ci(k3d): backport per-job k3d review/QA pipeline to 9-11-stable

What does this MR do?

Backports the per-job k3d review/QA CI pipeline to 9-11-stable, bringing this branch's CI toward master's final k3d state (consolidating master MRs !4967 (merged), !4984 (merged), !4982 (merged), !4983 (merged), !4985 (merged) into one change rather than cherry-picking each):

  • Adds the k3d per-job scripts (k3d.sh, k3d_deploy.sh), the k3d-templates + k3d-version-pipeline[-arm64] child pipelines, and the k3d.gatewayapi / k3d.ingress CI values.
  • Wires parallel:matrix bridge jobs into .gitlab-ci.yml:
    • k3d — v1.33 / v1.34 / v1.35 (v1.35 K3D_PRIMARY auto-runs on MR/default; v1.33/v1.34 manual)
    • k3d_arm64 — v1.35 ARM64 (manual on MR/default, auto on nightly/stable)
  • Removes the vcluster/EKS trigger jobs, scripts, and environment configs; keeps a single GKE nightly (gke.135.amd64gke.amd64).
  • autodevops.sh: adds the is_k3d_deployment networking branch in deploy(), the set_context k3d guard, and create_admin_pat() (used by k3d_deploy.sh); helpers.sh: adds is_k3d_deployment().

Networking: NGINX ingress (not Gateway API) on 18.11

Unlike master/19.0, 9-11's k3d jobs use the NGINX ingress path, not Envoy Gateway. The 18.11 chart bundles envoy-gateway 1.7.1, on which the Gateway API review environment returns HTTP 308 on every API call and fails the review specs (master/19.0 use envoy-gateway 1.8.0, where it works). Bumping a bundled dependency on a stable branch is out of scope for this CI backport, so k3d and k3d_arm64 set K3D_USE_NGINX_INGRESS=true and there is no separate k3d_nginx job. This deploys the chart's bundled nginx-ingress controller over HTTP — no Gateway API/Envoy resources.

CI-only — no chart/product code changes

This MR contains no charts/ or templates/ changes. All changes are CI tooling (.gitlab/ci/, scripts/ci/, spec/). Pipeline iteration uncovered and fixed three CI issues:

  1. CNPG operator/CRDs for k3d (scripts/ci/lib/cloudnativepg.sh): the CloudNativePG operator was only installed for vcluster deployments; gated it on is_k3d_deployment too and added a CRD-Established wait, so a fresh per-job k3d cluster has the postgresql.cnpg.io CRDs before the Cluster CR is applied.
  2. HTTP-aware spec helper (spec/api_helper.rb): honor the PROTOCOL env var (default https) for the base-URL scheme and SSL verification, so specs work against the HTTP-only k3d instance. Backward compatible — vcluster/GKE keep https + verify_ssl.
  3. RUBY_IMAGE_DEBIAN: defined the variable the arm64 k3d jobs use for their image (the .specs builder image has no ARM variant).

k3s version matrix: matches master (v1.33 / v1.34 / v1.35); no per-branch divergence.

Note: this differs from the original backport plan, which anticipated a 2-file webservice ClientTrafficPolicy chart change for this branch. That fix targets the Gateway API path; since 9-11 uses NGINX ingress for k3d (its bundled envoy-gateway 1.7.1 is unusable for this), the chart change is not applicable and the backport stays CI-only.

Related to #6421 (closed)

Author checklist

For general guidance, please follow our Contributing guide.

Required

For anything in this list which will not be completed, please provide a reason in the MR discussion.

  • Merge Request Title and Description are up to date, accurate, and descriptive.
  • MR targeting the appropriate branch (9-11-stable).
  • MR has a green pipeline.
  • Documentation created/updated.
  • Tests added/updated, and test plan for scenarios not covered by automated tests.
  • Equivalent MR/issue for omnibus-gitlab opened.

Test plan

  • k3d v1.35 (primary) review_specs_k3d deploys via helm upgrade --install --wait and specs pass against the nip.io URL over NGINX ingress (HTTP).
  • qa_k3d (parallel:5) green.
  • Manually trigger k3d v1.33 / v1.34 and k3d_arm64; confirm green.
  • No vcluster/EKS jobs remain in the rendered pipeline.

Reviewers checklist

🤖 Generated with Claude Code

Edited by Clemens Beck
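
The HTTP-aware spec helper described in item 2 of the CI fixes above, as an added example that is not the project's `spec/api_helper.rb` or code from this MR: it derives the base-URL scheme and TLS verification from `PROTOCOL`, defaults to https, and fails closed on any other value so that verification is only skipped when there is no TLS at all. The module name, method names, the `/api/v4` path and the host names are assumptions made for illustration.

```ruby
require "net/http"
require "openssl"
require "uri"

# Hypothetical helper (illustration only, not the project's spec/api_helper.rb).
module ReviewEndpoint
  ALLOWED_SCHEMES = %w[https http].freeze

  # Scheme taken from PROTOCOL; unset or empty means https.
  # Any other value raises instead of silently weakening the connection.
  def self.scheme(env = ENV)
    value = env.fetch("PROTOCOL", "https").to_s.strip.downcase
    value = "https" if value.empty?
    unless ALLOWED_SCHEMES.include?(value)
      raise ArgumentError, "unsupported PROTOCOL: #{value.inspect}"
    end
    value
  end

  # Certificate verification stays on whenever TLS is in use.
  # It is off only for plain HTTP, where there is no certificate to check.
  def self.verify_ssl?(env = ENV)
    scheme(env) == "https"
  end

  # Base URL for API calls; the /api/v4 path is an assumption of this example.
  def self.base_url(host, env = ENV)
    URI.parse("#{scheme(env)}://#{host}/api/v4")
  end

  # Net::HTTP client whose TLS settings follow the scheme (no connection is opened here).
  def self.client(host, env = ENV)
    uri = base_url(host, env)
    http = Net::HTTP.new(uri.host, uri.port)
    http.use_ssl = (uri.scheme == "https")
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER if http.use_ssl?
    http
  end
end
```

With `PROTOCOL` unset the behaviour is unchanged for https targets; only an explicit `PROTOCOL=http` switches the client to plain HTTP.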
