fix(ci): retry kubectl wait for fresh CRD nil-status race (#500)

.github/actions/kind-cluster-setup/action.yml

@@ -115,8 +115,23 @@ runs:
       run: |
         kubectl apply -f \
           "https://github.com/prometheus-operator/prometheus-operator/v0.91.0/example/prometheus-operator-crd/monitoring.coreos.com_servicemonitors.yaml"
-        kubectl wait --for=condition=established \
-          crd/servicemonitors.monitoring.coreos.com --timeout=60s
+        # Retry-loop guards the fresh-CRD nil-status race (#500): a CRD's
+        # .status.conditions is nil for ~1-3s after `kubectl apply`, and
+        # `kubectl wait` errors immediately (not retries) with:
+        #   .status.conditions accessor error: <nil> is of the type <nil>,
+        #   expected []interface{}
+        # 30 attempts × (2s wait + 1s sleep) → ~90s ceiling, well above
+        # the observed 1-3s race window. Final wait outside the loop
+        # fails loud if the CRD never became established.
+        for _ in $(seq 1 30); do
+          if kubectl wait --for=condition=established --timeout=2s \
+               crd/servicemonitors.monitoring.coreos.com 2>/dev/null; then
+            break
+          fi
+          sleep 1
+        done
+        kubectl wait --for=condition=established --timeout=2s \
+          crd/servicemonitors.monitoring.coreos.com
 
     - name: Install Gatekeeper CRDs (pinned v3.18.2)
       # Reserved for future workflows that need to apply
@@ -130,8 +145,18 @@ runs:
       run: |
         kubectl apply -f \
           "https://github.com/open-policy-agent/gatekeeper/v3.18.2/deploy/gatekeeper.yaml"
-        kubectl wait --for=condition=established \
-          crd/constrainttemplates.templates.gatekeeper.sh --timeout=120s
+        # See ServiceMonitor block above for nil-status race rationale (#500).
+        # Gatekeeper's bundle ships more resources, so the 60-attempt ceiling
+        # (~3min) provides extra headroom over the 120s prior timeout.
+        for _ in $(seq 1 60); do
+          if kubectl wait --for=condition=established --timeout=2s \
+               crd/constrainttemplates.templates.gatekeeper.sh 2>/dev/null; then
+            break
+          fi
+          sleep 1
+        done
+        kubectl wait --for=condition=established --timeout=2s \
+          crd/constrainttemplates.templates.gatekeeper.sh
 
     - name: Install cert-manager CRDs (pinned v1.16.1)
       # Reserved for future tls.enabled=true install paths that
@@ -141,8 +166,16 @@ runs:
       run: |
         kubectl apply -f \
           "https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml"
+        # See ServiceMonitor block above for nil-status race rationale (#500).
         for crd in certificates.cert-manager.io \
                    issuers.cert-manager.io \
                    clusterissuers.cert-manager.io; do
-          kubectl wait --for=condition=established "crd/${crd}" --timeout=60s
+          for _ in $(seq 1 30); do
+            if kubectl wait --for=condition=established --timeout=2s \
+                 "crd/${crd}" 2>/dev/null; then
+              break
+            fi
+            sleep 1
+          done
+          kubectl wait --for=condition=established --timeout=2s "crd/${crd}"
         done