Skip to content

ci(operator): centralize Kubernetes test versions#281

Open
AnouarMohamed wants to merge 1 commit into
NVIDIA:mainfrom
AnouarMohamed:fix/issue-238-k8s-test-versions
Open

ci(operator): centralize Kubernetes test versions#281
AnouarMohamed wants to merge 1 commit into
NVIDIA:mainfrom
AnouarMohamed:fix/issue-238-k8s-test-versions

Conversation

@AnouarMohamed

@AnouarMohamed AnouarMohamed commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

  • add operator/k8s-test-versions.mk as the owner for envtest, Kind node image, Kind binary, and CI matrix versions
  • render the local ctlptl config from Make and validate kindest/node tags before Kind cluster creation
  • derive envtest BinaryAssetsDirectory in Go suites from the centralized version owner instead of hard-coded paths
  • load the same version outputs in operator and agent GitHub Actions, including path filters, cache keys, and least-privilege job permissions

Notes

upstream/main already uses envtest 1.36.0 while local/CI Kind node images remain on 1.35.0. This keeps those current values and documents the intentional split because Kind does not publish every Kubernetes patch version.

Closes #238.

Validation

  • make -C operator print-k8s-test-versions-github-output
  • make -C operator envtest
  • make -C operator render-ctlptl-config
  • make -C operator validate-kind-node-image
  • make -C operator validate-kind-node-image DOCKER_CMD=podman with a temporary Podman shim to confirm DOCKER_CMD is preferred
  • make -C operator -n create-kind-cluster
  • make -C operator -n create-deployment-policy-cluster
  • cd operator && make unit-tests (first run hit an envtest 1.36.0 startup timeout; retry passed)
  • workflow YAML parsed with PyYAML
  • git diff --check

@github-actions github-actions Bot added doc Documentation change (PR path label; doc issues use the Documentation type) component/operator Skyhook operator (controller-manager) component/ci CI workflows, GitHub Actions, and repo tooling labels Jun 15, 2026
@AnouarMohamed AnouarMohamed marked this pull request as ready for review June 15, 2026 03:27
@AnouarMohamed AnouarMohamed requested a review from a team June 15, 2026 03:27
@coderabbitai

coderabbitai Bot commented Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

This PR introduces operator/k8s-test-versions.mk as a single source of truth for all Kubernetes and Kind version variables (ENVTEST_K8S_VERSION, KIND_VERSION, KIND_NODE_IMAGE_VERSION, KIND_BINARY_VERSION, CI_KIND_NODE_IMAGE_VERSIONS_JSON). operator/deps.mk includes this file and removes its own ENVTEST_K8S_VERSION default. The operator/Makefile gains three new targets (print-k8s-test-versions-github-output, validate-kind-node-image, render-ctlptl-config) and updates cluster management targets to use a rendered ctlptl config templated from config/local-dev/ctlptl-config.yaml. A new operator/internal/testenv/envtest.go package provides BinaryAssetsDirectory(), which replaces hard-coded envtest binary path construction in both test suite files. Both CI workflows adopt dynamic version matrices derived from the new Makefile target, and documentation is updated throughout.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~65 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely describes the main objective: centralizing Kubernetes test versions in the operator CI infrastructure.
Description check ✅ Passed The description comprehensively explains the changes, their purpose, and validation steps performed, with a clear reference to the related issue.
Linked Issues check ✅ Passed The PR successfully fulfills all acceptance criteria from issue #238: centralizes envtest versions via k8s-test-versions.mk, documents version relationships, establishes CI ownership, and adds validation for Kind node images.
Out of Scope Changes check ✅ Passed All changes are directly related to centralizing Kubernetes test version management as required by issue #238; no unrelated modifications are present.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed Jun 15, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/operator-ci.yaml:
- Around line 68-84: Add a permissions block to the k8s-test-versions job to
enforce least privilege access. Since this job only checks out the repository
and runs a make command to print version information with no write or deployment
operations, add explicit minimal permissions (such as read-all or restricted
permissions) at the job level to reduce the attack surface if the job were
compromised.

In `@operator/Makefile`:
- Around line 166-179: The validate-kind-node-image target hardcodes docker as
the first choice for container command checking, which ignores the DOCKER_CMD
variable that may be configured to use podman instead. Update the conditional
logic to check for the DOCKER_CMD variable first before falling back to docker,
then podman, and finally curl. This ensures that if DOCKER_CMD is explicitly set
to podman, that preference is honored during image validation rather than
defaulting to docker if it exists on the system.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 8746bd17-b760-4ccd-be48-1ad24591a61a

📥 Commits

Reviewing files that changed from the base of the PR and between 81ef6be and d0d2e08.

📒 Files selected for processing (13)
  • .github/workflows/agent-ci.yaml
  • .github/workflows/operator-ci.yaml
  • docs/README.md
  • docs/development.md
  • docs/kubernetes-support.md
  • operator/Makefile
  • operator/README.md
  • operator/api/v1alpha1/webhook_suite_test.go
  • operator/config/local-dev/ctlptl-config.yaml
  • operator/deps.mk
  • operator/internal/controller/suite_test.go
  • operator/internal/testenv/envtest.go
  • operator/k8s-test-versions.mk

Comment thread .github/workflows/operator-ci.yaml
Comment thread operator/Makefile
@AnouarMohamed
ci(operator): centralize Kubernetes test versions
9d8e057 
Signed-off-by: AnouarMohamed <m.anouar@mundiapolis.ma>
@AnouarMohamed AnouarMohamed force-pushed the fix/issue-238-k8s-test-versions branch from d0d2e08 to 9d8e057 Compare June 15, 2026 11:42
coderabbitai[bot]
coderabbitai Bot reviewed Jun 15, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@operator/internal/testenv/envtest.go`:
- Around line 39-49: The function `BinaryAssetsDirectory` returns bare errors
from `findOperatorRoot()` and `makeDefault()` calls without wrapping them with
context. Wrap both error returns using `fmt.Errorf` with the `%w` verb to
provide diagnostic context, following the pattern `fmt.Errorf("descriptive
message: %w", err)` for each of the two return statements that currently return
bare `err` values.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 19a32c2d-a2cb-4982-a8b7-691b971b7a57

📥 Commits

Reviewing files that changed from the base of the PR and between d0d2e08 and 9d8e057.

📒 Files selected for processing (13)
  • .github/workflows/agent-ci.yaml
  • .github/workflows/operator-ci.yaml
  • docs/README.md
  • docs/development.md
  • docs/kubernetes-support.md
  • operator/Makefile
  • operator/README.md
  • operator/api/v1alpha1/webhook_suite_test.go
  • operator/config/local-dev/ctlptl-config.yaml
  • operator/deps.mk
  • operator/internal/controller/suite_test.go
  • operator/internal/testenv/envtest.go
  • operator/k8s-test-versions.mk

Comment thread operator/internal/testenv/envtest.go
Comment on lines +39 to +49
operatorRoot, err := findOperatorRoot()
if err != nil {
return "", err
}

version := strings.TrimPrefix(os.Getenv(envtestK8SVersionVar), "v")
if version == "" {
version, err = makeDefault(operatorRoot, envtestK8SVersionVar)
if err != nil {
return "", err
}

@coderabbitai coderabbitai Bot Jun 15, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major | ⚡ Quick win

Add context when returning helper errors from BinaryAssetsDirectory.

At Line 41 and Line 48, this function returns bare err. Wrap both returns with %w context so failures are diagnosable at call sites.

Suggested diff 
 	operatorRoot, err := findOperatorRoot()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("resolving operator root for envtest assets: %w", err)
 	}

 	version := strings.TrimPrefix(os.Getenv(envtestK8SVersionVar), "v")
 	if version == "" {
 		version, err = makeDefault(operatorRoot, envtestK8SVersionVar)
 		if err != nil {
-			return "", err
+			return "", fmt.Errorf("resolving %s default: %w", envtestK8SVersionVar, err)
 		}
 	}

As per coding guidelines, “Wrap errors with fmt.Errorf("…: %w", err) using %w for error wrapping; never return bare err.”

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@operator/internal/testenv/envtest.go` around lines 39 - 49, The function
`BinaryAssetsDirectory` returns bare errors from `findOperatorRoot()` and
`makeDefault()` calls without wrapping them with context. Wrap both error
returns using `fmt.Errorf` with the `%w` verb to provide diagnostic context,
following the pattern `fmt.Errorf("descriptive message: %w", err)` for each of
the two return statements that currently return bare `err` values.

Source: Coding guidelines

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@lockwobr lockwobr Awaiting requested review from lockwobr lockwobr is a code owner

@ayuskauskas ayuskauskas Awaiting requested review from ayuskauskas ayuskauskas is a code owner

@rice-riley rice-riley Awaiting requested review from rice-riley rice-riley is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

component/ci CI workflows, GitHub Actions, and repo tooling component/operator Skyhook operator (controller-manager) doc Documentation change (PR path label; doc issues use the Documentation type)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unify Kubernetes test version sources

1 participant

@AnouarMohamed