yaml
new file mode 100644
index 00000000..ec31e589
--- /dev/null
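Review bot: `monitoring_hardening.yaml` sets `restricted: false` and `artifact_name: Clean_${service_branch}_Hardening`, while the consul, opensearch, pgskipper, rabbitmq and zookeeper hardening configs in this patch all use `restricted: true` and `artifact_name: Clean_CURRENT_Hardening`; if monitoring genuinely needs the unrestricted mode (its template installs cluster-level `kubernetesMonitors`, which may be the reason), a comment on that line such as `# unrestricted: monitoring installs cluster-scoped service monitors` would record it, otherwise align it with the other services. `check_tests: true` likewise appears only in the monitoring job; confirm it is intended for the hardening run rather than carried over from another config.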
+++ b/workflow-config/opensearch_hardening.yaml
@@ -0,0 +1,7 @@
+jobs:
+ - name: Clean [${service_branch}] hardening
+ install_version: ${service_branch}
+ template: templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+ sequence: install
+ restricted: true
+ artifact_name: Clean_CURRENT_Hardening
diff --git a/workflow-config/pgskipper_hardening.yaml b/workflow-config/pgskipper_hardening.yaml
new file mode 100644
index 00000000..3dee286a
--- /dev/null
+++ b/workflow-config/pgskipper_hardening.yaml
@@ -0,0 +1,9 @@
+jobs:
+ - name: Clean [${service_branch}] hardening
+ install_version: ${service_branch}
+ core_template: templates/pgskipper/patroni-core-hardening.yaml
+ services_template: templates/pgskipper/patroni-services-hardening.yaml
+ sequence: install
+ restricted: true
+ tls: false
+ artifact_name: Clean_CURRENT_Hardening
diff --git a/workflow-config/rabbitmq _hardening.yaml b/workflow-config/rabbitmq _hardening.yaml
new file mode 100644
index 00000000..497bae08
--- /dev/null
+++ b/workflow-config/rabbitmq _hardening.yaml
@@ -0,0 +1,7 @@
+jobs:
+ - name: Clean [${service_branch}] hardening
+ install_version: ${service_branch}
+ template: templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml
+ sequence: install
+ restricted: true
+ artifact_name: Clean_CURRENT_Hardening
diff --git a/workflow-config/zookeeper_hardening.yaml b/workflow-config/zookeeper_hardening.yaml
new file mode 100644
index 00000000..2e041586
--- /dev/null
+++ b/workflow-config/zookeeper_hardening.yaml
@@ -0,0 +1,7 @@
+jobs:
+ - name: Clean [${service_branch}] hardening
+ install_version: ${service_branch}
+ template: templates/zookeeper-service/zookeeper_install_hardening.yml
+ sequence: install
+ restricted: true
+ artifact_name: Clean_CURRENT_Hardening
From 666b7a09298ac58a468fd9725847386280149a7d Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev Date: Thu, 30 Apr 2026 09:54:16 +0300 Subject: [PATCH 02/22] chore: enable Trivy scan in OpenSearch workflow
--- .github/workflows/opensearch.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/opensearch.yaml b/.github/workflows/opensearch.yaml
index e7983551..22ca1ba4 100644
--- a/.github/workflows/opensearch.yaml
+++ b/.github/workflows/opensearch.yaml
@@ -360,7 +360,7 @@ jobs:
 namespaces: opensearch
 output-file: opensearch-hardening-scan.json
 install-kubescape: true
- execute-trivy-scan: false
+ execute-trivy-scan: true
 fail-on-mandatory-checks: true
 config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml
From cb5e7bf5aadb1f6c87d4c057112c6e1ad152064f Mon Sep 17 00:00:00 2001 From: Boris Lavrishchev Date: Fri, 8 May 2026 10:39:39 +0300 Subject: [PATCH 03/22] fix: typo in file name and zookeeper.yaml workflow
--- .github/workflows/zookeeper.yaml | 2 +- .../{rabbitmq _hardening.yaml => rabbitmq_hardening.yaml} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename workflow-config/{rabbitmq _hardening.yaml => rabbitmq_hardening.yaml} (100%)
diff --git a/.github/workflows/zookeeper.yaml b/.github/workflows/zookeeper.yaml
index 6e24345e..724f0f1b 100644
--- a/.github/workflows/zookeeper.yaml
+++ b/.github/workflows/zookeeper.yaml
@@ -561,7 +561,7 @@ jobs:
 final-status-check:
 if: ${{ always() }}
 runs-on: ubuntu-latest
- needs: [Zookeeper-Test-Cases, Clean-Latest-TLS,Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets]
+ needs: [Zookeeper-Test-Cases, Clean-Latest-TLS, Clean-Latest-TLS-Certificates, Clean-Latest-TLS-Secrets]
 steps:
 - name: Checkout pipeline
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.1.0
diff --git a/workflow-config/rabbitmq _hardening.yaml b/workflow-config/rabbitmq_hardening.yaml
similarity index 100%
rename from workflow-config/rabbitmq _hardening.yaml
rename to workflow-config/rabbitmq_hardening.yaml
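Review bot: Flipping `execute-trivy-scan: true` only in opensearch.yaml leaves the identical `Hardening Check` steps in consul.yaml, pgskipper.yaml, rabbitmq.yaml and zookeeper.yaml at `false`; if the Trivy image scan is meant to be part of the hardening gate for every service, apply the same change there, otherwise a comment on this line such as `# Trivy enabled for opensearch first; other services follow once scan time is acceptable` would record why this service is the exception. With `fail-on-mandatory-checks: true` already set on the step, confirm that enabling Trivy does not turn image findings into a hard failure before the opensearch images have been reviewed against it.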
From def973c911fd0c4dd2b04cd1f55705d882d559c3 Mon Sep 17 00:00:00 2001 From: Boris Lavrishchev Date: Fri, 8 May 2026 16:07:00 +0300 Subject: [PATCH 04/22] chore: bump k8s-hardening-scan action from v2.2.1 to v2.2.2
--- .github/workflows/consul.yaml | 2 +- .github/workflows/opensearch.yaml | 2 +- .github/workflows/pgskipper.yaml | 2 +- .github/workflows/rabbitmq.yaml | 2 +- .github/workflows/zookeeper.yaml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/consul.yaml b/.github/workflows/consul.yaml
index 53fa361d..d432d698 100644
--- a/.github/workflows/consul.yaml
+++ b/.github/workflows/consul.yaml
@@ -352,7 +352,7 @@ jobs:
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
 with:
 namespaces: consul
 output-file: consul-hardening-scan.json
diff --git a/.github/workflows/opensearch.yaml b/.github/workflows/opensearch.yaml
index 22ca1ba4..2c58f1d6 100644
--- a/.github/workflows/opensearch.yaml
+++ b/.github/workflows/opensearch.yaml
@@ -355,7 +355,7 @@ jobs:
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
 with:
 namespaces: opensearch
 output-file: opensearch-hardening-scan.json
diff --git a/.github/workflows/pgskipper.yaml b/.github/workflows/pgskipper.yaml
index 30dc4bb3..94a59df8 100644
--- a/.github/workflows/pgskipper.yaml
+++ b/.github/workflows/pgskipper.yaml
@@ -367,7 +367,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
 with:
 namespaces: pgskipper
 output-file: pgskipper-hardening-scan.json
diff --git a/.github/workflows/rabbitmq.yaml b/.github/workflows/rabbitmq.yaml
index 2f91640c..86965d10 100644
--- a/.github/workflows/rabbitmq.yaml
+++ b/.github/workflows/rabbitmq.yaml
@@ -312,7 +312,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
 with:
 namespaces: rabbitmq
 output-file: rabbitmq-hardening-scan.json
diff --git a/.github/workflows/zookeeper.yaml b/.github/workflows/zookeeper.yaml
index 724f0f1b..26be4f60 100644
--- a/.github/workflows/zookeeper.yaml
+++ b/.github/workflows/zookeeper.yaml
@@ -296,7 +296,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@e64a1ee2fc2f68ab44a4ef416c27d83ce36ba8e1 # v2.2.1
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
 with:
 namespaces: zookeeper
 output-file: zookeeper-hardening-scan.json
From 0d36a4f968b77d588ab98abf6263ddca26a9d22d Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Tue, 12 May 2026 10:46:31 +0300
Subject: [PATCH 05/22] chore: remove upgrade comment from monitoring_hardening.yaml Removed upgrade comment from monitoring hardening job.
---
 workflow-config/monitoring_hardening.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/workflow-config/monitoring_hardening.yaml b/workflow-config/monitoring_hardening.yaml
index 443d24de..9a4b1d26 100644
--- a/workflow-config/monitoring_hardening.yaml
+++ b/workflow-config/monitoring_hardening.yaml
@@ -1,5 +1,4 @@
 jobs:
- ## Upgrade from previous releases to current
 - name: Clean [${service_branch}] hardening
 install_version: ${service_branch}
 template: templates/monitoring/monitoring_hardening.yml
From 9f43a616e56adb8b1d75a5e7caf10b845abcbbc3 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Wed, 13 May 2026 16:38:46 +0300
Subject: [PATCH 06/22] chore: consul & opensearch hardening templates adjustment
---
 .../consul_clean_all_on_sc_hardening.yml | 10 ++++++++--
 .../opensearch_clean_all_on_sc_hardening.yml | 6 +++---
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/templates/consul-service/consul_clean_all_on_sc_hardening.yml b/templates/consul-service/consul_clean_all_on_sc_hardening.yml
index 9907038d..e4433d02 100644
--- a/templates/consul-service/consul_clean_all_on_sc_hardening.yml
+++ b/templates/consul-service/consul_clean_all_on_sc_hardening.yml
@@ -2,7 +2,13 @@ global:
 restrictedEnvironment: true
 enablePodSecurityPolicies: false
 enabled: true
-server:
+ disasterRecovery:
+ mode: active
+ region: one
+ httpAuth:
+ enabled: false
+ smNamespace: site-manager
+ smServiceAccountName: sm-auth-saserver:
 replicas: 3
 bootstrapExpect: 3
 storage: 1Gi
@@ -42,7 +48,7 @@ backupDaemon:
 evictionPolicy: 1h/1d,7d/delete
 integrationTests:
 enabled: true
- tags: backupORcrudORconsul_images
+ tags: crud
 statusProvisioner:
 lifetimeAfterCompletion: 120
 integrationTestsTimeout: 600
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index 2fec08a7..2a219843 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
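Review bot: The `httpAuth: enabled: false` added under `disasterRecovery` in the `@@ -2,7 +2,13 @@` hunk of consul_clean_all_on_sc_hardening.yml switches site-manager authentication off in a template whose only purpose is a hardening scan, and nothing in the hunk or the subject says whether that is deliberate. If the scan is meant to approximate a production-like posture, disabled auth weakens what it measures; if it is a convenience for the test environment, record that next to the key so it is not copied elsewhere, e.g. `# httpAuth intentionally disabled for the hardening-scan environment — TODO: record why`. The same hunk also fuses `server:` onto the end of the `smServiceAccountName: sm-auth-sa` line, which PATCH 07 and PATCH 08 later repair; squashing those fix-ups into this commit would keep every step of the series a valid values file.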
@@ -50,7 +50,7 @@ opensearch:
 hosts:
 - opensearch-opensearch-service.qubership.com
 dbaasAdapter:
- enabled: false
+ enabled: true
 dbaasAggregatorPhysicalDatabaseIdentifier: opensearch
 opensearchRepo: snapshots
 opensearchRepoRoot: /usr/share/opensearch/
@@ -62,7 +62,7 @@ dbaasAdapter:
 runAsUser: 1000
 fsGroup: 1000
 monitoring:
- enabled: false
+ enabled: true
 includeIndices: true
 slowQueries:
 enabled: true
@@ -86,7 +86,7 @@ curator:
 fsGroup: 1000
 integrationTests:
 enabled: true
- tags: smokeORhaORopensearch_images
+ tags: smoke
 secret:
 idp:
 username: ""
From 57a06be3fae4d1adb6d367903b555a27f2145114 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 09:50:34 +0300
Subject: [PATCH 07/22] chore: fix smServiceAccountName formatting in YAML
---
 templates/consul-service/consul_clean_all_on_sc_hardening.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/templates/consul-service/consul_clean_all_on_sc_hardening.yml b/templates/consul-service/consul_clean_all_on_sc_hardening.yml
index e4433d02..e5cc7299 100644
--- a/templates/consul-service/consul_clean_all_on_sc_hardening.yml
+++ b/templates/consul-service/consul_clean_all_on_sc_hardening.yml
@@ -8,7 +8,7 @@ global:
 httpAuth:
 enabled: false
 smNamespace: site-manager
- smServiceAccountName: sm-auth-saserver:
+ smServiceAccountName: sm-auth-saserver
 replicas: 3
 bootstrapExpect: 3
 storage: 1Gi
From 68d0a5d1b44c6a3177e77490f848ff241ee37f95 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 10:06:34 +0300
Subject: [PATCH 08/22] chore: update service account name in Consul configuration
---
 templates/consul-service/consul_clean_all_on_sc_hardening.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/consul-service/consul_clean_all_on_sc_hardening.yml b/templates/consul-service/consul_clean_all_on_sc_hardening.yml
index e5cc7299..76501b2d 100644
--- a/templates/consul-service/consul_clean_all_on_sc_hardening.yml
+++ b/templates/consul-service/consul_clean_all_on_sc_hardening.yml
@@ -2,13 +2,14 @@ global:
 restrictedEnvironment: true
 enablePodSecurityPolicies: false
 enabled: true
+server:
 disasterRecovery:
 mode: active
 region: one
 httpAuth:
 enabled: false
 smNamespace: site-manager
- smServiceAccountName: sm-auth-saserver
+ smServiceAccountName: sm-auth-sa
 replicas: 3
 bootstrapExpect: 3
 storage: 1Gi
From 6f008cbb8d5ff4a063f3e4448c8ac8f3306c64b2 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 11:42:12 +0300
Subject: [PATCH 09/22] chore: update k8s hardening scan action version
---
 .github/workflows/consul.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/consul.yaml b/.github/workflows/consul.yaml
index d432d698..4c2a338d 100644
--- a/.github/workflows/consul.yaml
+++ b/.github/workflows/consul.yaml
@@ -352,7 +352,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@feature/k8s-hardening-scan-action-improvement
 with:
 namespaces: consul
 output-file: consul-hardening-scan.json
From 36b8600ff32bed9f56720af0d9fd2f5547dc4a82 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 13:50:46 +0300
Subject: [PATCH 10/22] chore: update k8s-hardening-scan action to improved version
---
 .github/workflows/opensearch.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/opensearch.yaml b/.github/workflows/opensearch.yaml
index 2c58f1d6..0a6acf66 100644
--- a/.github/workflows/opensearch.yaml
+++ b/.github/workflows/opensearch.yaml
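Review bot: The `uses:` line in the consul.yaml hunk replaces the commit-pinned `k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2` with the mutable ref `@feature/k8s-hardening-scan-action-improvement`, so the workflow executes whatever that branch resolves to at run time rather than a reviewed revision; PATCH 10 (opensearch.yaml) and PATCH 18 (the new monitoring.yaml step) do the same, and PATCH 20 moves all three to `@main`, which is just as mutable. Every other action in these workflows is pinned to a full SHA with a version comment (`actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v5.1.0`), and the hardening step should keep that convention even while it tracks unreleased code: `uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@<full-commit-sha-of-branch-head> # feature/k8s-hardening-scan-action-improvement`, returning to a tagged release SHA once the improvement ships. Without the pin, a push to that branch silently changes what `fail-on-mandatory-checks: true` enforces across every service workflow in this series, and the run is no longer reproducible from the workflow file alone.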
@@ -355,7 +355,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@6a2de8d62ac5b6998e30f923613c998c263ea9f2 # v2.2.2
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@feature/k8s-hardening-scan-action-improvement
 with:
 namespaces: opensearch
 output-file: opensearch-hardening-scan.json
From d504bb56c968fc7a2a11c370e603eb0e9d276b29 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 14:17:57 +0300
Subject: [PATCH 11/22] feat: enable monitoring in OpenSearch hardening workflow
---
 workflow-config/opensearch_hardening.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/workflow-config/opensearch_hardening.yaml b/workflow-config/opensearch_hardening.yaml
index ec31e589..42be81e3 100644
--- a/workflow-config/opensearch_hardening.yaml
+++ b/workflow-config/opensearch_hardening.yaml
@@ -5,3 +5,4 @@ jobs:
 sequence: install
 restricted: true
 artifact_name: Clean_CURRENT_Hardening
+ monitoring: true
From 4834920b91aab726f8b444a582c1103c0758275b Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 14:34:55 +0300
Subject: [PATCH 12/22] chore: disabled monitoring for opensearch
---
 workflow-config/opensearch_hardening.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/workflow-config/opensearch_hardening.yaml b/workflow-config/opensearch_hardening.yaml
index 42be81e3..a3dfb6a9 100644
--- a/workflow-config/opensearch_hardening.yaml
+++ b/workflow-config/opensearch_hardening.yaml
@@ -5,4 +5,4 @@ jobs:
 sequence: install
 restricted: true
 artifact_name: Clean_CURRENT_Hardening
- monitoring: true
+ monitoring: false
From d475eb06367bf4cc909306ade0fdf769dac322e8 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 14:39:21 +0300
Subject: [PATCH 13/22] chore: disabled monitoring for opensearch
---
 .../opensearch_clean_all_on_sc_hardening.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index 2a219843..d3d48af0 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -62,12 +62,12 @@ dbaasAdapter:
 runAsUser: 1000
 fsGroup: 1000
 monitoring:
- enabled: true
+ enabled: false
 includeIndices: true
 slowQueries:
 enabled: true
 dashboards:
- enabled: true
+ enabled: false
 ingress:
 enabled: true
 hosts:
@@ -75,7 +75,7 @@ dashboards:
 paths:
 - path: /
 curator:
- enabled: false
+ enabled: true
 backupSchedule: 0 * * * *
 evictionPolicy: 0/1d,7d/delete
 username: backup
From 5759c5e73aaff32e78d83a583b862e1458eb1151 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 14:56:03 +0300
Subject: [PATCH 14/22] feat: added disasterRecovery into opensearch
---
 .../opensearch-service/opensearch_clean_all_on_sc_hardening.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index d3d48af0..de63d79d 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -6,6 +6,8 @@ global:
 certProvider: cert-manager
 clusterIssuerName: dev-clusterissuer
 restrictedEnvironment: true
+ disasterRecovery:
+ mode: "active"
 opensearch:
 tls:
 enabled: false
From 56c6e04b2fb8e2a9ae894d540ce96007cca5aa1e Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 15:01:12 +0300
Subject: [PATCH 15/22] feat: added tls mode for opensearch
---
 .../opensearch-service/opensearch_clean_all_on_sc_hardening.yml | 2 +-
 workflow-config/opensearch_hardening.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
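Review bot: The `@@ -75,7 +75,7 @@` hunk of PATCH 13 flips `curator.enabled` from false to true, which the subject "disabled monitoring for opensearch" does not cover and which is unrelated to the `monitoring`/`dashboards` toggles in the `@@ -62,12 +62,12 @@` hunk. Either split it into its own commit or extend the message to say why the curator is needed for the hardening run. Since the rendered values are exactly what the hardening scan measures, an unexplained extra component quietly changes the scanned footprint; a one-line comment above the key, e.g. `# curator enabled so the backup path is included in the hardening scan — TODO confirm`, would make the intent reviewable.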
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index de63d79d..634af35b 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -1,7 +1,7 @@
 global:
 cloudIntegrationEnabled: false
 tls:
- enabled: false
+ enabled: true
 generateCerts:
 certProvider: cert-manager
 clusterIssuerName: dev-clusterissuer
diff --git a/workflow-config/opensearch_hardening.yaml b/workflow-config/opensearch_hardening.yaml
index a3dfb6a9..11585fba 100644
--- a/workflow-config/opensearch_hardening.yaml
+++ b/workflow-config/opensearch_hardening.yaml
@@ -6,3 +6,4 @@ jobs:
 restricted: true
 artifact_name: Clean_CURRENT_Hardening
 monitoring: false
+ tls: true
From 0cd7785a6328235f85f10fea29082b3e3c919950 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Thu, 14 May 2026 15:09:18 +0300
Subject: [PATCH 16/22] feat: opensearch disasterRecovery: mode: "active" siteManagerEnabled: false
---
 .../opensearch-service/opensearch_clean_all_on_sc_hardening.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index 634af35b..2377ab73 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -8,6 +8,7 @@ global:
 restrictedEnvironment: true
 disasterRecovery:
 mode: "active"
+ siteManagerEnabled: false
 opensearch:
 tls:
 enabled: false
From 96b9e17ad5284000dcf2af8cbeb8403b084c2bea Mon Sep 17 00:00:00 2001
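Review bot: `global.tls.enabled` is switched to true in the `@@ -1,7 +1,7 @@` hunk of PATCH 15, but the component-level `opensearch: tls: enabled: false` that appears as context in the `@@ -8,6 +8,7 @@` hunk of PATCH 16 is left unchanged. Whether the component flag overrides the global one cannot be told from these hunks; if it does, the hardening scan still runs against a non-TLS OpenSearch while workflow-config/opensearch_hardening.yaml now advertises `tls: true`. Confirm the precedence and either flip `opensearch.tls.enabled` as well or annotate why it stays off, e.g. `# opensearch.tls.enabled left false: global.tls applies — TODO confirm precedence`.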
From: Boris Lavrishchev
Date: Thu, 14 May 2026 15:40:17 +0300
Subject: [PATCH 17/22] feat: opensearch ``` tls: enabled: true generateCerts: enabled: true certProvider: helm ```
---
 .../opensearch_clean_all_on_sc_hardening.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index 2377ab73..20848c6d 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -3,8 +3,9 @@ global:
 tls:
 enabled: true
 generateCerts:
- certProvider: cert-manager
- clusterIssuerName: dev-clusterissuer
+ enabled: true
+ certProvider: helm
+ # clusterIssuerName: dev-clusterissuer
 restrictedEnvironment: true
 disasterRecovery:
 mode: "active"
From ed102a1a6fa07a7d1aab17829b0fc5fce3830a30 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Mon, 18 May 2026 15:54:49 +0300
Subject: [PATCH 18/22] feat: add hardening check to monitoring workflow Added a hardening check step to the monitoring workflow.
---
 .github/workflows/monitoring.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/.github/workflows/monitoring.yaml b/.github/workflows/monitoring.yaml
index 8e5515f7..b35af4dd 100644
--- a/.github/workflows/monitoring.yaml
+++ b/.github/workflows/monitoring.yaml
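Review bot: The added `# clusterIssuerName: dev-clusterissuer` in the `@@ -3,8 +3,9 @@` hunk is commented-out configuration left in the template, and neither the hunk nor the subject explains the move from `certProvider: cert-manager` to `certProvider: helm`. Replace the dead key with a why-comment so the next reader does not re-enable it by reflex, e.g. `# certProvider: helm — TODO: state why the cert-manager issuer (dev-clusterissuer) is not used for the hardening run`. If `helm` here means chart-generated certificates (not verifiable from the hunk), the scan now exercises a different trust path than the cert-manager one the template previously declared, which is worth stating in the commit message.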
@@ -230,6 +230,17 @@ jobs:
 if: matrix.test.sequence == 'upgrade'
 run: sleep 2m
 
+ - name: Hardening Check
+ if: inputs.scope == 'hardening'
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@feature/k8s-hardening-scan-action-improvement
+ with:
+ namespaces: monitoring
+ output-file: monitoring-hardening-scan.json
+ install-kubescape: true
+ execute-trivy-scan: true
+ fail-on-mandatory-checks: true
+ config-file: ${{ inputs.repository_name }}/.github/hardening-config.yaml
+
 - name: Get Upgraded Monitoring CR name
 if: matrix.test.sequence == 'upgrade'
 uses: ./qubership-test-pipelines/actions/shared/get_crds
From cbb5b40ad99cefefde9b548aa9b49d2e39aa24f5 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Tue, 19 May 2026 13:32:19 +0300
Subject: [PATCH 19/22] chore: switched on monitoring installation for zookeeper in hardening check workflow
---
 templates/zookeeper-service/zookeeper_install_hardening.yml | 2 +-
 workflow-config/zookeeper_hardening.yaml | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/zookeeper-service/zookeeper_install_hardening.yml b/templates/zookeeper-service/zookeeper_install_hardening.yml
index 0fd739a0..67d85309 100644
--- a/templates/zookeeper-service/zookeeper_install_hardening.yml
+++ b/templates/zookeeper-service/zookeeper_install_hardening.yml
@@ -23,7 +23,7 @@ zooKeeper:
 fsGroup: 1000
 runAsUser: 1000
 monitoring:
- install: false
+ install: true
 securityContext:
 runAsUser: 1000
 fsGroup: 1000
diff --git a/workflow-config/zookeeper_hardening.yaml b/workflow-config/zookeeper_hardening.yaml
index 2e041586..1c23a59f 100644
--- a/workflow-config/zookeeper_hardening.yaml
+++ b/workflow-config/zookeeper_hardening.yaml
@@ -5,3 +5,4 @@ jobs:
 sequence: install
 restricted: true
 artifact_name: Clean_CURRENT_Hardening
+ monitoring: true
From 065c5fc3970fc02a1b00a1be29ed9e294f5f60e8 Mon Sep 17 00:00:00 2001
From: borislavr
Date: Thu, 21 May 2026 09:12:29 +0300
Subject: [PATCH 20/22] feat: update hardening check action to use main branch in workflows
---
 .github/workflows/consul.yaml | 2 +-
 .github/workflows/monitoring.yaml | 2 +-
 .github/workflows/opensearch.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/consul.yaml b/.github/workflows/consul.yaml
index 4c2a338d..35c1aa3a 100644
--- a/.github/workflows/consul.yaml
+++ b/.github/workflows/consul.yaml
@@ -352,7 +352,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@feature/k8s-hardening-scan-action-improvement
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main
 with:
 namespaces: consul
 output-file: consul-hardening-scan.json
diff --git a/.github/workflows/monitoring.yaml b/.github/workflows/monitoring.yaml
index b35af4dd..e04dff8d 100644
--- a/.github/workflows/monitoring.yaml
+++ b/.github/workflows/monitoring.yaml
@@ -232,7 +232,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@feature/k8s-hardening-scan-action-improvement
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main
 with:
 namespaces: monitoring
 output-file: monitoring-hardening-scan.json
diff --git a/.github/workflows/opensearch.yaml b/.github/workflows/opensearch.yaml
index 0a6acf66..e3a8a680 100644
--- a/.github/workflows/opensearch.yaml
+++ b/.github/workflows/opensearch.yaml
@@ -355,7 +355,7 @@ jobs:
 
 - name: Hardening Check
 if: inputs.scope == 'hardening'
- uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@feature/k8s-hardening-scan-action-improvement
+ uses: netcracker/qubership-workflow-hub/actions/k8s-hardening-scan@main
 with:
 namespaces: opensearch
 output-file: opensearch-hardening-scan.json
From 4fe453ccb7d788245206fd6c7abc8832c78c4619 Mon Sep 17 00:00:00 2001
From: borislavr
Date: Thu, 21 May 2026 09:20:11 +0300
Subject: [PATCH 21/22] fix: update test tags to use 'smoke' for consistency in monitoring and rabbitmq hardening configurations
---
 templates/monitoring/monitoring_hardening.yml | 2 +-
 templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/templates/monitoring/monitoring_hardening.yml b/templates/monitoring/monitoring_hardening.yml
index feaf235f..1932b479 100644
--- a/templates/monitoring/monitoring_hardening.yml
+++ b/templates/monitoring/monitoring_hardening.yml
@@ -4,7 +4,7 @@ grafana:
 install: true
 integrationTests:
 install: true
- tags: grafanaORsmoke
+ tags: smoke
 timeoutBeforeStart: 60
 statusWriting:
 enabled: false
diff --git a/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml b/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml
index 47b04b26..213e9c34 100644
--- a/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml
+++ b/templates/rabbitmq-service/rabbitmq_clean_sc_hardening.yml
@@ -40,5 +40,5 @@ tests:
 runTests: true
 runTestsOnly: false
 timeout: 300
- tags: smokeORrabbitmq_images
+ tags: smoke
 waitTestResultOnJob: true
From 327d58157fbb32653421626916f959a0e9f8d411 Mon Sep 17 00:00:00 2001
From: Boris Lavrishchev
Date: Fri, 22 May 2026 12:39:06 +0300
Subject: [PATCH 22/22] chore: update opensearch_clean_all_on_sc_hardening.yml
---
 .../opensearch-service/opensearch_clean_all_on_sc_hardening.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
index 20848c6d..09ba7970 100644
--- a/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
+++ b/templates/opensearch-service/opensearch_clean_all_on_sc_hardening.yml
@@ -100,3 +100,4 @@ statusProvisioner:
 lifetimeAfterCompletion: 30
 integrationTestsTimeout: 900
 podReadinessTimeout: 900
+PAAS_PLATFORM: "KUBERNETES"
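Review bot: `PAAS_PLATFORM: "KUBERNETES"` is appended as a top-level SCREAMING_CASE key to a values file whose other keys are camelCase (`statusProvisioner`, `podReadinessTimeout`), and neither the hunk nor the subject "update opensearch_clean_all_on_sc_hardening.yml" says what consumes it. If the name is dictated by the consumer, a comment above the key should say so, e.g. `# PAAS_PLATFORM: key name fixed by the consumer — TODO: name the chart/template that reads it`; otherwise align it with the file's naming convention. A commit message naming the consumer would also let a reviewer check that the value is read at all rather than silently ignored by the chart.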