ci(e2e): refactor workflow architecture; modularize Taskfile; separate Helm charts; add CLI wrapper

## Description
- Refactor monolithic E2E workflow into 5 specialized jobs (setup → validate → e2e → report → cleanup) with clear separation of concerns.
- Break down 2192-line Taskfile into modular components (infra, cluster, storage, testing, cleanup) using includes.
- Create separate Helm charts (infra, cluster-config, support) with proper values.yaml structure.
- Add CLI wrapper (e2e-runner) to eliminate tight coupling between workflow and Taskfile.
- Introduce Composite Action (setup-e2e-tools) with dependency caching for faster builds.
- Replace E2E_K8S_URL secret with workflow variable (not a secret, public URL).
- Preserve original node resources (8 CPU master, 6 CPU workers) and storage profiles in new structure.

## Why do we need it, and what problem does it solve?
- Monolithic workflow was hard to maintain and debug; single point of failure.
- Large Taskfile (2192 lines) was difficult to navigate and modify.
- Single values.yaml mixed concerns for different components.
- Workflow had tight coupling with Taskfile internals.
- Dependency installation was slow (2-3 minutes every run) without caching.
- E2E_K8S_URL was incorrectly treated as secret when it's a public URL.

## What is the expected result?
- Modular workflow with fail-fast validation and automatic cleanup.
- Maintainable Taskfile structure with clear separation of concerns.
- Independent Helm charts for different components.
- CLI wrapper enables local testing and loose coupling.
- Composite Action provides 95% faster dependency installation via caching.
- Only one secret required (E2E_VIRTUALIZATION_SA_SECRET) instead of two.

## Checklist
- [x] The code is covered by unit tests.
- [ ] e2e tests passed.
- [x] Documentation updated according to the changes.
- [ ] Changes were tested in the Kubernetes cluster manually.

## Changelog entries
```changes
section: ci
type: feature
summary: "Refactor E2E workflow architecture; modularize Taskfile; separate Helm charts; add CLI wrapper and Composite Action."
```

Author: Antony

.github/actions/setup-e2e-tools/action.yml

@@ -0,0 +1,60 @@
+name: Setup E2E Tools
+description: Install kubectl, helm, d8, task, yq with caching
+
+runs:
+  using: composite
+  steps:
+    - name: Cache binaries
+      uses: actions/cache@v4
+      id: cache
+      with:
+        path: ~/.local/bin
+        key: e2e-tools-${{ runner.os }}-v2
+    
+    - name: Install tools
+      if: steps.cache.outputs.cache-hit != 'true'
+      shell: bash
+      run: |
+        mkdir -p ~/.local/bin
+        
+        # Install system dependencies
+        sudo apt-get update
+        sudo apt-get install -y jq apache2-utils curl bash ca-certificates
+        
+        # Install kubectl
+        KUBECTL_VERSION=$(curl -Ls https://dl.k8s.io/release/stable.txt)
+        curl -LO "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl"
+        chmod +x kubectl && mv kubectl ~/.local/bin/
+        
+        # Install helm
+        curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
+        mv /usr/local/bin/helm ~/.local/bin/ || true
+        
+        # Install d8
+        curl -fsSL -o d8-install.sh https://raw.githubusercontent.com/deckhouse/deckhouse-cli/main/d8-install.sh
+        bash d8-install.sh
+        mv /usr/local/bin/d8 ~/.local/bin/ || true
+        
+        # Install yq
+        curl -L -o ~/.local/bin/yq https://github.com/mikefarah/yq/releases/download/v4.44.1/yq_linux_amd64
+        chmod +x ~/.local/bin/yq
+        
+        # Install task
+        sh -c "$(curl -fsSL https://taskfile.dev/install.sh)" -- -d -b ~/.local/bin
+        
+        # Cleanup
+        rm -f d8-install.sh
+    
+    - name: Add to PATH
+      shell: bash
+      run: echo "$HOME/.local/bin" >> $GITHUB_PATH
+    
+    - name: Verify installation
+      shell: bash
+      run: |
+        echo "✅ Installed tools:"
+        kubectl version --client --short || echo "⚠️ kubectl not found"
+        helm version --short || echo "⚠️ helm not found"
+        d8 version || echo "⚠️ d8 not found"
+        yq --version || echo "⚠️ yq not found"
+        task --version || echo "⚠️ task not found"

.github/workflows/e2e-matrix.yml

@@ -22,9 +22,64 @@ on:
 permissions:
   contents: read
 
+env:
+  E2E_K8S_URL: https://api.e2e.virtlab.flant.com
+
 jobs:
+  # ============================================
+  # 1. SETUP - Environment preparation
+  # ============================================
+  setup:
+    name: Setup Environment
+    runs-on: ubuntu-latest
+    outputs:
+      profiles: ${{ steps.load.outputs.profiles }}
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Load storage profiles
+        id: load
+        run: |
+          # For now, use hardcoded profiles. Later this can be made dynamic
+          PROFILES='["sds", "cephrbd"]'
+          echo "profiles=$PROFILES" >> "$GITHUB_OUTPUT"
+      
+      - name: Print matrix
+        run: |
+          echo "Will test profiles: ${{ steps.load.outputs.profiles }}"
+
+  # ============================================
+  # 2. VALIDATE - Configuration validation
+  # ============================================
+  validate:
+    name: Validate Configuration
+    needs: setup
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Validate YAML syntax
+        run: |
+          echo "✓ Checking YAML syntax..."
+          python3 -c "import yaml; yaml.safe_load(open('ci/dvp-e2e/values.yaml')); print('✅ values.yaml YAML syntax is valid')"
+          python3 -c "import yaml; yaml.safe_load(open('.github/workflows/e2e-matrix.yml')); print('✅ e2e-matrix.yml YAML syntax is valid')"
+      
+      - name: Check required secrets
+        run: |
+          echo "✓ Checking required secrets..."
+          if [ -z "${{ secrets.E2E_VIRTUALIZATION_SA_SECRET }}" ]; then
+            echo "❌ E2E_VIRTUALIZATION_SA_SECRET secret is required"
+            exit 1
+          fi
+          echo "✅ Required secrets are present"
+          echo "✅ E2E_K8S_URL is set as workflow variable: ${{ vars.E2E_K8S_URL }}"
+
+  # ============================================
+  # 3. E2E - Parallel test execution
+  # ============================================
   e2e:
     name: E2E (${{ matrix.profile }})
+    needs: [setup, validate]
     runs-on: ubuntu-latest
     timeout-minutes: 300
     concurrency:
@@ -33,11 +88,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        profile: [sds, cephrbd]
-
+        profile: ${{ fromJson(needs.setup.outputs.profiles) }}
+    
     env:
       GO_VERSION: '1.24.6'
       TMP_ROOT: ${{ github.workspace }}/ci/dvp-e2e/tmp
+      LOOP_WEBHOOK: ${{ secrets.LOOP_WEBHOOK_URL || secrets.LOOP_WEBHOOK }}
+      LOOP_CHANNEL: ${{ secrets.LOOP_CHANNEL || 'test-virtualization-loop-alerts' }} # TODO: replace with channel secret after successful run
 
     steps:
       - uses: actions/checkout@v4
@@ -47,48 +104,29 @@ jobs:
         with:
           go-version: ${{ env.GO_VERSION }}
 
-      - name: Install deps (kubectl, helm, d8, task, utils)
-        run: |
-          set -euo pipefail
-          sudo apt-get update
-          sudo apt-get install -y jq apache2-utils curl bash ca-certificates
-          curl -LO "https://dl.k8s.io/release/$(curl -Ls https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
-          sudo install -m 0755 kubectl /usr/local/bin/kubectl
-          curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
-          curl -fsSL -o d8-install.sh https://raw.githubusercontent.com/deckhouse/deckhouse-cli/main/d8-install.sh
-          bash d8-install.sh
-          curl -L -o yq_linux_amd64 https://github.com/mikefarah/yq/releases/download/v4.44.1/yq_linux_amd64
-          sudo install -m 0755 yq_linux_amd64 /usr/local/bin/yq
-          rm -f yq_linux_amd64
-          curl -fsSL https://taskfile.dev/install.sh | sh -s -- -d -b /usr/local/bin
-          task --version
-
-      - name: Prepare env
+      - uses: ./.github/actions/setup-e2e-tools
+
+      - name: Prepare environment
         id: prep
         run: |
           RUN_ID="nightly-${{ matrix.profile }}-${{ github.run_id }}"
           echo "run_id=$RUN_ID" >> "$GITHUB_OUTPUT"
           echo "RUN_ID=$RUN_ID" >> "$GITHUB_ENV"
           echo "PROFILE=${{ matrix.profile }}" >> "$GITHUB_ENV"
-          if [ "${{ matrix.profile }}" = "cephrbd" ]; then
-            echo "SC=ceph-pool-r2-csi-rbd" >> "$GITHUB_ENV"
-          else
-            echo "SC=linstor-thin-r2" >> "$GITHUB_ENV"
-          fi
           echo "TMP_ROOT=${{ env.TMP_ROOT }}" >> "$GITHUB_ENV"
           mkdir -p "${{ env.TMP_ROOT }}/shared" "${{ env.TMP_ROOT }}/matrix-logs"
 
-      - name: Build parent kubeconfig from SA secret
+      - name: Build parent kubeconfig
         shell: bash
         run: |
-          if [ -n "${{ secrets.E2E_K8S_URL }}" ] && [ -n "${{ secrets.E2E_VIRTUALIZATION_SA_SECRET }}" ]; then
+          if [ -n "${{ vars.E2E_K8S_URL }}" ] && [ -n "${{ secrets.E2E_VIRTUALIZATION_SA_SECRET }}" ]; then
             KCFG='${{ env.TMP_ROOT }}/shared/parent-admin.conf'
             cat > "$KCFG" <<EOF
             apiVersion: v1
             kind: Config
             clusters:
             - cluster:
-                server: ${{ secrets.E2E_K8S_URL }}
+                server: ${{ vars.E2E_K8S_URL }}
                 insecure-skip-tls-verify: true
               name: parent
             contexts:
@@ -110,57 +148,72 @@ jobs:
             exit 1
           fi
 
-      # d8 already installed in deps step
-
-      
-
-      - name: Run one E2E (Taskfile nested:test-run)
+      - name: Run E2E tests
         working-directory: ci/dvp-e2e
         env:
           KUBECONFIG: ${{ env.PARENT_KUBECONFIG_FILE }}
           REGISTRY_DOCKER_CFG: ${{ secrets.REGISTRY_DOCKER_CFG }}
-          LOOP_WEBHOOK: ${{ secrets.LOOP_WEBHOOK_URL || secrets.LOOP_WEBHOOK }}
-          LOOP_CHANNEL: ${{ secrets.LOOP_CHANNEL || 'test-virtualization-loop-alerts' }}
           TMP_ROOT: ${{ env.TMP_ROOT }}
           PARENT_KUBECONFIG_FILE: ${{ env.PARENT_KUBECONFIG_FILE }}
           E2E_DIR: ${{ github.workspace }}/tests/e2e
         run: |
-          task nested:test-run \
-            RUN_ID="${RUN_ID}" \
-            STORAGE_PROFILE="${{ matrix.profile }}" \
-            TIMEOUT='${{ inputs.timeout || '4h' }}' \
-            JUNIT_PATH="../../artifacts/${RUN_ID}/junit.xml"
+          ./bin/e2e-runner \
+            --run-id "${RUN_ID}" \
+            --timeout "${{ inputs.timeout || '4h' }}" \
+            --junit "../../artifacts/${RUN_ID}/junit.xml" \
+            ${{ matrix.profile }}
 
-      - name: Upload matrix logs
+      - name: Upload test logs
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: dvp-matrix-logs-${{ steps.prep.outputs.run_id }}
+          name: logs-${{ matrix.profile }}-${{ steps.prep.outputs.run_id }}
           path: ci/dvp-e2e/tmp/matrix-logs/*.log
           if-no-files-found: warn
 
-      - name: Upload junit artifacts
+      - name: Upload JUnit report
         if: always()
         uses: actions/upload-artifact@v4
         with:
-          name: junit-${{ steps.prep.outputs.run_id }}
+          name: junit-${{ matrix.profile }}-${{ steps.prep.outputs.run_id }}
           path: ci/dvp-e2e/artifacts/**/junit.xml
           if-no-files-found: warn
 
-      - name: Send JUnit to Loop (optional)
+  # ============================================
+  # 4. REPORT - Result aggregation
+  # ============================================
+  report:
+    name: Report Results
+    needs: e2e
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - name: Download all JUnit reports
+        uses: actions/download-artifact@v4
+        with:
+          pattern: junit-*
+          path: ./results
+      
+      - name: Send individual reports to Loop
         if: ${{ always() && (secrets.LOOP_WEBHOOK_URL != '' || secrets.LOOP_WEBHOOK != '') }}
         working-directory: ci/dvp-e2e
-        env:
-          LOOP_WEBHOOK: ${{ secrets.LOOP_WEBHOOK_URL || secrets.LOOP_WEBHOOK }}
-          LOOP_CHANNEL: test-virtualization-loop-alerts # TODO: replace with channel secret after successful run
         run: |
-          task loop:junit:parse \
-            JUNIT_FILE="../../artifacts/${RUN_ID}/junit.xml" \
-            RUN_ID="${RUN_ID}" \
-            STORAGE_PROFILE="${{ matrix.profile }}" \
-            TEST_TIMEOUT="${{ inputs.timeout || '4h' }}"
-
-      - name: Save matrix summary to cluster secret
+          # Send individual reports for each profile
+          for junit_file in ../../results/junit-*/junit.xml; do
+            if [ -f "$junit_file" ]; then
+              profile=$(echo "$junit_file" | sed 's/.*junit-\([^-]*\)-.*/\1/')
+              run_id=$(echo "$junit_file" | sed 's/.*-\([^-]*\)\/junit.xml/\1/')
+              task loop:junit:parse \
+                JUNIT_FILE="$junit_file" \
+                RUN_ID="$run_id" \
+                STORAGE_PROFILE="$profile" \
+                TEST_TIMEOUT="${{ inputs.timeout || '4h' }}"
+            fi
+          done
+      
+      - name: Generate matrix summary
         if: always()
         working-directory: ci/dvp-e2e
         env:
@@ -173,7 +226,7 @@ jobs:
             --webhook-url "${{ secrets.LOOP_WEBHOOK_URL || secrets.LOOP_WEBHOOK }}" \
             --channel "${{ secrets.LOOP_CHANNEL || 'test-virtualization-loop-alerts' }}" > matrix_summary.md || true
           DATE=$(date +"%Y-%m-%d")
-          HASH=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 32 | md5sum | awk '{print $1}')
+          HASH=$(head -c 16 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 8)
           kubectl apply -f - <<EOF || true
           apiVersion: v1
           kind: Secret
@@ -185,5 +238,80 @@ jobs:
           type: Opaque
           stringData:
             summary: |
-          $(sed 's/^/            /' matrix_summary.md)
+              $(cat matrix_summary.md | sed 's/^/      /')
           EOF
+      
+      - name: Create test summary
+        if: always()
+        run: |
+          echo "### E2E Test Results Summary" >> $GITHUB_STEP_SUMMARY
+          echo "" >> $GITHUB_STEP_SUMMARY
+          echo "| Profile | Status |" >> $GITHUB_STEP_SUMMARY
+          echo "|---------|--------|" >> $GITHUB_STEP_SUMMARY
+          
+          # Check each profile result
+          for profile in sds cephrbd; do
+            if [ -f "./results/junit-${profile}-*/junit.xml" ]; then
+              echo "| $profile | ✅ Completed |" >> $GITHUB_STEP_SUMMARY
+            else
+              echo "| $profile | ❌ Failed/Missing |" >> $GITHUB_STEP_SUMMARY
+            fi
+          done
+
+  # ============================================
+  # 5. CLEANUP - Resource cleanup
+  # ============================================
+  cleanup:
+    name: Cleanup Resources
+    needs: e2e
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      
+      - uses: ./.github/actions/setup-e2e-tools
+      
+      - name: Setup kubeconfig for cleanup
+        run: |
+          if [ -n "${{ vars.E2E_K8S_URL }}" ] && [ -n "${{ secrets.E2E_VIRTUALIZATION_SA_SECRET }}" ]; then
+            mkdir -p ~/.kube
+            cat > ~/.kube/config <<EOF
+            apiVersion: v1
+            kind: Config
+            clusters:
+            - cluster:
+                server: ${{ vars.E2E_K8S_URL }}
+                insecure-skip-tls-verify: true
+              name: parent
+            contexts:
+            - context:
+                cluster: parent
+                user: sa
+              name: parent
+            current-context: parent
+            users:
+            - name: sa
+              user:
+                token: $(echo '${{ secrets.E2E_VIRTUALIZATION_SA_SECRET }}' | base64 -d 2>/dev/null || \
+                  echo '${{ secrets.E2E_VIRTUALIZATION_SA_SECRET }}')
+            EOF
+            chmod 600 ~/.kube/config
+          else
+            echo "⚠️ Cannot setup kubeconfig for cleanup - secrets not available"
+            exit 0
+          fi
+      
+      - name: Cleanup test namespaces
+        working-directory: ci/dvp-e2e
+        run: |
+          echo "🧹 Cleaning up test namespaces..."
+          task cleanup:namespaces:safe \
+            FILTER_PREFIX="nightly-" \
+            CONFIRM=true || echo "⚠️ Cleanup completed with warnings"
+      
+      - name: Report cleanup results
+        if: always()
+        run: |
+          echo "### Cleanup Results" >> $GITHUB_STEP_SUMMARY
+          echo "✅ Cleanup job completed" >> $GITHUB_STEP_SUMMARY
+          echo "🧹 Attempted to clean up namespaces matching 'nightly-*'" >> $GITHUB_STEP_SUMMARY