fix(e2e): remove pods/log from RBAC to fix escalation error

The CI runner SA cannot grant permissions it doesn't hold. Adding pods/log caused: "attempting to grant RBAC permissions not currently held". Remove it to match the infra-managed Role. Co-Authored-By: Paperclip <noreply@paperclip.ing>
chore: trigger E2E workflow
2026-05-06 16:54:49 +00:00 · 2026-05-06 16:54:49 +00:00 · 2026-05-06 16:54:49 +00:00 · 2026-05-06 16:54:49 +00:00 · 2026-05-06 16:54:49 +00:00 · 2026-05-06 16:54:49 +00:00
4 changed files with 22 additions and 49 deletions
@@ -132,11 +132,7 @@ jobs:
      - name: Apply RBAC for E2E pipeline
        run: |
          set -x
-          echo "=== Verifying RBAC is available in headlamp-dev namespace ==="
-          kubectl get role e2e-ci-runner -n headlamp-dev && echo "Role e2e-ci-runner already exists" || echo "Role e2e-ci-runner not found"
-          kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev && echo "RoleBinding e2e-ci-runner-binding already exists" || echo "RoleBinding not found"
-          echo "Applying RBAC from deployment/e2e-ci-runner-rbac.yaml..."
-          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml || echo "apply returned exit code $?"
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
          echo "Waiting for RBAC propagation..."
          sleep 5
          kubectl get role e2e-ci-runner -n headlamp-dev
@@ -25,9 +25,6 @@ rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
-  - apiGroups: [""]
-    resources: ["pods/log"]
-    verbs: ["get"]
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
@@ -23,10 +23,22 @@
    "format": "prettier --write src/",
    "format:check": "prettier --check src/",
    "test": "vitest run",
-"test:watch": "vitest",
+    "test:watch": "vitest",
    "e2e": "playwright test",
    "e2e:headed": "playwright test --headed"
  },
+  "peerDependencies": {
+    "react": "^18.0.0",
+    "react-dom": "^18.0.0"
+  },
+  "pnpm": {
+    "overrides": {
+      "tar": "^7.5.11",
+      "undici": "^7.24.3",
+      "flatted": "^3.4.2",
+      "elliptic": ">=6.6.1"
+    }
+  },
  "devDependencies": {
    "@playwright/test": "^1.58.2",
    "@kinvolk/headlamp-plugin": "^0.13.0",
@@ -4,6 +4,12 @@ settings:
  autoInstallPeers: true
  excludeLinksFromLockfile: false

+overrides:
+  tar: ^7.5.11
+  undici: ^7.24.3
+  flatted: ^3.4.2
+  elliptic: '>=6.6.1'
+
 importers:

  .:
@@ -17,9 +23,6 @@ importers:
      '@mui/material':
        specifier: ^5.15.14
        version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
-      '@playwright/test':
-        specifier: ^1.58.2
-        version: 1.59.1
      '@testing-library/jest-dom':
        specifier: ^6.4.8
        version: 6.9.1
@@ -999,11 +1002,6 @@ packages:
    resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
    engines: {node: '>=14'}

-  '@playwright/test@1.59.1':
-    resolution: {integrity: sha512-PG6q63nQg5c9rIi4/Z5lR5IVF7yU5MqmKaPOe0HSc0O2cX1fPi96sUQu5j7eo4gKCkB2AnNGoWt7y4/Xx3Kcqg==}
-    engines: {node: '>=18'}
-    hasBin: true
-
  '@popperjs/core@2.11.8':
    resolution: {integrity: sha512-P1st0aksCrn9sGZhp8GMYwBnQsbvAWsZAX44oXNNvLHGqAOcoVxmjZiohstwQ7SqKnbR47akdNi+uleWD8+g6A==}

@@ -3085,11 +3083,6 @@ packages:
  fs.realpath@1.0.0:
    resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}

-  fsevents@2.3.2:
-    resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==}
-    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
-    os: [darwin]
-
  fsevents@2.3.3:
    resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==}
    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
@@ -4229,16 +4222,6 @@ packages:
    resolution: {integrity: sha512-NPE8TDbzl/3YQYY7CSS228s3g2ollTFnc+Qi3tqmqJp9Vg2ovUpixcJEo2HJScN2Ez+kEaal6y70c0ehqJBJeA==}
    engines: {node: '>=10'}

-  playwright-core@1.59.1:
-    resolution: {integrity: sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==}
-    engines: {node: '>=18'}
-    hasBin: true
-
-  playwright@1.59.1:
-    resolution: {integrity: sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==}
-    engines: {node: '>=18'}
-    hasBin: true
-
  possible-typed-array-names@1.1.0:
    resolution: {integrity: sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg==}
    engines: {node: '>= 0.4'}
@@ -6250,7 +6233,7 @@ snapshots:
      material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e)
      monaco-editor: 0.52.2
      msw: 2.4.9(typescript@5.6.2)
-      msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.2))
+      msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3))
      notistack: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
      path-browserify: 1.0.1
      prettier: 2.8.8
@@ -6645,10 +6628,6 @@ snapshots:
  '@pkgjs/parseargs@0.11.0':
    optional: true

-  '@playwright/test@1.59.1':
-    dependencies:
-      playwright: 1.59.1
-
  '@popperjs/core@2.11.8': {}

  '@reduxjs/toolkit@2.11.2(react-redux@9.2.0(@types/react@18.3.28)(react@18.3.1)(redux@5.0.1))(react@18.3.1)':
@@ -9207,9 +9186,6 @@ snapshots:

  fs.realpath@1.0.0: {}

-  fsevents@2.3.2:
-    optional: true
-
  fsevents@2.3.3:
    optional: true

@@ -10262,7 +10238,7 @@ snapshots:

  ms@2.1.3: {}

-  msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.2)):
+  msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.3)):
    dependencies:
      is-node-process: 1.2.0
      msw: 2.4.9(typescript@5.6.2)
@@ -10592,14 +10568,6 @@ snapshots:
    dependencies:
      find-up: 5.0.0

-  playwright-core@1.59.1: {}
-
-  playwright@1.59.1:
-    dependencies:
-      playwright-core: 1.59.1
-    optionalDependencies:
-      fsevents: 2.3.2
-
  possible-typed-array-names@1.1.0: {}

  postcss-modules-extract-imports@3.1.0(postcss@8.5.10):
Author	SHA1	Message	Date
Chris Farhood	5997fb5e7e	fix(e2e): remove pods/log from RBAC to fix escalation error The CI runner SA cannot grant permissions it doesn't hold. Adding pods/log caused: "attempting to grant RBAC permissions not currently held". Remove it to match the infra-managed Role. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-06 16:54:49 +00:00
Chris Farhood	420504a43d	chore: trigger E2E workflow	2026-05-06 16:54:49 +00:00
privilegedescalation-ceo[bot]	15069c368a	ci(e2e): trigger PR workflow check via API commit	2026-05-06 16:54:49 +00:00
Chris Farhood	9143847019	fix(e2e): add kubeconfig setup, RBAC, kubectl logs diagnostics - Add Get kubeconfig step (matches polaris pattern for ARC runners) - Add Apply RBAC for E2E pipeline step + deployment/e2e-ci-runner-rbac.yaml - Pin kubectl to latest (addresses azure/setup-kubectl@v4 Node.js 20 warning) - Add kubectl logs (current + previous) to failure diagnostics so pod crash root cause is visible in CI output Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-06 16:54:49 +00:00
Chris Farhood	5931220ee3	fix(e2e): set executable bit on deploy/teardown scripts Scripts were committed as 100644 which causes exit code 126 (Permission denied) when the CI runner tries to execute them. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-06 16:54:49 +00:00
Chris Farhood	fe158777ce	fix(e2e): use pnpm with proper detection and E2E_RELEASE config The argocd-plugin uses pnpm (packageManager: pnpm@10.32.1) but the original inline workflow used npm commands (npm ci, cache: npm). This caused the workflow to fail. Switch to pnpm detection and commands while preserving the E2E_RELEASE=headlamp-e2e-argocd setting required by the deploy script.	2026-05-06 16:54:49 +00:00
Chris Farhood	3e73cc376d	fix(e2e): use pnpm-capable reusable workflow The argocd plugin uses pnpm (packageManager: pnpm@10.32.1) but the inline workflow was using npm-based commands (npm ci, cache: npm). This caused 'Setup Node.js' to fail because setup-node@v6 with cache: npm has issues when no package-lock.json exists. Switch to the reusable plugin-e2e workflow which properly detects and uses pnpm for projects with pnpm-lock.yaml.	2026-05-06 16:54:22 +00:00
privilegedescalation-engineer[bot]	1c27b354af	Add @playwright/test devDependency	2026-05-06 16:54:22 +00:00
privilegedescalation-engineer[bot]	6cac81159d	Add playwright.config.ts	2026-05-06 16:53:59 +00:00
privilegedescalation-engineer[bot]	5b030e4c25	Add e2e/auth.setup.ts	2026-05-06 16:53:59 +00:00
privilegedescalation-engineer[bot]	fe8397172a	Add e2e/argocd.spec.ts	2026-05-06 16:53:59 +00:00
privilegedescalation-engineer[bot]	dc7a5fd23c	Add scripts/teardown-e2e-headlamp.sh	2026-05-06 16:53:59 +00:00
privilegedescalation-engineer[bot]	eb8b965e71	Add scripts/deploy-e2e-headlamp.sh	2026-05-06 16:53:59 +00:00
privilegedescalation-engineer[bot]	090943f7d9	Add .github/workflows/e2e.yaml	2026-05-06 16:53:59 +00:00
privilegedescalation-ceo[bot]	dedf6538c7	Merge pull request #26 from privilegedescalation/fix/elliptic-vulnerability-override fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 18:40:42 +00:00
Chris Farhood	0af4939d8e	chore: update pnpm lockfile for elliptic override Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 12:58:43 +00:00
Chris Farhood	c24e96da97	fix: override elliptic to patched version for GHSA-848j-6mx2-7j84	2026-05-05 12:51:05 +00:00