HYPERFLEET-1108 - feat: Add e2e.hyperfleet.io/run-id label for e2e-gcp environment, label resources created by adapters

[mliptak0]

Summary

This PR adds support for labeling all resources in the e2e-gcp environment with a unique e2e.hyperfleet.io/run-id label, enabling better tracking and cleanup of resources created during E2E test runs.

Caution

TODO: Prepare change for openshift/release repo CI for hyperfleet-e2e

What changed:

• Added required E2E_RUN_ID environment variable for e2e-gcp deployments
• All HyperFleet resources (API, Sentinel, Adapters, and their Kubernetes objects) deployed in e2e-gcp are automatically labeled with e2e.hyperfleet.io/run-id: <run-id>
• All adapter deployments receive E2E_RUN_ID as an environment variable
• Adapter task configs updated to accept and propagate e2eRunId parameter to resources they create (Namespaces, Jobs, Deployments, ConfigMaps, ManifestWorks)
• Added Makefile validation to enforce E2E_RUN_ID is set when deploying to e2e-gcp

Why this is needed:

• Enables automated cleanup of resources by run ID after test completion

Impact on users:

• e2e-gcp environment: Now requires E2E_RUN_ID to be set when deploying (enforced by validation)
• Other environments (gcp, kind, e2e-kind): No changes required - works exactly as before
• CI/CD pipelines using e2e-gcp: Must pass E2E_RUN_ID when running make install-hyperfleet

Usage:

# e2e-gcp deployment (new requirement)
make HELMFILE_ENV=e2e-gcp E2E_RUN_ID=ci-run-12345 NAMESPACE=hyperfleet-e2e install-hyperfleet

# Other environments (unchanged)
make HELMFILE_ENV=gcp NAMESPACE=hyperfleet install-hyperfleet
make HELMFILE_ENV=kind NAMESPACE=hyperfleet-local install-hyperfleet

• HYPERFLEET-1108

Test Plan

• Unit tests added/updated - N/A (infrastructure change)
• make test-all passes - N/A (no test suite for helmfile templates)
• make lint passes - Validated with make ci-validate
• Helm chart changes validated with make test-helm (if applicable) - N/A (changes are in helmfile values, not charts)
• Deployed to a development cluster and verified (if Helm/config changes) - Tested locally with make template-helmfile
• E2E tests passed (if cross-component or major changes) - N/A (this enables better E2E testing, doesn't affect functionality)

Manual Testing Performed:

• ✅ Verified e2e-gcp deployment fails without E2E_RUN_ID
• ✅ Verified e2e-gcp deployment succeeds with E2E_RUN_ID
• ✅ Verified all resources in e2e-gcp are labeled with e2e.hyperfleet.io/run-id
• ✅ Verified adapter deployments receive E2E_RUN_ID environment variable
• ✅ Verified gcp, kind, and e2e-kind environments build without changes
• ✅ Verified other environments don't have the e2e.hyperfleet.io/run-id label
• ✅ Validated helmfile templates render correctly for all environments

Breaking Changes

For e2e-gcp environment only:

• E2E_RUN_ID environment variable is now required when deploying to e2e-gcp
• Makefile will fail with clear error message if E2E_RUN_ID is not set
• CI/CD pipelines using HELMFILE_ENV=e2e-gcp must be updated to pass E2E_RUN_ID

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ma-hill for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

📝 Walkthrough

Walkthrough

A new E2E_RUN_ID environment variable is enforced at deployment time via a Makefile check-e2e-run-id target that gates check-helmfile-env when HELMFILE_ENV=e2e-gcp. The value is threaded through helmfile.yaml.gotmpl as both e2eRunId and a labels map entry. The three base Go templates (base-adapter, base-api, base-sentinel) conditionally emit this labels block and, for adapters, append E2E_RUN_ID to the container env. All four e2e adapter task configs (cl-deployment, cl-job, cl-maestro, cl-namespace) declare e2eRunId as an optional param from env.E2E_RUN_ID; cl-namespace simultaneously renames testRunId→e2eRunId and the label key e2e.hyperfleet.io/test-run-id→e2e.hyperfleet.io/run-id. The corresponding Kubernetes resource templates stamp e2e.hyperfleet.io/run-id onto Deployments, Pods, Jobs, ManifestWork objects, and their embedded Namespace/ConfigMap manifests.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 11

✅ Passed checks (11 passed)

Check name	Status	Explanation
Title check	✅ Passed	Title matches the main change: requiring E2E_RUN_ID and labeling e2e-gcp resources with run-id.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Sec-02: Secrets In Log Output	✅ Passed	No non-test/example log/print statements contain token/password/credential/secret; only config/docs references were found. CWE-532 absent.
No Hardcoded Secrets	✅ Passed	No new API keys, tokens, passwords, private keys, embedded creds, or long base64 literals were added; only E2E_RUN_ID plumbing.
No Weak Cryptography	✅ Passed	PASS: exact scan found no crypto/md5, crypto/des, crypto/rc4, SHA1, ECB, or ConstantTimeCompare usage; PR only changes Makefile/YAML config. CWE-327 absent.
No Injection Vectors	✅ Passed	PASS: Touched files add YAML/Makefile templating only; no SQL concat (CWE-89), exec.Command (CWE-78), template.HTML (CWE-79), or yaml.Unmarshal (CWE-502).
No Privileged Containers	✅ Passed	No privileged:true, host*Network/IPC, SYS_ADMIN, allowPrivilegeEscalation, or USER root/runAsUser:0 in touched manifests/templates; only labels/env added. CWE-250 not introduced.
No Pii Or Sensitive Data In Logs	✅ Passed	No CWE-532 issue: changed logs are only build-time echoes/status text and an E2E_RUN_ID hint, with no PII, session data, raw bodies, or creds.
Description check	✅ Passed	The description matches the changeset by describing e2e-gcp run-id labeling, E2E_RUN_ID propagation, and Makefile validation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

✨ Simplify code

• Create PR with simplified code

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@helmfile/configs/e2e/adapters/cl-deployment/adapter-task-config.yaml`:
- Around line 9-12: The e2eRunId input is only checked for non-empty, but it is
later used as a Kubernetes label value, so invalid characters can still reach
templating. Update the boundary handling for the e2eRunId mapping sourced from
env.E2E_RUN_ID to enforce a strict label-safe regex before it is rendered or
stamped into manifests. Keep the validation close to the adapter-task-config
input definition so invalid values are rejected early and cannot flow into label
generation.

In
`@helmfile/configs/e2e/adapters/cl-maestro/adapter-task-resource-manifestwork.yaml`:
- Around line 31-50: The YAML template in the manifestwork adapter has an
indentation regression that breaks the parent mappings and produces invalid
YAML. Re-indent the `hyperfleet.io/platform-type` conditional, the `annotations`
block, the ConfigMap `data` conditionals, and the ConfigMap `metadata` block so
they remain nested under the correct `metadata`/resource sections in this
template. Use the surrounding manifest structure in
`adapter-task-resource-manifestwork.yaml` to keep the `annotations`, `data`, and
`metadata` keys aligned with their parent objects.

In `@helmfile/helmfile.yaml.gotmpl`:
- Around line 30-32: The run-id label value is being emitted unquoted in the
helmfile template, which can let a numeric E2E_RUN_ID be serialized as a
non-string scalar and break Kubernetes label rendering. Update the
helmfile.yaml.gotmpl entry for labels.e2e.hyperfleet.io/run-id so the value is
always quoted as a string, while keeping e2eRunId consistent with the downstream
string handling.

In `@Makefile`:
- Around line 320-327: The E2E_RUN_ID check in the Makefile only blocks empty
values, but it should also reject strings that are not valid Kubernetes label
values before they reach metadata.labels. Update the install-hyperfleet
validation block to verify E2E_RUN_ID against Kubernetes label-value rules
(allowed characters, length, and format) in addition to the existing non-empty
check, and fail fast with a clear error message when invalid. Keep the logic in
the same HELMFILE_ENV=e2e-gcp guard so the validation happens at the system
boundary before any Helm/Kubernetes apply step.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: dec1e2d2-0e70-4017-9915-192667816ec1

📥 Commits

Reviewing files that changed from the base of the PR and between 931c935 and af0299f.

📒 Files selected for processing (12)

• Makefile
• helmfile/configs/e2e/adapters/cl-deployment/adapter-task-config.yaml
• helmfile/configs/e2e/adapters/cl-deployment/adapter-task-resource-deployment.yaml
• helmfile/configs/e2e/adapters/cl-job/adapter-task-config.yaml
• helmfile/configs/e2e/adapters/cl-job/adapter-task-resource-job.yaml
• helmfile/configs/e2e/adapters/cl-maestro/adapter-task-config.yaml
• helmfile/configs/e2e/adapters/cl-maestro/adapter-task-resource-manifestwork.yaml
• helmfile/configs/e2e/adapters/cl-namespace/adapter-task-config.yaml
• helmfile/helmfile.yaml.gotmpl
• helmfile/values/base-adapter.yaml.gotmpl
• helmfile/values/base-api.yaml.gotmpl
• helmfile/values/base-sentinel.yaml.gotmpl

🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

• openshift-hyperfleet/architecture (manual)
• openshift-hyperfleet/hyperfleet-api (manual)
• openshift-hyperfleet/hyperfleet-sentinel (manual)
• openshift-hyperfleet/hyperfleet-adapter (manual)
• openshift-hyperfleet/hyperfleet-broker (manual)

[coderabbitai]

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Enforce label-safe validation for E2E_RUN_ID before templating.

e2eRunId is sourced from env and later stamped into Kubernetes labels. Current gating only checks non-empty, so invalid characters can break manifests or inject malformed YAML/labels (CWE-20, CWE-74). Add strict label-value regex validation at the boundary.

As per path instructions, “Validate input at system boundaries (HTTP handlers, CLI parsers, webhook receivers).”

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helmfile/configs/e2e/adapters/cl-deployment/adapter-task-config.yaml` around
lines 9 - 12, The e2eRunId input is only checked for non-empty, but it is later
used as a Kubernetes label value, so invalid characters can still reach
templating. Update the boundary handling for the e2eRunId mapping sourced from
env.E2E_RUN_ID to enforce a strict label-safe regex before it is rendered or
stamped into manifests. Keep the validation close to the adapter-task-config
input definition so invalid values are rejected early and cannot flow into label
generation.

Source: Path instructions

[coderabbitai]

🩺 Stability & Availability | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file='helmfile/configs/e2e/adapters/cl-maestro/adapter-task-resource-manifestwork.yaml'

echo "== outline =="
ast-grep outline "$file" --view expanded || true

echo
echo "== numbered excerpt (1-220) =="
cat -n "$file" | sed -n '1,220p'

Repository: openshift-hyperfleet/hyperfleet-infra

Length of output: 7552

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

file='helmfile/configs/e2e/adapters/cl-maestro/adapter-task-resource-manifestwork.yaml'

echo "== outline =="
ast-grep outline "$file" --view expanded || true

echo
echo "== numbered excerpt (1-220) =="
cat -n "$file" | sed -n '1,220p'

Repository: openshift-hyperfleet/hyperfleet-infra

Length of output: 7552

---

Fix the YAML indentation regression

hyperfleet.io/platform-type, annotations, the ConfigMap data conditionals, and the ConfigMap metadata block are dedented out of their parent mappings, so the template now renders invalid YAML and the manifest can’t be parsed (CWE-20). Also applies to 77-99.

🧰 Tools

🪛 YAMLlint (1.37.1)

[error] 32-32: syntax error: could not find expected ':'

(syntax)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In
`@helmfile/configs/e2e/adapters/cl-maestro/adapter-task-resource-manifestwork.yaml`
around lines 31 - 50, The YAML template in the manifestwork adapter has an
indentation regression that breaks the parent mappings and produces invalid
YAML. Re-indent the `hyperfleet.io/platform-type` conditional, the `annotations`
block, the ConfigMap `data` conditionals, and the ConfigMap `metadata` block so
they remain nested under the correct `metadata`/resource sections in this
template. Use the surrounding manifest structure in
`adapter-task-resource-manifestwork.yaml` to keep the `annotations`, `data`, and
`metadata` keys aligned with their parent objects.

Source: Linters/SAST tools

[coderabbitai]

🗄️ Data Integrity & Integration | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== helmfile references =="
rg -n 'E2E_RUN_ID|e2e\.hyperfleet\.io/run-id|e2eRunId|requiredEnv "E2E_RUN_ID"|env "E2E_RUN_ID"' helmfile . || true

echo
echo "== nearby context in helmfile/helmfile.yaml.gotmpl =="
nl -ba helmfile/helmfile.yaml.gotmpl | sed -n '1,80p'

Repository: openshift-hyperfleet/hyperfleet-infra

Length of output: 5082

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== adapter references =="
rg -n 'testRunId|run-id|E2E_RUN_ID|TEST_RUN_ID|e2e\.hyperfleet\.io/(run-id|test-run-id)' . || true

Repository: openshift-hyperfleet/hyperfleet-adapter

Length of output: 437

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== architecture docs references =="
rg -n 'test-run-id|run-id|E2E_RUN_ID|TEST_RUN_ID|e2e\.hyperfleet\.io/(run-id|test-run-id)' hyperfleet/docs/e2e-testing || true

Repository: openshift-hyperfleet/architecture

Length of output: 2602

---

🏁 Script executed:

#!/bin/bash
set -euo pipefail

sed -n '20,38p' helmfile/helmfile.yaml.gotmpl
echo
sed -n '1,90p' helmfile/values/base-adapter.yaml.gotmpl
echo
sed -n '312,328p' Makefile

Repository: openshift-hyperfleet/hyperfleet-infra

Length of output: 2577

---

🏁 Script executed (no clone):

python3 - <<'PY'
import yaml, json, textwrap
doc = yaml.safe_load(textwrap.dedent("""
labels:
  e2e.hyperfleet.io/run-id: 123
"""))
print(type(doc["labels"]["e2e.hyperfleet.io/run-id"]).__name__, doc["labels"]["e2e.hyperfleet.io/run-id"])
PY

Length of output: 133

---

Quote the run-id label value (CWE-20).
e2eRunId is re-quoted downstream, but labels.e2e.hyperfleet.io/run-id is later serialized via toYaml and can become a non-string YAML scalar if E2E_RUN_ID is numeric, which breaks Kubernetes label rendering.

Suggested fix

-          e2e.hyperfleet.io/run-id: {{ env "E2E_RUN_ID" }}
+          e2e.hyperfleet.io/run-id: {{ env "E2E_RUN_ID" | quote }}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	e2eRunId: {{ env "E2E_RUN_ID" }}
	labels:
	e2e.hyperfleet.io/run-id: {{ env "E2E_RUN_ID" }}
	e2eRunId: {{ env "E2E_RUN_ID" }}
	labels:
	e2e.hyperfleet.io/run-id: {{ env "E2E_RUN_ID" | quote }}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@helmfile/helmfile.yaml.gotmpl` around lines 30 - 32, The run-id label value
is being emitted unquoted in the helmfile template, which can let a numeric
E2E_RUN_ID be serialized as a non-string scalar and break Kubernetes label
rendering. Update the helmfile.yaml.gotmpl entry for
labels.e2e.hyperfleet.io/run-id so the value is always quoted as a string, while
keeping e2eRunId consistent with the downstream string handling.

Source: Path instructions

[coderabbitai]

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

Enforce Kubernetes label-value validation for E2E_RUN_ID (CWE-20).

Current check only rejects empty values. Invalid label values (illegal chars/length) still pass here and fail later when applied as metadata.labels.

Suggested fix

 check-e2e-run-id: ## Verify E2E_RUN_ID is set for e2e-gcp environment
 	`@if` [ "$(HELMFILE_ENV)" = "e2e-gcp" ]; then \
 		if [ -z "$(E2E_RUN_ID)" ]; then \
 			echo "ERROR: E2E_RUN_ID must be set when HELMFILE_ENV=e2e-gcp"; \
 			echo "       Usage: E2E_RUN_ID=<run-id> make install-hyperfleet"; \
 			exit 1; \
 		fi; \
+		if ! printf '%s' "$(E2E_RUN_ID)" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9._-]{0,61}[A-Za-z0-9])?$$'; then \
+			echo "ERROR: E2E_RUN_ID must be a valid Kubernetes label value (1-63 chars, alnum boundaries, [A-Za-z0-9._-] allowed)"; \
+			exit 1; \
+		fi; \
 		echo "OK: E2E_RUN_ID=$(E2E_RUN_ID)"; \
 	fi;

As per path instructions, "Validate input at system boundaries (HTTP handlers, CLI parsers, webhook receivers)."

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	@if [ "$(HELMFILE_ENV)" = "e2e-gcp" ]; then \
	if [ -z "$(E2E_RUN_ID)" ]; then \
	echo "ERROR: E2E_RUN_ID must be set when HELMFILE_ENV=e2e-gcp"; \
	echo " Usage: E2E_RUN_ID=<run-id> make install-hyperfleet"; \
	exit 1; \
	fi; \
	echo "OK: E2E_RUN_ID=$(E2E_RUN_ID)"; \
	fi;
	`@if` [ "$(HELMFILE_ENV)" = "e2e-gcp" ]; then \
	if [ -z "$(E2E_RUN_ID)" ]; then \
	echo "ERROR: E2E_RUN_ID must be set when HELMFILE_ENV=e2e-gcp"; \
	echo " Usage: E2E_RUN_ID=<run-id> make install-hyperfleet"; \
	exit 1; \
	fi; \
	if ! printf '%s' "$(E2E_RUN_ID)" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9._-]{0,61}[A-Za-z0-9])?$$'; then \
	echo "ERROR: E2E_RUN_ID must be a valid Kubernetes label value (1-63 chars, alnum boundaries, [A-Za-z0-9._-] allowed)"; \
	exit 1; \
	fi; \
	echo "OK: E2E_RUN_ID=$(E2E_RUN_ID)"; \
	fi;

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@Makefile` around lines 320 - 327, The E2E_RUN_ID check in the Makefile only
blocks empty values, but it should also reject strings that are not valid
Kubernetes label values before they reach metadata.labels. Update the
install-hyperfleet validation block to verify E2E_RUN_ID against Kubernetes
label-value rules (allowed characters, length, and format) in addition to the
existing non-empty check, and fail fast with a clear error message when invalid.
Keep the logic in the same HELMFILE_ENV=e2e-gcp guard so the validation happens
at the system boundary before any Helm/Kubernetes apply step.

Source: Path instructions