feat(scenarios): ConfigMap ownerReference + Workflow name templating (PR 7)

[bdchatham]

Two related cleanups to the major-upgrade scenario from PR 6.

Workstream

Follow-up to the SeiNodeTask MVP workstream (design merged at #277):

• PRs 1–5: shipped the MVP (feat(seinodetask): v1alpha1 CRD types (PR 1/5) #281, feat(seinodetask): reconciler + UpdateNodeImage task (PR 2/5) #283, feat(seinodetask): wire sidecar-backed kinds (PR 3/5) #285, feat(seitask-runner): orchestration binary + image + templates (PR 4/5) #286, feat(scenarios): major-upgrade Chaos Workflow + runbook (PR 5/5) #288, plus hotfix fix(crd): add seinodetasks to config/crd/kustomization.yaml #287)
• PR 6 (feat(scenarios): ConfigMap-based cross-step variable bridge (PR 6) #289): cross-step variable bridge — made the Workflow runnable
• PR 7 (this PR): ConfigMap ownerReference + Workflow name templating
• PR 8 (next): runner image release pipeline in .github/workflows/ecr.yml

Changes

1. Workflow CR name carries the run ID

Previously metadata.name: major-upgrade was hardcoded. Two parallel kubectl apply invocations would patch the same CR rather than create distinct runs, even when their ConfigMap names were distinct (the README's concurrent-runs claim only partially held).

Now: metadata.name: major-upgrade-$SEI_WORKFLOW_RUN_ID. Concurrent runs get genuinely separate Workflow CRs.

2. ConfigMap ownerReference → Workflow CR

compute-target-height now looks up the parent Workflow's UID via kubectl and stamps it onto the rendered ConfigMap's ownerReferences field (via kubectl patch --local --type=merge) before applying. blockOwnerDeletion: false so the ConfigMap never blocks Workflow deletion.

Deletion of the Workflow now cascades garbage-collection of the ConfigMap automatically via kube-controller-manager. No operator-managed cleanup, no ConfigMap accumulation across runs.

3. RBAC

runner/rbac.yaml gains one new verb: chaos-mesh.org/workflows: get. The seitask-runner SA needs this so compute-target-height can resolve the parent Workflow's UID.

4. README

• Cleanup section now reflects cascade-delete: kubectl delete workflow <name> removes the ConfigMap too.
• Known Limitations item feat: refactor CRD — replace stateSync with snapshotRestore, add replay mode #5 (deferred ConfigMap cleanup) is gone — handled by this PR.
• Concurrency caveats updated to reflect that Workflow names are now distinct per run.

Test plan

• yaml.safe_load_all parses both scenarios/major-upgrade.yaml and runner/rbac.yaml cleanly
• Workflow's metadata.name reflects $SEI_WORKFLOW_RUN_ID
• compute-target-height script flow: kubectl get workflow → kubectl create configmap → kubectl label → kubectl patch (ownerRefs) → kubectl apply
• Reviewers verify the kubectl patch --local --type=merge ownerReferences pattern works against an actual cluster (it's the cleanest YAML pipeline form; alternative is jq injection)
• Reviewers confirm blockOwnerDeletion: false is the right call (we don't want stale ConfigMaps blocking Workflow cleanup)

Runner binary unchanged. Only YAML + RBAC.

🤖 Generated with Claude Code

[cursor]

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.