Set berserker config via url#95
Conversation
…ad-in-long-running-clusters
|
Note Reviews pausedIt looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the Use the following commands to manage reviews:
Use the checkboxes below for quick actions:
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Central YAML (base), Organization UI (inherited) Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughSummary by CodeRabbit
WalkthroughThe changes add configurable Berserker repository inputs, update kube-burner initialization and indexing, shorten the long-running cluster lifespan, and provision secured-cluster namespaces, image pull secrets, sensor settings, and collector environment variables. ChangesBerserker and secured cluster runtime
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Workflow as create-demo-clusters.yml
participant Berserker as Berserker config repository
participant KubeBurner as kube-burner
participant Elasticsearch
Workflow->>Berserker: checkout configured repository and ref
Workflow->>KubeBurner: provide config directory and template URLs
KubeBurner->>KubeBurner: initialize workloads with generated vars
KubeBurner->>Elasticsearch: index metrics with ES settings
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
| BERSERKER_CONFIGMAP_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-configs.yml" | ||
| BERSERKER_DAEMONSET_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-loads.yml" | ||
| BERSERKER_SERVICE_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/service.yml" |
There was a problem hiding this comment.
How does this work? Does Berserker pull this data automatically during start up?
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 483-489: Add persist-credentials: false to the with block of the
actions/checkout@v4 step checking out the berserker config repository, ensuring
the checkout does not persist GITHUB_TOKEN credentials for downstream steps.
- Around line 34-41: Update the default values for berserker-config-repo and
berserker-config-ref in the workflow inputs so they reference a stable
organization-controlled repository and immutable or stable ref, not a personal
fork or branch; preserve caller overrides and ensure both checkout and
raw-template retrieval use the corrected defaults.
In `@release/start-secured-cluster/start-secured-cluster.sh`:
- Around line 22-39: Replace the three `kubectl create secret docker-registry`
commands in `start-secured-cluster.sh` with an idempotent create-or-update
approach, such as generating the secret manifest with `--dry-run=client -o yaml`
and piping it to `kubectl apply -f -`; remove the unconditional `|| true` so
genuine failures remain visible while repeated runs update rotated credentials.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: ea0905f2-8590-4a98-bd48-019bd748fb2c
📒 Files selected for processing (5)
.github/workflows/create-demo-clusters.ymlrelease/start-kube-burner/kube-burner.yamlrelease/start-kube-burner/start-kube-burner.shrelease/start-secured-cluster/action.ymlrelease/start-secured-cluster/start-secured-cluster.sh
| berserker-config-repo: | ||
| description: The repository where the berserker kube-burner config files can be found | ||
| type: string | ||
| default: JoukoVirtanen/kube-burner-ocp | ||
| berserker-config-ref: | ||
| description: Ref of where the berserker kube-burner config files can be found | ||
| type: string | ||
| default: jv-add-berserker-workload-2 |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the workflow file and nearby usage of the inputs
git ls-files .github/workflows/create-demo-clusters.yml
echo '---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '1,220p'
echo '--- SEARCH ---'
rg -n "berserker-config-(repo|ref)|kube-burner-ocp|JoukoVirtanen|stackrox/kube-burner-ocp|jv-add-berserker-workload-2" .github/workflows . -g '!**/node_modules/**'Repository: stackrox/actions
Length of output: 11515
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the Berserker-related job and any callers of this workflow
echo '--- BERSERKER SECTION ---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '450,540p'
echo '--- WORKFLOW CALLERS / REFERENCES ---'
rg -n "create-demo-clusters\.yml|berserker-config-repo|berserker-config-ref|workflow_call" .github/workflows . -g '!**/node_modules/**'
echo '--- REPOSITORY FILES THAT MAY DOCUMENT THIS WORKFLOW ---'
git ls-files | rg '(^|/)(README\.md|docs/|\.github/workflows/.*\.yml)$'Repository: stackrox/actions
Length of output: 6866
Default Berserker inputs should not point to a personal fork/branch. This reusable workflow checks out inputs.berserker-config-repo and pulls raw templates from inputs.berserker-config-ref, so any caller that omits overrides will use JoukoVirtanen/kube-burner-ocp / jv-add-berserker-workload-2. That makes the shared path depend on a mutable user-owned branch; switch these defaults to a stable org-controlled source or an immutable pin.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/create-demo-clusters.yml around lines 34 - 41, Update the
default values for berserker-config-repo and berserker-config-ref in the
workflow inputs so they reference a stable organization-controlled repository
and immutable or stable ref, not a personal fork or branch; preserve caller
overrides and ensure both checkout and raw-template retrieval use the corrected
defaults.
| - name: Check out berserker config repository code | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| repository: ${{ inputs.berserker-config-repo }} | ||
| path: .berserker-config | ||
| ref: ${{ inputs.berserker-config-ref }} | ||
| # TODO(ROX-29223): Remove once old versions don't use the benchmark-operator |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
Checkout missing persist-credentials: false.
Static analysis (zizmor) flags this checkout for credential persistence via GITHUB_TOKEN on disk (artipacked). Since artifacts/workspace can be exposed downstream, consider disabling credential persistence unless it's needed by a later step.
Suggested fix
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
+ persist-credentials: false📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| - name: Check out berserker config repository code | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ inputs.berserker-config-repo }} | |
| path: .berserker-config | |
| ref: ${{ inputs.berserker-config-ref }} | |
| # TODO(ROX-29223): Remove once old versions don't use the benchmark-operator | |
| - name: Check out berserker config repository code | |
| uses: actions/checkout@v4 | |
| with: | |
| repository: ${{ inputs.berserker-config-repo }} | |
| path: .berserker-config | |
| ref: ${{ inputs.berserker-config-ref }} | |
| persist-credentials: false | |
| # TODO(ROX-29223): Remove once old versions don't use the benchmark-operator |
🧰 Tools
🪛 zizmor (1.26.1)
[warning] 483-489: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/create-demo-clusters.yml around lines 483 - 489, Add
persist-credentials: false to the with block of the actions/checkout@v4 step
checking out the berserker config repository, ensuring the checkout does not
persist GITHUB_TOKEN credentials for downstream steps.
Source: Linters/SAST tools
| # Create namespace and image pull secrets BEFORE running sensor.sh | ||
| kubectl create namespace stackrox || true | ||
|
|
||
| kubectl -n stackrox create secret docker-registry stackrox \ | ||
| --docker-server=quay.io \ | ||
| --docker-username="${REGISTRY_USERNAME}" \ | ||
| --docker-password="${REGISTRY_PASSWORD}" || true | ||
|
|
||
| kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ | ||
| --docker-server=quay.io \ | ||
| --docker-username="${REGISTRY_USERNAME}" \ | ||
| --docker-password="${REGISTRY_PASSWORD}" || true | ||
|
|
||
| kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ | ||
| --docker-server=quay.io \ | ||
| --docker-username="${REGISTRY_USERNAME}" \ | ||
| --docker-password="${REGISTRY_PASSWORD}" || true | ||
|
|
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
create ... || true doesn't update existing secrets — stale credentials risk.
kubectl create secret docker-registry ... || true only ignores the "already exists" error; it does not update the secret if it already exists (e.g. on repeated runs against a reused namespace/cluster, or if REGISTRY_USERNAME/REGISTRY_PASSWORD rotate). This means image pull secrets can silently go stale and pods will start failing to pull images with no clear signal — the || true swallows the real error too. Use a create-or-update (apply) pattern instead.
Suggested fix
-kubectl create namespace stackrox || true
+kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -
-kubectl -n stackrox create secret docker-registry stackrox \
- --docker-server=quay.io \
- --docker-username="${REGISTRY_USERNAME}" \
- --docker-password="${REGISTRY_PASSWORD}" || true
+kubectl -n stackrox create secret docker-registry stackrox \
+ --docker-server=quay.io \
+ --docker-username="${REGISTRY_USERNAME}" \
+ --docker-password="${REGISTRY_PASSWORD}" \
+ --dry-run=client -o yaml | kubectl apply -f -(repeat for the other two secrets)
📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| # Create namespace and image pull secrets BEFORE running sensor.sh | |
| kubectl create namespace stackrox || true | |
| kubectl -n stackrox create secret docker-registry stackrox \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" || true | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" || true | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" || true | |
| # Create namespace and image pull secrets BEFORE running sensor.sh | |
| kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl -n stackrox create secret docker-registry stackrox \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" \ | |
| --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" \ | |
| --dry-run=client -o yaml | kubectl apply -f - | |
| kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ | |
| --docker-server=quay.io \ | |
| --docker-username="${REGISTRY_USERNAME}" \ | |
| --docker-password="${REGISTRY_PASSWORD}" \ | |
| --dry-run=client -o yaml | kubectl apply -f - |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@release/start-secured-cluster/start-secured-cluster.sh` around lines 22 - 39,
Replace the three `kubectl create secret docker-registry` commands in
`start-secured-cluster.sh` with an idempotent create-or-update approach, such as
generating the secret manifest with `--dry-run=client -o yaml` and piping it to
`kubectl apply -f -`; remove the unconditional `|| true` so genuine failures
remain visible while repeated runs update rotated credentials.
There was a problem hiding this comment.
🧹 Nitpick comments (1)
release/start-kube-burner/kube-burner.yaml (1)
86-127: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueLarge block of hardcoded config defaults inline in the manifest.
Twenty-plus static
value:env entries bake operational knobs (churn, QPS/burst, replicas, timeouts) directly into the Deployment. Consider moving these into a ConfigMap or values file so they can be tuned/overridden without editing the manifest, consistent with how the Berserker template values are already externalized via secrets.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@release/start-kube-burner/kube-burner.yaml` around lines 86 - 127, The kube-burner manifest hardcodes numerous operational environment defaults inline. Move the static values in the Deployment’s environment block—especially churn, QPS/BURST, timeouts, and replica settings—into an external ConfigMap or values configuration, then reference that source from the manifest so operators can override them without editing kube-burner.yaml, following the existing Berserker template externalization pattern.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@release/start-kube-burner/kube-burner.yaml`:
- Around line 86-127: The kube-burner manifest hardcodes numerous operational
environment defaults inline. Move the static values in the Deployment’s
environment block—especially churn, QPS/BURST, timeouts, and replica
settings—into an external ConfigMap or values configuration, then reference that
source from the manifest so operators can override them without editing
kube-burner.yaml, following the existing Berserker template externalization
pattern.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Central YAML (base), Organization UI (inherited)
Review profile: CHILL
Plan: Enterprise
Run ID: 760ffa4f-b402-440c-93a3-1eeb08b3dec3
📒 Files selected for processing (1)
release/start-kube-burner/kube-burner.yaml
No description provided.