Set berserker config via url#95
Conversation
…ad-in-long-running-clusters
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe changes add configurable Berserker repository inputs, update kube-burner indexing and secret handling, shorten long-running cluster lifespan, and provision secured-cluster namespaces, image pull secrets, sensor settings, and collector environment variables. ChangesBerserker and secured cluster runtime
Estimated code review effort: 3 (Moderate) | ~25 minutes 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
| BERSERKER_CONFIGMAP_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-configs.yml" | ||
| BERSERKER_DAEMONSET_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-loads.yml" | ||
| BERSERKER_SERVICE_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/service.yml" |
There was a problem hiding this comment.
How does this work? Does Berserker pull this data automatically during start up?
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 483-489: Add persist-credentials: false to the with block of the
actions/checkout@v4 step checking out the berserker config repository, ensuring
the checkout does not persist GITHUB_TOKEN credentials for downstream steps.
- Around line 34-41: Update the default values for berserker-config-repo and
berserker-config-ref in the workflow inputs so they reference a stable
organization-controlled repository and immutable or stable ref, not a personal
fork or branch; preserve caller overrides and ensure both checkout and
raw-template retrieval use the corrected defaults.
In `@release/start-secured-cluster/start-secured-cluster.sh`:
- Around line 22-39: Replace the three `kubectl create secret docker-registry`
commands in `start-secured-cluster.sh` with an idempotent create-or-update
approach, such as generating the secret manifest with `--dry-run=client -o yaml`
and piping it to `kubectl apply -f -`; remove the unconditional `|| true` so
genuine failures remain visible while repeated runs update rotated credentials.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: ea0905f2-8590-4a98-bd48-019bd748fb2c
📒 Files selected for processing (5)
.github/workflows/create-demo-clusters.ymlrelease/start-kube-burner/kube-burner.yamlrelease/start-kube-burner/start-kube-burner.shrelease/start-secured-cluster/action.ymlrelease/start-secured-cluster/start-secured-cluster.sh
| berserker-config-repo: | ||
| description: The repository where the berserker kube-burner config files can be found | ||
| type: string | ||
| default: JoukoVirtanen/kube-burner-ocp | ||
| berserker-config-ref: | ||
| description: Ref of where the berserker kube-burner config files can be found | ||
| type: string | ||
| default: jv-add-berserker-workload-2 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow file and nearby usage of the inputs
git ls-files .github/workflows/create-demo-clusters.yml
echo '---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '1,220p'
echo '--- SEARCH ---'
rg -n "berserker-config-(repo|ref)|kube-burner-ocp|JoukoVirtanen|stackrox/kube-burner-ocp|jv-add-berserker-workload-2" .github/workflows . -g '!**/node_modules/**'Repository: stackrox/actions
Length of output: 11515
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the Berserker-related job and any callers of this workflow
echo '--- BERSERKER SECTION ---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '450,540p'
echo '--- WORKFLOW CALLERS / REFERENCES ---'
rg -n "create-demo-clusters\.yml|berserker-config-repo|berserker-config-ref|workflow_call" .github/workflows . -g '!**/node_modules/**'
echo '--- REPOSITORY FILES THAT MAY DOCUMENT THIS WORKFLOW ---'
git ls-files | rg '(^|/)(README\.md|docs/|\.github/workflows/.*\.yml)$'Repository: stackrox/actions
Length of output: 6866
Default Berserker inputs should not point to a personal fork/branch. This reusable workflow checks out inputs.berserker-config-repo and pulls raw templates from inputs.berserker-config-ref, so any caller that omits overrides will use JoukoVirtanen/kube-burner-ocp / jv-add-berserker-workload-2. That makes the shared path depend on a mutable user-owned branch; switch these defaults to a stable org-controlled source or an immutable pin.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/create-demo-clusters.yml around lines 34 - 41, Update the
default values for berserker-config-repo and berserker-config-ref in the
workflow inputs so they reference a stable organization-controlled repository
and immutable or stable ref, not a personal fork or branch; preserve caller
overrides and ensure both checkout and raw-template retrieval use the corrected
defaults.
| - name: Check out berserker config repository code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: ${{ inputs.berserker-config-repo }} | ||
| path: .berserker-config | ||
| ref: ${{ inputs.berserker-config-ref }} | ||
| # TODO(ROX-29223): Remove once old versions don't use the benchmark-operator |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Checkout missing persist-credentials: false.
Static analysis (zizmor) flags this checkout for credential persistence via GITHUB_TOKEN on disk (artipacked). Since artifacts/workspace can be exposed downstream, consider disabling credential persistence unless it's needed by a later step.
Suggested fix
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Check out berserker config repository code | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ inputs.berserker-config-repo }} | |
| path: .berserker-config | |
| ref: ${{ inputs.berserker-config-ref }} | |
| # TODO(ROX-29223): Remove once old versions don't use the benchmark-operator | |
| - name: Check out berserker config repository code | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ inputs.berserker-config-repo }} | |
| path: .berserker-config | |
| ref: ${{ inputs.berserker-config-ref }} | |
| persist-credentials: false | |
| # TODO(ROX-29223): Remove once old versions don't use the benchmark-operator |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 483-489: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/create-demo-clusters.yml around lines 483 - 489, Add
persist-credentials: false to the with block of the actions/checkout@v4 step
checking out the berserker config repository, ensuring the checkout does not
persist GITHUB_TOKEN credentials for downstream steps.
Source: Linters/SAST tools
| # Create namespace and image pull secrets BEFORE running sensor.sh | ||
| kubectl create namespace stackrox || true | ||
|
|
||
| kubectl -n stackrox create secret docker-registry stackrox \ | ||
| --docker-server=quay.io \ | ||
| --docker-username="${REGISTRY_USERNAME}" \ | ||
| --docker-password="${REGISTRY_PASSWORD}" || true | ||
|
|
||
| kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ | ||
| --docker-server=quay.io \ | ||
| --docker-username="${REGISTRY_USERNAME}" \ | ||
| --docker-password="${REGISTRY_PASSWORD}" || true | ||
|
|
||
| kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ | ||
| --docker-server=quay.io \ | ||
| --docker-username="${REGISTRY_USERNAME}" \ | ||
| --docker-password="${REGISTRY_PASSWORD}" || true | ||
|
|
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
create ... || true doesn't update existing secrets — stale credentials risk.
kubectl create secret docker-registry ... || true only ignores the "already exists" error; it does not update the secret if it already exists (e.g. on repeated runs against a reused namespace/cluster, or if REGISTRY_USERNAME/REGISTRY_PASSWORD rotate). This means image pull secrets can silently go stale and pods will start failing to pull images with no clear signal — the || true swallows the real error too. Use a create-or-update (apply) pattern instead.
Suggested fix
-kubectl create namespace stackrox || true
+kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -
-kubectl -n stackrox create secret docker-registry stackrox \
- --docker-server=quay.io \
- --docker-username="${REGISTRY_USERNAME}" \
- --docker-password="${REGISTRY_PASSWORD}" || true
+kubectl -n stackrox create secret docker-registry stackrox \
+ --docker-server=quay.io \
+ --docker-username="${REGISTRY_USERNAME}" \
+ --docker-password="${REGISTRY_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply -f -(repeat for the other two secrets)
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Create namespace and image pull secrets BEFORE running sensor.sh | |
| kubectl create namespace stackrox || true | |
| kubectl -n stackrox create secret docker-registry stackrox \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" || true | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" || true | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" || true | |
| # Create namespace and image pull secrets BEFORE running sensor.sh | |
| kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl -n stackrox create secret docker-registry stackrox \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" \ | |
| --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" \ | |
| --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" \ | |
| --dry-run=client -o yaml | kubectl apply -f - |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@release/start-secured-cluster/start-secured-cluster.sh` around lines 22 - 39,
Replace the three `kubectl create secret docker-registry` commands in
`start-secured-cluster.sh` with an idempotent create-or-update approach, such as
generating the secret manifest with `--dry-run=client -o yaml` and piping it to
`kubectl apply -f -`; remove the unconditional `|| true` so genuine failures
remain visible while repeated runs update rotated credentials.
No description provided.