From b1811f82a898d20910d4e1b9a23f7f209354d92b Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 22 Apr 2026 15:23:29 -0700 Subject: [PATCH 01/12] X-Smart-Branch-Parent: main From 7ea0587b50620e7ab4b0178ee41812b2f86a1120 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 22 Apr 2026 15:49:53 -0700 Subject: [PATCH 02/12] Fact should be deployed --- release/start-secured-cluster/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index 74c88b36..9390131d 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml @@ -60,6 +60,7 @@ runs: STACKROX_DIR: ${{ github.workspace }} COMMON_DIR: ${{ github.workspace }}/deploy/common SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" + SFA_AGENT: "true" ROX_NETFLOW_BATCHING: "true" ROX_NETFLOW_CACHE_LIMITING: "true" run: | From db0dcc88ee41fcc8e4907546f06947a4275e1ad2 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 22 Apr 2026 16:25:38 -0700 Subject: [PATCH 03/12] Patching fact to monitor /tmp/data --- .../start-secured-cluster/start-secured-cluster.sh | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index 3b1ca762..9e735719 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh 
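Review bot: The `SFA_AGENT: "true"` line added to the `env:` block has no comment, yet the later patches in this series run `kubectl ... set env daemonset/collector ... -c fact`, which can only succeed if this toggle actually produced a `fact` container. I would add above it `# SFA_AGENT deploys the fact container in the collector DaemonSet; start-secured-cluster.sh sets FACT_PATHS on it`. The same gap applies to `SENSOR_HELM_DEPLOY: "true"` (PATCH 06) and `ROX_DEPLOY_SENSOR_WITH_CRS: "false"` (PATCH 08). The latter appears to switch off the cluster-registration-secret flow used to bootstrap the sensor, so a one-line comment saying why the fallback is needed would keep it from reading as an accidental downgrade. The `env:` block starts and ends outside the hunk.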
@@ -28,6 +28,18 @@ kubectl -n stackrox create secret generic access-rhacs \ # Create the collector-config ConfigMap in order to enable external IPs kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" +# Patch the collector DaemonSet to set FACT_PATHS to monitor /tmp/data/**/* +kubectl -n stackrox patch daemonset collector --type=strategic --patch ' +spec: + template: + spec: + containers: + - name: fact + env: + - name: FACT_PATHS + value: "/tmp/data/**/*" +' + echo "Deploying Monitoring..." monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" From 1ad4beab84929d567850246e87d9a8090163d5a3 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 22 Apr 2026 16:26:52 -0700 Subject: [PATCH 04/12] Set run length to 5h temporarily --- .github/workflows/create-demo-clusters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index c6fcf7d4..6be07ae6 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -46,7 +46,7 @@ env: GH_TOKEN: ${{ github.token }} GH_NO_UPDATE_NOTIFIER: 1 TIMEOUT_WAIT_FOR_IMAGES_SECONDS: 3600 - LONG_RUNNING_CLUSTER_LIFESPAN: "168h" + LONG_RUNNING_CLUSTER_LIFESPAN: "5h" METRICS_COLLECTION_TIME: "30m" jobs: From dffc558eec7bd61fa35bb3f4dfe1161e935b5466 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Wed, 22 Apr 2026 20:12:15 -0700 Subject: [PATCH 05/12] Using set env instead of patch --- .../start-secured-cluster/start-secured-cluster.sh | 11 +---------- 1 file changed, 1 insertion(+), 10 deletions(-) diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index 9e735719..55345f8f 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh 
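Review bot: Nothing waits for the rollout that this change to the collector DaemonSet triggers, so the script reaches `echo "Deploying Monitoring..."` while collector pods may still be running with the default `FACT_PATHS`. Judging by the context in PATCH 09, `sensor.sh` has already deployed the DaemonSet by this point. Adding `kubectl -n stackrox rollout status daemonset/collector --timeout=5m` after the call would make a failed or stuck rollout fail this step instead of showing up later as missing file-activity data. The same applies to the `kubectl set env` form that replaces this patch in PATCH 05 and PATCH 11. The comment above the command only restates it; it should say why monitoring is limited to `/tmp/data`, because narrowing the watched paths also narrows what file activity this cluster can report.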
@@ -29,16 +29,7 @@ kubectl -n stackrox create secret generic access-rhacs \ kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" # Patch the collector DaemonSet to set FACT_PATHS to monitor /tmp/data/**/* -kubectl -n stackrox patch daemonset collector --type=strategic --patch ' -spec: - template: - spec: - containers: - - name: fact - env: - - name: FACT_PATHS - value: "/tmp/data/**/*" -' +kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" -c fact echo "Deploying Monitoring..." monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" From 20e0b8c11f8831efd5d49186552cd165387c3896 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 23 Apr 2026 11:35:57 -0700 Subject: [PATCH 06/12] Using SENSOR_HELM_DEPLOY --- release/start-secured-cluster/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index 9390131d..efb4aa81 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml @@ -61,6 +61,7 @@ runs: COMMON_DIR: ${{ github.workspace }}/deploy/common SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" SFA_AGENT: "true" + SENSOR_HELM_DEPLOY: "true" ROX_NETFLOW_BATCHING: "true" ROX_NETFLOW_CACHE_LIMITING: "true" run: | From bd96551e479a1f12267ebc7970b48b03cf59f10d Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 23 Apr 2026 14:13:44 -0700 Subject: [PATCH 07/12] Set SENSOR_HELM_MANAGED to false --- release/start-secured-cluster/action.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index efb4aa81..2b7b0794 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml 
@@ -62,6 +62,7 @@ runs: SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" SFA_AGENT: "true" SENSOR_HELM_DEPLOY: "true" + SENSOR_HELM_MANAGED: "false" ROX_NETFLOW_BATCHING: "true" ROX_NETFLOW_CACHE_LIMITING: "true" run: | From 3398aa73d37184194b3427187b0745645b551be8 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 23 Apr 2026 15:28:38 -0700 Subject: [PATCH 08/12] Not setting SENSOR_HELM_MANAGED to false. Setting ROX_DEPLOY_SENSOR_WITH_CRS to false --- release/start-secured-cluster/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/release/start-secured-cluster/action.yml b/release/start-secured-cluster/action.yml index 2b7b0794..5ef433dd 100644 --- a/release/start-secured-cluster/action.yml +++ b/release/start-secured-cluster/action.yml @@ -62,7 +62,7 @@ runs: SECURED_CLUSTER_AUTO_LOCK_PROCESS_BASELINES: "true" SFA_AGENT: "true" SENSOR_HELM_DEPLOY: "true" - SENSOR_HELM_MANAGED: "false" + ROX_DEPLOY_SENSOR_WITH_CRS: "false" ROX_NETFLOW_BATCHING: "true" ROX_NETFLOW_CACHE_LIMITING: "true" run: | From b4414266a312fb0abc26b9e26ad6fbcc7816a2f6 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Thu, 23 Apr 2026 21:09:22 -0700 Subject: [PATCH 09/12] Trying to create image pull secret --- .../start-secured-cluster.sh | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index 55345f8f..dd12c93f 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh 
@@ -19,7 +19,26 @@ else echo "Using ACS pre-4.11 secured cluster setup (version: ${version_major_minor})" fi +# Create namespace and image pull secrets BEFORE running sensor.sh +kubectl create namespace stackrox || true + +kubectl -n stackrox create secret docker-registry stackrox \ + --docker-server=quay.io \ + --docker-username="${REGISTRY_USERNAME}" \ + --docker-password="${REGISTRY_PASSWORD}" || true + +kubectl -n stackrox create secret docker-registry secured-cluster-services-main \ + --docker-server=quay.io \ + --docker-username="${REGISTRY_USERNAME}" \ + --docker-password="${REGISTRY_PASSWORD}" || true + +kubectl -n stackrox create secret docker-registry secured-cluster-services-collector \ + --docker-server=quay.io \ + --docker-username="${REGISTRY_USERNAME}" \ + --docker-password="${REGISTRY_PASSWORD}" || true + "${STACKROX_DIR}/deploy/k8s/sensor.sh" + kubectl -n stackrox create secret generic access-rhacs \ --from-literal="username=${ROX_ADMIN_USERNAME}" \ --from-literal="password=${ROX_ADMIN_PASSWORD}" \ From 539b3d1245dc427d107e58084f7b99ea430b8e49 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Fri, 24 Apr 2026 11:14:03 -0700 Subject: [PATCH 10/12] Reduced long running cluster time to 3h --- .github/workflows/create-demo-clusters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 6be07ae6..514e2fdc 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -46,7 +46,7 @@ env: GH_TOKEN: ${{ github.token }} GH_NO_UPDATE_NOTIFIER: 1 TIMEOUT_WAIT_FOR_IMAGES_SECONDS: 3600 - LONG_RUNNING_CLUSTER_LIFESPAN: "5h" + LONG_RUNNING_CLUSTER_LIFESPAN: "3h" METRICS_COLLECTION_TIME: "30m" jobs: From 303795226f297c5b440f68101b24b2a26f3c83ec Mon Sep 17 00:00:00 2001 
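Review bot: Every `kubectl create` added here ends in `|| true`, which hides not only "already exists" but also an unset `REGISTRY_USERNAME`/`REGISTRY_PASSWORD`, a denied API call or a wrong kube context, so a bad pull secret surfaces later as image-pull failures in sensor and collector rather than at this step. Making the creates idempotent with `--dry-run=client -o yaml | kubectl apply -f -` and failing fast on empty credentials keeps real errors visible, and the three identical secret blocks collapse into one loop. The password is passed on the kubectl command line, where it is visible in the process list and in any `set -x` trace, so tracing should stay off around this block. Neither the script's `set` options nor where the two registry variables are exported is visible in this hunk, so both should be confirmed; note too that `apply` overwrites an existing secret, unlike the current keep-existing behaviour.

```shell
# Create namespace and image pull secrets BEFORE running sensor.sh
: "${REGISTRY_USERNAME:?REGISTRY_USERNAME must be set}"
: "${REGISTRY_PASSWORD:?REGISTRY_PASSWORD must be set}"

kubectl create namespace stackrox --dry-run=client -o yaml | kubectl apply -f -

for pull_secret in stackrox secured-cluster-services-main secured-cluster-services-collector; do
    kubectl -n stackrox create secret docker-registry "${pull_secret}" \
        --docker-server=quay.io \
        --docker-username="${REGISTRY_USERNAME}" \
        --docker-password="${REGISTRY_PASSWORD}" \
        --dry-run=client -o yaml | kubectl apply -f -
done

# … unchanged: sensor.sh invocation and access-rhacs secret …
```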
From: JoukoVirtanen Date: Sun, 26 Apr 2026 11:21:57 -0700 Subject: [PATCH 11/12] FACT_LOGLEVEL set to info --- release/start-secured-cluster/start-secured-cluster.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/release/start-secured-cluster/start-secured-cluster.sh b/release/start-secured-cluster/start-secured-cluster.sh index dd12c93f..9fa467ae 100755 --- a/release/start-secured-cluster/start-secured-cluster.sh +++ b/release/start-secured-cluster/start-secured-cluster.sh @@ -47,8 +47,8 @@ kubectl -n stackrox create secret generic access-rhacs \ # Create the collector-config ConfigMap in order to enable external IPs kubectl create -f "${SCRIPT_DIR}/collector-config.yaml" -# Patch the collector DaemonSet to set FACT_PATHS to monitor /tmp/data/**/* -kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" -c fact +# Patch the collector DaemonSet to configure fact container +kubectl -n stackrox set env daemonset/collector FACT_PATHS="/tmp/data/**/*" FACT_LOGLEVEL="info" -c fact echo "Deploying Monitoring..." monitoring_values_file="${COMMON_DIR}/../charts/monitoring/values.yaml" From 8beb1e8d5c2ab801b55f168e5e94eda84067c0a8 Mon Sep 17 00:00:00 2001 From: JoukoVirtanen Date: Tue, 28 Apr 2026 10:33:48 -0700 Subject: [PATCH 12/12] Set lifespan back to 168h --- .github/workflows/create-demo-clusters.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/create-demo-clusters.yml b/.github/workflows/create-demo-clusters.yml index 514e2fdc..c6fcf7d4 100644 --- a/.github/workflows/create-demo-clusters.yml +++ b/.github/workflows/create-demo-clusters.yml @@ -46,7 +46,7 @@ env: GH_TOKEN: ${{ github.token }} GH_NO_UPDATE_NOTIFIER: 1 TIMEOUT_WAIT_FOR_IMAGES_SECONDS: 3600 - LONG_RUNNING_CLUSTER_LIFESPAN: "3h" + LONG_RUNNING_CLUSTER_LIFESPAN: "168h" METRICS_COLLECTION_TIME: "30m" jobs: