refactor(ci): workflows nested cluster #2414
universal-itengineer wants to merge 24 commits into
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Move large nightly E2E shell blocks into reusable scripts so the workflow stays focused on orchestration and the scripts can be shellchecked directly. Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Migrate the release pipeline Generate values.yaml step onto the shared
render-dvp-static-values.sh and unify nightly/release into a single
values.yaml.tmpl. The only previous difference (enabledModules: [console])
is now driven by the ENABLED_MODULES env var rendered as
"enabledModules: [${ENABLED_MODULES}]" (empty for nightly, which the
cluster-config chart treats as no enabled modules via default (list)).
Secrets and BOOTSTRAP_DEV_PROXY now flow through step env instead of
inline shell, two duplicate checkout steps are removed, and the worker
additionalDisks size becomes a workflow_call input
(cluster_config_additional_disk_size) flowing through ADDITIONAL_DISK_SIZE
(50Gi nightly, 250Gi release).
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Derive the envsubst whitelist from the template so it can no longer drift from the placeholders actually used, decode the dev registry docker config once and select the first auth entry explicitly, and write both discovered registry values in a single yq invocation. Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
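The whitelist-from-template idea in the commit above, as an added example that is not the project's render-dvp-static-values.sh: the placeholder list is read out of the template itself, so it cannot drift from what the template uses, and every name it yields must be set (empty allowed) before rendering. Substitution is done with a bash loop rather than envsubst so the script runs without gettext; the template text, variable names and values below are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not the project's render-dvp-static-values.sh: substitute
# only the placeholders a template declares, and refuse to render if any of
# them is unset in the environment.
set -euo pipefail

# List the distinct ${NAME} placeholders used in TEMPLATE, one name per line.
# Because the list is derived from the template, it cannot drift from what the
# template actually uses.
template_placeholders() {
  grep -o '\${[A-Za-z_][A-Za-z0-9_]*}' "$1" | sort -u | tr -d '${}'
}

# Render TEMPLATE to stdout. Every placeholder must be set (empty is allowed:
# ENABLED_MODULES="" renders "enabledModules: []"). Bare $VAR text in the
# template and unrelated variables in the runner environment are left alone,
# unlike an unrestricted envsubst call.
render_template() {
  local template="$1" name value pat out names
  names="$(template_placeholders "$template" || true)"
  out="$(cat "$template")"
  for name in $names; do
    if [ -z "${!name+x}" ]; then
      echo "render_template: \${$name} used in $template but not set" >&2
      return 1
    fi
    value="${!name}"
    pat='${'"$name"'}'
    out="${out//"$pat"/"$value"}"
  done
  printf '%s\n' "$out"
}

# Constructed template for the demo; the project's values.yaml.tmpl is not
# reproduced here.
DEMO_TMPL="$(mktemp)"
cat >"$DEMO_TMPL" <<'EOF'
enabledModules: [${ENABLED_MODULES}]
additionalDisks:
  - size: ${ADDITIONAL_DISK_SIZE}
registry: ${DEV_REGISTRY}
runnerHome: $HOME   # bare $VAR is not a placeholder and is left as is
EOF

ENABLED_MODULES=""             # nightly: no enabled modules
ADDITIONAL_DISK_SIZE=50Gi
DEV_REGISTRY=registry.example.test
render_template "$DEMO_TMPL"
```

With a plain envsubst invocation, every `$VAR` or `${VAR}` in the template is replaced from whatever the runner environment holds, and an unset placeholder silently becomes an empty string; deriving the list from the template and checking each name before rendering closes both gaps.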
nevermarine requested changes on Jun 4, 2026
Comment on lines +24 to +26:

```bash
echo "::add-mask::$USERNAME"
echo "::add-mask::$PASSWORD"
echo "$PASSWORD" | docker login "$REGISTRY" --username "$USERNAME" --password-stdin
```
Author:
The masking + login is correct by GitHub's docs:
- The decoded username/password are freshly derived strings, so they aren't auto-masked — the explicit ::add-mask:: (lines 24-25) is required and is placed before the only command that uses them (docker login).
- --password-stdin keeps the password out of the process args.
- Steps run as bash --noprofile --norc -eo pipefail, so a broken base64 / missing auth will fail the step.
Masking with ::add-mask:: (manually masking values derived at runtime, like the decoded username/password):
- https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#masking-a-value-in-a-log
Note that auto-masking applies only to registered secrets: https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#about-secrets
Default bash shell flags -eo pipefail (and --noprofile --norc):
- https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#jobsjob_idstepsshell (see the "bash" row in the default-shell table / exit-code handling)
Remove the unused task_run_ci.sh entrypoint together with its run:ci task, and rename the actual GitHub Actions e2e task from e2e:ci to run:ci so it groups with run/runp and avoids the e2e:e2e: stutter when invoked from the repo root. Update the workflow invocation accordingly. Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Drop duplicated require_env calls, scope phase-specific env validation to each case branch, and replace the set +e/-e block around ginkgo with a single exit-code capture. Add comments explaining the indirect env read helper and the cd into the test/e2e Go module. Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Description
Refactors the nested-cluster E2E CI workflows and supporting automation.

This PR replaces large inline workflow shell blocks with versioned scripts under `.github/scripts/bash/e2e`, adds reusable composite actions for common setup, registry login, kubeconfig, run ID, and encrypted artifact handling, and splits the previous monolithic E2E workflows into dedicated nightly and release-oriented reusable pipelines.

It also adds lint gates for GitHub Actions and shell scripts, moves repeated E2E CI logic into task/script entrypoints, and unifies static cluster values rendering through a shared `test/dvp-static-cluster/values.yaml.tmpl` plus `.github/scripts/bash/e2e/render-dvp-static-values.sh`. Nightly and release flows now pass runtime differences through environment/input values such as `ENABLED_MODULES` and `cluster_config_additional_disk_size`.

Why do we need it, and what problem does it solve?
The old nested-cluster E2E workflows mixed orchestration with long inline shell logic. That made changes difficult to review, duplicated release and nightly behavior, and left important CI code paths without direct lint coverage.
Moving operational logic into tracked scripts and composite actions makes the pipelines easier to maintain and reuse. The shared values template also removes drift between nightly and release cluster configuration while keeping release-specific settings explicit through workflow inputs.
What is the expected result?
Nested-cluster nightly and release E2E jobs continue to provision prerequisites, render static cluster values, configure storage and virtualization, run tests, collect encrypted artifacts, and clean up resources through the refactored workflows.
Validation for these changes is available with:
- `task lint:shellcheck`
- `task lint:actionlint`
- `task e2e:e2e:ci` from the repository root
- `task e2e:ci` inside `test/e2e`

Checklist
Changelog entries