Skip to content

ROX-35145: Use roxie in long-running release cluster setup#98

Open
porridge wants to merge 26 commits into
mainfrom
use-roxie-in-start-acs
Open

ROX-35145: Use roxie in long-running release cluster setup#98
porridge wants to merge 26 commits into
mainfrom
use-roxie-in-start-acs

Conversation

@porridge

@porridge porridge commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Summary

Replaces the legacy deploy-scripts-based flow (central.sh, sensor.sh, deploy.sh,
kubectl patches) in both release/start-acs and release/start-secured-cluster with
roxie — a single roxie deploy invocation per component.

start-acs (fake-load cluster: Central + SecuredCluster)

  • roxie deploy central replaces central.sh + sensor.sh + kubectl patches
  • Monitoring stack still deployed via stackrox Helm chart after roxie finishes
  • Installs roxctl from RHACS mirror (required by roxie)
  • Exports CA cert (base64) as a new output for cross-cluster secured-cluster deploy

start-secured-cluster (real-load cluster: SecuredCluster only)

  • roxie deploy secured-cluster replaces sensor.sh + kubectl patches
  • Uses API_ENDPOINT and ROX_CA_CERT_FILE env vars for CRS generation
    (see Multi-cluster secured-cluster deploy fails with cryptic error when following docs roxie#230 for a UX improvement filed)
  • Monitoring deployed via Helm, same as before
  • Collector-config ConfigMap for external IPs kept (operator doesn't manage it)
  • FACT container env vars via CRD overlay (operator would reconcile kubectl patches)

roxie-config.yaml (both actions)

  • Resource requests, limits, and HPA scaling tuned to match the previous deploy-scripts
    flow — verified with 100% alignment against a legacy baseline deployment (every
    deployment container's CPU/memory requests and limits, plus HPA min/max, match exactly)
  • Scanner v2 explicitly enabled (operator's default profile disables it)
  • May be adjusted in the future to better resemble a typical customer deployment

Deleted files

  • release/start-acs/patch-central.json and release/start-acs/patch-sensor.json — settings now in respective roxie-config.yaml

Test scaffolding

Useful for testing this workflow.

  • Added workflow_dispatch trigger to create-demo-clusters.yml with testing
    instructions in a comment
  • Added !cancelled() && !failure() conditions on jobs that depend on properties
    and wait-for-images (skipped in direct dispatch since those require the calling
    repo's context)
  • Added if: needs.properties.outputs.slack-channel != '' on Slack steps
  • Added roxie/install-cli step before both start-acs and start-secured-cluster
    in the workflow

Resource alignment verification

Deployed both legacy (deploy-scripts) and roxie side-by-side on identical GKE clusters
(5x e2-standard-8) with ACS 4.11.0. Compared every deployment container's CPU/memory
requests and limits, plus HPA min/max replicas:

  • Fake-load cluster: 14/14 containers match (YES on all)
  • Real-load cluster: 10/10 containers match (YES on all)
  • HPAs: All match (1 min/1 max treated as equivalent to Disabled)

Run: https://github.com/stackrox/stackrox/actions/runs/28577578264

Test plan

  • Run create-demo-clusters workflow end-to-end (all jobs pass)
  • Manual health check: all pods Running, Central API responding, both secured clusters registered
  • Resource comparison: 100% alignment with legacy deployment

🤖 Generated with Claude Code

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • ✅ Review completed - (🔄 Check again to review again)
📝 Walkthrough

Walkthrough

Adds a new roxie/install-cli composite action with installer and docs. Migrates release/start-acs to roxie deploy with a new config file, removes the old patch JSON files, and updates create-demo-clusters.yml for manual dispatch, ref selection, and roxie CLI installation.

Changes

New roxie/install-cli Action

Layer / File(s) Summary
Action, installer script, and docs
roxie/install-cli/action.yml, roxie/install-cli/install-roxie.sh, roxie/install-cli/README.md, README.md
Composite action definition, Bash installer (OS/arch validation, version resolution, SHA256 verification, PATH setup), documentation, and root README registration.

Migrate start-acs to roxie deploy

Layer / File(s) Summary
ROXIE config and removed patches
release/start-acs/roxie-config.yaml, release/start-acs/patch-central.json, release/start-acs/patch-sensor.json
New ROXIE config YAML defines central and securedCluster specs; the prior patch JSON manifests are deleted.
start-acs script and action wiring
release/start-acs/start-acs.sh, release/start-acs/action.yml
start-acs.sh adds a guard for an existing central deployment, replaces the manual deploy flow with roxie deploy, sources the generated envrc, derives CENTRAL_IP, and conditionally runs Helm for monitoring. action.yml narrows the env block and updates the stackrox-dir description.
Workflow dispatch and checkout refs
.github/workflows/create-demo-clusters.yml
Adds workflow_dispatch inputs, skips properties on manual runs, updates kube-burner ref parsing, defaults local action checkouts from workflow-ref, and inserts the roxie CLI install step in start-acs.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly summarizes the main change: switching the long-running release cluster setup to roxie.
Description check ✅ Passed The description matches the changeset and covers the roxie migration, workflow updates, and new configs.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch use-roxie-in-start-acs

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
release/start-acs/action.yml (1)

43-57: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Install or guard roxie in release/start-acs
start-acs.sh calls roxie deploy directly, but this composite action never installs or checks for roxie. Add the install/check here so the action doesn’t depend on every caller setting up the CLI first.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/start-acs/action.yml` around lines 43 - 57, The start-acs composite
action invokes start-acs.sh, which expects roxie to be available but does not
install or verify it first. Update the launch-central step in action.yml to
ensure roxie is installed or explicitly checked before running the script, so
callers do not need to preconfigure the CLI. Use the existing start-acs.sh
entrypoint and add the dependency handling in the composite action itself.
🧹 Nitpick comments (1)
roxie/install-cli/install-roxie.sh (1)

21-25: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Unauthenticated GitHub API call is rate-limited and can flake on shared CI runners.

api.github.com allows only 60 requests/hour per source IP for unauthenticated calls; GitHub-hosted runners share egress IPs, so latest-version resolution can intermittently fail. Pass a token and guard an empty/null result so a bad response surfaces clearly instead of producing a malformed base_url.

♻️ Suggested hardening
 if [[ -z "${ROXIE_VERSION:-}" ]]; then
-    ROXIE_VERSION=$(curl -fsSL --retry 5 --retry-all-errors \
-        https://api.github.com/repos/stackrox/roxie/releases/latest | jq -r '.tag_name')
+    ROXIE_VERSION=$(curl -fsSL --retry 5 --retry-all-errors \
+        ${GITHUB_TOKEN:+-H "Authorization: Bearer ${GITHUB_TOKEN}"} \
+        https://api.github.com/repos/stackrox/roxie/releases/latest | jq -r '.tag_name')
+    if [[ -z "${ROXIE_VERSION}" || "${ROXIE_VERSION}" == "null" ]]; then
+        echo "::error::Failed to resolve latest roxie version"
+        exit 1
+    fi
     echo "::notice::Resolved latest roxie version: ${ROXIE_VERSION}"
 fi

Wire GITHUB_TOKEN through the action's env block if you adopt this.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@roxie/install-cli/install-roxie.sh` around lines 21 - 25, The latest-version
lookup in the ROXIE_VERSION initialization block is using an unauthenticated
GitHub API request, which can be rate-limited on shared runners. Update the
release query to use a token from GITHUB_TOKEN (and wire it through the action
env if needed), then validate the jq result before assigning ROXIE_VERSION so
empty or null responses fail clearly instead of flowing into a malformed
base_url.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@release/start-acs/roxie-config.yaml`:
- Around line 32-33: The static ROX_TELEMETRY_STORAGE_KEY_V1 entry in the roxie
config is now checked into the repo, so remove it from the committed YAML and
move it to a runtime-provided secret or rendered config path. Update the config
generation flow around the ROX_TELEMETRY_STORAGE_KEY_V1 setting so it is
injected from GitHub secrets or another secure source, or explicitly annotate
the config if this value is intended to be public/test-only.

In `@release/start-acs/start-acs.sh`:
- Around line 36-43: The temporary envrc created in the start-acs flow is left
behind if the script exits after sourcing it, which can leak ROX_ADMIN_PASSWORD.
Update the start-acs.sh flow around roxie_envrc and the roxie deploy/source
steps to register a cleanup handler that removes the generated temp file on
every exit path, including failures under set -e, and keep the cleanup tied to
the script’s normal teardown.

---

Outside diff comments:
In `@release/start-acs/action.yml`:
- Around line 43-57: The start-acs composite action invokes start-acs.sh, which
expects roxie to be available but does not install or verify it first. Update
the launch-central step in action.yml to ensure roxie is installed or explicitly
checked before running the script, so callers do not need to preconfigure the
CLI. Use the existing start-acs.sh entrypoint and add the dependency handling in
the composite action itself.

---

Nitpick comments:
In `@roxie/install-cli/install-roxie.sh`:
- Around line 21-25: The latest-version lookup in the ROXIE_VERSION
initialization block is using an unauthenticated GitHub API request, which can
be rate-limited on shared runners. Update the release query to use a token from
GITHUB_TOKEN (and wire it through the action env if needed), then validate the
jq result before assigning ROXIE_VERSION so empty or null responses fail clearly
instead of flowing into a malformed base_url.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9e12348d-d933-4f45-b737-11a36ef89ea6

📥 Commits

Reviewing files that changed from the base of the PR and between a98a889 and d71aa46.

📒 Files selected for processing (10)
  • .github/workflows/create-demo-clusters.yml
  • README.md
  • release/start-acs/action.yml
  • release/start-acs/patch-central.json
  • release/start-acs/patch-sensor.json
  • release/start-acs/roxie-config.yaml
  • release/start-acs/start-acs.sh
  • roxie/install-cli/README.md
  • roxie/install-cli/action.yml
  • roxie/install-cli/install-roxie.sh
💤 Files with no reviewable changes (2)
  • release/start-acs/patch-sensor.json
  • release/start-acs/patch-central.json

Comment thread release/start-acs/roxie-config.yaml
Comment thread release/start-acs/start-acs.sh

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/test-roxie-start-acs.yml:
- Around line 20-21: The workflow inputs in the test-roxie-start-acs dispatch
currently use fixed cluster names, so every run reuses the same clusters and can
interfere with other validations. Update the values passed to the reusable
workflow for cluster creation so they are unique per dispatch, using a per-run
identifier or other generated suffix in the test-roxie-start-acs workflow’s
cluster name fields to avoid collisions across reruns and parallel runs.
- Line 13: The workflow currently uses secrets: inherit, which exposes all
dispatcher secrets instead of only the ones this job needs. Update the workflow
trigger/job configuration to pass only the explicitly required secrets for this
workflow, using the existing secret names referenced by the job such as
INFRA_TOKEN, GCP_RELEASE_AUTOMATION_SA, QUAY_RHACS_ENG_BEARER_TOKEN,
QUAY_RHACS_ENG_RO_USERNAME, QUAY_RHACS_ENG_RO_PASSWORD,
RELEASE_MANAGEMENT_PAGERDUTY_INTEGRATION_KEY, SLACK_BOT_TOKEN,
K6_ELASTICSEARCH_USER, K6_ELASTICSEARCH_PASSWORD, and K6_ELASTICSEARCH_URL.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 6b814200-7675-411b-a0f4-a6e2f4c4af9b

📥 Commits

Reviewing files that changed from the base of the PR and between d71aa46 and 3a8a2d8.

📒 Files selected for processing (1)
  • .github/workflows/test-roxie-start-acs.yml

Comment thread .github/workflows/test-roxie-start-acs.yml Outdated
Comment thread .github/workflows/test-roxie-start-acs.yml Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/create-demo-clusters.yml (1)

373-373: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Pin the ROXIE CLI version here.
roxie/install-cli defaults to the latest release when version is omitted, so reruns can pick up a different binary and break deploy behavior.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml at line 373, The ROXIE CLI
install step is unpinned and will default to the latest release, which can make
workflow reruns non-deterministic. Update the `roxie/install-cli` usage in
`create-demo-clusters.yml` to pass an explicit version so the binary is stable
across runs. Keep the change localized to the `install-cli` action invocation
and make sure the selected version is consistent with the rest of the deployment
workflow.
🧹 Nitpick comments (1)
.github/workflows/create-demo-clusters.yml (1)

142-147: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable credential persistence on the local-action checkouts.

These checkouts are only used to read .actions, so keeping the GitHub token in each cloned repo’s .git/config is unnecessary exposure. Setting persist-credentials: false here addresses the artipacked warning without changing behavior.

Suggested hardening
      - name: Checkout local action
        uses: actions/checkout@v4
        with:
          repository: stackrox/actions
          path: .actions
          ref: ${{ inputs.workflow-ref || github.ref_name }}
+         persist-credentials: false

Also applies to: 163-168, 225-230, 290-295, 315-320, 356-361, 449-454, 510-515, 558-563

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 142 - 147, Disable
credential persistence on the local action checkout steps used to populate
.actions. Update each actions/checkout@v4 invocation in the workflow to set
persist-credentials: false alongside the existing repository, path, and ref
inputs so the GitHub token is not stored in .git/config while preserving
behavior.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 24-29: The new kube-burner config ref is only applied in one
place, so the central kube-burner checkout still uses the default version ref
while the secured-cluster path uses burner-ref. Update the central job’s
checkout logic in the create-demo-clusters workflow to consume the same parsed
kube-burner config ref output as the other job, using the existing
parse-refs/burner-ref wiring consistently. Make sure both jobs resolve the repo
and ref from the same inputs so manual overrides behave identically.

---

Outside diff comments:
In @.github/workflows/create-demo-clusters.yml:
- Line 373: The ROXIE CLI install step is unpinned and will default to the
latest release, which can make workflow reruns non-deterministic. Update the
`roxie/install-cli` usage in `create-demo-clusters.yml` to pass an explicit
version so the binary is stable across runs. Keep the change localized to the
`install-cli` action invocation and make sure the selected version is consistent
with the rest of the deployment workflow.

---

Nitpick comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 142-147: Disable credential persistence on the local action
checkout steps used to populate .actions. Update each actions/checkout@v4
invocation in the workflow to set persist-credentials: false alongside the
existing repository, path, and ref inputs so the GitHub token is not stored in
.git/config while preserving behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 7e3528d8-8098-4183-a08c-65b514395b7b

📥 Commits

Reviewing files that changed from the base of the PR and between 3a8a2d8 and a52a0d5.

📒 Files selected for processing (1)
  • .github/workflows/create-demo-clusters.yml

Comment thread .github/workflows/create-demo-clusters.yml

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Line 82: The Slack posting path in the `start-acs` job still runs even when
`properties` is skipped, so the manual `workflow_dispatch` flow can later read
an empty `needs.properties.outputs.slack-channel` value. Update the Slack step
in `create-demo-clusters.yml` to use the same skip condition as the `properties`
job, or add a check that `needs.properties.outputs.slack-channel` is non-empty
before posting, so the `start-acs` job does not attempt the Slack notification
when no channel is available.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 180b6672-13c9-4868-ae05-ab78097c4240

📥 Commits

Reviewing files that changed from the base of the PR and between a52a0d5 and 893f19c.

📒 Files selected for processing (1)
  • .github/workflows/create-demo-clusters.yml

Comment thread .github/workflows/create-demo-clusters.yml
porridge and others added 20 commits July 2, 2026 11:54
Replace the manual central.sh/sensor.sh/patch sequence with a single
`roxie deploy` invocation that handles operator installation, Central +
SecuredCluster deployment, readiness waiting, and LB detection.

The roxie config YAML captures what was previously spread across
action.yml env vars and patch-{central,sensor}.json files, including
PVC storage, resource limits, env vars, and scanner V4 settings.
Process baseline auto-locking uses the native CRD field.

Monitoring remains deployed via the stackrox Helm chart after ACS
is up, using envsubst for PagerDuty integration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dispatch wrapper for testing the create-demo-clusters reusable workflow
from this branch. Remove after validation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add workflow_dispatch to create-demo-clusters.yml so it can be
dispatched directly from feature branches. Remove standalone test
workflow. All inputs fall back to sensible defaults for dispatch.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
These jobs require the calling repo's context (properties file,
Quay bearer token). Skip them for direct dispatch testing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add !cancelled() && !failure() conditions so downstream jobs run
when their dependencies are skipped (dispatch path) but still block
when they actually fail (workflow_call path).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Roxie requires roxctl. Download it from the RHACS mirror
matching the deployed version.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Return sooner without waiting for full scanner initialization.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The faster storage class doesn't exist on GKE clusters.
premium-rwo is the GKE equivalent (SSD-backed).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Replace sensor.sh/pull-secrets/kubectl-patches with roxie deploy
secured-cluster. FACT container env vars use CRD overlays instead
of kubectl set env (which the operator would reconcile away).
Collector externalIps ConfigMap kept as-is (operator doesn't manage it).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Root cause: roxie uses API_ENDPOINT env var (not the CRD config's
centralEndpoint) for roxctl CRS generation. Without it, roxctl gets
an empty endpoint causing "missing port in address".

Filed stackrox/roxie#230 for the UX issue.

Fixes:
- Add CA cert as base64-encoded output from start-acs
- Decode CA cert in start-secured-cluster and set ROX_CA_CERT_FILE
- Set API_ENDPOINT env var for roxie's roxctl CRS generation
- Add --verbose to all roxie deploy calls

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Roxie auto-detects GKE infra clusters and applies medium resources,
which combined with kube-burner workloads exceeds the 5-node
e2-standard-8 cluster capacity. Use small profile to fit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Remove resourceProfile: small (let operator use built-in defaults)
- Add explicit central resources matching old patch-central.json
  (2 CPU / 3Gi requests, 4 CPU / 12Gi limits)
- Add explicit sensor resources matching old patch-sensor.json
- Enable scanner v2 (scannerComponent: Enabled) on both configs
  — small profile was disabling it

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Legacy roxctl-generate produces min=1/max=1 HPAs for scanner-v4
components (effectively no autoscaling) and min=1/max=5 for scanner.
The operator defaults are min=2/max=5, causing extra replicas that
exhaust cluster CPU.

Set scaling to match legacy observations. Enable scanner v2
(scannerComponent: Enabled) which was missing. Keep central/sensor
resource overrides matching the old patch JSON files.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The SecuredCluster CRD only accepts "AutoSense" or "Disabled" for
scanner.scannerComponent (unlike the Central CRD which accepts "Enabled").

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Fake-load cluster:
- scanner-v4-db CPU req: 500m (was operator default 1)
- scanner-v4-indexer CPU req: 400m (was operator default 1500m)
- scanner-v4-matcher CPU req: 400m (was operator default 500m)

Real-load cluster:
- sensor: 500m/4 CPU, 500Mi/8Gi (was 2/4, 3Gi/12Gi from
  patch-sensor.json which only applies to fake-load)
- admission-control mem limit: 500Mi (was operator default 1Gi)
- scanner HPA min: 2 (was 1)
- scanner-v4-indexer HPA: Enabled min=2/max=5 (was Disabled)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add testing instructions comment near workflow_dispatch trigger
- Reorder dispatch inputs to match workflow_call order
- Consolidate roxie config comments to a single header explaining
  that resource settings match the previous deploy-scripts-based
  flow and may be tuned in the future

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@porridge porridge force-pushed the use-roxie-in-start-acs branch from 04591ad to d86a4e4 Compare July 2, 2026 09:59
@porridge porridge changed the title Replace stackrox deploy scripts with roxie in start-acs Replace deploy scripts with roxie in start-acs and start-secured-cluster Jul 2, 2026
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@porridge

porridge commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@CodeRabbit-ai review

@porridge porridge changed the title Replace deploy scripts with roxie in start-acs and start-secured-cluster Use roxie in long-running release cluster setup Jul 2, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (1)
.github/workflows/create-demo-clusters.yml (1)

563-589: 🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

start-kube-burner-for-central still checks out kube-burner config with version-ref, not burner-ref.

This is the same issue raised in a prior review (marked "Addressed") for the central job specifically. The sibling job start-kube-burner-for-secured-cluster was fixed to use needs.parse-refs.outputs.burner-ref (Line 528), but Line 583 here still uses needs.parse-refs.outputs.version-ref. When kube-burner-config-ref is manually overridden and differs from version, the central job will pull the wrong kube-burner config ref, causing inconsistent behavior between the two kube-burner jobs (and potential failures if the alternate repo lacks the stackrox version tag).

🐛 Proposed fix
       - name: Check out kube-burner config repository code
         uses: actions/checkout@v4
         with:
           repository: stackrox/${{ inputs.kube-burner-config-repo }}
           path: .kube-burner-config
-          ref: ${{ needs.parse-refs.outputs.version-ref }}
+          ref: ${{ needs.parse-refs.outputs.burner-ref }}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 563 - 589, The
start-kube-burner-for-central job is still checking out the kube-burner config
repository with the wrong ref, so update the actions/checkout step in that job
to use needs.parse-refs.outputs.burner-ref instead of version-ref. Keep it
aligned with start-kube-burner-for-secured-cluster and ensure the kube-burner
config checkout in start-kube-burner-for-central uses the burner ref when
locating the repository.
🧹 Nitpick comments (2)
release/start-secured-cluster/action.yml (1)

47-53: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Pass ca-cert via env instead of inline ${{ }} interpolation.

Interpolating action inputs directly into an inline run block is a script-injection anti-pattern in GitHub Actions. The value here is Base64 (safe alphabet), so it isn't exploitable today, but binding it through env avoids the pattern and is more robust to future input changes.

🔒 Proposed fix
     - name: Decode CA certificate
       id: ca-cert
       shell: bash
+      env:
+        CA_CERT: ${{ inputs.ca-cert }}
       run: |
         ca_cert_file="$(mktemp)"
-        echo "${{ inputs.ca-cert }}" | base64 -d > "$ca_cert_file"
+        echo "$CA_CERT" | base64 -d > "$ca_cert_file"
         echo "file=$ca_cert_file" >> "$GITHUB_OUTPUT"
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@release/start-secured-cluster/action.yml` around lines 47 - 53, The “Decode
CA certificate” step in action.yml should stop interpolating inputs directly
inside the inline shell script. Bind the ca-cert input through the step’s env
map and reference that environment variable inside the run block instead of
using the `${{ inputs.ca-cert }}` expression in the script. Keep the existing
output behavior from the ca-cert step unchanged while updating the shell command
to read from the env-backed value.
.github/workflows/create-demo-clusters.yml (1)

156-161: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Local-action checkouts don't set persist-credentials: false.

All "Checkout local action" steps (stackrox/actions) use actions/checkout@v4 without persist-credentials: false, leaving the auth token in the local git config for the remainder of the job (flagged by zizmor as artipacked across all listed line ranges). Consider adding persist-credentials: false to these steps since they don't need to push back to the checked-out repo.

🔒 Proposed fix (repeat for each occurrence)
       - name: Checkout local action
         uses: actions/checkout@v4
         with:
           repository: stackrox/actions
           path: .actions
           ref: ${{ inputs.workflow-ref || github.ref_name }}
+          persist-credentials: false

Also applies to: 177-182, 240-245, 307-312, 333-338, 376-381, 471-476, 535-540, 584-589

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/create-demo-clusters.yml around lines 156 - 161, The
“Checkout local action” steps in the workflow use actions/checkout@v4 without
disabling credential persistence, which leaves the auth token in git config for
the rest of the job. Update each stackrox/actions checkout block to set
persist-credentials to false, keeping the existing repository, path, and ref
settings unchanged.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 174-182: Add the same workflow status guard to the
create-os4-cluster job so it behaves consistently with the other cluster jobs.
Update the job condition on create-os4-cluster to include !cancelled() &&
!failure() alongside the existing dry-run and create-os4-cluster input checks,
using the create-os4-cluster and notify-os4-cluster job flow as the reference.
This will prevent the skipped wait-for-images dependency from cascading into an
unintended skip during manual dispatch.

In `@release/start-secured-cluster/start-secured-cluster.sh`:
- Around line 19-25: The roxctl install step in the secured cluster startup
script assumes ~/.local/bin already exists, so the curl download can fail on
fresh runner images. Update the install block around the roxctl check to create
the target directory first with a mkdir -p for ~/.local/bin before writing the
roxctl binary, keeping the existing curl and chmod flow intact.

---

Duplicate comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 563-589: The start-kube-burner-for-central job is still checking
out the kube-burner config repository with the wrong ref, so update the
actions/checkout step in that job to use needs.parse-refs.outputs.burner-ref
instead of version-ref. Keep it aligned with
start-kube-burner-for-secured-cluster and ensure the kube-burner config checkout
in start-kube-burner-for-central uses the burner ref when locating the
repository.

---

Nitpick comments:
In @.github/workflows/create-demo-clusters.yml:
- Around line 156-161: The “Checkout local action” steps in the workflow use
actions/checkout@v4 without disabling credential persistence, which leaves the
auth token in git config for the rest of the job. Update each stackrox/actions
checkout block to set persist-credentials to false, keeping the existing
repository, path, and ref settings unchanged.

In `@release/start-secured-cluster/action.yml`:
- Around line 47-53: The “Decode CA certificate” step in action.yml should stop
interpolating inputs directly inside the inline shell script. Bind the ca-cert
input through the step’s env map and reference that environment variable inside
the run block instead of using the `${{ inputs.ca-cert }}` expression in the
script. Keep the existing output behavior from the ca-cert step unchanged while
updating the shell command to read from the env-backed value.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dde1062a-2afb-45ba-83f6-b8d20699fe20

📥 Commits

Reviewing files that changed from the base of the PR and between 893f19c and 4cb3535.

📒 Files selected for processing (9)
  • .github/workflows/create-demo-clusters.yml
  • release/start-acs/action.yml
  • release/start-acs/patch-central.json
  • release/start-acs/patch-sensor.json
  • release/start-acs/roxie-config.yaml
  • release/start-acs/start-acs.sh
  • release/start-secured-cluster/action.yml
  • release/start-secured-cluster/roxie-config.yaml
  • release/start-secured-cluster/start-secured-cluster.sh
💤 Files with no reviewable changes (2)
  • release/start-acs/patch-sensor.json
  • release/start-acs/patch-central.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • release/start-acs/start-acs.sh

Comment thread .github/workflows/create-demo-clusters.yml
Comment thread release/start-secured-cluster/start-secured-cluster.sh
@porridge porridge marked this pull request as ready for review July 6, 2026 08:04
@porridge porridge requested a review from a team as a code owner July 6, 2026 08:04
@porridge porridge requested a review from mclasmeier July 6, 2026 08:10
@porridge porridge changed the title Use roxie in long-running release cluster setup ROX-35141: Use roxie in long-running release cluster setup Jul 6, 2026

@vikin91 vikin91 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Test plan

I would like to make sure that the validation of this PR included:

  • Starting a long running cluster
  • Confirming that the both workflows (fake and berserker) are working and generating load.

The current shape of the "Test plan" section doesn't say that - could we confirm this?

@porridge

porridge commented Jul 6, 2026

Copy link
Copy Markdown
Contributor Author

Test plan

I would like to make sure that the validation of this PR included:

  • Starting a long running cluster

Right, I did this part. The first two first two boxes try to reflect this.

  • Confirming that the both workflows (fake and berserker) are working and generating load.

Good point. I can spin them up, but likely will need some help making sure they are indeed working as expected. Is this something you have experience in @vikin91 ?

Comment on lines +7 to +14
sensor:
resources:
requests:
memory: "500Mi"
cpu: "500m"
limits:
memory: "8Gi"
cpu: "4"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Those are different values than in release/start-acs/patch-sensor.json. We are comparing past runs against the new ones, so I think it is important to keep the same resources settings - especially for Sensor which would consume tons of memory in the long-running cluster.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hm, these values were taken from an actual cluster created with this workflow.

I investigated deeper, and:

  • the release/start-acs/*-patch.json files have no relation to the roxie config we're commenting on, because the config belongs to a different job
  • even for the start-acs job's roxie config they do not matter a lot, because towards the end the job runs a funny little script which joyfully patches the resources again -- to completely different values!
  • either way, the operator is going to restore the values whenever it feels like it, so I need to pause reconciliation when deployment is up. It was and is a waste of time, but not something I'd like to refactor in scope of this PR.

I'm addressing this in 3d3837e
Will ping you on slack when the clusters are up.

Comment thread release/start-secured-cluster/roxie-config.yaml
@vikin91

vikin91 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Good point. I can spin them up, but likely will need some help making sure they are indeed working as expected. Is this something you have experience in @vikin91 ?

Yes, I do, but I am sure that you can spot Sensor consuming tons of memory very quickly (~1-2 hrs) yourself :)
Feel free to ping me on slack so that we look at this together, or - if you prefer - I can write few lines how to recognize that the fake workloads are working

porridge and others added 2 commits July 6, 2026 17:12
Enable pauseReconciliation on both Central and SecuredCluster CRs
so that post-deploy patches (from launch_workload.sh) persist
instead of being reconciled away by the operator.

Set central-db resources to match legacy ci-values (1 CPU / 1Gi
requests) rather than the operator Helm chart default (4 CPU / 8Gi).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The install-cli action's latest-version lookup hits unauthenticated
GitHub API rate limits when multiple jobs run in parallel.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@porridge porridge changed the title ROX-35141: Use roxie in long-running release cluster setup ROX-35145: Use roxie in long-running release cluster setup Jul 7, 2026
@vikin91

vikin91 commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Partial update:

  1. I checked the two fake-workload clusters shared by @porridge (pre-roxie, and post-roxie).
  2. I didn't check the berserker yet (thus partial update)
  3. Both execute the fake workload correctly (I did only smoke tests, but they should be sufficient in this case).
  4. On the post-roxie cluster I noticed that Grafana dashboards are not loading - metrics are exported from Sensor but must get lost somewhere on the way to Grafana.
kubectl -n stackrox port-forward service/monitoring 48444:8443

then go to https://localhost:48444/dashboards

Pre-roxie:
Screenshot 2026-07-07 at 10 12 16

Post-roxie:
Screenshot 2026-07-07 at 10 27 44

but metrics indicate that fake workloads work:

rox_sensor_host_connections_operations_total{object="connections",op="enrich"} 5.939702e+06
rox_sensor_host_connections_operations_total{object="connections",op="remove"} 5.773962e+06
rox_sensor_host_connections_operations_total{object="endpoints",op="enrich"} 7.93784e+06
rox_sensor_host_connections_operations_total{object="endpoints",op="remove"} 7.920009e+06

8M enrichments of network flows over night looks as expected for fake workloads.

Prometheus was unable to scrape StackRox metrics because the monitoring
ports and network policy rules were missing. Enable exposeEndpoint on
central, scanner, scannerV4 components, and use overlays to add the
monitoring port to the sensor service and allow ingress on port 9090
in the sensor network policy.

Partially generated by AI.
@porridge

porridge commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@vikin91 I found the cause - missing monitoring port definitions on deployments. Fixed in the last commit. I'll set up a fresh new set of clusters.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants