Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
b1811f8
X-Smart-Branch-Parent: main
JoukoVirtanen Apr 22, 2026
7ea0587
Fact should be deployed
JoukoVirtanen Apr 22, 2026
db0dcc8
Patching fact to monitor /tmp/data
JoukoVirtanen Apr 22, 2026
1ad4bea
Set run length to 5h temporarily
JoukoVirtanen Apr 22, 2026
dffc558
Using set env instead of patch
JoukoVirtanen Apr 23, 2026
20e0b8c
Using SENSOR_HELM_DEPLOY
JoukoVirtanen Apr 23, 2026
bd96551
Set SENSOR_HELM_MANAGED to false
JoukoVirtanen Apr 23, 2026
3398aa7
Not setting SENSOR_HELM_MANAGED to false. Setting ROX_DEPLOY_SENSOR_W…
JoukoVirtanen Apr 23, 2026
b441426
Trying to create image pull secret
JoukoVirtanen Apr 24, 2026
539b3d1
Reduced long running cluster time to 3h
JoukoVirtanen Apr 24, 2026
3037952
FACT_LOGLEVEL set to info
JoukoVirtanen Apr 26, 2026
8beb1e8
Set lifespan back to 168h
JoukoVirtanen Apr 28, 2026
b807df8
X-Smart-Branch-Parent: jv-ROX-34390-add-file-activity-to-berserker-lo…
JoukoVirtanen May 21, 2026
bdf8975
Temporary set cluster lifetime to 5h
JoukoVirtanen May 21, 2026
ccef454
Setting BERSERKER_OBJECTS to blank so default is used
JoukoVirtanen May 26, 2026
ef1ef36
X-Smart-Branch-Parent: jv-templatize-berserker-load
JoukoVirtanen May 29, 2026
b45d630
Setting berserker config paths
JoukoVirtanen May 29, 2026
57d6d2b
Setting berserker url
JoukoVirtanen Jun 3, 2026
39c0d04
Set lifespan to 168h
JoukoVirtanen Jun 5, 2026
708f4b9
Should used kube-burner config in kube-burner-ocp
JoukoVirtanen Jun 11, 2026
52bbe98
Switched from BERSERKER_DAEMONSET_TEMPLATE to BERSERKER_CONTAINERS_FILE
JoukoVirtanen Jun 12, 2026
a5a9456
Set lifespan to 6h
JoukoVirtanen Jun 14, 2026
e338d6b
Updated kube-burner version to 2.6.2
JoukoVirtanen Jun 14, 2026
b7b0526
Updated init command for new kube-burner version
JoukoVirtanen Jun 15, 2026
12ea674
Updated index command
JoukoVirtanen Jun 17, 2026
52e0e0f
Updated BERSERKER_CONFIGMAP_TEMPLATE
JoukoVirtanen Jul 10, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions .github/workflows/create-demo-clusters.yml
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,14 @@ on:
kube-burner-config-repo:
description: The repository where the kube-burner config files can be found
type: string
berserker-config-repo:
description: The repository where the berserker kube-burner config files can be found
type: string
default: JoukoVirtanen/kube-burner-ocp
berserker-config-ref:
description: Ref of where the berserker kube-burner config files can be found
type: string
default: jv-add-berserker-workload-2
Comment on lines +34 to +41

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the workflow file and nearby usage of the inputs
git ls-files .github/workflows/create-demo-clusters.yml
echo '---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '1,220p'
echo '--- SEARCH ---'
rg -n "berserker-config-(repo|ref)|kube-burner-ocp|JoukoVirtanen|stackrox/kube-burner-ocp|jv-add-berserker-workload-2" .github/workflows . -g '!**/node_modules/**'

Repository: stackrox/actions

Length of output: 11515


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the Berserker-related job and any callers of this workflow
echo '--- BERSERKER SECTION ---'
cat -n .github/workflows/create-demo-clusters.yml | sed -n '450,540p'

echo '--- WORKFLOW CALLERS / REFERENCES ---'
rg -n "create-demo-clusters\.yml|berserker-config-repo|berserker-config-ref|workflow_call" .github/workflows . -g '!**/node_modules/**'

echo '--- REPOSITORY FILES THAT MAY DOCUMENT THIS WORKFLOW ---'
git ls-files | rg '(^|/)(README\.md|docs/|\.github/workflows/.*\.yml)$'

Repository: stackrox/actions

Length of output: 6866


Default Berserker inputs should not point to a personal fork/branch. This reusable workflow checks out inputs.berserker-config-repo and pulls raw templates from inputs.berserker-config-ref, so any caller that omits overrides will use JoukoVirtanen/kube-burner-ocp / jv-add-berserker-workload-2. That makes the shared path depend on a mutable user-owned branch; switch these defaults to a stable org-controlled source or an immutable pin.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 34 - 41, Update the
default values for berserker-config-repo and berserker-config-ref in the
workflow inputs so they reference a stable organization-controlled repository
and immutable or stable ref, not a personal fork or branch; preserve caller
overrides and ensure both checkout and raw-template retrieval use the corrected
defaults.

cluster-with-fake-load-name:
description: "The name of the long running cluster where the central deployment is run with a sensor that creates its own fake workload. Must comply to the regex: [a-z][a-z0-9-]{1,26}[a-z0-9]"
type: string
Expand All @@ -46,7 +54,7 @@ env:
GH_TOKEN: ${{ github.token }}
GH_NO_UPDATE_NOTIFIER: 1
TIMEOUT_WAIT_FOR_IMAGES_SECONDS: 3600
LONG_RUNNING_CLUSTER_LIFESPAN: "168h"
LONG_RUNNING_CLUSTER_LIFESPAN: "6h"
METRICS_COLLECTION_TIME: "30m"

jobs:
Expand Down Expand Up @@ -472,6 +480,12 @@ jobs:
repository: stackrox/${{ inputs.kube-burner-config-repo }}
path: .kube-burner-config
ref: ${{ needs.parse-refs.outputs.burner-ref }}
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
Comment on lines +483 to 489

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Checkout missing persist-credentials: false.

Static analysis (zizmor) flags this checkout for credential persistence via GITHUB_TOKEN on disk (artipacked). Since artifacts/workspace can be exposed downstream, consider disabling credential persistence unless it's needed by a later step.

Suggested fix
       - name: Check out berserker config repository code
         uses: actions/checkout@v4
         with:
           repository: ${{ inputs.berserker-config-repo }}
           path: .berserker-config
           ref: ${{ inputs.berserker-config-ref }}
+          persist-credentials: false
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
- name: Check out berserker config repository code
uses: actions/checkout@v4
with:
repository: ${{ inputs.berserker-config-repo }}
path: .berserker-config
ref: ${{ inputs.berserker-config-ref }}
persist-credentials: false
# TODO(ROX-29223): Remove once old versions don't use the benchmark-operator
🧰 Tools
🪛 zizmor (1.26.1)

[warning] 483-489: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 483 - 489, Add
persist-credentials: false to the with block of the actions/checkout@v4 step
checking out the berserker config repository, ensuring the checkout does not
persist GITHUB_TOKEN credentials for downstream steps.

Source: Linters/SAST tools

- name: Check out cloud-bulldozer/benchmark-operator code
run: |
Expand Down Expand Up @@ -501,9 +515,12 @@ jobs:
REGISTRY_USERNAME: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }}
REGISTRY_PASSWORD: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }}
ELASTICSEARCH_URL: "https://${{ secrets.K6_ELASTICSEARCH_USER }}:${{ secrets.K6_ELASTICSEARCH_PASSWORD }}@${{ secrets.K6_ELASTICSEARCH_URL }}"
BERSERKER_CONFIGMAP_TEMPLATE: "https://raw.githubusercontent.com/${{ inputs.berserker-config-repo }}/${{ inputs.berserker-config-ref }}/cmd/config/berserker-load/berserker-configmap.yml"
BERSERKER_SERVICE_TEMPLATE: "https://raw.githubusercontent.com/${{ inputs.berserker-config-repo }}/${{ inputs.berserker-config-ref }}/cmd/config/berserker-load/service.yml"
BERSERKER_CONTAINERS_FILE: "berserker-default-containers.yml"
uses: ./.actions/release/start-kube-burner
with:
kube-burner-config-dir: ./.kube-burner-config/scripts/release-tools/kube-burner-configs/berserker-load
kube-burner-config-dir: ./.berserker-config/cmd/config/berserker-load
benchmark-operator-dir: ${{ github.workspace }}/benchmark-operator

start-kube-burner-for-central:
Expand Down
21 changes: 18 additions & 3 deletions release/start-kube-burner/kube-burner.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ spec:
spec:
containers:
- name: kube-burner
image: quay.io/kube-burner/kube-burner:v1.4.3
image: quay.io/kube-burner/kube-burner:v2.6.2
command: ["/bin/sh", "-c"]
args:
- |
Expand All @@ -26,12 +26,12 @@ spec:
config=config.yml
metrics_profile=/etc/kube-burner-metrics/metrics.yml
prometheus_url="http://monitoring.stackrox.svc.cluster.local:9090"
(kube-burner init --config="$config" --metrics-profile="$metrics_profile" --prometheus-url="$prometheus_url" --timeout=1000h || true) &
(kube-burner init --config="$config" --skip-log-file --timeout=1000h || true) &
while true; do
start="$(get_epoch_time)"
sleep "$METRICS_COLLECTION_TIME"
end="$(get_epoch_time)"
kube-burner index --config="$config" --metrics-profile="$metrics_profile" --prometheus-url="$prometheus_url" --start "$start" --end "$end" --step "$METRICS_TIME_STEP" --uuid="$UUID"
kube-burner index --metrics-profile="$metrics_profile" --prometheus-url="$prometheus_url" --start "$start" --end "$end" --step "$METRICS_TIME_STEP" --uuid="$UUID" --es-server "$ELASTICSEARCH_URL" --es-index kube-burner-long-running-test
done
volumeMounts:
- name: config
Expand Down Expand Up @@ -60,6 +60,21 @@ spec:
secretKeyRef:
name: kube-burner-secret
key: METRICS_TIME_STEP
- name: BERSERKER_CONFIGMAP_TEMPLATE
valueFrom:
secretKeyRef:
name: kube-burner-secret
key: BERSERKER_CONFIGMAP_TEMPLATE
- name: BERSERKER_SERVICE_TEMPLATE
valueFrom:
secretKeyRef:
name: kube-burner-secret
key: BERSERKER_SERVICE_TEMPLATE
- name: BERSERKER_CONTAINERS_FILE
valueFrom:
secretKeyRef:
name: kube-burner-secret
key: BERSERKER_CONTAINERS_FILE
volumes:
- name: config
configMap:
Expand Down
9 changes: 7 additions & 2 deletions release/start-kube-burner/start-kube-burner.sh
Original file line number Diff line number Diff line change
Expand Up @@ -27,8 +27,10 @@ dockerconfigjson="$(kubectl -n stackrox get secret stackrox -o yaml | grep docke
secret_template="${KUBE_BURNER_CONFIG_DIR_BASE}/secret_template.yml"
secret_file="${KUBE_BURNER_CONFIG_DIR}/secret.yml"

gh_log notice "Patching $secret_template"
sed "s|__DOCKERCONFIGJSON__|$dockerconfigjson|" "$secret_template" > "$secret_file"
if [ -f "$secret_template" ]; then
gh_log notice "Patching $secret_template"
sed "s|__DOCKERCONFIGJSON__|$dockerconfigjson|" "$secret_template" > "$secret_file"
fi

kubectl create ns kube-burner

Expand All @@ -50,6 +52,9 @@ kubectl create secret generic kube-burner-secret \
--from-literal=UUID="$uuid" \
--from-literal=METRICS_COLLECTION_TIME="$METRICS_COLLECTION_TIME" \
--from-literal=METRICS_TIME_STEP="5m" \
--from-literal=BERSERKER_CONFIGMAP_TEMPLATE="${BERSERKER_CONFIGMAP_TEMPLATE}" \
--from-literal=BERSERKER_SERVICE_TEMPLATE="${BERSERKER_SERVICE_TEMPLATE}" \
--from-literal=BERSERKER_CONTAINERS_FILE="${BERSERKER_CONTAINERS_FILE}" \
--namespace=kube-burner

kubectl create -f "${DIR}"/kube-burner.yaml
3 changes: 3 additions & 0 deletions release/start-secured-cluster/action.yml
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ runs:
STACKROX_DIR: ${{ github.workspace }}
COMMON_DIR: ${{ github.workspace }}/deploy/common
SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true"
SFA_AGENT: "true"
SENSOR_HELM_DEPLOY: "true"
ROX_DEPLOY_SENSOR_WITH_CRS: "false"
ROX_NETFLOW_BATCHING: "true"
ROX_NETFLOW_CACHE_LIMITING: "true"
run: |
Expand Down
22 changes: 22 additions & 0 deletions release/start-secured-cluster/start-secured-cluster.sh
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,26 @@ else
echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})"
fi

# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox || true

kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true

Comment on lines +22 to +39

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

create ... || true doesn't update existing secrets — stale credentials risk.

kubectl create secret docker-registry ... || true only ignores the "already exists" error; it does not update the secret if it already exists (e.g. on repeated runs against a reused namespace/cluster, or if REGISTRY_USERNAME/REGISTRY_PASSWORD rotate). This means image pull secrets can silently go stale and pods will start failing to pull images with no clear signal — the || true swallows the real error too. Use a create-or-update (apply) pattern instead.

Suggested fix
-kubectl create namespace stackrox || true
+kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -

-kubectl -n stackrox create secret docker-registry stackrox \
-  --docker-server=quay.io \
-  --docker-username="${REGISTRY_USERNAME}" \
-  --docker-password="${REGISTRY_PASSWORD}" || true
+kubectl -n stackrox create secret docker-registry stackrox \
+  --docker-server=quay.io \
+  --docker-username="${REGISTRY_USERNAME}" \
+  --docker-password="${REGISTRY_PASSWORD}" \
+  --dry-run=client -o yaml | kubectl apply -f -

(repeat for the other two secrets)

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox || true
kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" || true
# Create namespace and image pull secrets BEFORE running sensor.sh
kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry stackrox \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry secured-cluster-services-main \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \
--docker-server=quay.io \
--docker-username="${REGISTRY_USERNAME}" \
--docker-password="${REGISTRY_PASSWORD}" \
--dry-run=client -o yaml | kubectl apply -f -
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/start-secured-cluster/start-secured-cluster.sh` around lines 22 - 39,
Replace the three `kubectl create secret docker-registry` commands in
`start-secured-cluster.sh` with an idempotent create-or-update approach, such as
generating the secret manifest with `--dry-run=client -o yaml` and piping it to
`kubectl apply -f -`; remove the unconditional `|| true` so genuine failures
remain visible while repeated runs update rotated credentials.

"${STACKROX_DIR}/deploy/k8s/sensor.sh"

kubectl -n stackrox create secret generic access-rhacs \
--from-literal="username=${ROX_ADMIN_USERNAME}" \
--from-literal="password=${ROX_ADMIN_PASSWORD}" \
Expand All @@ -28,6 +47,9 @@ kubectl -n stackrox create secret generic access-rhacs \
# Create the collector-config ConfigMap in order to enable external IPs
kubectl create -f "${SCRIPT_DIR}/collector-config.yaml"

# Patch the collector DaemonSet to configure fact container
kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" FACT_LOGLEVEL="info" -c fact

echo "Deploying Monitoring..."
monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml"

Expand Down
Loading