Skip to content

Set berserker config via url#95

Open
JoukoVirtanen wants to merge 26 commits into
mainfrom
jv-set-berserker-config-via-url
Open

Set berserker config via url#95
JoukoVirtanen wants to merge 26 commits into
mainfrom
jv-set-berserker-config-via-url

Conversation

@JoukoVirtanen

Copy link
Copy Markdown
Contributor

No description provided.

@JoukoVirtanen JoukoVirtanen requested a review from a team as a code owner June 5, 2026 00:17
@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added configurable Berserker workload sources for demo cluster creation.
    • Improved secured-cluster setup with required namespaces and private registry access.
    • Added configurable fact collection and logging settings for cluster services.
  • Bug Fixes

    • Improved setup reliability when resources or optional templates already exist.
    • Updated load-generation tooling to support current indexing and metrics workflows.
  • Changes

    • Reduced the default lifespan of long-running demo clusters from seven days to six hours.

Walkthrough

The changes add configurable Berserker repository inputs, update kube-burner indexing and secret handling, shorten long-running cluster lifespan, and provision secured-cluster namespaces, image pull secrets, sensor settings, and collector environment variables.

Changes

Berserker and secured cluster runtime

Layer / File(s) Summary
Berserker workflow wiring
.github/workflows/create-demo-clusters.yml
Adds Berserker repository inputs, checks out the selected configuration, changes the cluster lifespan to 6h, and passes updated configuration paths and template URLs to kube-burner.
kube-burner runtime and secret configuration
release/start-kube-burner/kube-burner.yaml, release/start-kube-burner/start-kube-burner.sh
Updates the kube-burner image and indexing arguments, conditionally generates the Docker secret, and adds Berserker template values to kube-burner-secret.
Secured-cluster provisioning
release/start-secured-cluster/action.yml, release/start-secured-cluster/start-secured-cluster.sh
Enables sensor-related settings, creates the stackrox namespace and image pull secrets, and configures collector fact environment variables.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive No description was provided, so there is nothing meaningful to assess against the changeset. Add a brief description of the workflow and script updates, especially the new Berserker config URL inputs.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: Berserker config is now sourced via configurable URLs.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jv-set-berserker-config-via-url

Comment @coderabbitai help to get the list of available commands.

Comment on lines +504 to +506
BERSERKER_CONFIGMAP_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-configs.yml"
BERSERKER_DAEMONSET_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-loads.yml"
BERSERKER_SERVICE_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/service.yml"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this work? Does Berserker pull this data automatically during start up?

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 483-489: Add persist-credentials: false to the with block of the
actions/checkout@v4 step checking out the berserker config repository, ensuring
the checkout does not persist GITHUB_TOKEN credentials for downstream steps.
- Around line 34-41: Update the default values for berserker-config-repo and
berserker-config-ref in the workflow inputs so they reference a stable
organization-controlled repository and immutable or stable ref, not a personal
fork or branch; preserve caller overrides and ensure both checkout and
raw-template retrieval use the corrected defaults.

In `@release/start-secured-cluster/start-secured-cluster.sh`:
- Around line 22-39: Replace the three `kubectl create secret docker-registry`
commands in `start-secured-cluster.sh` with an idempotent create-or-update
approach, such as generating the secret manifest with `--dry-run=client -o yaml`
and piping it to `kubectl apply -f -`; remove the unconditional `|| true` so
genuine failures remain visible while repeated runs update rotated credentials.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ea0905f2-8590-4a98-bd48-019bd748fb2c

📥 Commits

Reviewing files that changed from the base of the PR and between 53ea97b and 52e0e0f.

📒 Files selected for processing (5)
  • .github/workflows/create-demo-clusters.yml
  • release/start-kube-burner/kube-burner.yaml
  • release/start-kube-burner/start-kube-burner.sh
  • release/start-secured-cluster/action.yml
  • release/start-secured-cluster/start-secured-cluster.sh

Comment on lines +34 to +41
berserker-config-repo:
description: The repository where the berserker kube-burner config files can be found
type: string
default: JoukoVirtanen/kube-burner-ocp
berserker-config-ref:
description: Ref of where the berserker kube-burner config files can be found
type: string
default: jv-add-berserker-workload-2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file and nearby usage of the inputs
git ls-files .github/workflows/create-demo-clusters.yml
echo '---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '1,220p'
echo '--- SEARCH ---'
rg -n "berserker-config-(repo|ref)|kube-burner-ocp|JoukoVirtanen|stackrox/kube-burner-ocp|jv-add-berserker-workload-2" .github/workflows . -g '!**/node_modules/**'

Repository: stackrox/actions

Length of output: 11515


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the Berserker-related job and any callers of this workflow
echo '--- BERSERKER SECTION ---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '450,540p'

echo '--- WORKFLOW CALLERS / REFERENCES ---'
rg -n "create-demo-clusters\.yml|berserker-config-repo|berserker-config-ref|workflow_call" .github/workflows . -g '!**/node_modules/**'

echo '--- REPOSITORY FILES THAT MAY DOCUMENT THIS WORKFLOW ---'
git ls-files | rg '(^|/)(README\.md|docs/|\.github/workflows/.*\.yml)$'

Repository: stackrox/actions

Length of output: 6866


Default Berserker inputs should not point to a personal fork/branch. This reusable workflow checks out inputs.berserker-config-repo and pulls raw templates from inputs.berserker-config-ref, so any caller that omits overrides will use JoukoVirtanen/kube-burner-ocp / jv-add-berserker-workload-2. That makes the shared path depend on a mutable user-owned branch; switch these defaults to a stable org-controlled source or an immutable pin.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 34 - 41, Update the
default values for berserker-config-repo and berserker-config-ref in the
workflow inputs so they reference a stable organization-controlled repository
and immutable or stable ref, not a personal fork or branch; preserve caller
overrides and ensure both checkout and raw-template retrieval use the corrected
defaults.

Comment on lines +483 to 489
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Checkout missing persist-credentials: false.

Static analysis (zizmor) flags this checkout for credential persistence via GITHUB_TOKEN on disk (artipacked). Since artifacts/workspace can be exposed downstream, consider disabling credential persistence unless it's needed by a later step.

Suggested fix
       - name: Check out berserker config repository code
         uses: actions/checkout@v4
         with:
           repository: ${{ inputs.berserker-config-repo }}
           path: .berserker-config
           ref: ${{ inputs.berserker-config-ref }}
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
persist-credentials: false
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 483-489: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 483 - 489, Add
persist-credentials: false to the with block of the actions/checkout@v4 step
checking out the berserker config repository, ensuring the checkout does not
persist GITHUB_TOKEN credentials for downstream steps.

Source: Linters/SAST tools

Comment on lines +22 to +39
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox || true

kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

create ... || true doesn't update existing secrets — stale credentials risk.

kubectl create secret docker-registry ... || true only ignores the "already exists" error; it does not update the secret if it already exists (e.g. on repeated runs against a reused namespace/cluster, or if REGISTRY_USERNAME/REGISTRY_PASSWORD rotate). This means image pull secrets can silently go stale and pods will start failing to pull images with no clear signal — the || true swallows the real error too. Use a create-or-update (apply) pattern instead.

Suggested fix
-kubectl create namespace stackrox || true
+kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -

-kubectl -n stackrox create secret docker-registry stackrox \
-  --docker-server=quay.io \
-  --docker-username="${REGISTRY_USERNAME}" \
-  --docker-password="${REGISTRY_PASSWORD}" || true
+kubectl -n stackrox create secret docker-registry stackrox \
+  --docker-server=quay.io \
+  --docker-username="${REGISTRY_USERNAME}" \
+  --docker-password="${REGISTRY_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply -f -

(repeat for the other two secrets)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox || true
kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/start-secured-cluster/start-secured-cluster.sh` around lines 22 - 39,
Replace the three `kubectl create secret docker-registry` commands in
`start-secured-cluster.sh` with an idempotent create-or-update approach, such as
generating the secret manifest with `--dry-run=client -o yaml` and piping it to
`kubectl apply -f -`; remove the unconditional `|| true` so genuine failures
remain visible while repeated runs update rotated credentials.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants