kubectl yconverge checks DAG and kustomize base traversal

.github/workflows/checks.yaml

@@ -0,0 +1,82 @@
+name: checks
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+  workflow_call:
+
+jobs:
+  script-lint:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - uses: actions/cache/restore@v5.0.5
+      with:
+        key: script-lint-${{ github.ref_name }}-
+        restore-keys: |
+          script-lint-main-
+        path: ~/.cache/ystack
+    - name: Script lint
+      run: bin/y-script-lint --fail=degrade bin/
+      env:
+        Y_SCRIPT_LINT_BRANCH: ${{ github.ref_name }}
+    - uses: actions/cache/save@v5.0.5
+      with:
+        key: script-lint-${{ github.ref_name }}-${{ github.run_id }}
+        path: ~/.cache/ystack
+
+  itest:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - uses: actions/cache/restore@v5.0.5
+      with:
+        key: itest-${{ github.ref_name }}-
+        restore-keys: |
+          itest-main-
+        path: ~/.cache/ystack
+    - name: Integration tests (yconverge framework)
+      run: yconverge/itest/test.sh
+      env:
+        YSTACK_HOME: ${{ github.workspace }}
+        PATH: ${{ github.workspace }}/bin:/usr/local/bin:/usr/bin:/bin
+    - uses: actions/cache/save@v5.0.5
+      with:
+        key: itest-${{ github.ref_name }}-${{ github.run_id }}
+        path: ~/.cache/ystack
+
+  e2e-cluster:
+    # Opt-in via the `e2e-cluster` label on the PR -- runs the full
+    # qemu-based acceptance test (provision a real k3s cluster,
+    # converge ystack, validate). Heavyweight (~10-15 min); gates
+    # behind script-lint + itest so it only fires when the cheaper
+    # checks have passed.
+    needs: [script-lint, itest]
+    if: |
+      github.event_name == 'pull_request' &&
+      contains(github.event.pull_request.labels.*.name, 'e2e-cluster')
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+    - uses: actions/checkout@v5.0.0
+    - name: Pre-flight (disk, docker)
+      run: |
+        df -h /
+        docker info | head -10
+    - name: Set KUBECONFIG (ystack convention)
+      run: |
+        mkdir -p "$HOME/.kube"
+        echo "KUBECONFIG=$HOME/.kube/yolean" >> "$GITHUB_ENV"
+    - name: Run cluster acceptance
+      env:
+        # The script's first action is `exec env -i ...` which wipes
+        # the env to "mirror a fresh interactive terminal" on a dev
+        # laptop. CI's environment is already minimal; setting
+        # ENV_IS_CLEAN=true skips the trampoline so KUBECONFIG /
+        # PATH / YSTACK_HOME below take effect.
+        ENV_IS_CLEAN: "true"
+        YSTACK_HOME: ${{ github.workspace }}
+        PATH: ${{ github.workspace }}/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin
+      run: e2e/agents-clusterautomation-acceptance-linux-amd64.sh

.github/workflows/images.yaml

@@ -16,23 +16,23 @@ jobs:
     steps:
     -
       name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@v5.0.0
     -
       name: Set up QEMU
-      uses: docker/setup-qemu-action@v3
+      uses: docker/setup-qemu-action@v4.0.0
     -
       name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
+      uses: docker/setup-buildx-action@v4.0.0
     -
       name: Login to GitHub Container Registry
-      uses: docker/login-action@v3
+      uses: docker/login-action@v4.1.0
       with:
         registry: ghcr.io
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     -
       name: Build and push runner
-      uses: docker/build-push-action@v6
+      uses: docker/build-push-action@v7.1.0
       env:
         SOURCE_DATE_EPOCH: 0
         BUILDKIT_PROGRESS: plain
@@ -49,15 +49,11 @@ jobs:
       continue-on-error: false
       timeout-minutes: 45
     -
-      uses: actions/setup-go@v5
-      with:
-        go-version: 1.22
-    -
-      uses: imjasonh/setup-crane@v0.3
+      uses: imjasonh/setup-crane@v0.5
     -
       name: Get registry image tag
       id: imageRegistryTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[0].newTag | sub("(.*)@.*", "${1}")' registry/images/kustomization.yaml
     -
@@ -68,7 +64,7 @@ jobs:
     -
       name: Get buildkit image tag
       id: imageBuildkitTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[0].newTag | sub("(.*)@.*", "${1}")' buildkit/kustomization.yaml
     -
@@ -79,7 +75,7 @@ jobs:
     -
       name: Get dockerd image tag
       id: imageDockerdTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[0].newTag | sub("(.*)@.*", "${1}")' docker/kustomization.yaml
     -
@@ -91,7 +87,7 @@ jobs:
     -
       name: Get gitea image tag
       id: imageGiteaTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[0].newTag | sub("(.*)@.*", "${1}")' git-source/base/kustomization.yaml
     -
@@ -102,7 +98,7 @@ jobs:
     -
       name: Get grafana image tag
       id: imageGrafanaTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[0].newTag | sub("(.*)@.*", "${1}")' monitoring/grafana/kustomization.yaml
     -
@@ -113,7 +109,7 @@ jobs:
     -
       name: Get grafana-image-renderer image tag
       id: imageGrafanaImageRendererTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[1].newTag | sub("(.*)@.*", "${1}")' monitoring/grafana/kustomization.yaml
     -
@@ -124,18 +120,29 @@ jobs:
     -
       name: Get redpanda image tag
       id: imageRedpandaTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '.images[0].newTag | sub("(.*)@.*", "${1}")' kafka/redpanda-image/kustomization.yaml
     -
       name: Mirror redpanda image
       run: |
         TAG_REDPANDA=${{ steps.imageRedpandaTag.outputs.result }}
         crane cp docker.redpanda.com/redpandadata/redpanda:$TAG_REDPANDA ghcr.io/yolean/redpanda:$TAG_REDPANDA
+    -
+      name: Get versitygw image tag
+      id: imageVersitygwTag
+      uses: mikefarah/yq@v4.53.2
+      with:
+        cmd: yq '.spec.template.spec.containers[0].image | sub("[^:]+:(.+)@.*", "${1}")' blobs-versitygw/standalone/deployment.yaml
+    -
+      name: Mirror versitygw image from hub
+      run: |
+        TAG_VERSITYGW=${{ steps.imageVersitygwTag.outputs.result }}
+        crane cp docker.io/versity/versitygw:$TAG_VERSITYGW ghcr.io/yolean/versitygw:$TAG_VERSITYGW
     -
       name: Get static-web-server image tag
       id: imageStaticWebServerTag
-      uses: mikefarah/yq@v4.44.1
+      uses: mikefarah/yq@v4.53.2
       with:
         cmd: yq '."static-web-server".version' bin/y-bin.optional.yaml
     -

bin/.gitignore

@@ -6,6 +6,7 @@ buildctl
 buildx
 bun
 bunyan
+cluster
 contain
 container-structure-test
 crane

bin/acceptance-y-kustomize-local

@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+[ -z "$DEBUG" ] || set -x
+set -eo pipefail
+
+YHELP='acceptance-y-kustomize-local - standalone test for y-kustomize/y-cluster-serve.yaml
+
+Usage: acceptance-y-kustomize-local
+
+Boots `y-cluster serve -c y-kustomize/` against a temp state dir,
+probes the four routes the host-local serve is expected to expose,
+and stops the serve. No qemu, no docker, no kubectl -- exercises
+only the host-local kustomize-build + HTTP serve pipeline.
+
+The four routes mirror the source list in y-kustomize/y-cluster-serve.yaml:
+  /v1/blobs/setup-bucket-job/base-for-annotations.yaml
+  /v1/blobs/setup-bucket-prep/base-for-annotations.yaml
+  /v1/kafka/setup-topic-job/base-for-annotations.yaml
+  /v1/kafka/setup-topic-prep/base-for-annotations.yaml
+
+Exit codes:
+  0    All four routes serve valid YAML
+  1    One or more routes failed (404, malformed YAML, serve crash)
+
+Dependencies:
+  y-cluster (in PATH; auto-resolved via bin/y-cluster wrapper)
+  curl
+'
+
+case "${1:-}" in
+  help|--help|-h) echo "$YHELP"; exit 0 ;;
+  "") ;;
+  *) echo "ERROR: unknown argument '$1'" >&2; exit 1 ;;
+esac
+
+YBIN="$(cd "$(dirname "$0")" && pwd)"
+YSTACK_HOME="$(cd "$YBIN/.." && pwd)"
+SERVE_DIR="$YSTACK_HOME/y-kustomize"
+PORT=8944
+
+[ -f "$SERVE_DIR/y-cluster-serve.yaml" ] || { echo "ERROR: $SERVE_DIR/y-cluster-serve.yaml not found" >&2; exit 1; }
+
+STATE_DIR=$(mktemp -d -t acceptance-y-kustomize-local.XXXXXX)
+LOG_FILE="$STATE_DIR/serve.log"
+
+cleanup() {
+  local rc=$?
+  echo "# Stopping y-cluster serve ..."
+  y-cluster serve stop --state-dir "$STATE_DIR" >/dev/null 2>&1 || true # y-script-lint:disable=or-true # best-effort
+  rm -rf "$STATE_DIR"
+  exit $rc
+}
+trap cleanup EXIT INT TERM
+
+echo "# Starting y-cluster serve (state-dir=$STATE_DIR)"
+y-cluster serve ensure -c "$SERVE_DIR" --state-dir "$STATE_DIR" >"$LOG_FILE" 2>&1
+
+echo "# Probing /health"
+HEALTH=$(curl -fsS --max-time 5 "http://127.0.0.1:$PORT/health")
+echo "  $HEALTH"
+echo "$HEALTH" | grep -q '"routes":4' \
+  || { echo "ERROR: expected routes=4 in /health, got: $HEALTH" >&2; exit 1; }
+
+PASS=0
+FAIL=0
+for route in \
+  v1/blobs/setup-bucket-job/base-for-annotations.yaml \
+  v1/blobs/setup-bucket-prep/base-for-annotations.yaml \
+  v1/kafka/setup-topic-job/base-for-annotations.yaml \
+  v1/kafka/setup-topic-prep/base-for-annotations.yaml
+do
+  if curl -fsS --max-time 5 "http://127.0.0.1:$PORT/$route" 2>/dev/null | grep -q '^apiVersion:'; then
+    echo "  PASS  /$route"
+    PASS=$((PASS + 1))
+  else
+    echo "  FAIL  /$route" >&2
+    FAIL=$((FAIL + 1))
+  fi
+done
+
+echo "# Results: $PASS passed, $FAIL failed"
+[ "$FAIL" -eq 0 ]

bin/kubectl-yconverge

@@ -0,0 +1 @@
+cluster

bin/y-bin.runner.yaml

@@ -155,6 +155,39 @@ cue:
     tool: tar
     path: cue
 
+cluster:
+  version: 0.3.7
+  templates:
+    download: https://github.com/Yolean/y-cluster/releases/download/v${version}/y-cluster_v${version}_${os}_${arch}
+  sha256:
+    darwin_amd64: 8b46a3e771a4afc1da855a6cb22f7729bce5b8f09f1b53ab7c02d0d20068b15d
+    darwin_arm64: b220ffd5062e6de3b55d84d2dbb489977ec84517553d48880735a44dd7a0a961
+    linux_amd64: 7c0c97efc6fa3689d6eeb00a7c3a0f1ec9ad4e02d8cc0373434e880d4b807727
+    linux_arm64: 224fb614edfd840e4f06488cc2b51e911286352e2ddb1e724fe9861c71707a2b
+
+contain:
+  version: 0.9.1
+  templates:
+    download: https://github.com/turbokube/contain/releases/download/v${version}/contain-v${version}-${os}-${arch}
+  sha256:
+    darwin_amd64: 514d8492f5daf2a406c0f5a835e5c8887aa20bea0be83b6096659215bd559d55
+    darwin_arm64: 04e907d9ad93f3b00bd028f60ababefd5edcdd25e39a4f1f9eb730454097caaf
+    linux_amd64: 38c070ca6e6057d8f8ff91f1d1ecc79f57ffd2338f19a0e6a48456c15e342429
+    linux_arm64: 2ad19485957456a08373b820ec7ba491befe27454f36a57ab420bb1de5b45781
+
+kustomize-traverse:
+  version: 0.1.0
+  templates:
+    download: https://github.com/Yolean/kustomize-traverse/releases/download/v${version}/kustomize-traverse-${os}-${arch}.tar.gz
+  sha256:
+    darwin_amd64: bdca1fe29afcbc9817557046a3de2661f9ce5044aec3086a263e2724200bb580
+    darwin_arm64: 67acdd588a37cb213afad319ef18b67090214ee1d3bad06a469137cb5ef2b2b8
+    linux_amd64: e643fe6a162ef22ef8ecffc960e0fc6c76741613098b3f583c16d9206a4f3628
+    linux_arm64: d5e564c54d043350e928fb366a4ab004b09381e1aa3f07c750b598bc2bf2b85c
+  archive:
+    tool: tar
+    path: kustomize-traverse
+
 npx:
   version: 0.2.1
   templates:

bin/y-cluster

@@ -0,0 +1,11 @@
+#!/bin/bash
+[ -z "$DEBUG" ] || set -x
+set -e
+YBIN="$(dirname "$0")"
+
+# bin/kubectl-yconverge is a tracked symlink to y-cluster so kubectl
+# plugin discovery picks it up. exec -a preserves the invocation
+# name so the binary detects which mode it's in.
+
+version=$(y-bin-download "$YBIN/y-bin.runner.yaml" cluster)
+exec -a "$(basename "$0")" "$YBIN/y-cluster-v${version}-bin" "$@"