Skip to content

feat(seitask): WS-C — rpc scenario templates → SeiNode + provision-node RBAC#420

Merged
bdchatham merged 2 commits into
mainfrom
feat/wsc-seitask-scenario-templates
Jun 20, 2026
Merged

feat(seitask): WS-C — rpc scenario templates → SeiNode + provision-node RBAC#420
bdchatham merged 2 commits into
mainfrom
feat/wsc-seitask-scenario-templates

Conversation

@bdchatham

@bdchatham bdchatham commented Jun 18, 2026

Copy link
Copy Markdown
Collaborator

What

Controller-side half of WS-C (the platform nightly migration):

  • runner/rbac.yaml: grant the seitask-runner Role seinodes create (provision-node's first act is c.Create(SeiNode) — without it every rpc-fleet step 403s) + seinodes/status get (forward-compat, matches the existing /status pattern).
  • scenarios/{load-test,release-test}/rpc.yaml.tmpl: rewrite from a dead second kind: SeiNetwork (replicas: 2) to a single kind: SeiNode fullNode follower. name/ns/ownerRef/labels/peers are stamped by provision-node at runtime.

Why

Pairs with the platform WS-C PR (chaos workflows → provision-node) and consumes the already-merged provision-node (#419) + SeiNode.status.endpoint (#418). The old rpc.yaml.tmpl rendered a second genesis pool, not followers.

⚠️ Hard merge gate — Q4 live-CRD dry-run

The new kind: SeiNode template has never been applied against the deployed CRD. make build/lint/manifests are clean and strict-unmarshal passes, but that only covers the repo-bundled CRD. Before merge, run server-side validation against the target cluster:

seictl node apply bench-nightly-r1-rpc-0 --preset rpc --chain-id bench-nightly-r1 \
  --image <img> --network bench-nightly-r1 -n <ns> --dry-run

A clean dry-run (no Invalid/unknown-field/missing-required) closes it. Specifically verify the deployed CRD doesn't enforce a peers/CEL constraint on fullNode that the repo CRD doesn't (followers get peers stamped post-render).

Sequence

This PR (+ its seitask image build) lands before the platform PR, which bumps to the resulting image. RBAC should merge first/standalone.

🤖 Generated with Claude Code

@bdchatham @claude
feat(seitask): WS-C — rpc scenario templates → SeiNode + provision-no…
c72d84c 
…de RBAC

- runner/rbac.yaml: grant seitask-runner `seinodes` create (provision-node's
  first act is c.Create(SeiNode); without it every rpc-fleet step 403s) +
  seinodes/status get (forward-compat, matches the /status pattern).
- scenarios/{load-test,release-test}/rpc.yaml.tmpl: rewrite from a dead second
  `kind: SeiNetwork` (replicas:2) to a single `kind: SeiNode` fullNode follower;
  name/ns/ownerRef/labels/peers stamped by provision-node at runtime.

Pairs with platform WS-C (chaos workflows → provision-node) and consumes the
merged provision-node (#419) + SeiNode.status.endpoint (#418).

HARD GATE before merge: dry-run the rendered SeiNode template against the
DEPLOYED CRD (`seictl node apply … --dry-run`) — envtest only covers the
repo CRD, not the live one.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@cursor

cursor Bot commented Jun 18, 2026
edited
Loading

Copy link
Copy Markdown

PR Summary

Medium Risk
Expands workflow SA permissions to create SeiNode CRs and changes how nightly RPC fleets are modeled; operational risk if deployed CRD validation diverges from repo schema (called out in the PR merge gate).

Overview
RPC scenario templates for load-test and release-test no longer render a second SeiNetwork genesis pool. They now describe a single SeiNode fullNode follower (chainId, image, role-specific overrides); naming, labels, peering, and topology stay provision-node’s job at apply time.

Runner RBAC grants seitask-runner seinodes create (required for provision-node’s initial Create(SeiNode) fan-out) plus seinodes/status get for forward compatibility. Read verbs remain for selector fan-out and post-create waits.

Tests split bundled-template coverage: provisionnode validates both scenarios’ rpc.yaml.tmpl via renderNode; provisionsnd keeps genesis/validator SeiNetwork templates only and drops rpc.yaml.tmpl from its bundled test.

Reviewed by Cursor Bugbot for commit 1985129. Bugbot is set up for automated code reviews on this repo. Configure here.

cursor[bot]
cursor Bot reviewed Jun 18, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit c72d84c. Configure here.

Comment thread scenarios/load-test/rpc.yaml.tmpl
@bdchatham @claude
test(seitask): move rpc.yaml.tmpl render-clean guard to provisionnode
1985129 
The WS-C rewrite of scenarios/{load-test,release-test}/rpc.yaml.tmpl from
kind: SeiNetwork to kind: SeiNode broke provisionsnd's
TestBundledTemplates_RenderClean, which strict-unmarshals every bundled
template as a SeiNetwork (rendered SeiNode has top-level spec.chainId, an
unknown field on SeiNetworkSpec).

- provisionsnd test: drop the rpc.yaml.tmpl case — it only owns the
  SeiNetwork genesis/validator templates now.
- provisionnode test: add TestBundledTemplates_RenderClean covering both
  rpc.yaml.tmpl, asserting they render + strict-unmarshal as a SeiNode
  (spec.chainId set, spec.fullNode present).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@bdchatham bdchatham merged commit adca2d5 into main Jun 20, 2026
5 checks passed
@bdchatham bdchatham deleted the feat/wsc-seitask-scenario-templates branch June 20, 2026 15:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bdchatham