feat(k8s): add k8s-health-check reusable workflow

[chrisamti]

Summary

• Adds a new reusable workflow k8s-health-check.yaml that validates key cluster components are healthy after a Terraform apply
• Intended to gate prod deploys on dev health, sitting between tf-apply (dev) and tf-apply (prod)
• Checks performed:
  • Karpenter rollout status
  • Datadog operator + cluster-agent + node-agent rollout status
  • DatadogAgent CRD status conditions — directly checks for Error/Degraded conditions on the custom resource (catches immutable field errors, reconciliation failures, etc.)
  • Datadog operator logs — scans for ERROR level entries from the last 3 minutes
  • Lacework rollout status (skipped gracefully if not deployed)

Usage

apply-dev:
  uses: DND-IT/github-workflows/.github/workflows/tf-apply.yaml@v3
  with:
    environment: platform-dev

health-check-dev:
  needs: apply-dev
  uses: DND-IT/github-workflows/.github/workflows/k8s-health-check.yaml@v3
  with:
    environment: platform-dev

apply-prod:
  needs: health-check-dev
  uses: DND-IT/github-workflows/.github/workflows/tf-apply.yaml@v3
  with:
    environment: platform-prod

Testing

No integration test is included in this repo. This workflow is an integration test by nature — it runs kubectl rollout status and inspects live CRD status against real cluster resources. The sandbox account has no EKS cluster with the required components (Karpenter, Datadog), so it cannot be tested here.

The workflow is tested end-to-end via the disco-infra-terraform pipeline (see companion PR), which has access to the real platform-dev cluster.

Test plan

• Verify workflow runs correctly via the disco-infra-terraform PR pipeline against platform-dev

[swibrow]

@codex[agent] Please review

[Codex]

@swibrow I've opened a new pull request, #107, to work on those changes. Once the pull request is ready, I'll request review from you.