From 732fff1e38c246bbffc40b242e1ce47ccba7e7df Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Tue, 30 Jun 2026 13:39:47 +0200 Subject: [PATCH 01/21] Replace stackrox deploy scripts with roxie in start-acs Replace the manual central.sh/sensor.sh/patch sequence with a single `roxie deploy` invocation that handles operator installation, Central + SecuredCluster deployment, readiness waiting, and LB detection. The roxie config YAML captures what was previously spread across action.yml env vars and patch-{central,sensor}.json files, including PVC storage, resource limits, env vars, and scanner V4 settings. Process baseline auto-locking uses the native CRD field. Monitoring remains deployed via the stackrox Helm chart after ACS is up, using envsubst for PagerDuty integration. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 1 + release/start-acs/action.yml | 15 ++----- release/start-acs/patch-central.json | 45 ------------------- release/start-acs/patch-sensor.json | 45 ------------------- release/start-acs/roxie-config.yaml | 52 ++++++++++++++++++++++ release/start-acs/start-acs.sh | 44 +++++++++--------- 6 files changed, 77 insertions(+), 125 deletions(-) delete mode 100644 release/start-acs/patch-central.json delete mode 100644 release/start-acs/patch-sensor.json create mode 100644 release/start-acs/roxie-config.yaml diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index c6fcf7d4..7fc64188 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -342,6 +342,7 @@ jobs: id: artifacts run: | infractl artifacts "${NAME//./-}" -d artifacts >> "$GITHUB_STEP_SUMMARY" + - uses: ./.actions/roxie/install-cli - name: Launch central id: launch-central uses: ./.actions/release/start-acs diff --git a/release/start-acs/action.yml b/release/start-acs/action.yml index 3cfd925d..c2747e49 100644 --- a/release/start-acs/action.yml 
+++ b/release/start-acs/action.yml @@ -22,7 +22,7 @@ inputs: required: true default: "" stackrox-dir: - description: Where the stackrox directory is located + description: Where the stackrox directory is located (needed for monitoring chart) required: true default: "" name: @@ -42,24 +42,15 @@ runs: - id: launch-central env: - ROX_PRODUCT_BRANDING: RHACS_BRANDING MAIN_IMAGE_TAG: ${{ inputs.main-image-tag }} - API_ENDPOINT: localhost:8000 - STORAGE: pvc # Backing storage - STORAGE_CLASS: faster # Runs on an SSD type - STORAGE_SIZE: "100" # 100G - MONITORING_SUPPORT: "true" # Runs monitoring - LOAD_BALANCER: lb - SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" - ROX_ADMIN_USERNAME: admin + MONITORING_SUPPORT: "true" PAGERDUTY_INTEGRATION_KEY: ${{ inputs.pagerduty-integration-key }} + ROX_ADMIN_USERNAME: admin REGISTRY_USERNAME: ${{ inputs.registry-username }} REGISTRY_PASSWORD: ${{ inputs.registry-password }} KUBECONFIG: ${{ inputs.kubeconfig }} STACKROX_DIR: ${{ inputs.stackrox-dir }} NAME: ${{ inputs.name }} - ROX_TELEMETRY_STORAGE_KEY_V1: R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW - ROX_SCANNER_V4: "true" run: | set -uo pipefail "${GITHUB_ACTION_PATH}/../../common/common.sh" \ diff --git a/release/start-acs/patch-central.json b/release/start-acs/patch-central.json deleted file mode 100644 index 2b60315f..00000000 --- a/release/start-acs/patch-central.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "spec": { - "template": { - "spec": { - "containers": [ - { - "name": "central", - "env": [ - { - "name": "MUTEX_WATCHDOG_TIMEOUT_SECS", - "value": "0" - }, - { - "name": "ROX_EXTERNAL_IPS", - "value": "true" - }, - { - "name": "ROX_NETWORK_GRAPH_EXTERNAL_IPS", - "value": "true" - }, - { - "name": "ROX_AUTO_LOCK_PROCESS_BASELINES", - "value": "true" - }, - { - "name": "ROX_BASELINE_GENERATION_DURATION", - "value": "3m" - } - ], - "resources": { - "requests": { - "memory": "3Gi", - "cpu": "2" - }, - "limits": { - "memory": "12Gi", - "cpu": "4" - } - } - } - ] - } - } - } -} 
diff --git a/release/start-acs/patch-sensor.json b/release/start-acs/patch-sensor.json deleted file mode 100644 index f4445769..00000000 --- a/release/start-acs/patch-sensor.json +++ /dev/null @@ -1,45 +0,0 @@ -{ - "spec": { - "template": { - "spec": { - "containers": [ - { - "name": "sensor", - "env": [ - { - "name": "MUTEX_WATCHDOG_TIMEOUT_SECS", - "value": "0" - }, - { - "name": "ROX_FAKE_KUBERNETES_WORKLOAD", - "value": "long-running" - }, - { - "name": "ROX_NETFLOW_BATCHING", - "value": "true" - }, - { - "name": "ROX_NETFLOW_CACHE_LIMITING", - "value": "true" - }, - { - "name": "ROX_FAKE_WORKLOAD_STORAGE", - "value": "/var/cache/stackrox/pebble.db" - } - ], - "resources": { - "requests": { - "memory": "3Gi", - "cpu": "2" - }, - "limits": { - "memory": "12Gi", - "cpu": "4" - } - } - } - ] - } - } - } -} diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml new file mode 100644 index 00000000..401bd958 --- /dev/null +++ b/release/start-acs/roxie-config.yaml 
@@ -0,0 +1,52 @@ +central: + namespace: stackrox + spec: + central: + exposure: + loadBalancer: + enabled: true + resources: + requests: + memory: "3Gi" + cpu: "2" + limits: + memory: "12Gi" + cpu: "4" + db: + persistence: + persistentVolumeClaim: + storageClassName: faster + size: "100Gi" + customize: + envVars: + - name: MUTEX_WATCHDOG_TIMEOUT_SECS + value: "0" + - name: ROX_EXTERNAL_IPS + value: "true" + - name: ROX_NETWORK_GRAPH_EXTERNAL_IPS + value: "true" + - name: ROX_AUTO_LOCK_PROCESS_BASELINES + value: "true" + - name: ROX_BASELINE_GENERATION_DURATION + value: "3m" + - name: ROX_TELEMETRY_STORAGE_KEY_V1 + value: "R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW" + scannerV4: + scannerComponent: Enabled +securedCluster: + namespace: stackrox + spec: + processBaselines: + autoLock: Enabled + customize: + envVars: + - name: MUTEX_WATCHDOG_TIMEOUT_SECS + value: "0" + - name: ROX_FAKE_KUBERNETES_WORKLOAD + value: "long-running" + - name: ROX_NETFLOW_BATCHING + value: "true" + - name: ROX_NETFLOW_CACHE_LIMITING + value: "true" + - name: ROX_FAKE_WORKLOAD_STORAGE + value: "/var/cache/stackrox/pebble.db" diff --git a/release/start-acs/start-acs.sh b/release/start-acs/start-acs.sh index bce490d6..39baa2e3 100755 --- a/release/start-acs/start-acs.sh +++ b/release/start-acs/start-acs.sh 
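Review bot: `ROX_TELEMETRY_STORAGE_KEY_V1` is committed as a plaintext value under `central.spec.customize.envVars` in the new roxie-config.yaml; it was already hard-coded in the removed action.yml env, so the exposure is moved rather than introduced, but a checked-in config file is where such values tend to be copied from. Consider taking it as an action input backed by a secret and injecting it at deploy time, leaving a placeholder or comment here, e.g. `# ROX_TELEMETRY_STORAGE_KEY_V1 is supplied via the action input, not committed`. Separately, Central still sets `ROX_AUTO_LOCK_PROCESS_BASELINES: "true"` through an env var while SecuredCluster uses the native `processBaselines.autoLock: Enabled` field that the commit message describes; if the env var is still required on the Central side, a one-line comment saying so would stop the next reader from removing it as a leftover.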
@@ -27,37 +27,35 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" -# shellcheck source=/dev/null -source "${STACKROX_DIR}"/deploy/common/deploy.sh - if kubectl -n stackrox get deploy/central; then gh_log error "Central is already running. It means that you are trying to deploy ACS to a cluster where it is already deployed. This can happen if you try to create a long-running cluster for a release candicate when the such a cluster already exists. Try looking for another workflow that created the cluster." exit 1 fi -gh_log notice "Deploying central..." -"${STACKROX_DIR}"/deploy/k8s/central.sh - -gh_log notice "Forwarding central port..." -kubectl -n stackrox port-forward deploy/central 8000:8443 > /dev/null 2>&1 & -sleep 20 - -gh_log notice "Deploying sensor..." -"${STACKROX_DIR}"/deploy/k8s/sensor.sh - -gh_log notice "Patching sensor deployment..." -kubectl -n stackrox patch deploy/sensor --patch-file="${SCRIPT_DIR}/patch-sensor.json" +gh_log notice "Deploying ACS with roxie..." +roxie_envrc="$(mktemp)" +roxie deploy \ + --tag "$MAIN_IMAGE_TAG" \ + --config "${SCRIPT_DIR}/roxie-config.yaml" \ + --envrc "$roxie_envrc" -gh_log notice "Patching central deployment..." -kubectl -n stackrox patch deploy/central --patch-file="${SCRIPT_DIR}/patch-central.json" - -CENTRAL_IP=$(kubectl -n stackrox get svc/central-loadbalancer -o json | jq -r '.status.loadBalancer.ingress[0] | .ip // .hostname') +# shellcheck source=/dev/null +source "$roxie_envrc" +CENTRAL_IP="${API_ENDPOINT%:*}" gh_log notice "CENTRAL_IP=$CENTRAL_IP" -API_ENDPOINT="${CENTRAL_IP}:443" -wait_for_central "${API_ENDPOINT}" - -ROX_ADMIN_PASSWORD=$(cat "${STACKROX_DIR}"/deploy/k8s/central-deploy/password) +if [[ "${MONITORING_SUPPORT:-}" == "true" ]]; then + gh_log notice "Deploying monitoring stack..." 
+ monitoring_values="$(mktemp)" + envsubst < "${STACKROX_DIR}/deploy/charts/monitoring/values.yaml" > "$monitoring_values" + helm dependency update "${STACKROX_DIR}/deploy/charts/monitoring" + helm upgrade -n stackrox --install stackrox-monitoring \ + "${STACKROX_DIR}/deploy/charts/monitoring" \ + --values "$monitoring_values" \ + --set persistence.type=pvc \ + --set exposure.type=none + rm -f "$monitoring_values" +fi # Don't mask the password: masked values are not passed to the runner. gh_output rox-password "$ROX_ADMIN_PASSWORD" From 03a3607088230672e5fc9f4197192d6d4980b0bb Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Tue, 30 Jun 2026 13:43:44 +0200 Subject: [PATCH 02/21] Add temporary test workflow for roxie start-acs Dispatch wrapper for testing the create-demo-clusters reusable workflow from this branch. Remove after validation. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/test-roxie-start-acs.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) create mode 100644 .github/workflows/test-roxie-start-acs.yml diff --git a/.github/workflows/test-roxie-start-acs.yml b/.github/workflows/test-roxie-start-acs.yml new file mode 100644 index 00000000..ccdd2943 --- /dev/null +++ b/.github/workflows/test-roxie-start-acs.yml @@ -0,0 +1,21 @@ +name: "TEST: roxie start-acs" +on: + workflow_dispatch: + inputs: + version: + description: ACS image version tag (e.g. 4.11.0) + required: true + type: string + +jobs: + clusters: + uses: ./.github/workflows/create-demo-clusters.yml + secrets: inherit + with: + version: ${{ inputs.version }} + create-long-cluster: true + workflow-ref: ${{ github.ref_name }} + kube-burner-config-ref: ${{ inputs.version }} + kube-burner-config-repo: stackrox + cluster-with-fake-load-name: test-roxie-fl + cluster-with-real-load-name: test-roxie-rl From 1ba316dd13eef8eae50a2b5e007248cd6bd45303 Mon Sep 17 00:00:00 2001 
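Review bot: `roxie_envrc` is created with mktemp, sourced, and never removed, whereas the `monitoring_values` temp file is cleaned up; since the script reads `ROX_ADMIN_PASSWORD` after sourcing it, the envrc presumably carries the Central admin credential and should not be left on the runner, so add `trap 'rm -f "$roxie_envrc"' EXIT` right after `roxie_envrc="$(mktemp)"`. The bare `envsubst` on the monitoring values file substitutes every `$VAR` it finds with whatever is in the runner environment, and an unset one silently becomes empty despite `set -u`; restrict it to the variables the chart actually needs, e.g. `envsubst '${PAGERDUTY_INTEGRATION_KEY}' < "${STACKROX_DIR}/deploy/charts/monitoring/values.yaml"`. `CENTRAL_IP="${API_ENDPOINT%:*}"` assumes a `host:port` endpoint and would mis-split a bracketed IPv6 literal; if roxie only ever writes `host:port` a comment stating that assumption is enough. The script's head (including where `gh_log` and `MAIN_IMAGE_TAG` come from) starts outside the hunk.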
From: Marcin Owsiany Date: Tue, 30 Jun 2026 13:50:27 +0200 Subject: [PATCH 03/21] Add workflow_dispatch trigger for testing Add workflow_dispatch to create-demo-clusters.yml so it can be dispatched directly from feature branches. Remove standalone test workflow. All inputs fall back to sensible defaults for dispatch. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 48 +++++++++++++++++----- .github/workflows/test-roxie-start-acs.yml | 21 ---------- 2 files changed, 38 insertions(+), 31 deletions(-) delete mode 100644 .github/workflows/test-roxie-start-acs.yml diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 7fc64188..8daaf3db 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -1,5 +1,33 @@ name: Create demo clusters for version on: + workflow_dispatch: + inputs: + version: + description: Version of the images + required: true + type: string + create-long-cluster: + description: Create a long-running cluster + default: true + type: boolean + cluster-with-fake-load-name: + description: Fake-load cluster name + default: test-roxie-fl + type: string + cluster-with-real-load-name: + description: Real-load cluster name + default: test-roxie-rl + type: string + workflow-ref: + description: Ref for actions checkout (defaults to current branch) + type: string + kube-burner-config-ref: + description: Ref for kube-burner config (defaults to version) + type: string + kube-burner-config-repo: + description: Repo with kube-burner config + default: stackrox + type: string workflow_call: inputs: version: @@ -72,7 +100,7 @@ jobs: - name: Parse refs (extract SHA from git-describe format) env: INPUT_VERSION: ${{ inputs.version }} - INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref }} + INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref || inputs.version }} id: parse run: | set -euo pipefail 
@@ -116,7 +144,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - name: Wait for the ${{matrix.image}} image uses: ./.actions/release/wait-for-image with: @@ -137,7 +165,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -199,7 +227,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -264,7 +292,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -289,7 +317,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -330,7 +358,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -423,7 +451,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" 
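Review bot: The fallback `ref: ${{ inputs.workflow-ref || github.ref_name }}` is applied to a checkout of `stackrox/actions`, but in the workflow_call path `github.ref_name` is the calling repository's ref, so an empty `workflow-ref` from a caller would either fail the checkout or silently check out an unrelated stackrox/actions branch that happens to share the name. Whether `workflow-ref` is required for workflow_call is outside this hunk; if it is not, either make it required there or gate the fallback on the event, e.g. `ref: ${{ inputs.workflow-ref || (github.event_name == 'workflow_dispatch' && github.ref_name) }}`, so a missing caller value fails loudly instead of resolving to a foreign ref. The same line is repeated in every checkout hunk of this commit (`@@ -137`, `@@ -199`, `@@ -264`, `@@ -289`, `@@ -330`, `@@ -423`, `@@ -484`, `@@ -532`) and re-applied verbatim by PATCH 10/21 after PATCH 09/21 reverts it; the revert/re-revert pair adds nothing to the series and could be squashed before merge.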
@@ -484,7 +512,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -532,7 +560,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" diff --git a/.github/workflows/test-roxie-start-acs.yml b/.github/workflows/test-roxie-start-acs.yml deleted file mode 100644 index ccdd2943..00000000 --- a/.github/workflows/test-roxie-start-acs.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: "TEST: roxie start-acs" -on: - workflow_dispatch: - inputs: - version: - description: ACS image version tag (e.g. 4.11.0) - required: true - type: string - -jobs: - clusters: - uses: ./.github/workflows/create-demo-clusters.yml - secrets: inherit - with: - version: ${{ inputs.version }} - create-long-cluster: true - workflow-ref: ${{ github.ref_name }} - kube-burner-config-ref: ${{ inputs.version }} - kube-burner-config-repo: stackrox - cluster-with-fake-load-name: test-roxie-fl - cluster-with-real-load-name: test-roxie-rl From 406da5eea7b0f5ae42cba4e32df7a17f88fbc93b Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Tue, 30 Jun 2026 13:54:16 +0200 Subject: [PATCH 04/21] Skip properties and wait-for-images on workflow_dispatch These jobs require the calling repo's context (properties file, Quay bearer token). Skip them for direct dispatch testing. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 8daaf3db..767bcbdb 100644 --- a/.github/workflows/create-demo-clusters.yml 
+++ b/.github/workflows/create-demo-clusters.yml @@ -79,6 +79,7 @@ env: jobs: properties: + if: github.event_name != 'workflow_dispatch' runs-on: ubuntu-latest outputs: slack-channel: ${{ fromJSON(format('["{0}","{1}"]', steps.fetch.outputs.dry-slack-channel, steps.fetch.outputs.slack-channel))[inputs.dry-run != true] }} @@ -131,10 +132,12 @@ jobs: wait-for-images: name: Wait for images on Quay.io runs-on: ubuntu-latest - if: >- # Skip if no clusters are going to be created. + if: >- + github.event_name != 'workflow_dispatch' && ( inputs.create-k8s-cluster != false || inputs.create-os4-cluster != false || inputs.create-long-cluster != false + ) strategy: matrix: image: [main, scanner, scanner-db, scanner-v4, scanner-v4-db, collector] From 23e5bdf79efe346f54f93cbed9ff583d6f105a86 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Tue, 30 Jun 2026 13:56:41 +0200 Subject: [PATCH 05/21] Allow jobs to proceed when wait-for-images/properties are skipped Add !cancelled() && !failure() conditions so downstream jobs run when their dependencies are skipped (dispatch path) but still block when they actually fail (workflow_call path). Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 767bcbdb..de6c15b3 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -160,7 +160,7 @@ jobs: create-k8s-cluster: name: Create k8s cluster needs: [wait-for-images] - if: inputs.dry-run != true && inputs.create-k8s-cluster != false + if: "!cancelled() && !failure() && inputs.dry-run != true && inputs.create-k8s-cluster != false" runs-on: ubuntu-latest steps: - name: Checkout local action 
@@ -286,6 +286,7 @@ jobs: name: Create GKE long-running cluster for fake load needs: [wait-for-images] if: >- + !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -311,6 +312,7 @@ jobs: name: Create GKE long-running cluster for real load needs: [wait-for-images] if: >- + !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -334,6 +336,7 @@ jobs: start-acs: name: Start ACS needs: [properties, parse-refs, create-long-running-cluster-for-fake-load] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest outputs: rox-password: ${{ steps.launch-central.outputs.rox-password }} @@ -430,6 +433,7 @@ jobs: start-secured-cluster: name: Start secured cluster needs: [properties, parse-refs, start-acs, create-long-running-cluster-for-real-load] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: SECURED_CLUSTER_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -487,6 +491,7 @@ jobs: start-kube-burner-for-secured-cluster: name: Start kube-burner for the secured cluster needs: [properties, parse-refs, start-secured-cluster] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -541,6 +546,7 @@ jobs: start-kube-burner-for-central: name: Start kube-burner for Central needs: [properties, parse-refs, start-acs] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-fake-load-name }} From cd90b1ff127551187420b73076e5e8821c633387 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Tue, 30 Jun 2026 15:01:46 +0200 Subject: [PATCH 06/21] Install roxctl if not in PATH before roxie deploy Roxie requires roxctl. Download it from the RHACS mirror matching the deployed version. Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/start-acs.sh | 8 ++++++++ 1 file changed, 8 insertions(+) 
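Review bot: `if: "!cancelled() && !failure()"` on `start-acs` makes the job run when `create-long-running-cluster-for-fake-load` was skipped (the `create-long-cluster != true` or `dry-run` case), whereas without the `if` a skipped dependency skipped this job too; the intent stated in the commit message is to tolerate skipped `properties`/`wait-for-images`, not a skipped cluster creation. Check the specific dependency instead, e.g. `if: "!cancelled() && !failure() && needs.create-long-running-cluster-for-fake-load.result == 'success'"`, and likewise for `start-secured-cluster` (`@@ -433`) and the two kube-burner jobs (`@@ -491`, `@@ -546`), whose needs include `start-acs` and the real-load cluster. Note also that when `properties` is skipped on dispatch its outputs are empty strings, so any step in these jobs that reads `needs.properties.outputs.*` (outside this hunk) will receive empty values rather than being skipped. These hunks are re-applied by PATCH 10/21.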
diff --git a/release/start-acs/start-acs.sh b/release/start-acs/start-acs.sh index 39baa2e3..fd73c25c 100755 --- a/release/start-acs/start-acs.sh +++ b/release/start-acs/start-acs.sh @@ -27,6 +27,14 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +if ! command -v roxctl &>/dev/null; then + gh_log notice "Installing roxctl ${MAIN_IMAGE_TAG}..." + curl -fsSL --retry 5 --retry-all-errors \ + -o ~/.local/bin/roxctl \ + "https://mirror.openshift.com/pub/rhacs/assets/${MAIN_IMAGE_TAG}/bin/linux/roxctl" + chmod +x ~/.local/bin/roxctl +fi + if kubectl -n stackrox get deploy/central; then gh_log error "Central is already running. It means that you are trying to deploy ACS to a cluster where it is already deployed. This can happen if you try to create a long-running cluster for a release candicate when the such a cluster already exists. Try looking for another workflow that created the cluster." exit 1 From 616261ea778865c9f209acc131d8c7799ac3474a Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Tue, 30 Jun 2026 15:39:08 +0200 Subject: [PATCH 07/21] Add --early-readiness flag to roxie deploy Return sooner without waiting for full scanner initialization. Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/start-acs.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/release/start-acs/start-acs.sh b/release/start-acs/start-acs.sh index fd73c25c..b8f47d4b 100755 --- a/release/start-acs/start-acs.sh +++ b/release/start-acs/start-acs.sh @@ -45,7 +45,8 @@ roxie_envrc="$(mktemp)" roxie deploy \ --tag "$MAIN_IMAGE_TAG" \ --config "${SCRIPT_DIR}/roxie-config.yaml" \ - --envrc "$roxie_envrc" + --envrc "$roxie_envrc" \ + --early-readiness # shellcheck source=/dev/null source "$roxie_envrc" From b9787b6c0cd0945673c478a98fc32da2a7c2f827 Mon Sep 17 00:00:00 2001 
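Review bot: The `curl -o ~/.local/bin/roxctl` in the new install block fails if `~/.local/bin` does not exist yet, since curl does not create parent directories; add `mkdir -p ~/.local/bin` before the download. The binary is written and made executable with no integrity check, so a tampered or truncated download from the mirror is executed with the runner's cluster credentials; verify it against a checksum or signature published for the same `${MAIN_IMAGE_TAG}` before `chmod +x`, and fail the step on mismatch. `MAIN_IMAGE_TAG` is interpolated straight into the URL path, which is acceptable only because it comes from the action's own input; a comment stating that expectation (`# MAIN_IMAGE_TAG is a release tag, not user-controlled`) would help. Whether `~/.local/bin` is on the PATH that roxie uses to locate roxctl cannot be confirmed from the hunk; the script's head is outside it.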
From: Marcin Owsiany Date: Tue, 30 Jun 2026 16:05:54 +0200 Subject: [PATCH 08/21] Use premium-rwo storage class instead of faster The faster storage class doesn't exist on GKE clusters. premium-rwo is the GKE equivalent (SSD-backed). Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/roxie-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml index 401bd958..d3121b96 100644 --- a/release/start-acs/roxie-config.yaml +++ b/release/start-acs/roxie-config.yaml @@ -15,7 +15,7 @@ central: db: persistence: persistentVolumeClaim: - storageClassName: faster + storageClassName: premium-rwo size: "100Gi" customize: envVars: From c0a7274297453ddca6fadf764232208b3e9a6c0c Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 06:41:48 +0200 Subject: [PATCH 09/21] Revert test-only workflow changes, keep only roxie install step Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 61 +++++----------------- 1 file changed, 12 insertions(+), 49 deletions(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index de6c15b3..7fc64188 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml 
@@ -1,33 +1,5 @@ name: Create demo clusters for version on: - workflow_dispatch: - inputs: - version: - description: Version of the images - required: true - type: string - create-long-cluster: - description: Create a long-running cluster - default: true - type: boolean - cluster-with-fake-load-name: - description: Fake-load cluster name - default: test-roxie-fl - type: string - cluster-with-real-load-name: - description: Real-load cluster name - default: test-roxie-rl - type: string - workflow-ref: - description: Ref for actions checkout (defaults to current branch) - type: string - kube-burner-config-ref: - description: Ref for kube-burner config (defaults to version) - type: string - kube-burner-config-repo: - description: Repo with kube-burner config - default: stackrox - type: string workflow_call: inputs: version: @@ -79,7 +51,6 @@ env: jobs: properties: - if: github.event_name != 'workflow_dispatch' runs-on: ubuntu-latest outputs: slack-channel: ${{ fromJSON(format('["{0}","{1}"]', steps.fetch.outputs.dry-slack-channel, steps.fetch.outputs.slack-channel))[inputs.dry-run != true] }} @@ -101,7 +72,7 @@ jobs: - name: Parse refs (extract SHA from git-describe format) env: INPUT_VERSION: ${{ inputs.version }} - INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref || inputs.version }} + INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref }} id: parse run: | set -euo pipefail @@ -132,12 +103,10 @@ jobs: wait-for-images: name: Wait for images on Quay.io runs-on: ubuntu-latest - if: >- - github.event_name != 'workflow_dispatch' && ( + if: >- # Skip if no clusters are going to be created. inputs.create-k8s-cluster != false || inputs.create-os4-cluster != false || inputs.create-long-cluster != false - ) strategy: matrix: image: [main, scanner, scanner-db, scanner-v4, scanner-v4-db, collector] 
@@ -147,7 +116,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - name: Wait for the ${{matrix.image}} image uses: ./.actions/release/wait-for-image with: @@ -160,7 +129,7 @@ jobs: create-k8s-cluster: name: Create k8s cluster needs: [wait-for-images] - if: "!cancelled() && !failure() && inputs.dry-run != true && inputs.create-k8s-cluster != false" + if: inputs.dry-run != true && inputs.create-k8s-cluster != false runs-on: ubuntu-latest steps: - name: Checkout local action @@ -168,7 +137,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -230,7 +199,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -286,7 +255,6 @@ jobs: name: Create GKE long-running cluster for fake load needs: [wait-for-images] if: >- - !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -296,7 +264,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -312,7 +280,6 @@ jobs: name: Create GKE long-running cluster for real load needs: [wait-for-images] if: >- - !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -322,7 +289,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} 
@@ -336,7 +303,6 @@ jobs: start-acs: name: Start ACS needs: [properties, parse-refs, create-long-running-cluster-for-fake-load] - if: "!cancelled() && !failure()" runs-on: ubuntu-latest outputs: rox-password: ${{ steps.launch-central.outputs.rox-password }} @@ -364,7 +330,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -433,7 +399,6 @@ jobs: start-secured-cluster: name: Start secured cluster needs: [properties, parse-refs, start-acs, create-long-running-cluster-for-real-load] - if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: SECURED_CLUSTER_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -458,7 +423,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -491,7 +456,6 @@ jobs: start-kube-burner-for-secured-cluster: name: Start kube-burner for the secured cluster needs: [properties, parse-refs, start-secured-cluster] - if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -520,7 +484,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -546,7 +510,6 @@ jobs: start-kube-burner-for-central: name: Start kube-burner for Central needs: [properties, parse-refs, start-acs] - if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-fake-load-name }} 
@@ -569,7 +532,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref || github.ref_name }} + ref: ${{ inputs.workflow-ref }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" From 5becf58b470144b12e03c10b73d815d1f1336f51 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 07:50:41 +0200 Subject: [PATCH 10/21] Revert "Revert test-only workflow changes, keep only roxie install step" This reverts commit 296804f70440e4084962d1238d7f10a56bd13925. --- .github/workflows/create-demo-clusters.yml | 61 +++++++++++++++++----- 1 file changed, 49 insertions(+), 12 deletions(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 7fc64188..de6c15b3 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -1,5 +1,33 @@ name: Create demo clusters for version on: + workflow_dispatch: + inputs: + version: + description: Version of the images + required: true + type: string + create-long-cluster: + description: Create a long-running cluster + default: true + type: boolean + cluster-with-fake-load-name: + description: Fake-load cluster name + default: test-roxie-fl + type: string + cluster-with-real-load-name: + description: Real-load cluster name + default: test-roxie-rl + type: string + workflow-ref: + description: Ref for actions checkout (defaults to current branch) + type: string + kube-burner-config-ref: + description: Ref for kube-burner config (defaults to version) + type: string + kube-burner-config-repo: + description: Repo with kube-burner config + default: stackrox + type: string workflow_call: inputs: version: 
@@ -51,6 +79,7 @@ env: jobs: properties: + if: github.event_name != 'workflow_dispatch' runs-on: ubuntu-latest outputs: slack-channel: ${{ fromJSON(format('["{0}","{1}"]', steps.fetch.outputs.dry-slack-channel, steps.fetch.outputs.slack-channel))[inputs.dry-run != true] }} @@ -72,7 +101,7 @@ jobs: - name: Parse refs (extract SHA from git-describe format) env: INPUT_VERSION: ${{ inputs.version }} - INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref }} + INPUT_KUBE_BURNER_VERSION: ${{ inputs.kube-burner-config-ref || inputs.version }} id: parse run: | set -euo pipefail @@ -103,10 +132,12 @@ jobs: wait-for-images: name: Wait for images on Quay.io runs-on: ubuntu-latest - if: >- # Skip if no clusters are going to be created. + if: >- + github.event_name != 'workflow_dispatch' && ( inputs.create-k8s-cluster != false || inputs.create-os4-cluster != false || inputs.create-long-cluster != false + ) strategy: matrix: image: [main, scanner, scanner-db, scanner-v4, scanner-v4-db, collector] @@ -116,7 +147,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - name: Wait for the ${{matrix.image}} image uses: ./.actions/release/wait-for-image with: @@ -129,7 +160,7 @@ jobs: create-k8s-cluster: name: Create k8s cluster needs: [wait-for-images] - if: inputs.dry-run != true && inputs.create-k8s-cluster != false + if: "!cancelled() && !failure() && inputs.dry-run != true && inputs.create-k8s-cluster != false" runs-on: ubuntu-latest steps: - name: Checkout local action @@ -137,7 +168,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} 
@@ -199,7 +230,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -255,6 +286,7 @@ jobs: name: Create GKE long-running cluster for fake load needs: [wait-for-images] if: >- + !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -264,7 +296,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -280,6 +312,7 @@ jobs: name: Create GKE long-running cluster for real load needs: [wait-for-images] if: >- + !cancelled() && !failure() && inputs.dry-run != true && inputs.create-long-cluster == true runs-on: ubuntu-latest @@ -289,7 +322,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: ./.actions/infra/create-cluster with: token: ${{ secrets.INFRA_TOKEN }} @@ -303,6 +336,7 @@ jobs: start-acs: name: Start ACS needs: [properties, parse-refs, create-long-running-cluster-for-fake-load] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest outputs: rox-password: ${{ steps.launch-central.outputs.rox-password }} @@ -330,7 +364,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -399,6 +433,7 @@ jobs: start-secured-cluster: name: Start secured cluster needs: [properties, parse-refs, start-acs, create-long-running-cluster-for-real-load] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: SECURED_CLUSTER_NAME: ${{ inputs.cluster-with-real-load-name }} 
@@ -423,7 +458,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -456,6 +491,7 @@ jobs: start-kube-burner-for-secured-cluster: name: Start kube-burner for the secured cluster needs: [properties, parse-refs, start-secured-cluster] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-real-load-name }} @@ -484,7 +520,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" @@ -510,6 +546,7 @@ jobs: start-kube-burner-for-central: name: Start kube-burner for Central needs: [properties, parse-refs, start-acs] + if: "!cancelled() && !failure()" runs-on: ubuntu-latest env: INFRA_NAME: ${{ inputs.cluster-with-fake-load-name }} @@ -532,7 +569,7 @@ jobs: with: repository: stackrox/actions path: .actions - ref: ${{ inputs.workflow-ref }} + ref: ${{ inputs.workflow-ref || github.ref_name }} - uses: "google-github-actions/auth@v2" with: credentials_json: "${{ secrets.GCP_RELEASE_AUTOMATION_SA }}" From 52a3ffa33b64a03790e330236192af4c29cf1ca6 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 07:51:12 +0200 Subject: [PATCH 11/21] Restore test scaffolding, add roxie install for start-secured-cluster Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index de6c15b3..5e4505e8 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml 
@@ -476,6 +476,7 @@ jobs: registry: quay.io username: ${{ secrets.QUAY_RHACS_ENG_RO_USERNAME }} password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} + - uses: ./.actions/roxie/install-cli - name: Launch secured cluster id: launch-secured-cluster uses: ./.actions/release/start-secured-cluster From 465185bdae4a64b080805e5af27c9831a0141150 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 08:30:02 +0200 Subject: [PATCH 12/21] Replace deploy scripts with roxie in start-secured-cluster Replace sensor.sh/pull-secrets/kubectl-patches with roxie deploy secured-cluster. FACT container env vars use CRD overlays instead of kubectl set env (which the operator would reconcile away). Collector externalIps ConfigMap kept as-is (operator doesn't manage it). Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-secured-cluster/action.yml | 22 +--- .../start-secured-cluster/roxie-config.yaml | 27 +++++ .../start-secured-cluster.sh | 102 ++++++++---------- 3 files changed, 78 insertions(+), 73 deletions(-) create mode 100644 release/start-secured-cluster/roxie-config.yaml diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index 5ef433dd..5b3e83bf 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml 
@@ -42,29 +42,17 @@ runs: - id: launch-secured-cluster env: - ROX_PRODUCT_BRANDING: RHACS_BRANDING - MAIN_IMAGE_TAG: ${{inputs.main-image-tag}} # Release version, e.g. 3.63.0-rc.2. + MAIN_IMAGE_TAG: ${{ inputs.main-image-tag }} REGISTRY_USERNAME: ${{ inputs.registry-username }} REGISTRY_PASSWORD: ${{ inputs.registry-password }} - ROX_ADMIN_PASSWORD: ${{ inputs.rox-admin-password }} + ROX_ADMIN_PASSWORD: ${{ inputs.rox-admin-password }} ROX_ADMIN_USERNAME: admin + CENTRAL_IP: ${{ inputs.central-ip }} + CLUSTER_API_ENDPOINT: https://${{ inputs.central-ip }}:443 + MONITORING_SUPPORT: "true" PAGERDUTY_INTEGRATION_KEY: ${{ inputs.pagerduty-integration-key }} - CENTRAL_IP: ${{ inputs.central-ip }} - CLUSTER_API_ENDPOINT: https://${{ inputs.central-ip }}:443 - API_ENDPOINT: ${{ inputs.central-ip }}:443 - CLUSTER: secured-cluster - MONITORING_SUPPORT: "true" - STORAGE: pvc - MONITORING_LOAD_BALANCER: none KUBECONFIG: ${{ inputs.kubeconfig }} STACKROX_DIR: ${{ github.workspace }} - COMMON_DIR: ${{ github.workspace }}/deploy/common - SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" - SFA_AGENT: "true" - SENSOR_HELM_DEPLOY: "true" - ROX_DEPLOY_SENSOR_WITH_CRS: "false" - ROX_NETFLOW_BATCHING: "true" - ROX_NETFLOW_CACHE_LIMITING: "true" run: | set -uo pipefail "${GITHUB_ACTION_PATH}/../../common/common.sh" \ diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml new file mode 100644 index 00000000..8cd7f053 --- /dev/null +++ b/release/start-secured-cluster/roxie-config.yaml 
@@ -0,0 +1,27 @@ +securedCluster: + namespace: stackrox + spec: + processBaselines: + autoLock: Enabled + perNode: + fileActivityMonitoring: + mode: Enabled + customize: + envVars: + - name: ROX_NETFLOW_BATCHING + value: "true" + - name: ROX_NETFLOW_CACHE_LIMITING + value: "true" + overlays: + - apiVersion: apps/v1 + kind: DaemonSet + name: collector + patches: + - path: spec.template.spec.containers[name:fact].env[-1] + value: | + name: FACT_PATHS + value: "/tmp/data/**/*" + - path: spec.template.spec.containers[name:fact].env[-1] + value: | + name: FACT_LOGLEVEL + value: "info" diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index 9fa467ae..7f304bc2 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh 
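Review bot: The `overlays:` block carries its reason only in the commit message: the FACT env vars are applied as a CRD overlay because a plain `kubectl set env` on the collector DaemonSet would be reconciled away by the operator, but nothing in the file says so. A comment above `overlays:` such as `# FACT env vars go through a CRD overlay: the operator reverts direct kubectl changes to the collector DaemonSet.` keeps that from being rediscovered the next time someone tries to simplify it. The two `env[-1]` patches presumably rely on being applied in order; a short note to that effect next to the first `- path:` would make the dependency explicit. A leading `---` document marker is also conventional for a standalone YAML file.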
@@ -5,75 +5,65 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" # Extract version from MAIN_IMAGE_TAG (e.g., "4.11.0-rc.2" -> "4.11") version_major_minor=$(echo "${MAIN_IMAGE_TAG}" | sed -E 's/^([0-9]+\.[0-9]+).*/\1/') - -# Parse major and minor version numbers version_major=$(echo "${version_major_minor}" | cut -d. -f1) version_minor=$(echo "${version_major_minor}" | cut -d. -f2) -# Determine if version is 4.11 or later (compare as integers, not floats) is_4_11_plus=false if [[ "$version_major" -gt 4 ]] || [[ "$version_major" -eq 4 && "$version_minor" -ge 11 ]]; then - echo "Using ACS 4.11+ secured cluster setup (version: ${version_major_minor})" + gh_log notice "Using ACS 4.11+ secured cluster setup (version: ${version_major_minor})" is_4_11_plus=true else - echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" + gh_log notice "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" fi -# Create namespace and image pull secrets BEFORE running sensor.sh -kubectl create namespace stackrox || true - -kubectl -n stackrox create secret docker-registry stackrox \ - --docker-server=quay.io \ - --docker-username="${REGISTRY_USERNAME}" \ - --docker-password="${REGISTRY_PASSWORD}" || true - -kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ - --docker-server=quay.io \ - --docker-username="${REGISTRY_USERNAME}" \ - --docker-password="${REGISTRY_PASSWORD}" || true - -kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ - --docker-server=quay.io \ - --docker-username="${REGISTRY_USERNAME}" \ - --docker-password="${REGISTRY_PASSWORD}" || true +if ! command -v roxctl &>/dev/null; then + gh_log notice "Installing roxctl ${MAIN_IMAGE_TAG}..." 
+ curl -fsSL --retry 5 --retry-all-errors \ + -o ~/.local/bin/roxctl \ + "https://mirror.openshift.com/pub/rhacs/assets/${MAIN_IMAGE_TAG}/bin/linux/roxctl" + chmod +x ~/.local/bin/roxctl +fi -"${STACKROX_DIR}/deploy/k8s/sensor.sh" +gh_log notice "Deploying secured cluster with roxie..." +ROX_ADMIN_PASSWORD="${ROX_ADMIN_PASSWORD}" \ +roxie deploy secured-cluster \ + --tag "$MAIN_IMAGE_TAG" \ + --config "${SCRIPT_DIR}/roxie-config.yaml" \ + --set "securedCluster.spec.centralEndpoint=${CENTRAL_IP}:443" \ + --early-readiness kubectl -n stackrox create secret generic access-rhacs \ - --from-literal="username=${ROX_ADMIN_USERNAME}" \ - --from-literal="password=${ROX_ADMIN_PASSWORD}" \ - --from-literal="central_url=${CLUSTER_API_ENDPOINT}" + --from-literal="username=${ROX_ADMIN_USERNAME}" \ + --from-literal="password=${ROX_ADMIN_PASSWORD}" \ + --from-literal="central_url=${CLUSTER_API_ENDPOINT}" -# Create the collector-config ConfigMap in order to enable external IPs kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" -# Patch the collector DaemonSet to configure fact container -kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" FACT_LOGLEVEL="info" -c fact - -echo "Deploying Monitoring..." 
-monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" - -# Build base helm arguments -helm_args=( - --set persistence.type="${STORAGE}" - --set exposure.type="${MONITORING_LOAD_BALANCER}" - --set resources.requests.memory="8Gi" - --set resources.limits.memory="8Gi" -) - -if [[ "$is_4_11_plus" == true ]]; then - # 4.11+: Add memory settings and metric relabel configs to helm args - helm_args+=( - --set-json 'cadvisorMetricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' - ) -fi - -helm dependency update "${COMMON_DIR}/../charts/monitoring" -envsubst < "$monitoring_values_file" > "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" -helm upgrade -n stackrox --install --create-namespace stackrox-monitoring "${COMMON_DIR}/../charts/monitoring" --values "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" "${helm_args[@]}" -rm "${COMMON_DIR}/../charts/monitoring/values_substituted.yaml" - -# Pre-4.11 only: Replace prometheus ConfigMap -if [[ "$is_4_11_plus" == false ]]; then - kubectl apply -f "${SCRIPT_DIR}"/prometheus.yaml +if [[ "${MONITORING_SUPPORT:-}" == "true" ]]; then + gh_log notice "Deploying monitoring stack..." 
+ monitoring_values="$(mktemp)" + monitoring_chart="${STACKROX_DIR}/deploy/charts/monitoring" + + helm_args=( + --set persistence.type=pvc + --set exposure.type=none + --set resources.requests.memory="8Gi" + --set resources.limits.memory="8Gi" + ) + + if [[ "$is_4_11_plus" == true ]]; then + helm_args+=( + --set-json 'cadvisorMetricRelabelConfigs=[{"source_labels":["container"],"regex":"berserker","action":"drop"},{"source_labels":["namespace"],"regex":"berserker-.*","action":"drop"}]' + ) + fi + + envsubst < "${monitoring_chart}/values.yaml" > "$monitoring_values" + helm dependency update "$monitoring_chart" + helm upgrade -n stackrox --install --create-namespace stackrox-monitoring \ + "$monitoring_chart" --values "$monitoring_values" "${helm_args[@]}" + rm -f "$monitoring_values" + + if [[ "$is_4_11_plus" == false ]]; then + kubectl apply -f "${SCRIPT_DIR}/prometheus.yaml" + fi fi From d5b4f6dfad924cc6237912da98269b868acb5db8 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 09:04:05 +0200 Subject: [PATCH 13/21] Skip Slack notifications when properties output is empty Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 5e4505e8..e2092e8b 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -190,6 +190,7 @@ jobs: echo "cluster-name=${NAME//./-}" >> "$GITHUB_OUTPUT" echo "url=https://${NAME//[.-]/}.demos.rox.systems/login" >> "$GITHUB_OUTPUT" - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 
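Review bot: The roxctl binary fetched by the `curl -fsSL ... -o ~/.local/bin/roxctl` lines is installed with no integrity check, so the secured-cluster deploy trusts whatever the mirror returns; pin a checksum next to the version (placeholder `ROXCTL_SHA256`) and verify it before the `chmod +x`, e.g. `echo "${ROXCTL_SHA256}  ~/.local/bin/roxctl" | sha256sum -c -`. The target directory is also assumed to exist; a `mkdir -p ~/.local/bin` before the download avoids an opaque curl failure on a fresh runner. Further down, the envsubst-rendered values file, which likely carries the PagerDuty key, is removed only after `helm upgrade` succeeds, so a failed deploy leaves it on disk; `trap 'rm -f "$monitoring_values"' EXIT` placed right after the `mktemp` covers both paths. The script's first four lines and the `set` options it runs under are outside the hunk.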
@@ -252,6 +253,7 @@ jobs: echo "cluster-name=${NAME//./-}" >> "$GITHUB_OUTPUT" echo "url=https://central-stackrox.apps.${NAME//./-}.ocp.infra.rox.systems/login" >> "$GITHUB_OUTPUT" - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 @@ -390,6 +392,7 @@ jobs: name: ${{ env.NAME }} - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 @@ -614,6 +617,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Post to Slack + if: needs.properties.outputs.slack-channel != '' env: SLACK_BOT_TOKEN: ${{ secrets.SLACK_BOT_TOKEN }} uses: slackapi/slack-github-action@v1.26.0 From 3dfcf7dc460af5688961780a0c7dcdf79c2bcf2a Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 11:09:33 +0200 Subject: [PATCH 14/21] Fix secured-cluster deploy: propagate CA cert and API_ENDPOINT Root cause: roxie uses API_ENDPOINT env var (not the CRD config's centralEndpoint) for roxctl CRS generation. Without it, roxctl gets an empty endpoint causing "missing port in address". Filed https://github.com/stackrox/roxie/issues/230 for the UX issue. Fixes: - Add CA cert as base64-encoded output from start-acs - Decode CA cert in start-secured-cluster and set ROX_CA_CERT_FILE - Set API_ENDPOINT env var for roxie's roxctl CRS generation - Add --verbose to all roxie deploy calls Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 2 ++ release/start-acs/action.yml | 3 +++ release/start-acs/start-acs.sh | 2 ++ release/start-secured-cluster/action.yml | 14 ++++++++++++++ .../start-secured-cluster/start-secured-cluster.sh | 1 + 5 files changed, 22 insertions(+) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index e2092e8b..ad63d4d9 100644 
--- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -343,6 +343,7 @@ jobs: outputs: rox-password: ${{ steps.launch-central.outputs.rox-password }} central-ip: ${{ steps.launch-central.outputs.central-ip }} + ca-cert: ${{ steps.launch-central.outputs.ca-cert }} env: NAME: ${{ inputs.cluster-with-fake-load-name }} KUBECONFIG: artifacts/kubeconfig @@ -491,6 +492,7 @@ jobs: registry-password: ${{ secrets.QUAY_RHACS_ENG_RO_PASSWORD }} rox-admin-password: ${{ needs.start-acs.outputs.rox-password }} central-ip: ${{ needs.start-acs.outputs.central-ip }} + ca-cert: ${{ needs.start-acs.outputs.ca-cert }} start-kube-burner-for-secured-cluster: name: Start kube-burner for the secured cluster diff --git a/release/start-acs/action.yml b/release/start-acs/action.yml index c2747e49..8290262d 100644 --- a/release/start-acs/action.yml +++ b/release/start-acs/action.yml @@ -64,3 +64,6 @@ outputs: central-ip: description: The ip address of central value: ${{steps.launch-central.outputs.central-ip}} + ca-cert: + description: Base64-encoded Central CA certificate + value: ${{steps.launch-central.outputs.ca-cert}} diff --git a/release/start-acs/start-acs.sh b/release/start-acs/start-acs.sh index b8f47d4b..0826255f 100755 --- a/release/start-acs/start-acs.sh +++ b/release/start-acs/start-acs.sh @@ -43,6 +43,7 @@ fi gh_log notice "Deploying ACS with roxie..." roxie_envrc="$(mktemp)" roxie deploy \ + --verbose \ --tag "$MAIN_IMAGE_TAG" \ --config "${SCRIPT_DIR}/roxie-config.yaml" \ --envrc "$roxie_envrc" \ @@ -69,6 +70,7 @@ fi # Don't mask the password: masked values are not passed to the runner. gh_output rox-password "$ROX_ADMIN_PASSWORD" gh_output central-ip "$CENTRAL_IP" +gh_output ca-cert "$(base64 -w0 < "$ROX_CA_CERT_FILE")" gh_log notice "Creating access-rhacs secret with the username and the password..." kubectl -n stackrox create secret generic access-rhacs \ 
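Review bot: `--verbose` is added to `roxie deploy` here and to the secured-cluster call in the next hunk, while the same process has `ROX_ADMIN_PASSWORD` in its environment and is handed an `--envrc` file that the script presumably sources afterwards. Whether verbose mode echoes the environment or the generated roxctl command lines is not visible from this diff; if it does, the admin password is written to the job log on top of the already unmasked `gh_output rox-password`. Check one verbose run's log before this lands, and consider making the flag opt-in from the environment, e.g. `${ROXIE_VERBOSE:+--verbose}` (constructed variable name), so the default path stays quiet. The new `gh_output ca-cert "$(base64 -w0 < "$ROX_CA_CERT_FILE")"` relies on `ROX_CA_CERT_FILE` having been set by the envrc; without `set -u` in this script an unset variable yields an empty output rather than a failure, and the rest of the script is outside the hunk.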
diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index 5b3e83bf..b468722a 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml @@ -29,6 +29,10 @@ inputs: description: The IP address for central required: true default: "" + ca-cert: + description: Base64-encoded Central CA certificate + required: true + default: "" runs: using: composite @@ -40,6 +44,14 @@ runs: username: ${{ inputs.registry-username }} password: ${{ inputs.registry-password }} + - name: Decode CA certificate + id: ca-cert + shell: bash + run: | + ca_cert_file="$(mktemp)" + echo "${{ inputs.ca-cert }}" | base64 -d > "$ca_cert_file" + echo "file=$ca_cert_file" >> "$GITHUB_OUTPUT" + - id: launch-secured-cluster env: MAIN_IMAGE_TAG: ${{ inputs.main-image-tag }} @@ -49,6 +61,8 @@ runs: ROX_ADMIN_USERNAME: admin CENTRAL_IP: ${{ inputs.central-ip }} CLUSTER_API_ENDPOINT: https://${{ inputs.central-ip }}:443 + API_ENDPOINT: ${{ inputs.central-ip }}:443 + ROX_CA_CERT_FILE: ${{ steps.ca-cert.outputs.file }} MONITORING_SUPPORT: "true" PAGERDUTY_INTEGRATION_KEY: ${{ inputs.pagerduty-integration-key }} KUBECONFIG: ${{ inputs.kubeconfig }} diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index 7f304bc2..1379bf07 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh @@ -27,6 +27,7 @@ fi gh_log notice "Deploying secured cluster with roxie..." ROX_ADMIN_PASSWORD="${ROX_ADMIN_PASSWORD}" \ roxie deploy secured-cluster \ + --verbose \ --tag "$MAIN_IMAGE_TAG" \ --config "${SCRIPT_DIR}/roxie-config.yaml" \ --set "securedCluster.spec.centralEndpoint=${CENTRAL_IP}:443" \ From eb10e35b0b1f034312d7733ed7007567b3a0fd0d Mon Sep 17 00:00:00 2001 
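Review bot: The new `Decode CA certificate` step interpolates `${{ inputs.ca-cert }}` straight into the `run:` script; the value is a job output here, but expression-in-script is the GitHub Actions injection pattern and the conventional fix is to pass it through `env:` and read the shell variable. The same step also has no guard for an empty value, which the `ca-cert` input explicitly allows (`required: true` together with `default: ""` is contradictory and composite actions do not enforce `required`), so an unset cert silently becomes an empty `ROX_CA_CERT_FILE`. Rewritten step below; the surrounding `runs:` steps are unchanged.
```yaml
- name: Decode CA certificate
  id: ca-cert
  shell: bash
  env:
    CA_CERT_B64: ${{ inputs.ca-cert }}
  run: |
    [[ -n "$CA_CERT_B64" ]] || { echo "::error::ca-cert input is empty"; exit 1; }
    ca_cert_file="$(mktemp)"
    printf '%s' "$CA_CERT_B64" | base64 -d > "$ca_cert_file"
    echo "file=$ca_cert_file" >> "$GITHUB_OUTPUT"
# … unchanged: launch-secured-cluster step …
```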
From: Marcin Owsiany Date: Wed, 1 Jul 2026 12:49:32 +0200 Subject: [PATCH 15/21] Use small resource profile for both central and secured cluster Roxie auto-detects GKE infra clusters and applies medium resources, which combined with kube-burner workloads exceeds the 5-node e2-standard-8 cluster capacity. Use small profile to fit. Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/roxie-config.yaml | 9 ++------- release/start-secured-cluster/roxie-config.yaml | 1 + 2 files changed, 3 insertions(+), 7 deletions(-) diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml index d3121b96..0f93ca7d 100644 --- a/release/start-acs/roxie-config.yaml +++ b/release/start-acs/roxie-config.yaml @@ -1,17 +1,11 @@ central: namespace: stackrox + resourceProfile: small spec: central: exposure: loadBalancer: enabled: true - resources: - requests: - memory: "3Gi" - cpu: "2" - limits: - memory: "12Gi" - cpu: "4" db: persistence: persistentVolumeClaim: @@ -35,6 +29,7 @@ central: scannerComponent: Enabled securedCluster: namespace: stackrox + resourceProfile: small spec: processBaselines: autoLock: Enabled diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml index 8cd7f053..ab0b6199 100644 --- a/release/start-secured-cluster/roxie-config.yaml +++ b/release/start-secured-cluster/roxie-config.yaml @@ -1,5 +1,6 @@ securedCluster: namespace: stackrox + resourceProfile: small spec: processBaselines: autoLock: Enabled From 7c8ad6a9e88c7b5890b231ac64d4657eaaee1551 Mon Sep 17 00:00:00 2001 
From: Marcin Owsiany Date: Wed, 1 Jul 2026 16:24:07 +0200 Subject: [PATCH 16/21] Use acs-defaults profile with custom resource overrides MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove resourceProfile: small (let operator use built-in defaults) - Add explicit central resources matching old patch-central.json (2 CPU / 3Gi requests, 4 CPU / 12Gi limits) - Add explicit sensor resources matching old patch-sensor.json - Enable scanner v2 (scannerComponent: Enabled) on both configs — small profile was disabling it Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/roxie-config.yaml | 11 +++++++++-- release/start-secured-cluster/roxie-config.yaml | 11 ++++++++++- 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml index 0f93ca7d..01fde8db 100644 --- a/release/start-acs/roxie-config.yaml +++ b/release/start-acs/roxie-config.yaml @@ -1,16 +1,24 @@ central: namespace: stackrox - resourceProfile: small spec: central: exposure: loadBalancer: enabled: true + resources: + requests: + memory: "3Gi" + cpu: "2" + limits: + memory: "12Gi" + cpu: "4" db: persistence: persistentVolumeClaim: storageClassName: premium-rwo size: "100Gi" + scanner: + scannerComponent: Enabled customize: envVars: - name: MUTEX_WATCHDOG_TIMEOUT_SECS @@ -29,7 +37,6 @@ central: scannerComponent: Enabled securedCluster: namespace: stackrox - resourceProfile: small spec: processBaselines: autoLock: Enabled diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml index ab0b6199..b9ddefbc 100644 --- a/release/start-secured-cluster/roxie-config.yaml +++ b/release/start-secured-cluster/roxie-config.yaml 
@@ -1,7 +1,16 @@ securedCluster: namespace: stackrox - resourceProfile: small spec: + sensor: + resources: + requests: + memory: "3Gi" + cpu: "2" + limits: + memory: "12Gi" + cpu: "4" + scanner: + scannerComponent: Enabled processBaselines: autoLock: Enabled perNode: From 463af6558fadee6b89c0336be4aa982e339e2a4a Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Wed, 1 Jul 2026 21:58:30 +0200 Subject: [PATCH 17/21] Match legacy HPA scaling and enable scanner v2 Legacy roxctl-generate produces min=1/max=1 HPAs for scanner-v4 components (effectively no autoscaling) and min=1/max=5 for scanner. The operator defaults are min=2/max=5, causing extra replicas that exhaust cluster CPU. Set scaling to match legacy observations. Enable scanner v2 (scannerComponent: Enabled) which was missing. Keep central/sensor resource overrides matching the old patch JSON files. Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/roxie-config.yaml | 28 +++++++++++++++++++ .../start-secured-cluster/roxie-config.yaml | 16 +++++++++++ 2 files changed, 44 insertions(+) diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml index 01fde8db..e612936f 100644 --- a/release/start-acs/roxie-config.yaml +++ b/release/start-acs/roxie-config.yaml @@ -5,6 +5,7 @@ central: exposure: loadBalancer: enabled: true + # Match patch-central.json from the legacy deploy flow. resources: requests: memory: "3Gi" @@ -19,6 +20,14 @@ central: size: "100Gi" scanner: scannerComponent: Enabled + # Legacy roxctl-generate flow produces HPA min=1/max=5 for scanner + # (vs Helm chart default min=2/max=5). + analyzer: + scaling: + autoScaling: Enabled + minReplicas: 1 + maxReplicas: 5 + replicas: 1 customize: envVars: - name: MUTEX_WATCHDOG_TIMEOUT_SECS 
@@ -35,9 +44,28 @@ central: value: "R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW" scannerV4: scannerComponent: Enabled + # Legacy roxctl-generate flow produces HPA min=1/max=1 for scanner-v4 + # (vs Helm chart default min=2/max=5). Effectively no autoscaling. + indexer: + scaling: + autoScaling: Disabled + replicas: 1 + matcher: + scaling: + autoScaling: Disabled + replicas: 1 securedCluster: namespace: stackrox spec: + # Match patch-sensor.json from the legacy deploy flow. + sensor: + resources: + requests: + memory: "3Gi" + cpu: "2" + limits: + memory: "12Gi" + cpu: "4" processBaselines: autoLock: Enabled customize: diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml index b9ddefbc..1b18b406 100644 --- a/release/start-secured-cluster/roxie-config.yaml +++ b/release/start-secured-cluster/roxie-config.yaml @@ -1,6 +1,7 @@ securedCluster: namespace: stackrox spec: + # Match patch-sensor.json from the legacy deploy flow. sensor: resources: requests: @@ -11,6 +12,21 @@ securedCluster: cpu: "4" scanner: scannerComponent: Enabled + # Legacy roxctl-generate flow produces HPA min=1/max=5 for scanner + # (vs Helm chart default min=2/max=5). + analyzer: + scaling: + autoScaling: Enabled + minReplicas: 1 + maxReplicas: 5 + replicas: 1 + scannerV4: + # Legacy roxctl-generate flow produces HPA min=1/max=1 for scanner-v4 + # (vs Helm chart default min=2/max=5). Effectively no autoscaling. + indexer: + scaling: + autoScaling: Disabled + replicas: 1 processBaselines: autoLock: Enabled perNode: From f080ee0336a5ed6ad8f49277a1b47170b2922f22 Mon Sep 17 00:00:00 2001 
From: Marcin Owsiany Date: Thu, 2 Jul 2026 07:56:56 +0200 Subject: [PATCH 18/21] Fix: SecuredCluster scanner uses AutoSense, not Enabled The SecuredCluster CRD only accepts "AutoSense" or "Disabled" for scanner.scannerComponent (unlike the Central CRD which accepts "Enabled"). Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-secured-cluster/roxie-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml index 1b18b406..6c7a10f1 100644 --- a/release/start-secured-cluster/roxie-config.yaml +++ b/release/start-secured-cluster/roxie-config.yaml @@ -11,7 +11,7 @@ securedCluster: memory: "12Gi" cpu: "4" scanner: - scannerComponent: Enabled + scannerComponent: AutoSense # Legacy roxctl-generate flow produces HPA min=1/max=5 for scanner # (vs Helm chart default min=2/max=5). analyzer: From 8f769d07d347fad13a804ae86738592a5d10df49 Mon Sep 17 00:00:00 2001 From: Marcin Owsiany Date: Thu, 2 Jul 2026 10:49:25 +0200 Subject: [PATCH 19/21] Align resource specs and HPA scaling with legacy deployment Fake-load cluster: - scanner-v4-db CPU req: 500m (was operator default 1) - scanner-v4-indexer CPU req: 400m (was operator default 1500m) - scanner-v4-matcher CPU req: 400m (was operator default 500m) Real-load cluster: - sensor: 500m/4 CPU, 500Mi/8Gi (was 2/4, 3Gi/12Gi from patch-sensor.json which only applies to fake-load) - admission-control mem limit: 500Mi (was operator default 1Gi) - scanner HPA min: 2 (was 1) - scanner-v4-indexer HPA: Enabled min=2/max=5 (was Disabled) Co-Authored-By: Claude Opus 4.6 (1M context) --- release/start-acs/roxie-config.yaml | 13 ++++++++ .../start-secured-cluster/roxie-config.yaml | 31 ++++++++++++------- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml index e612936f..6d255f4e 100644 --- a/release/start-acs/roxie-config.yaml 
+++ b/release/start-acs/roxie-config.yaml @@ -46,11 +46,24 @@ central: scannerComponent: Enabled # Legacy roxctl-generate flow produces HPA min=1/max=1 for scanner-v4 # (vs Helm chart default min=2/max=5). Effectively no autoscaling. + db: + # Match legacy roxctl-generate default (vs operator default 1 CPU). + resources: + requests: + cpu: "500m" indexer: + # Match legacy roxctl-generate default (vs operator default 1500m). + resources: + requests: + cpu: "400m" scaling: autoScaling: Disabled replicas: 1 matcher: + # Match legacy roxctl-generate default (vs operator default 500m). + resources: + requests: + cpu: "400m" scaling: autoScaling: Disabled replicas: 1 diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml index 6c7a10f1..c7eb0d09 100644 --- a/release/start-secured-cluster/roxie-config.yaml +++ b/release/start-secured-cluster/roxie-config.yaml 
@@ -1,32 +1,39 @@ securedCluster: namespace: stackrox spec: - # Match patch-sensor.json from the legacy deploy flow. + # Match legacy roxctl sensor-generate defaults for the real-load cluster. + # Note: the fake-load cluster's sensor gets patch-sensor.json overrides + # via the start-acs config; this cluster uses the unpatched defaults. sensor: resources: requests: - memory: "3Gi" - cpu: "2" + memory: "500Mi" + cpu: "500m" limits: - memory: "12Gi" + memory: "8Gi" cpu: "4" + # Match legacy roxctl-generate default (vs operator default 1Gi). + admissionControl: + resources: + limits: + memory: "500Mi" scanner: scannerComponent: AutoSense - # Legacy roxctl-generate flow produces HPA min=1/max=5 for scanner - # (vs Helm chart default min=2/max=5). + # Match legacy HPA: min=2/max=5. analyzer: scaling: autoScaling: Enabled - minReplicas: 1 + minReplicas: 2 maxReplicas: 5 - replicas: 1 + replicas: 2 scannerV4: - # Legacy roxctl-generate flow produces HPA min=1/max=1 for scanner-v4 - # (vs Helm chart default min=2/max=5). Effectively no autoscaling. + # Match legacy HPA: min=2/max=5. indexer: scaling: - autoScaling: Disabled - replicas: 1 + autoScaling: Enabled + minReplicas: 2 + maxReplicas: 5 + replicas: 2 processBaselines: autoLock: Enabled perNode: From d86a4e4e228152274425155eaf3d64038dd77a04 Mon Sep 17 00:00:00 2001 
From: Marcin Owsiany Date: Thu, 2 Jul 2026 11:58:51 +0200 Subject: [PATCH 20/21] Tidy workflow dispatch comments, config comments, input order - Add testing instructions comment near workflow_dispatch trigger - Reorder dispatch inputs to match workflow_call order - Consolidate roxie config comments to a single header explaining that resource settings match the previous deploy-scripts-based flow and may be tuned in the future Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/create-demo-clusters.yml | 24 ++++++++++++------- release/start-acs/roxie-config.yaml | 12 +++------- .../start-secured-cluster/roxie-config.yaml | 9 +++---- 3 files changed, 22 insertions(+), 23 deletions(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index ad63d4d9..040cd595 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -1,5 +1,13 @@ name: Create demo clusters for version on: + # For testing this workflow directly from a branch of stackrox/actions + # (the normal path is workflow_call from stackrox/stackrox). To test: + # 1. Push your branch to stackrox/actions. + # 2. Create a branch in stackrox/stackrox with .github/workflows/create-clusters.yml + # pointing uses: at your branch SHA and workflow-ref: at your branch name. + # 3. Dispatch from that stackrox/stackrox branch. + # Alternatively, dispatch this workflow directly from the Actions tab on the + # stackrox/actions repo (requires the workflow file to exist on main). workflow_dispatch: inputs: version: @@ -10,14 +18,6 @@ on: description: Create a long-running cluster default: true type: boolean - cluster-with-fake-load-name: - description: Fake-load cluster name - default: test-roxie-fl - type: string - cluster-with-real-load-name: - description: Real-load cluster name - default: test-roxie-rl - type: string workflow-ref: description: Ref for actions checkout (defaults to current branch) type: string 
@@ -28,6 +28,14 @@ on:
 description: Repo with kube-burner config
 default: stackrox
 type: string
+ cluster-with-fake-load-name:
+ description: Fake-load cluster name
+ default: test-fl
+ type: string
+ cluster-with-real-load-name:
+ description: Real-load cluster name
+ default: test-rl
+ type: string
 workflow_call:
 inputs:
 version:
diff --git a/release/start-acs/roxie-config.yaml b/release/start-acs/roxie-config.yaml
index 6d255f4e..3f8c593c 100644
--- a/release/start-acs/roxie-config.yaml
+++ b/release/start-acs/roxie-config.yaml
@@ -1,3 +1,6 @@
+# Resource requests, limits, and scaling settings below are tuned to match
+# the previous deploy-scripts-based flow. They may be adjusted in the future
+# to better resemble a typical customer deployment.
 central:
 namespace: stackrox
 spec:
@@ -5,7 +8,6 @@ central:
 exposure:
 loadBalancer:
 enabled: true
- # Match patch-central.json from the legacy deploy flow.
 resources:
 requests:
 memory: "3Gi"
@@ -20,8 +22,6 @@ central:
 size: "100Gi"
 scanner:
 scannerComponent: Enabled
- # Legacy roxctl-generate flow produces HPA min=1/max=5 for scanner
- # (vs Helm chart default min=2/max=5).
 analyzer:
 scaling:
 autoScaling: Enabled
@@ -44,15 +44,11 @@ central:
 value: "R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW"
 scannerV4:
 scannerComponent: Enabled
- # Legacy roxctl-generate flow produces HPA min=1/max=1 for scanner-v4
- # (vs Helm chart default min=2/max=5). Effectively no autoscaling.
 db:
- # Match legacy roxctl-generate default (vs operator default 1 CPU).
 resources:
 requests:
 cpu: "500m"
 indexer:
- # Match legacy roxctl-generate default (vs operator default 1500m).
 resources:
 requests:
 cpu: "400m"
@@ -60,7 +56,6 @@ central:
 autoScaling: Disabled
 replicas: 1
 matcher:
- # Match legacy roxctl-generate default (vs operator default 500m).
 resources:
 requests:
 cpu: "400m"
@@ -70,7 +65,6 @@ central:
 securedCluster:
 namespace: stackrox
 spec:
- # Match patch-sensor.json from the legacy deploy flow.
 sensor:
 resources:
 requests:
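Review bot: The context line `value: "R5fMyO9n0gibSGzOXtlP2qCFWCGb8uoW"` at the top of the `@@ -44,15 +44,11` hunk of release/start-acs/roxie-config.yaml leaves what looks like a telemetry storage key (its `name:` sibling sits just outside the hunk) as a plain literal in a committed config file, and the comment consolidation in this commit does not say whether that is intended. If the value is meant to be non-public it should be supplied from a secret-backed workflow input rather than from the file; if it is an intentionally public write-only key, a comment such as `# Public telemetry storage key, not a secret; safe to commit.` above that env entry would stop every future reviewer re-flagging it. The removed per-setting comments also carried the operator defaults the values diverge from (1 CPU, 1500m, 500m); the new header could keep that information in one place, e.g. `# Operator defaults these override: scannerV4 db 1 CPU, indexer 1500m, matcher 500m.`, so a later tuning pass knows what "back to default" means.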
diff --git a/release/start-secured-cluster/roxie-config.yaml b/release/start-secured-cluster/roxie-config.yaml
index c7eb0d09..0440fc57 100644
--- a/release/start-secured-cluster/roxie-config.yaml
+++ b/release/start-secured-cluster/roxie-config.yaml
@@ -1,9 +1,9 @@
+# Resource requests, limits, and scaling settings below are tuned to match
+# the previous deploy-scripts-based flow. They may be adjusted in the future
+# to better resemble a typical customer deployment.
 securedCluster:
 namespace: stackrox
 spec:
- # Match legacy roxctl sensor-generate defaults for the real-load cluster.
- # Note: the fake-load cluster's sensor gets patch-sensor.json overrides
- # via the start-acs config; this cluster uses the unpatched defaults.
 sensor:
 resources:
 requests:
@@ -12,14 +12,12 @@ securedCluster:
 limits:
 memory: "8Gi"
 cpu: "4"
- # Match legacy roxctl-generate default (vs operator default 1Gi).
 admissionControl:
 resources:
 limits:
 memory: "500Mi"
 scanner:
 scannerComponent: AutoSense
- # Match legacy HPA: min=2/max=5.
 analyzer:
 scaling:
 autoScaling: Enabled
@@ -27,7 +25,6 @@ securedCluster:
 maxReplicas: 5
 replicas: 2
 scannerV4:
- # Match legacy HPA: min=2/max=5.
 indexer:
 scaling:
 autoScaling: Enabled
From 4cb3535c0799b0d9eba955bbdf3551de92bd472a Mon Sep 17 00:00:00 2001
From: Marcin Owsiany
Date: Thu, 2 Jul 2026 12:29:10 +0200
Subject: [PATCH 21/21] Improve testing instructions with concrete example fields
Co-Authored-By: Claude Opus 4.6 (1M context)
---
.github/workflows/create-demo-clusters.yml | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml
index 040cd595..05f5c6ed 100644
--- a/.github/workflows/create-demo-clusters.yml
+++ b/.github/workflows/create-demo-clusters.yml
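Review bot: The three lines removed under `spec:` in the first hunk were the only text recording that this file is the real-load cluster and that its sensor values deliberately differ from the fake-load cluster configured by start-acs; the new header only says the values match the previous flow, which reads as if the two roxie-config.yaml files should be identical. A reader diffing this file against release/start-acs/roxie-config.yaml now has no hint that the divergence is intentional and may "fix" it. Suggest one extra header line, e.g. `# Real-load cluster: sensor values intentionally differ from release/start-acs/roxie-config.yaml (fake-load cluster).`, so the distinction survives the consolidation.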
@@ -1,13 +1,16 @@
 name: Create demo clusters for version
 on:
- # For testing this workflow directly from a branch of stackrox/actions
- # (the normal path is workflow_call from stackrox/stackrox). To test:
- # 1. Push your branch to stackrox/actions.
- # 2. Create a branch in stackrox/stackrox with .github/workflows/create-clusters.yml
- # pointing uses: at your branch SHA and workflow-ref: at your branch name.
- # 3. Dispatch from that stackrox/stackrox branch.
- # Alternatively, dispatch this workflow directly from the Actions tab on the
- # stackrox/actions repo (requires the workflow file to exist on main).
+ # For testing this workflow from a branch of stackrox/actions (the normal
+ # path is workflow_call from stackrox/stackrox). To test:
+ # 1. Push your branch to stackrox/actions, note the HEAD commit SHA.
+ # 2. Create a branch in stackrox/stackrox and edit
+ # .github/workflows/create-clusters.yml — change these fields:
+ # uses: stackrox/actions/...@
+ # workflow-ref:
+ # Also change CLUSTER_WITH_FAKE_LOAD_NAME and CLUSTER_WITH_REAL_LOAD_NAME
+ # to unique prefixes to avoid clashing with production clusters.
+ # 3. Dispatch "RELEASE: Create Clusters" from that stackrox/stackrox branch
+ # with create-long-cluster=true and an existing ACS version (e.g. 4.11.0).
 workflow_dispatch:
 inputs:
 version:
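Review bot: The two example lines `# uses: stackrox/actions/...@` and `# workflow-ref:` end without a value, so as shown the instructions never say what goes after the `@` or the colon; if the original had angle-bracket placeholders they appear to have been lost in rendering, and if the file really reads like this the lines should be `# uses: stackrox/actions/...@<commit-sha-from-step-1>` and `# workflow-ref: <your-branch-name>`. Step 1 already tells the reader to note the HEAD commit SHA, so the `uses:` example should also state that it takes that full commit SHA rather than a branch name, which keeps the test run pinned to an immutable ref. This is a comment-only change; the workflow logic is unaffected.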