Skip to content

Set berserker config via url#95

Open
JoukoVirtanen wants to merge 31 commits into
mainfrom
jv-set-berserker-config-via-url
Open

Set berserker config via url#95
JoukoVirtanen wants to merge 31 commits into
mainfrom
jv-set-berserker-config-via-url

Conversation

@JoukoVirtanen

Copy link
Copy Markdown
Contributor

No description provided.

@JoukoVirtanen JoukoVirtanen requested a review from a team as a code owner June 5, 2026 00:17
@coderabbitai

coderabbitai Bot commented Jun 5, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: bf009b93-831c-4022-a475-2761a3124c2b

📥 Commits

Reviewing files that changed from the base of the PR and between 9c83977 and 6be36f9.

📒 Files selected for processing (1)
  • release/start-kube-burner/kube-burner.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • release/start-kube-burner/kube-burner.yaml

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Added configurable Berserker workload templates for demo cluster creation.
    • Enhanced secured-cluster startup with additional agent/sensor deployment settings and collector configuration.
    • Improved kube-burner load generation by using template-driven Berserker parameters and injecting related tuning settings.
  • Bug Fixes
    • Improved startup reliability by only applying Docker config secret patching when the expected template exists.
  • Changes
    • Reduced long-running demo cluster default lifespan to 6 hours.
    • Updated kube-burner image and adjusted load-generation behavior, including Elasticsearch and indexing/metrics handling.
    • Secured-cluster now ensures required namespace and image pull secrets exist (idempotent) before starting.

Walkthrough

The changes add configurable Berserker repository inputs, update kube-burner initialization and indexing, shorten the long-running cluster lifespan, and provision secured-cluster namespaces, image pull secrets, sensor settings, and collector environment variables.

Changes

Berserker and secured cluster runtime

Layer / File(s) Summary
Berserker workflow wiring
.github/workflows/create-demo-clusters.yml
Adds Berserker repository inputs, checks out the selected configuration, changes the cluster lifespan to 6h, and passes updated configuration paths and template URLs to kube-burner.
kube-burner runtime and secret configuration
release/start-kube-burner/...
Updates the kube-burner image and initialization/indexing arguments, adds runtime tuning and Elasticsearch settings, conditionally generates the Docker secret, and adds Berserker template values to kube-burner-secret.
Secured-cluster provisioning
release/start-secured-cluster/...
Enables sensor-related settings, creates the stackrox namespace and image pull secrets, and configures collector fact environment variables.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Workflow as create-demo-clusters.yml
  participant Berserker as Berserker config repository
  participant KubeBurner as kube-burner
  participant Elasticsearch
  Workflow->>Berserker: checkout configured repository and ref
  Workflow->>KubeBurner: provide config directory and template URLs
  KubeBurner->>KubeBurner: initialize workloads with generated vars
  KubeBurner->>Elasticsearch: index metrics with ES settings
Loading
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Description check ❓ Inconclusive No author description was provided, so relevance cannot be assessed from description text. Add a brief pull request description describing the intended change and affected workflows.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title matches the main change: sourcing Berserker config via URL.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch jv-set-berserker-config-via-url

Comment @coderabbitai help to get the list of available commands.

Comment on lines +504 to +506
BERSERKER_CONFIGMAP_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-configs.yml"
BERSERKER_DAEMONSET_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/berserker-all-loads.yml"
BERSERKER_SERVICE_TEMPLATE: "https://raw.githubusercontent.com/stackrox/${{ inputs.kube-burner-config-repo }}/${{ needs.parse-refs.outputs.burner-ref }}/scripts/release-tools/kube-burner-configs/berserker-load/service.yml"

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How does this work? Does Berserker pull this data automatically during start up?

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 483-489: Add persist-credentials: false to the with block of the
actions/checkout@v4 step checking out the berserker config repository, ensuring
the checkout does not persist GITHUB_TOKEN credentials for downstream steps.
- Around line 34-41: Update the default values for berserker-config-repo and
berserker-config-ref in the workflow inputs so they reference a stable
organization-controlled repository and immutable or stable ref, not a personal
fork or branch; preserve caller overrides and ensure both checkout and
raw-template retrieval use the corrected defaults.

In `@release/start-secured-cluster/start-secured-cluster.sh`:
- Around line 22-39: Replace the three `kubectl create secret docker-registry`
commands in `start-secured-cluster.sh` with an idempotent create-or-update
approach, such as generating the secret manifest with `--dry-run=client -o yaml`
and piping it to `kubectl apply -f -`; remove the unconditional `|| true` so
genuine failures remain visible while repeated runs update rotated credentials.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ea0905f2-8590-4a98-bd48-019bd748fb2c

📥 Commits

Reviewing files that changed from the base of the PR and between 53ea97b and 52e0e0f.

📒 Files selected for processing (5)
  • .github/workflows/create-demo-clusters.yml
  • release/start-kube-burner/kube-burner.yaml
  • release/start-kube-burner/start-kube-burner.sh
  • release/start-secured-cluster/action.yml
  • release/start-secured-cluster/start-secured-cluster.sh

Comment on lines +34 to +41
berserker-config-repo:
description: The repository where the berserker kube-burner config files can be found
type: string
default: JoukoVirtanen/kube-burner-ocp
berserker-config-ref:
description: Ref of where the berserker kube-burner config files can be found
type: string
default: jv-add-berserker-workload-2

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file and nearby usage of the inputs
git ls-files .github/workflows/create-demo-clusters.yml
echo '---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '1,220p'
echo '--- SEARCH ---'
rg -n "berserker-config-(repo|ref)|kube-burner-ocp|JoukoVirtanen|stackrox/kube-burner-ocp|jv-add-berserker-workload-2" .github/workflows . -g '!**/node_modules/**'

Repository: stackrox/actions

Length of output: 11515


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the Berserker-related job and any callers of this workflow
echo '--- BERSERKER SECTION ---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '450,540p'

echo '--- WORKFLOW CALLERS / REFERENCES ---'
rg -n "create-demo-clusters\.yml|berserker-config-repo|berserker-config-ref|workflow_call" .github/workflows . -g '!**/node_modules/**'

echo '--- REPOSITORY FILES THAT MAY DOCUMENT THIS WORKFLOW ---'
git ls-files | rg '(^|/)(README\.md|docs/|\.github/workflows/.*\.yml)$'

Repository: stackrox/actions

Length of output: 6866


Default Berserker inputs should not point to a personal fork/branch. This reusable workflow checks out inputs.berserker-config-repo and pulls raw templates from inputs.berserker-config-ref, so any caller that omits overrides will use JoukoVirtanen/kube-burner-ocp / jv-add-berserker-workload-2. That makes the shared path depend on a mutable user-owned branch; switch these defaults to a stable org-controlled source or an immutable pin.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 34 - 41, Update the
default values for berserker-config-repo and berserker-config-ref in the
workflow inputs so they reference a stable organization-controlled repository
and immutable or stable ref, not a personal fork or branch; preserve caller
overrides and ensure both checkout and raw-template retrieval use the corrected
defaults.

Comment on lines +483 to 489
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Checkout missing persist-credentials: false.

Static analysis (zizmor) flags this checkout for credential persistence via GITHUB_TOKEN on disk (artipacked). Since artifacts/workspace can be exposed downstream, consider disabling credential persistence unless it's needed by a later step.

Suggested fix
       - name: Check out berserker config repository code
         uses: actions/checkout@v4
         with:
           repository: ${{ inputs.berserker-config-repo }}
           path: .berserker-config
           ref: ${{ inputs.berserker-config-ref }}
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
persist-credentials: false
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 483-489: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 483 - 489, Add
persist-credentials: false to the with block of the actions/checkout@v4 step
checking out the berserker config repository, ensuring the checkout does not
persist GITHUB_TOKEN credentials for downstream steps.

Source: Linters/SAST tools

Comment on lines +22 to +39
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox || true

kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

create ... || true doesn't update existing secrets — stale credentials risk.

kubectl create secret docker-registry ... || true only ignores the "already exists" error; it does not update the secret if it already exists (e.g. on repeated runs against a reused namespace/cluster, or if REGISTRY_USERNAME/REGISTRY_PASSWORD rotate). This means image pull secrets can silently go stale and pods will start failing to pull images with no clear signal — the || true swallows the real error too. Use a create-or-update (apply) pattern instead.

Suggested fix
-kubectl create namespace stackrox || true
+kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -

-kubectl -n stackrox create secret docker-registry stackrox \
-  --docker-server=quay.io \
-  --docker-username="${REGISTRY_USERNAME}" \
-  --docker-password="${REGISTRY_PASSWORD}" || true
+kubectl -n stackrox create secret docker-registry stackrox \
+  --docker-server=quay.io \
+  --docker-username="${REGISTRY_USERNAME}" \
+  --docker-password="${REGISTRY_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply -f -

(repeat for the other two secrets)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox || true
kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/start-secured-cluster/start-secured-cluster.sh` around lines 22 - 39,
Replace the three `kubectl create secret docker-registry` commands in
`start-secured-cluster.sh` with an idempotent create-or-update approach, such as
generating the secret manifest with `--dry-run=client -o yaml` and piping it to
`kubectl apply -f -`; remove the unconditional `|| true` so genuine failures
remain visible while repeated runs update rotated credentials.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
release/start-kube-burner/kube-burner.yaml (1)

86-127: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Large block of hardcoded config defaults inline in the manifest.

Twenty-plus static value: env entries bake operational knobs (churn, QPS/burst, replicas, timeouts) directly into the Deployment. Consider moving these into a ConfigMap or values file so they can be tuned/overridden without editing the manifest, consistent with how the Berserker template values are already externalized via secrets.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/start-kube-burner/kube-burner.yaml` around lines 86 - 127, The
kube-burner manifest hardcodes numerous operational environment defaults inline.
Move the static values in the Deployment’s environment block—especially churn,
QPS/BURST, timeouts, and replica settings—into an external ConfigMap or values
configuration, then reference that source from the manifest so operators can
override them without editing kube-burner.yaml, following the existing Berserker
template externalization pattern.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@release/start-kube-burner/kube-burner.yaml`:
- Around line 86-127: The kube-burner manifest hardcodes numerous operational
environment defaults inline. Move the static values in the Deployment’s
environment block—especially churn, QPS/BURST, timeouts, and replica
settings—into an external ConfigMap or values configuration, then reference that
source from the manifest so operators can override them without editing
kube-burner.yaml, following the existing Berserker template externalization
pattern.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 760ffa4f-b402-440c-93a3-1eeb08b3dec3

📥 Commits

Reviewing files that changed from the base of the PR and between 52e0e0f and 7cea873.

📒 Files selected for processing (1)
  • release/start-kube-burner/kube-burner.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants