Enable parallel CI execution with cluster isolation and local testing support (#24)

* feat: Enable parallel CI execution with isolated infrastructure

Add atomic subnet allocation and cluster-specific resource isolation to
allow multiple CI jobs to run simultaneously without conflicts.

Key changes:
- Atomic subnet allocation with file locking (100.64.X.0/24 ranges)
- Cluster-specific BMC emulator ports (8000 + subnet_id)
- Unique storage pool paths per cluster
- Network isolation (bridges, libvirt networks)
- Comprehensive network diagnostics for troubleshooting
- Orphaned bridge cleanup and conflict detection
- Storage pool activation and management improvements
- Container lifecycle fixes for sushy-tools

Infrastructure reliability improvements:
- Handle "already active" storage pools gracefully
- Remove orphaned bridges from previous runs
- Add layer 2 network diagnostics (ebtables, arptables, nftables)
- Network initialization wait for ARP resolution
- Bridge IP assignment timeout handling
- Clean up dev-scripts -1 suffix pools
- Firewall rules for BMC endpoints

This enables parallel PR testing and nightly runs without resource
conflicts or cross-contamination between jobs.

* refactor: Standardize working directory handling across all scripts

Refactor all scripts to auto-construct WORKING_DIR from BASE_WORKING_DIR
when not explicitly set, enabling cluster-specific working directories.

This supports:
- Parallel CI execution (each cluster gets own directory)
- Local testing (explicit WORKING_DIR)
- CI environment (BASE_WORKING_DIR set, auto-construct path)
- Workflow steps with if: always() (work even if setup-working-dir failed)

Scripts updated with auto-construction pattern:
- get_landing_zone_ip.sh - Find Landing Zone IP from environment file
- generate_environment_json.sh - Create environment metadata
- generate_enclave_vars.sh - Generate Ansible variables
- install_enclave.sh - Enclave installation
- verify_landing_zone.sh - Landing Zone verification
- collect_ci_artifacts.sh - Artifact collection

Pattern: Auto-construct from BASE_WORKING_DIR + ENCLAVE_CLUSTER_NAME,
with appropriate fallbacks or errors for each script's needs.

* refactor: Move CI logic to Makefile and scripts for local testing

Refactor GitHub Actions workflows to use Makefile targets and scripts,
enabling full CI flow to run locally for development and debugging.

New scripts (dual-mode: local terminal + GitHub Actions):
- verify_cluster.sh - Cluster deployment verification
- verify_cleanup.sh - Infrastructure cleanup verification
- verify_networks.sh - Network infrastructure validation
- setup_working_dir.sh - Working directory setup
- collect_step_logs.sh - Log collection
- preflight_checks.sh - Environment validation
- generate_cluster_name.sh - Unique cluster naming

New Makefile targets:
- verify-cluster, verify-cleanup, verify-networks
- setup-working-dir, collect-step-logs
- preflight-checks, ci-flow-connected, ci-flow-disconnected

Workflow changes:
- Inline bash → make targets (e2e-deployment, infra-verify, nightlies)
- Remove setup-infrastructure action (direct make calls instead)
- Refactor preflight-checks action (delegate to script)
- Add allocate-subnet action usage
- Restore check-e2e-needed to pr-validation runner (intentional change)
- Restore e2e-deployment to enclave-large runner
- Restore infra-verify to enclave-small runner
- Un-comment "Clean existing infrastructure" step

Benefits:
- Run full CI locally: make ci-flow-connected
- Debug individual steps: make verify-cluster
- Test changes before CI: make environment && make provision-landing-zone
- Consistent logic: same code for CI and local

Documentation:
- docs/LOCAL_TESTING.md - Comprehensive local testing guide
- README.md - New Makefile targets section

Author: eliorerz

.github/actions/allocate-subnet/action.yml

@@ -0,0 +1,50 @@
+name: Allocate Subnet
+description: Allocate unique subnet for cluster to avoid IP conflicts in parallel CI runs
+
+outputs:
+  subnet-id:
+    description: 'Allocated subnet ID (2-254)'
+    value: ${{ steps.allocate.outputs.subnet-id }}
+
+runs:
+  using: composite
+  steps:
+    - name: Allocate unique subnet for cluster
+      id: allocate
+      shell: bash
+      run: |
+        echo "## Subnet Allocation" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "Allocating unique subnet for cluster: ${ENCLAVE_CLUSTER_NAME}" >> $GITHUB_STEP_SUMMARY
+
+        # Allocate subnet and get network configuration
+        # Use BASE_WORKING_DIR for shared allocation file across all clusters
+        # Script outputs environment variable assignments with all network details
+        ALLOCATION_OUTPUT=$(WORKING_DIR="${BASE_WORKING_DIR}" bash scripts/allocate_subnet.sh allocate)
+
+        if [ -z "$ALLOCATION_OUTPUT" ]; then
+          echo "❌ Failed to allocate subnet"
+          echo "❌ Failed to allocate subnet" >> $GITHUB_STEP_SUMMARY
+          exit 1
+        fi
+
+        # Source the environment variables from the script output
+        eval "$ALLOCATION_OUTPUT"
+
+        # Export to GitHub environment and outputs
+        echo "subnet-id=$ENCLAVE_SUBNET_ID" >> $GITHUB_OUTPUT
+        echo "ENCLAVE_SUBNET_ID=$ENCLAVE_SUBNET_ID" >> $GITHUB_ENV
+        echo "ENCLAVE_BMC_NETWORK=$ENCLAVE_BMC_NETWORK" >> $GITHUB_ENV
+        echo "ENCLAVE_CLUSTER_NETWORK=$ENCLAVE_CLUSTER_NETWORK" >> $GITHUB_ENV
+
+        # Output to console
+        echo "✅ Subnet allocated: ID $ENCLAVE_SUBNET_ID"
+        echo "  - BMC Network: $ENCLAVE_BMC_NETWORK"
+        echo "  - Cluster Network: $ENCLAVE_CLUSTER_NETWORK"
+
+        # Output to summary
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "✅ Subnet allocated: **ID $ENCLAVE_SUBNET_ID**" >> $GITHUB_STEP_SUMMARY
+        echo "- BMC Network: \`$ENCLAVE_BMC_NETWORK\`" >> $GITHUB_STEP_SUMMARY
+        echo "- Cluster Network: \`$ENCLAVE_CLUSTER_NETWORK\`" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY

.github/actions/preflight-checks/action.yml

@@ -27,79 +27,26 @@ runs:
   using: composite
   steps:
     - name: Run preflight checks
-      shell: bash {0}
+      shell: bash
       run: |
-        set +e  # Don't exit on first error, collect all failures
-        FAILED=0
-
-        echo "## ${{ inputs.title }}" | tee -a $GITHUB_STEP_SUMMARY
-        echo "" | tee -a $GITHUB_STEP_SUMMARY
-
-        # Check required environment variables
-        echo "### Environment Variables" | tee -a $GITHUB_STEP_SUMMARY
-
-        if [ -z "$DEV_SCRIPTS_PATH" ]; then
-          echo "❌ DEV_SCRIPTS_PATH not set" | tee -a $GITHUB_STEP_SUMMARY
-          FAILED=1
-        else
-          echo "✅ DEV_SCRIPTS_PATH: $DEV_SCRIPTS_PATH" | tee -a $GITHUB_STEP_SUMMARY
-        fi
-
-        if [ -z "$WORKING_DIR" ]; then
-          echo "❌ WORKING_DIR not set" | tee -a $GITHUB_STEP_SUMMARY
-          FAILED=1
-        else
-          echo "✅ WORKING_DIR: $WORKING_DIR" | tee -a $GITHUB_STEP_SUMMARY
-        fi
+        # Build arguments for the script based on inputs
+        ARGS="--title '${{ inputs.title }}'"
 
         if [ "${{ inputs.check-pull-secret }}" = "true" ]; then
-          if [ -z "$PULL_SECRET" ]; then
-            echo "❌ PULL_SECRET not set" | tee -a $GITHUB_STEP_SUMMARY
-            FAILED=1
-          else
-            echo "✅ PULL_SECRET: configured" | tee -a $GITHUB_STEP_SUMMARY
-          fi
+          ARGS="$ARGS --check-pull-secret"
         fi
 
-        if [ -n "${{ inputs.deployment-mode }}" ]; then
-          echo "✅ Deployment mode: ${{ inputs.deployment-mode }}" | tee -a $GITHUB_STEP_SUMMARY
-        fi
-
-        # Check system resources if requested
         if [ "${{ inputs.check-system-resources }}" = "true" ]; then
-          echo "" | tee -a $GITHUB_STEP_SUMMARY
-          echo "### System Resources" | tee -a $GITHUB_STEP_SUMMARY
-          TOTAL_RAM=$(free -g | awk '/^Mem:/{print $2}')
-          echo "✅ Total RAM: ${TOTAL_RAM}GB" | tee -a $GITHUB_STEP_SUMMARY
-
-          if [ -n "$WORKING_DIR" ]; then
-            AVAILABLE_DISK=$(df -h $WORKING_DIR 2>/dev/null | awk 'NR==2{print $4}')
-            if [ -n "$AVAILABLE_DISK" ]; then
-              echo "✅ Available disk space: $AVAILABLE_DISK" | tee -a $GITHUB_STEP_SUMMARY
-            fi
-          fi
+          ARGS="$ARGS --check-system-resources"
         fi
 
-        # Check libvirt access if requested
         if [ "${{ inputs.check-libvirt }}" = "true" ]; then
-          echo "" | tee -a $GITHUB_STEP_SUMMARY
-          echo "### Libvirt Access" | tee -a $GITHUB_STEP_SUMMARY
-          if sudo virsh list --all > /dev/null 2>&1; then
-            echo "✅ Libvirt access verified" | tee -a $GITHUB_STEP_SUMMARY
-          else
-            echo "❌ Cannot access libvirt" | tee -a $GITHUB_STEP_SUMMARY
-            FAILED=1
-          fi
+          ARGS="$ARGS --check-libvirt"
         fi
 
-        # Final status
-        if [ $FAILED -eq 0 ]; then
-          echo "" | tee -a $GITHUB_STEP_SUMMARY
-          echo "✅ All pre-flight checks passed" | tee -a $GITHUB_STEP_SUMMARY
-        else
-          echo "" | tee -a $GITHUB_STEP_SUMMARY
-          echo "❌ Pre-flight checks failed" | tee -a $GITHUB_STEP_SUMMARY
-          echo "" | tee -a $GITHUB_STEP_SUMMARY
-          echo "**Action Required**: Configure repository variables and secrets in Settings → Secrets and variables → Actions" | tee -a $GITHUB_STEP_SUMMARY
-          exit 1
+        if [ -n "${{ inputs.deployment-mode }}" ]; then
+          ARGS="$ARGS --deployment-mode '${{ inputs.deployment-mode }}'"
         fi
+
+        # Call the preflight checks script
+        eval "./scripts/preflight_checks.sh $ARGS"