ci(e2e): bump pinned runtime version from 1.17.3 to 1.17.7 #1645
Merged
The E2E - KinD non-HA matrix has been red for 10 days (since 2026-05-11). TestRenewCertificateMTLSEnabled hangs at the 25-minute suite timeout in the "Renew certificate which expires in less than 30 days" subtest.

Root cause: PR #1629 bumped github.com/dapr/dapr from v1.17.3 to a pseudo-version (commit f8d0f6142987, 2026-04-25) to pull in the workflow proto renames. That commit also includes #9598 (Sentry: Ed25519 for X.509 cert key generation, merged 2026-03-18). The CLI now generates Ed25519 root/issuer certs via bundle.GenerateX509().

The E2E pinned runtime was 1.17.3, whose sentry cannot parse Ed25519 keys -- it crashes on startup with "unsupported key type ed25519.PrivateKey" (a known issue documented in the 1.18 release notes as the "rollback floor is 1.17.7" caveat). After the cert renewal step, sentry crash-loops and the post-renewal `kubectl rollout status` call (which has no timeout) blocks until the 25-minute test alarm fires.

Bumping the pinned version to 1.17.7 -- the first stable release that includes the Ed25519 PEM-decoder fix (dapr/dapr#9904) -- aligns the E2E runtime with the minimum compatible sentry for a 1.18 CLI.

Only non-HA matrix legs were affected because TestRenewCertificateMTLSEnabled is skipped in HA mode (DaprModeNonHA guard at the top of the test).

Note: the unbounded `kubectl rollout status` in `restartControlPlaneService` is a separate latent bug that turned this incompatibility into a 25-min hang instead of a clean failure. Worth fixing in a follow-up.

Signed-off-by: Nelson Parente <nelson_parente@live.com.pt>
javier-aliaga approved these changes May 21, 2026
cicoyle approved these changes May 21, 2026
Summary

The `E2E - KinD` non-HA matrix has been red for 10 days (since 2026-05-11). Every scheduled run consistently fails with `panic: test timed out after 25m0s` in `TestRenewCertificateMTLSEnabled/Renew_certificate_which_expires_in_less_than_30_days`.

This bumps the pinned runtime version used by the E2E workflows from `1.17.3` → `1.17.7` to restore compatibility with the cert key algorithm the CLI now generates.

Root cause

#1629 bumped `github.com/dapr/dapr` from stable `v1.17.3` to pseudo-version `v1.17.0-rc.1.0.20260425162356-f8d0f6142987` to pull in the workflow proto renames. That commit (2026-04-25) sits after dapr/dapr#9598 ("Sentry: Use Ed25519 for X.509 certificate key generation", merged 2026-03-18). Through the transitive bump, `bundle.GenerateX509()` — called by `pkg/kubernetes/renew_certificate.go` — now produces Ed25519 root and issuer keys.

The E2E workflows hardcode `DAPR_RUNTIME_PINNED_VERSION: 1.17.3` for scheduled runs. Sentry 1.17.3 cannot parse Ed25519 trust-bundle keys; it crashes on startup with:

This is the documented incompatibility called out in the 1.18 release notes as the "rollback floor is 1.17.7" rule.

After cert renewal, sentry crash-loops, and the `--restart` post-step in `cmd/renew_certificate.go` calls `kubectl rollout status` with no timeout, so it blocks until the Go test alarm fires at 25 minutes.

Why only non-HA?

`TestRenewCertificateMTLSEnabled` has `if common.ShouldSkipTest(common.DaprModeNonHA) { t.Skip(...) }` at the top — it only runs in non-HA mode. HA matrix legs skip it and stay green.

Fix

Bump the pinned runtime to `1.17.7` — the first stable release that includes the Ed25519 PEM-decoder backport (dapr/dapr#9904) and is officially compatible with a 1.18-cycle CLI.

Applied to both:
`.github/workflows/kind_e2e.yaml`
`.github/workflows/self_hosted_e2e.yaml`

Follow-up (separate PR)

The `kubectl rollout status` call in `restartControlPlaneService` (`cmd/renew_certificate.go`) has no timeout, which is what turned this incompatibility into a 25-minute silent hang instead of a clean failure. Worth adding `--timeout=Xs` defense-in-depth.

Test plan

References

`tests/e2e/common/common.go:597` `GenerateNewCertAndRenew`
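
A pre-flight check for the incompatibility described above, as an added example (not code from the dapr CLI or from this PR): it reads the key type out of a PEM private key and refuses a pinned runtime below the 1.17.7 floor when that key is Ed25519, so the mismatch surfaces before renewal rather than as a sentry crash-loop. `keyType`, `checkRuntime` and `sampleKey` are hypothetical names; the example assumes the key is PKCS#8 PEM and the version is a stable x.y.z string (any suffix after the patch number is ignored).

```go
package main

import (
	"crypto/ed25519"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

const ed25519Floor = 1_017_007 // 1.17.7, the floor named on the page, as major*1e6+minor*1e3+patch

// keyType (hypothetical helper) returns the Go type of a PKCS#8 PEM private key.
func keyType(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", fmt.Errorf("no PEM block found")
	}
	key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%T", key), nil // e.g. "ed25519.PrivateKey"
}

// checkRuntime (hypothetical) fails fast when an Ed25519 key meets a runtime below the floor.
func checkRuntime(pemBytes []byte, runtime string) error {
	kt, err := keyType(pemBytes)
	if err != nil {
		return err
	}
	var major, minor, patch int
	if _, err := fmt.Sscanf(runtime, "%d.%d.%d", &major, &minor, &patch); err != nil {
		return fmt.Errorf("bad runtime version %q: %w", runtime, err)
	}
	if kt == "ed25519.PrivateKey" && major*1_000_000+minor*1_000+patch < ed25519Floor {
		return fmt.Errorf("runtime %s cannot load %s keys (floor 1.17.7)", runtime, kt)
	}
	return nil
}

// sampleKey builds a throwaway Ed25519 key as PKCS#8 PEM (constructed sample input).
func sampleKey() []byte {
	_, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
}

func main() {
	fmt.Println(checkRuntime(sampleKey(), "1.17.3"), checkRuntime(sampleKey(), "1.17.7"))
}
```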