fix(ci): pass secrets to reusable system test workflows#321
Open
franvila wants to merge 23 commits into
Open
Conversation
…RN for failure (kroxylicious#3965) * fix(runtime): log virtual cluster stop at INFO for clean shutdown, WARN for failure The onVirtualClusterStopped callback previously logged at WARN regardless of whether the stop was failure-driven (cause present) or a clean drain (cause absent). Clean stops during normal proxy shutdown produced spurious WARN entries in system test logs. The Optional<Throwable> parameter already carries the distinction: log at WARN with the error when a failure drove the stop; log at INFO without an error key for clean stops. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * bump stopped to info Signed-off-by: Sam Barker <sam@quadrocket.co.uk> --------- Signed-off-by: Sam Barker <sam@quadrocket.co.uk>
Signed-off-by: prmellor <pmellor@redhat.com>
Added a comment regarding kube version compatibility. Signed-off-by: Keith Wall <kwall@apache.org>
kroxylicious#3966) * Replace jsr305 annotations with spotbugs Nullable and custom threading annotations Assisted-by: Claude Signed-off-by: dahyvuun <dahyvuun@gmail.com> * Fix module layering to allow io.kroxylicious.proxy.tag imports Assisted-by: Claude Signed-off-by: dahyvuun <dahyvuun@gmail.com> * Fix import ordering for findbugs annotations Assisted-by: Claude Signed-off-by: dahyvuun <dahyvuun@gmail.com> * Apply code formatter Assisted-by: Claude Signed-off-by: dahyvuun <dahyvuun@gmail.com> * Fix import sorting Assisted-by: Claude Signed-off-by: dahyvuun <dahyvuun@gmail.com> --------- Signed-off-by: dahyvuun <dahyvuun@gmail.com>
…rs, exceptions, result classes (kroxylicious#3971)
…roxylicious#3929) * docs(admission-webhook): fix documentation to match implementation The documentation introduced in commit 0097505 contained some inaccuracies that developed during implementation: - Environment variable FAILURE_POLICY does not exist; the actual variable is UNINJECTED_POD_POLICY with values Admit/Deny The failure policy section was rewritten to distinguish between internal error handling (always fail-closed, returns HTTP 500) and uninjected pod policy (configurable via UNINJECTED_POD_POLICY). Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Robert Young <robertyoungnz@gmail.com> * docs(admission): apply review feedback on failure policies Updates based on PR kroxylicious#3929 review: - Clarify that webhook "defaults to" failing closed for internal errors - Document that failurePolicy can be changed to Ignore for availability - Specify exact conditions for UNINJECTED_POD_POLICY (missing/invalid config) - Explain why unavailable config handling is separate from internal errors - Remove confusing statement about non-error paths Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Robert Young <robertyoungnz@gmail.com> --------- Signed-off-by: Robert Young <robertyoungnz@gmail.com>
…ious#3973) Refactor ProxyProtocolIT to reduce code duplication and improve defensive request handling. Extract a connectClient() helper to eliminate duplicated Bootstrap/ pipeline wiring across the four test methods. Wire CorrelationManager. onChannelClose() via channel.closeFuture() listener (mirroring how KafkaClient already does it) to defensively ensure in-flight requests complete if the peer closes the connection. Relates to kroxylicious#3757 Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Keith Wall <kwall@apache.org>
kroxylicious#3978) * fix(runtime): registerConnection rejects unless VC is in SERVING state The guard previously used a blocklist (reject if Draining or Stopped), silently accepting connections in Initializing and Failed states. Flip to an allowlist: only accept when Serving. Add tests covering all five lifecycle states, and fix the concurrency tests that were registering connections while still in Initializing. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(runtime): fix VirtualClusterRegistryTest connection tests to use SERVING state Tests were registering connections while the cluster was still in Initializing state, which is now correctly rejected. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> --------- Signed-off-by: Sam Barker <sam@quadrocket.co.uk>
…ndler (kroxylicious#3974) * fix(test): complete queued requests on channel close in KafkaClientHandler Improve KafkaClientHandler defensive behavior to properly complete queued request futures when the channel closes or encounters errors. This prevents futures from hanging indefinitely if the peer drops the connection before requests are sent. Add channelInactive() to drain the queue with ChannelClosedException (a new custom exception), and update exceptionCaught() to fail queued requests with the real cause rather than letting them hang or fail later with a follow-up exception. Add KafkaClientHandlerTest to verify the lifecycle behavior. Relates to kroxylicious#3757 Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Keith Wall <kwall@apache.org> * address review comments from Sam Barker Signed-off-by: Keith Wall <kwall@apache.org> --------- Signed-off-by: Keith Wall <kwall@apache.org>
…ylicious#3972) Make the JSR305 annotation ban more precise to allow standard Java annotation processing API (javax.annotation.processing.Generated) while still blocking JSR305 annotations (Nullable, Nonnull, etc). Changes: - IllegalImport: Use regex with negative lookahead to ban javax.annotation.* except processing.* - RegexpSinglelineJava: Use negative lookahead to allow javax.annotation.processing.* - Fixes checkstyle failures in krpc-generated code that uses @generated Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Keith Wall <kwall@apache.org>
kroxylicious#3979) Signed-off-by: Kroxylicious Robot <153509303+kroxylicious-robot@users.noreply.github.com>
…k{er,Context}` (kroxylicious#3913)
* refactor(operator): make kafkaProxyStatusPatch() accept ResourceState
* feat(operator): add DeprecationWarning to Condition.Type
* refactor(operator): add message parameter to newTrueCondition
* feat(operator): make reportAbsentSpecIfNecessary add condition
* feat(operator): add DeprecationCheck{er,Context}, AbsentSpecDeprecationChecker and AbsentSpecDeprecationCheckerTest
* test(operator): switch to AbsentSpecDeprecationChecker
* docs(changelog): add entry
* test(operator): add DeprecationWarning to existing tests
* fix(operator): remove condition when spec is added
Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Signed-off-by: Piotr Płaczek <piotrpdev@gmail.com>
Co-authored-by: Tom Bentley <tbentley@redhat.com>
…consumer count overrides (kroxylicious#3887) * Add 10KB and 100KB single-topic workload definitions Add workload ConfigMaps for 1topic-10kb and 1topic-100kb to measure how encryption overhead scales with message size. These use random payloads (no payloadFile) since content has no effect on AES-GCM performance. Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * Parameterise producer and consumer counts in workload definitions producersPerTopic and consumerPerSubscription are now templated from benchmark.producersPerTopic and benchmark.consumerPerSubscription (defaulting to 1). This allows scaling client counts via --set without needing separate workload definitions. Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): use profile JFR settings and restart async-profiler between rate probes When rate-sweep reuses infrastructure across probes (--skip-teardown), the JFR recording and async-profiler were restarted at the end of each probe ready for the next. Two bugs: - JFR was restarted with settings=default instead of settings=profile. The default profile omits jdk.NetworkUtilization and other I/O events, so all probes after the first recorded near-zero network traffic. - async-profiler was stopped at the end of each probe but never restarted, so all subsequent probes copied the stale flamegraph.html from probe 0. Fix both in the SKIP_TEARDOWN restart block: use settings=profile for JFR and restart async-profiler (when AGENT_LIB is available) so each probe gets an independent flamegraph covering its own benchmark window. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): guard async-profiler restart on ASYNC_PROFILER_FLAGS env var The previous fix restarted async-profiler between rate-sweep probes whenever AGENT_LIB was non-empty. AGENT_LIB (ASYNC_PROFILER_LIB) is set by kroxylicious-start.sh whenever the native library is present in the image, regardless of whether profiling was actually enabled. On clusters where the Unconfined seccomp patch is rejected by PodSecurity policy, probe 0 skips applying the async-profiler deployment patch. The patch is what sets ASYNC_PROFILER_FLAGS in the container env. Checking AGENT_LIB would have caused the restart to attempt profiling on restricted clusters where probe 0 deliberately skipped it. Use ASYNC_PROFILER_FLAGS from the JVM process environment as the guard — it is only present when the deployment patch was successfully applied. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): isolate proxy from Kafka brokers by default Adds a proxy-anti-affinity.yaml SSA patch and wires it into run-benchmark.sh (applied by default) to keep the proxy pod off any node running a Kafka broker pod (matched via strimzi.io/cluster=kafka). Without this, on a 3-worker cluster the proxy inevitably shares a node with a broker. The resulting CPU contention is enough to push the encryption throughput ceiling below its true value, making the proxy appear slower than it really is on a properly provisioned cluster. The patch uses requiredDuringSchedulingIgnoredDuringExecution — if the cluster has no free node (e.g. 3 workers, all hosting a broker) the proxy will not schedule and the benchmark will fail with a clear error rather than silently produce misleading results. --no-isolate-proxy opts out with a prominent warning, for clusters where strict isolation is not possible and indicative results are acceptable. The flag is passed through from rate-sweep.sh to run-benchmark.sh. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * refactor(benchmarks): rename --no-isolate-proxy to --skip-proxy-isolation Aligns with the existing --skip-deploy / --skip-teardown naming convention. Also strengthens the warning to note that resource contention makes results hard to compare across runs with and without isolation active. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): clarify --skip-proxy-isolation warning The risk is unpredictable, run-to-run variation — not stable suppression (which would still be comparable). Update the warning to reflect this. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): add per-probe producer/consumer count overrides Adds --producers-per-topic and --consumers-per-subscription flags to run-benchmark.sh, wired through to new Helm values (omb.coordinatorProducersPerTopic, omb.coordinatorConsumerPerSubscription) which are injected via sed into the workload YAML at job creation time, mirroring the existing coordinatorProducerRate pattern. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): add connection-sweep.sh script Sweeps the number of producer connections to a single proxy pod while holding per-producer rate fixed (e.g. 1,2,4,8,16 producers at 30k msg/sec each). Consumers are scaled to match producers at each step. Deploys infrastructure once then calls run-benchmark.sh per step with --skip-deploy/--skip-teardown, matching the rate-sweep.sh pattern. Results land in <output-dir>/<scenario>/producers-<n>/result.json. Includes a connection-sweep-values.yaml profile (5 min warmup + 5 min test, workerReplicas=6 for headroom at high producer counts) and a dry-run mode that prints the step sequence without deploying. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * refactor(benchmarks): re-apply workload ConfigMap per-probe instead of sed Replaces the env-var+sed approach for injecting per-probe overrides (producerRate, producersPerTopic, consumerPerSubscription) with a cleaner split: apply_workload_configmap() re-renders and applies just the workload ConfigMap via helm template --show-only before every benchmark run, regardless of --skip-deploy. This means --skip-deploy now truly skips only infrastructure (Kafka, Strimzi, proxy, OMB workers) while workload config is always kept in sync with the current probe's parameters. Both rate-sweep and connection-sweep benefit automatically without any extra plumbing. Removes the coordinator* override fields from values.yaml and the corresponding env vars and sed replacements from the Job template. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): restart operator after Kafka is ready to fix CrashLoopBackOff The Kroxylicious operator is installed at cluster provision time, before Strimzi is deployed. Its Kafka informer fails immediately (kafka.strimzi.io/v1beta2/kafkas not yet served) and JOSDK exits the process. By benchmark time the operator may be in CrashLoopBackOff with a backoff delay of up to 5 minutes, leaving the proxy pod absent and the benchmark coordinator failing to connect. Fix: after Strimzi CRDs are available (Kafka cluster Ready), force a rollout restart of kroxylicious-operator. This bypasses the exponential backoff and gives the operator a clean start with Strimzi already serving the Kafka CRDs. Also adds an explicit wait for KafkaProxy Ready after the restart so the proxy pod is guaranteed to exist before JFR setup runs. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * Revert "fix(benchmarks): restart operator after Kafka is ready to fix CrashLoopBackOff" This reverts commit 666f9e5. Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): use version query param for Strimzi install URL https://strimzi.io/install/<version>?namespace=<ns> returns 404 for newer versions; the correct form is https://strimzi.io/install/latest?namespace=<ns>&version=<version>. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): fall back to curl for operator tarball download when gh absent gh CLI may not be available on all cluster nodes. Use curl with the GitHub releases URL as a fallback. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): install Strimzi from GitHub releases, not strimzi.io/install https://strimzi.io/install/latest?version=X ignores the version parameter and always serves the latest (1.0.0) manifests, including CRDs. This caused 0.51.0 installation to receive 1.0.0 CRDs that only serve v1, breaking the Kroxylicious operator which expects v1beta2. Switch to downloading directly from the GitHub release: - strimzi-crds-<version>.yaml for CRDs (cluster-scoped, no substitution) - strimzi-cluster-operator-<version>.yaml for the operator, with 'myproject' → NAMESPACE substitution via sed Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): raise worker CPU limit in connection-sweep profile OMB assigns ~1/3 of workers to producers and the rest to consumers. With 6 workers and 8 producers, each of the 2 producer workers handles ~4 producers at 10k msg/s = 40k msg/s per JVM — enough to saturate the previous 1000m limit before the proxy CPU becomes the bottleneck. Raise the limit to 2000m so workers have clear headroom at the highest producer counts in the sweep. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): switch results-reader pod image to Chainguard busybox Docker Hub rate limits were causing the omb-results-reader pod to fail ImagePullBackOff on clusters with many unauthenticated pulls. Chainguard's busybox is equivalent in size (3.8 MB compressed) with no pull rate limits, and is pinned by digest for reproducibility. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): add phase timestamps and workload parameters to run-metadata.json ProbeContext now carries benchmark phase timing (warmupDurationMinutes, testDurationMinutes, benchmarkStartedAt, benchmarkCompletedAt) and workload shape (topics, partitionsPerTopic, messageSize, producersPerTopic, consumerPerSubscription). These fields make each probe's metadata self-describing without needing to open result.json, and allow analysis tools to filter CPU metrics to the measurement window rather than using a fixed snapshot-skip count. New factory methods ProbeContext.of() and withPhases()/withWorkload() keep call sites clean as the record grows. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): wire phase timestamps and workload params through to run-metadata.json run-benchmark.sh now records benchmarkStartedAt/benchmarkCompletedAt around the benchmark poll loop, reads warmupDurationMinutes/testDurationMinutes from the live Helm release, and reads topics/partitions/messageSize/producersPerTopic/ consumerPerSubscription from the collected result.json. All values are passed to collect-results.sh (full deploy path) and the inline jbang call (--skip-deploy path). collect-results.sh forwards the new flags to the jbang CLI. analyze-cpu-coefficient.py now filters CPU snapshots to the measurement phase using the phase timestamps from run-metadata.json, falling back to --skip-first when timestamps are absent (e.g. older result directories). Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): replace JFR PVC with emptyDir to fix scheduling deadlock The JFR PVC used a local PersistentVolume which bound to a specific node. When that node also hosted a Kafka broker pod, the proxy anti-affinity rule prevented the proxy from scheduling there, creating an unresolvable deadlock (0/N nodes available: M nodes failed PV affinity, 1 node failed anti-affinity). Switch to emptyDir: no node affinity constraint, so the proxy schedules freely. JFR collection already copies the recording from the live pod via kubectl exec before teardown, so the PVC's "survive pod termination" property was never actually needed in practice. Removes: proxy-jfr-pvc.yaml patch, JFR PVC creation/deletion in run-benchmark.sh, jfr-collect fallback pod in collect-results.sh. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): capture proxy resource config in run-metadata.json Query the proxy pod and KafkaProxy CR at metadata collection time to record cpuRequest, cpuLimit, memoryRequest, memoryLimit, and replicas in a proxyConfig block. This avoids having to thread resource values through script flags and gives a self-verifying record of what was actually deployed for each sweep probe. collect-results.sh passes PROXY_POD and NAMESPACE to the JBang CLI when the pod name is set; baseline runs (no proxy pod) omit the block. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): scale publishRate by topic count in sweep summaries OMB reports publishRate per-topic in result.json. Multi-topic workloads (e.g. 10topics-1kb) were compared against the aggregate target rate, flagging every probe as saturated. Read topic count from run-metadata.json and multiply before the saturation check so the summary is correct for both 1-topic and multi-topic workloads. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): add useRandomizedPayloads to 10kb and 100kb workloads Without payloadFile or useRandomizedPayloads, OMB's FilePayloadReader NPEs on a null file path. Random payloads are appropriate for encryption benchmarks since AES-GCM processes arbitrary bytes. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): set randomizedPayloadPoolSize for 10kb and 100kb workloads useRandomizedPayloads requires a non-zero randomizedPayloadPoolSize; with the default of 0 OMB crashes at startLoad trying to pick from an empty payload pool. Also set randomBytesRatio: 1.0 so payloads are fully random. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * feat(benchmarks): add JFR CPULoad fallback to analyze-cpu-coefficient.py When process_cpu_usage is absent from proxy-metrics.txt (not all deployments expose this Micrometer metric), the script now falls back to jdk.CPULoad events from the JFR recording. JFR CPULoad reports jvmUser + jvmSystem as a percentage of all machine CPUs. The node CPU count is read from clusterNodes.cpuPerNode in run-metadata.json and used to normalise the value to a fraction of one CPU, keeping the same scale as process_cpu_usage. Also: multi-topic achieved rates are now correctly scaled by the topics count from run-metadata.json, and the CPU source and absolute mc value are shown in the output table. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): avoid version strings that rot - Remove `latest` tag from busybox image reference in run-benchmark.sh; the SHA digest already pins the image content unambiguously. - Resolve STRIMZI_VERSION=latest dynamically in setup-cluster.sh by following the GitHub releases/latest redirect; the literal string 'latest' has no corresponding release artifact path and causes a 404. - Drop kafka.version from values.yaml; Strimzi defaults the Kafka version and an explicit pin will lag behind Strimzi upgrades. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): add blank line after license header in analyze-cpu-coefficient.py Satisfies the license-maven-plugin check which requires a blank line between the license block and the module docstring. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): make kafka.version optional in Helm template (#96) The kafka.version field was removed from values.yaml in commit ed1d43e to allow Strimzi to default the version, but the template still unconditionally rendered "version: {{ .Values.kafka.version }}", which produced "version: " (empty string/null) when the value was undefined. Strimzi 1.0.0 rejects this with: "spec.kafka.version: Invalid value: \"null\": spec.kafka.version in body must be of type string: \"null\"" Wrap the version field in a conditional so it's only rendered when .Values.kafka.version is set. When omitted, Strimzi uses its default Kafka version as documented in the CRD. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Keith Wall <kwall@apache.org> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * fix(benchmarks): qualify Vault image with docker.io and document cluster overrides Unqualified image references (hashicorp/vault) are redirected to Red Hat's registry on some OpenShift clusters, causing ErrImagePull. Prefix with docker.io/ so the pull target is unambiguous. Add a vault image override example to the existing cluster-specific settings section in QUICKSTART.md so users know how to substitute an alternative image via --cluster-overrides without modifying scenario files. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * refactor(benchmarks): reduce cognitive complexity in RunMetadata Replace repeated null-guard if-blocks with a putIfPresent helper, collapsing 13 checks in generate() and 4 in proxyInfo() to single-line calls. Behaviour is unchanged. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> * refactor(benchmarks): extract proxy container traversal to reduce proxyInfo complexity Extract the for-loop that finds the proxy container and reads its resource limits into a separate helper, removing nested branching from proxyInfo. Assisted-by: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Sam Barker <sam@quadrocket.co.uk> --------- Signed-off-by: Sam Barker <sam@quadrocket.co.uk> Signed-off-by: Keith Wall <kwall@apache.org> Co-authored-by: Keith Wall <kwall@redhat.com>
…r tag to v9.8-1777460003 (kroxylicious#3982) Signed-off-by: Kroxylicious Robot <153509303+kroxylicious-robot@users.noreply.github.com>
…gest to 79f51f4 (kroxylicious#3980) Signed-off-by: Kroxylicious Robot <153509303+kroxylicious-robot@users.noreply.github.com>
…icious#3985) Signed-off-by: Piotr Płaczek <piotrpdev@gmail.com>
* fix: use qualified class names to resolve BadImport warnings Signed-off-by: dahyvuun <dahyvuun@gmail.com> * fix: use qualified RoutingHttpServer.builder() to satisfy BadImport Signed-off-by: dahyvuun <dahyvuun@gmail.com> * fix: replace static imports of EnumSet methods with qualified names Signed-off-by: dahyvuun <dahyvuun@gmail.com> * fix: replace BadImport static imports with qualified KroxyliciousTesters references Signed-off-by: dahyvuun <dahyvuun@gmail.com> * Remove accidentally committed wq file Signed-off-by: dahyvuun <dahyvuun@gmail.com> --------- Signed-off-by: dahyvuun <dahyvuun@gmail.com>
Secrets are not automatically available in reusable workflows when using workflow_call. Added 'secrets: inherit' to both system-tests-pr and system-tests-merge workflows to ensure Fortanix KMS secrets (KROXYLICIOUS_KMS_FORTANIX_ADMIN_API_KEY and KROXYLICIOUS_KMS_FORTANIX_API_KEY) are accessible when testFortanixKMS is enabled. Without this change, the reusable run-system-tests.yaml workflow cannot access the secrets defined in the repository, causing Fortanix KMS tests to fail due to missing credentials. Assisted-by: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Francisco Vila <fvila@redhat.com>
Signed-off-by: Francisco Vila <fvila@redhat.com>
…a/kproxy into fix/workflow-secrets-inheritance
…s#3981) * chore(deps): update hashicorp/vault docker tag to v2.0.1 Signed-off-by: Kroxylicious Robot <153509303+kroxylicious-robot@users.noreply.github.com> * Update helm_vault_overrides.yaml Signed-off-by: Francisco Vila <57452611+franvila@users.noreply.github.com> --------- Signed-off-by: Kroxylicious Robot <153509303+kroxylicious-robot@users.noreply.github.com> Signed-off-by: Francisco Vila <57452611+franvila@users.noreply.github.com> Co-authored-by: Francisco Vila <57452611+franvila@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
9 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes Fortanix KMS system tests by ensuring secrets are properly passed to reusable workflows.
Problem
The
run-system-tests.yamlreusable workflow was attempting to access repository secrets (KROXYLICIOUS_KMS_FORTANIX_ADMIN_API_KEYandKROXYLICIOUS_KMS_FORTANIX_API_KEY) but these were not available because:workflow_callsecrets: inheritor by explicitly listing themThis caused Fortanix KMS tests to fail when
testFortanixKMS: 'true'was set, as the required credentials were undefined.Solution
Added
secrets: inheritto both workflows that call the reusable workflow:.github/workflows/system-tests-merge.yaml.github/workflows/system-tests-pr.yamlThis ensures all repository secrets are available to the reusable workflow without needing to explicitly enumerate each one.
Testing
secrets: inherit🤖 Generated with Claude Code