chore(matrix): derive CI scenario validation from filesystem

Eliminates the four coupling points called out in #6340 between data
under charts/<version>/test/ and the deploy-camunda Go CLI: adding or
removing a scenario, persistence layer, fixture, or pre-install script
no longer forces a CLI edit + rebuild.

Changes:
- scenarios.Validate(scenariosDir) discovers valid identity/persistence/
  platform/feature names from values/<sub>/*.yaml at call time, replacing
  three hardcoded slices that had already drifted from the filesystem.
  Per-version: a name accepted for 8.10 may now be rejected for 8.7 if
  the corresponding values file doesn't exist there.
- BuildDeploymentConfig takes scenariosDir and forwards it to Validate.
  Four production call sites already had the path on hand and pass it
  through.
- Shell completions and flag help text in cmd/{root,prepare_values}.go
  no longer carry duplicate hardcoded name lists; they discover via
  scenarios.List* + a chart-scan fallback.
- The orphan-file allowlist moves out of Go (lifecycle_allowlist.go,
  deleted) and into per-chart .orphan-allowlist.yaml under
  test/integration/scenarios/. Loader: matrix.LoadOrphanAllowlist.
  Adding an exempt file is a YAML edit + a one-line reason; no Go
  rebuild required. RegistryValidator and TestLifecycleFixtures both
  consume the loader and additionally assert that every allowlist entry
  matches an existing file (dead-entry guard).
- TestGenerate_PropagatesPreInstall no longer pins the rdbms scenario;
  it iterates every scenario whose config declares a pre-install hook
  and asserts the fixtures/script payload propagates to the Generate'd
  entry.
- TestLifecycleFixtures iterates chart-versions.yaml's ActiveVersions()
  (alpha + supportStandard) rather than every directory on disk;
  supportExtended series (8.3-8.6) and EOL series are skipped because
  they are not in the active CI matrix.

Closes #6340

Author: Ian-wang-liyang

charts/camunda-platform-8.10/test/integration/scenarios/.orphan-allowlist.yaml

@@ -0,0 +1,18 @@
+# Files in pre-setup-scripts/ and common/resources/ permitted to exist
+# without being referenced by any LifecycleHook in test/ci-test-config.yaml.
+# Loaded by scripts/deploy-camunda/matrix.LoadOrphanAllowlist.
+#
+# Adding an entry requires a one-line reason — reviewers should be able to
+# tell from a YAML diff alone why the exemption exists.
+pre-setup-scripts:
+  - name: pre-install-upgrade.sh
+    reason: sed-target marker for values uncommenting (alpha8 backcompat); not invoked by the matrix runner.
+  - name: create-opensearch-tls-secrets.sh
+    reason: helper sourced by pre-install-opensearch-self-signed*.sh; never invoked by the runner directly.
+common-resources:
+  - name: postgres-createdb-job.yaml
+    reason: fixture staged for the disabled rdbms-external scenario; kept to avoid a separate re-add PR when it is enabled.
+  - name: postgresql-cluster-tls.yaml
+    reason: applied by pre-install-rdbms-self-signed.sh via envsubst+kubectl, not via the runner's declarative fixtures pipeline.
+  - name: gateway-proxy-settings.yaml
+    reason: applied by post-deploy-gateway-keycloak.sh via envsubst+kubectl, not via the runner's declarative fixtures pipeline.

charts/camunda-platform-8.7/test/integration/scenarios/.orphan-allowlist.yaml

@@ -0,0 +1,11 @@
+# Files in pre-setup-scripts/ and common/resources/ permitted to exist
+# without being referenced by any LifecycleHook in test/ci-test-config.yaml.
+# Loaded by scripts/deploy-camunda/matrix.LoadOrphanAllowlist.
+#
+# Adding an entry requires a one-line reason — reviewers should be able to
+# tell from a YAML diff alone why the exemption exists.
+pre-setup-scripts:
+  - name: pre-install-upgrade.sh
+    reason: sed-target marker for values uncommenting (alpha8 backcompat); not invoked by the matrix runner.
+  - name: create-elasticsearch-tls-secrets.sh
+    reason: helper sourced by pre-install-elasticsearch-self-signed*.sh; never invoked by the runner directly.

charts/camunda-platform-8.8/test/integration/scenarios/.orphan-allowlist.yaml

@@ -0,0 +1,11 @@
+# Files in pre-setup-scripts/ and common/resources/ permitted to exist
+# without being referenced by any LifecycleHook in test/ci-test-config.yaml.
+# Loaded by scripts/deploy-camunda/matrix.LoadOrphanAllowlist.
+#
+# Adding an entry requires a one-line reason — reviewers should be able to
+# tell from a YAML diff alone why the exemption exists.
+pre-setup-scripts:
+  - name: pre-install-upgrade.sh
+    reason: sed-target marker for values uncommenting (alpha8 backcompat); not invoked by the matrix runner.
+  - name: create-elasticsearch-tls-secrets.sh
+    reason: helper sourced by pre-install-elasticsearch-self-signed-upgrade.sh; never invoked by the runner directly.

charts/camunda-platform-8.9/test/integration/scenarios/.orphan-allowlist.yaml

@@ -0,0 +1,14 @@
+# Files in pre-setup-scripts/ and common/resources/ permitted to exist
+# without being referenced by any LifecycleHook in test/ci-test-config.yaml.
+# Loaded by scripts/deploy-camunda/matrix.LoadOrphanAllowlist.
+#
+# Adding an entry requires a one-line reason — reviewers should be able to
+# tell from a YAML diff alone why the exemption exists.
+pre-setup-scripts:
+  - name: pre-install-upgrade.sh
+    reason: sed-target marker for values uncommenting (alpha8 backcompat); not invoked by the matrix runner.
+  - name: create-elasticsearch-tls-secrets.sh
+    reason: helper sourced by pre-install-elasticsearch-self-signed.sh; never invoked by the runner directly.
+common-resources:
+  - name: postgres-createdb-job.yaml
+    reason: fixture staged for the disabled rdbms-external scenario; kept to avoid a separate re-add PR when it is enabled.

scripts/camunda-core/pkg/scenarios/scenarios.go

@@ -50,42 +50,39 @@ type DeploymentConfig struct {
 	Flow         string // Deployment flow: install, upgrade-patch, upgrade-minor
 }
 
-// Validate checks that required fields are set and feature constraints are satisfied.
-func (c *DeploymentConfig) Validate() error {
+// Validate checks that required fields are set and feature constraints are
+// satisfied. The set of valid identity/persistence/platform/feature names is
+// discovered from the scenariosDir at call time — adding values/<dir>/foo.yaml
+// in a chart is sufficient to make `foo` a valid selection for that version,
+// with no code change required. A name accepted by one chart version may be
+// rejected by another if the corresponding values file does not exist there.
+func (c *DeploymentConfig) Validate(scenariosDir string) error {
 	if c.Identity == "" {
-		return errors.New("--identity is required (keycloak, oidc, auth0, basic, hybrid)")
+		return errors.New("--identity is required")
 	}
 	if c.Persistence == "" {
-		return errors.New("--persistence is required (elasticsearch, opensearch, rdbms, rdbms-external, rdbms-oracle)")
+		return errors.New("--persistence is required")
 	}
 	if c.Platform == "" {
-		return errors.New("--platform is required (gke, eks, openshift)")
+		return errors.New("--platform is required")
 	}
-
-	// Validate identity values
-	validIdentities := []string{"keycloak", "oidc", "auth0", "basic", "hybrid"}
-	if !contains(validIdentities, c.Identity) {
-		return fmt.Errorf("invalid --identity value %q: must be one of: %s", c.Identity, strings.Join(validIdentities, ", "))
+	if scenariosDir == "" {
+		return errors.New("scenariosDir is required for validation")
 	}
 
-	// Validate persistence values.
-	// Note: this list is global across chart versions. Some values resolve to
-	// values files that exist only in 8.10+ — `elasticsearch-self-signed`,
-	// `opensearch-self-signed`, `opensearch-self-signed-os-trust`,
-	// `rdbms-self-signed`. Selecting one of
-	// these against an older chart version passes Validate() but produces no
-	// persistence layer (ResolvePaths skips missing files), so the deploy
-	// proceeds with no TLS wiring. Treated as an 8.10-only scope intentionally;
-	// when 8.10 becomes the only supported series this comment can be removed.
-	validPersistence := []string{"elasticsearch", "elasticsearch-self-signed", "no-elasticsearch", "opensearch", "opensearch-embedded", "opensearch-self-signed", "opensearch-self-signed-os-trust", "rdbms", "rdbms-external", "rdbms-oracle", "rdbms-self-signed"}
-	if !contains(validPersistence, c.Persistence) {
-		return fmt.Errorf("invalid --persistence value %q: must be one of: %s", c.Persistence, strings.Join(validPersistence, ", "))
+	if err := validateAgainstDir(c.Identity, scenariosDir, IdentityDir, "--identity"); err != nil {
+		return err
 	}
-
-	// Validate platform values
-	validPlatforms := []string{"gke", "eks", "openshift"}
-	if !contains(validPlatforms, c.Platform) {
-		return fmt.Errorf("invalid --platform value %q: must be one of: %s", c.Platform, strings.Join(validPlatforms, ", "))
+	if err := validateAgainstDir(c.Persistence, scenariosDir, PersistenceDir, "--persistence"); err != nil {
+		return err
+	}
+	if err := validateAgainstDir(c.Platform, scenariosDir, PlatformDir, "--platform"); err != nil {
+		return err
+	}
+	for _, feature := range c.Features {
+		if err := validateAgainstDir(feature, scenariosDir, FeaturesDir, "--features"); err != nil {
+			return err
+		}
 	}
 
 	// Feature constraints
@@ -96,6 +93,28 @@ func (c *DeploymentConfig) Validate() error {
 	return nil
 }
 
+// validateAgainstDir confirms that <scenariosDir>/values/<subDir>/<name>.yaml
+// exists. Listing the directory contents (instead of stat-ing the single file)
+// lets the error message enumerate the actually-available choices, which is
+// the whole point of discovery-based validation. If the directory itself does
+// not exist, validation is skipped (the scenario does not declare a vocabulary
+// for this dimension, so any name is permissive); this matches ResolvePaths's
+// behaviour of silently skipping missing values files.
+func validateAgainstDir(name, scenariosDir, subDir, flag string) error {
+	dir := filepath.Join(scenariosDir, ValuesDir, subDir)
+	if _, err := os.Stat(dir); os.IsNotExist(err) {
+		return nil
+	}
+	available, err := listYamlFiles(dir)
+	if err != nil {
+		return fmt.Errorf("cannot list %s in %s: %w", subDir, scenariosDir, err)
+	}
+	if !contains(available, name) {
+		return fmt.Errorf("invalid %s value %q: must be one of: %s", flag, name, strings.Join(available, ", "))
+	}
+	return nil
+}
+
 // ResolvePaths returns the ordered list of values files based on the configuration.
 // Files are returned in order: base -> base modifiers -> identity -> persistence -> platform -> infra -> features -> migrator -> image-tags
 func (c *DeploymentConfig) ResolvePaths(scenariosDir string) ([]string, error) {
@@ -445,7 +464,7 @@ type BuilderOverrides struct {
 // prepare-values, dry-run, and coverage — goes through the same gate. This
 // prevents situations where a value (e.g. persistence: "no-elasticsearch") works
 // locally but fails in CI because only the CI path called Validate().
-func BuildDeploymentConfig(scenario string, ov BuilderOverrides) (*DeploymentConfig, error) {
+func BuildDeploymentConfig(scenario, scenariosDir string, ov BuilderOverrides) (*DeploymentConfig, error) {
 	cfg := MapScenarioToConfig(scenario)
 
 	// Apply non-zero overrides.
@@ -483,7 +502,7 @@ func BuildDeploymentConfig(scenario string, ov BuilderOverrides) (*DeploymentCon
 		cfg.ChartVersion = ov.ChartVersion
 	}
 
-	if err := cfg.Validate(); err != nil {
+	if err := cfg.Validate(scenariosDir); err != nil {
 		return nil, fmt.Errorf("deployment config validation failed for scenario %q: %w", scenario, err)
 	}
 

scripts/camunda-core/pkg/scenarios/scenarios_test.go

@@ -434,16 +434,45 @@ func TestDeploymentConfigValidate(t *testing.T) {
 		},
 	}
 
+	scenariosDir := makeFakeScenariosDir(t)
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			err := tt.config.Validate()
+			err := tt.config.Validate(scenariosDir)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("Validate() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
 	}
 }
 
+// makeFakeScenariosDir builds a values/ tree containing the names referenced
+// by the validation tests, and excluding the names that those tests assert
+// should be rejected (mongodb, opensearch-external, elasticsearch-external,
+// keycloak-external). Adding/removing a name here mirrors what a chart
+// maintainer would do by adding/removing a values file in a real chart.
+func makeFakeScenariosDir(t *testing.T) string {
+	t.Helper()
+	dir := t.TempDir()
+	tree := map[string][]string{
+		IdentityDir:    {"keycloak", "oidc", "auth0", "basic", "hybrid"},
+		PersistenceDir: {"elasticsearch", "elasticsearch-self-signed", "no-elasticsearch", "opensearch", "opensearch-embedded", "opensearch-self-signed", "opensearch-self-signed-os-trust", "rdbms", "rdbms-external", "rdbms-oracle", "rdbms-self-signed"},
+		PlatformDir:    {"gke", "eks", "openshift"},
+		FeaturesDir:    {"multitenancy", "rba", "documentstore", "mcp", "license", "tasklist-v1"},
+	}
+	for sub, names := range tree {
+		full := filepath.Join(dir, ValuesDir, sub)
+		if err := os.MkdirAll(full, 0o755); err != nil {
+			t.Fatalf("mkdir %s: %v", full, err)
+		}
+		for _, n := range names {
+			if err := os.WriteFile(filepath.Join(full, n+".yaml"), nil, 0o644); err != nil {
+				t.Fatalf("write %s: %v", n, err)
+			}
+		}
+	}
+	return dir
+}
+
 func TestDeploymentConfigResolvePaths(t *testing.T) {
 	// Create a temporary directory structure to test path resolution
 	tmpDir := t.TempDir()
@@ -889,7 +918,7 @@ func TestBuildDeploymentConfig_ImageTagsAutoDetection(t *testing.T) {
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			cfg, err := BuildDeploymentConfig("qa-elasticsearch", BuilderOverrides{
+			cfg, err := BuildDeploymentConfig("qa-elasticsearch", makeFakeScenariosDir(t), BuilderOverrides{
 				Identity:     "keycloak",
 				Persistence:  "elasticsearch",
 				Platform:     "gke",

scripts/deploy-camunda/cmd/prepare_values.go

@@ -7,7 +7,6 @@ import (
 	"path/filepath"
 	"scripts/camunda-core/pkg/logging"
 	"scripts/camunda-core/pkg/scenarios"
-	"scripts/deploy-camunda/config"
 	"scripts/deploy-camunda/deploy"
 	"scripts/prepare-helm-values/pkg/env"
 	"scripts/prepare-helm-values/pkg/values"
@@ -88,11 +87,11 @@ All diagnostic output goes to stderr via the logger.`,
 	f.StringVar(&pv.scenarioPath, "scenario-path", "", "Path to the scenario directory (e.g., chart-full-setup)")
 	f.StringVar(&pv.chartPath, "chart-path", "", "Path to the Camunda chart directory (used to derive scenario-path if not set)")
 	f.StringVar(&pv.scenario, "scenario", "chart-full-setup", "Scenario name (used to derive defaults from naming conventions)")
-	f.StringVar(&pv.identity, "identity", "", "Identity selection: keycloak, oidc, basic, hybrid")
-	f.StringVar(&pv.persistence, "persistence", "", "Persistence selection: elasticsearch, elasticsearch-self-signed, no-elasticsearch, opensearch, opensearch-embedded, opensearch-self-signed, opensearch-self-signed-os-trust, rdbms, rdbms-external, rdbms-oracle, rdbms-self-signed")
-	f.StringVar(&pv.testPlatform, "test-platform", "", "Test platform selection: gke, eks, openshift")
-	f.StringVar(&pv.platform, "platform", "gke", "Deploy platform: gke, rosa, eks (fallback for --test-platform)")
-	f.StringSliceVar(&pv.features, "features", nil, "Feature selections (comma-separated): multitenancy, rba, documentstore")
+	f.StringVar(&pv.identity, "identity", "", "Identity selection (one of values/identity/*.yaml under the scenario)")
+	f.StringVar(&pv.persistence, "persistence", "", "Persistence selection (one of values/persistence/*.yaml under the scenario)")
+	f.StringVar(&pv.testPlatform, "test-platform", "", "Test platform selection (one of values/platform/*.yaml under the scenario)")
+	f.StringVar(&pv.platform, "platform", "gke", "Deploy platform (fallback for --test-platform)")
+	f.StringSliceVar(&pv.features, "features", nil, "Feature selections, comma-separated (each one of values/features/*.yaml under the scenario)")
 	f.BoolVar(&pv.qa, "qa", false, "Enable QA configuration (test users, etc.)")
 	f.BoolVar(&pv.imageTags, "image-tags", false, "Enable image tag overrides from env vars")
 	f.BoolVar(&pv.upgradeFlow, "upgrade-flow", false, "Enable upgrade flow configuration")
@@ -105,18 +104,20 @@ All diagnostic output goes to stderr via the logger.`,
 	f.BoolVar(&pv.interactive, "interactive", false, "Enable interactive prompts for missing variables")
 	f.StringVarP(&pv.logLevel, "log-level", "l", "info", "Log level")
 
-	// Register completions for selection flags
+	// Selection completions: discovered from the scenario directory's values/
+	// tree at completion time (see discoverCompletions). Adding a values file
+	// in any chart is sufficient to make its name completable here.
 	_ = cmd.RegisterFlagCompletionFunc("identity", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		return []string{"keycloak", "oidc", "basic", "hybrid"}, cobra.ShellCompDirectiveNoFileComp
+		return discoverCompletions(cmd, scenarios.ListIdentities), cobra.ShellCompDirectiveNoFileComp
 	})
 	_ = cmd.RegisterFlagCompletionFunc("persistence", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		return []string{"elasticsearch", "elasticsearch-self-signed", "no-elasticsearch", "opensearch", "opensearch-embedded", "opensearch-self-signed", "opensearch-self-signed-os-trust", "rdbms", "rdbms-external", "rdbms-oracle", "rdbms-self-signed"}, cobra.ShellCompDirectiveNoFileComp
+		return discoverCompletions(cmd, scenarios.ListPersistence), cobra.ShellCompDirectiveNoFileComp
 	})
 	_ = cmd.RegisterFlagCompletionFunc("test-platform", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		return config.TestPlatforms, cobra.ShellCompDirectiveNoFileComp
+		return discoverCompletions(cmd, scenarios.ListPlatforms), cobra.ShellCompDirectiveNoFileComp
 	})
 	_ = cmd.RegisterFlagCompletionFunc("features", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
-		return completeMultiSelect(toComplete, []string{"multitenancy", "rba", "documentstore", "arm", "migrator"})
+		return completeMultiSelect(toComplete, discoverCompletions(cmd, scenarios.ListFeatures))
 	})
 	_ = cmd.RegisterFlagCompletionFunc("log-level", func(cmd *cobra.Command, args []string, toComplete string) ([]string, cobra.ShellCompDirective) {
 		return completeLogLevels(toComplete)
@@ -218,7 +219,7 @@ func runPrepareValuesLayered(pv *prepareValuesFlags, scenarioDir, outputDir stri
 		effectivePlatform = pv.platform
 	}
 
-	deployConfig, err := scenarios.BuildDeploymentConfig(pv.scenario, scenarios.BuilderOverrides{
+	deployConfig, err := scenarios.BuildDeploymentConfig(pv.scenario, scenarioDir, scenarios.BuilderOverrides{
 		Identity:     pv.identity,
 		Persistence:  pv.persistence,
 		Platform:     effectivePlatform,

scripts/deploy-camunda/cmd/prepare_values_test.go

@@ -19,6 +19,7 @@ func writeTempFile(t *testing.T, dir, name, content string) string {
 	return p
 }
 
+
 func captureStdout(t *testing.T, fn func() error) (string, error) {
 	t.Helper()
 	oldStdout := os.Stdout