fix(e2e): add waitForSidebar helper and networkidle waits for reliability

Add waitForSidebar helper function with explicit sidebar visibility wait and networkidle state to ensure page is fully loaded before assertions. This addresses flaky E2E tests where elements were not consistently found due to timing issues during page transitions.
Fix E2E workflow: use pnpm-capable reusable workflow branch
2026-05-05 06:50:21 +00:00 · 2026-05-05 06:10:20 +00:00 · 2026-05-05 05:14:47 +00:00
14 changed files with 444 additions and 251 deletions
@@ -4,7 +4,7 @@ on:
  push:
    branches: ['**']
  pull_request:
-    branches: [main, dev, uat]
+    branches: [main, dev]
  workflow_dispatch:

 permissions:
@@ -12,200 +12,4 @@ permissions:

 jobs:
  ci:
-    runs-on: ubuntu-latest
-    timeout-minutes: 10
-    container: node:22-slim
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v6
-
-      - name: Install Python
-        run: apt-get update && apt-get install -y --no-install-recommends python3 python3-yaml
-
-      - name: Validate artifacthub-pkg.yml
-        run: |
-          python3 - <<'EOF'
-          import sys, re
-          try:
-              import yaml
-          except ImportError:
-              print("::warning::PyYAML not available, skipping artifacthub-pkg.yml validation")
-              sys.exit(0)
-
-          try:
-              with open("artifacthub-pkg.yml") as f:
-                  pkg = yaml.safe_load(f)
-          except FileNotFoundError:
-              print("::error::artifacthub-pkg.yml not found")
-              sys.exit(1)
-          except yaml.YAMLError as e:
-              print(f"::error::artifacthub-pkg.yml is invalid YAML: {e}")
-              sys.exit(1)
-
-          errors = []
-
-          for field in ["version", "name", "description", "homeURL"]:
-              if not pkg.get(field):
-                  errors.append(f"Missing required field: {field}")
-
-          version = pkg.get("version", "")
-          if version and not re.match(r'^\d+\.\d+\.\d+$', str(version)):
-              errors.append(f"version '{version}' is not SemVer (expected X.Y.Z)")
-
-          annotations = pkg.get("annotations", {}) or {}
-          archive_url = annotations.get("headlamp/plugin/archive-url", "")
-          archive_checksum = annotations.get("headlamp/plugin/archive-checksum", "")
-
-          if not archive_url:
-              errors.append("Missing annotation: headlamp/plugin/archive-url")
-          if not archive_checksum:
-              errors.append("Missing annotation: headlamp/plugin/archive-checksum")
-          elif not re.match(r'^sha256:[0-9a-f]{64}$', str(archive_checksum)):
-              errors.append(f"archive-checksum has unexpected format: '{archive_checksum}' (expected sha256:<64 hex chars>)")
-
-          if errors:
-              for e in errors:
-                  print(f"::error::{e}")
-              sys.exit(1)
-
-          print(f"artifacthub-pkg.yml valid: name={pkg['name']} version={pkg['version']}")
-          EOF
-
-      - name: Detect package manager
-        id: pkg-manager
-        run: |
-          if [ -f "pnpm-lock.yaml" ]; then
-            echo "manager=pnpm" >> $GITHUB_OUTPUT
-            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
-            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
-          else
-            echo "manager=npm" >> $GITHUB_OUTPUT
-            echo "has_package_manager=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: '22'
-          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
-
-      - name: Setup pnpm (via Corepack, reads version from packageManager field)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
-        run: |
-          npm install -g corepack
-          corepack enable pnpm
-          corepack install
-
-      - name: Setup pnpm (version latest)
-        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
-        uses: pnpm/action-setup@v5
-        with:
-          run_install: false
-          version: latest
-
-      - name: Get pnpm store directory
-        id: pnpm-store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
-
-      - name: Cache pnpm store
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        uses: actions/cache@v5
-        with:
-          path: ${{ steps.pnpm-store.outputs.dir }}
-          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-pnpm-
-
-      - name: Validate pnpm lockfile freshness
-        if: steps.pkg-manager.outputs.manager == 'pnpm'
-        run: |
-          if [ ! -f "pnpm-lock.yaml" ]; then
-            echo "No pnpm-lock.yaml found, skipping lockfile freshness check"
-            exit 0
-          fi
-          if ! grep -q 'overrides:' pnpm-lock.yaml 2>/dev/null; then
-            echo "No overrides section in pnpm-lock.yaml, skipping lockfile freshness check"
-            exit 0
-          fi
-          echo "Detected pnpm-lock.yaml with overrides section. Checking lockfile freshness..."
-          ERR_FILE=$(mktemp)
-          if pnpm install --frozen-lockfile 2>&1 | tee "$ERR_FILE"; then
-            echo "Lockfile is fresh."
-          else
-            if grep -q "CONFIG_MISMATCH\|EBADLOCKFILE\|ERR_PNPM_LOCKFILE" "$ERR_FILE"; then
-              echo ""
-              echo "::error::pnpm-lock.yaml is out of sync with package.json overrides."
-              echo "::error::Run 'pnpm install' to regenerate the lockfile and commit the updated pnpm-lock.yaml."
-              rm -f "$ERR_FILE"
-              exit 1
-            fi
-            rm -f "$ERR_FILE"
-            echo "::warning::Install failed with a different error. Will retry in the Install dependencies step."
-          fi
-
-      - name: Install dependencies
-        run: |
-          max_attempts=3
-          attempt=1
-          while [ $attempt -le $max_attempts ]; do
-            echo "Attempt $attempt of $max_attempts"
-            if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-              pnpm install --frozen-lockfile && break
-            else
-              npm ci && break
-            fi
-            if [ $attempt -lt $max_attempts ]; then
-              echo "::warning::Install step failed on attempt $attempt. Retrying in 5 seconds..."
-              sleep 5
-            fi
-            attempt=$((attempt + 1))
-          done
-          if [ $attempt -gt $max_attempts ]; then
-            echo "::error::Install step failed after $max_attempts attempts."
-            exit 1
-          fi
-
-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Lint
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run lint
-          else
-            npm run lint
-          fi
-
-      - name: Type-check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run tsc
-          else
-            npm run tsc
-          fi
-
-      - name: Format check
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm run format:check
-          else
-            npm run format:check
-          fi
-
-      - name: Run tests
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            pnpm test
-          else
-            npm test
-          fi
-
-      - name: Security audit
-        run: |
-          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
-            npx audit-ci --pnpm --audit-level=high --config ./audit-ci.jsonc
-          else
-            npx audit-ci --npm --audit-level=high --config ./audit-ci.jsonc
-          fi
+    uses: privilegedescalation/.github/.github/workflows/plugin-ci.yaml@main
@@ -1,20 +0,0 @@
-name: Promotion Gate
-
-# Calls the shared promotion gate workflow.
-# dev PRs: no gate (engineer self-merges).
-# uat PRs: QA approval required.
-# main PRs: UAT approval required (uat→main promotions).
-
-on:
-  pull_request_review:
-    types: [submitted, dismissed]
-  pull_request:
-    branches: [uat, main]
-    types: [opened, reopened, synchronize]
-
-jobs:
-  promotion-gate:
-    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-    secrets: inherit
-    with:
-      pr_number: ${{ github.event.pull_request.number }}
@@ -0,0 +1,23 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+concurrency:
+  group: e2e-${{ github.repository }}
+  cancel-in-progress: false
+
+jobs:
+  e2e:
+    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@hugh/add-pnpm-support-plugin-e2e
+    with:
+      node-version: '22'
+      headlamp-version: v0.40.1
+      e2e-namespace: headlamp-dev
@@ -14,4 +14,10 @@ coverage/
 *.swo
 *~
 .vscode/
-.idea/
+.idea/
+
+# E2E
+e2e/.auth/
+.env.e2e
+playwright-report/
+test-results/
@@ -1,4 +1,4 @@
-version: "0.1.2"
+version: "0.1.0"
 name: headlamp-argocd
 displayName: ArgoCD Headlamp Plugin
 createdAt: "2026-04-21T00:00:00Z"
@@ -26,8 +26,8 @@ maintainers:
 provider:
  name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
-  headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.0/headlamp-argocd-0.1.0.tar.gz"
+  headlamp/plugin/archive-checksum: "sha256:1f4df43f79b795bdf4f70e1e3aa5bacadf689ea5584fdadf92fb677faab21c2c"
  headlamp/plugin/version-compat: ">=0.26"
  headlamp/plugin/distro-compat: "in-cluster"
 changes:
@@ -1,20 +0,0 @@
-{
-  // Allowlist for inherited dev-dependency CVEs from @kinvolk/headlamp-plugin
-  // CTO decision (PRI-854): these high-severity vulns are dev/build-time only,
-  // trace to @kinvolk/headlamp-plugin transitive deps (Picomatch, Vite, lodash),
-  // and do NOT ship in production plugin artifacts.
-  "allowlist": [
-    {
-      "id": "GHSA-hhpm-516h-p3p6",
-      "reason": "Picomatch ReDoS: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-36xf-7xpp-53w5",
-      "reason": "Vite arbitrary file read: devDependency only, does not ship in production plugin bundle"
-    },
-    {
-      "id": "GHSA-jf8v-p3pp-93qh",
-      "reason": "lodash code injection via _.template: devDependency only, does not ship in production plugin bundle"
-    }
-  ]
-}
@@ -0,0 +1,50 @@
+import { test, expect } from '@playwright/test';
+
+async function waitForSidebar(page: import('@playwright/test').Page) {
+  const sidebar = page.getByRole('navigation', { name: 'Navigation' });
+  await expect(sidebar).toBeVisible({ timeout: 15_000 });
+  await page.waitForLoadState('networkidle');
+  return sidebar;
+}
+
+test.describe('ArgoCD plugin smoke tests', () => {
+  test('sidebar contains ArgoCD entry', async ({ page }) => {
+    await page.goto('/');
+    const sidebar = await waitForSidebar(page);
+    await expect(sidebar.getByRole('button', { name: /argocd/i })).toBeVisible();
+  });
+
+  test('ArgoCD sidebar entry navigates to applications list', async ({ page }) => {
+    await page.goto('/');
+    const sidebar = await waitForSidebar(page);
+
+    const argocdEntry = sidebar.getByRole('button', { name: /argocd/i });
+    await expect(argocdEntry).toBeVisible();
+    await argocdEntry.click();
+
+    await page.waitForLoadState('networkidle');
+    await expect(page).toHaveURL(/argocd/);
+    await expect(page.getByRole('heading', { name: /argo.*cd.*applications/i })).toBeVisible();
+  });
+
+  test('applications list page renders', async ({ page }) => {
+    await page.goto('/c/main/argocd');
+    await waitForSidebar(page);
+
+    await expect(page.getByRole('heading', { name: /argo.*cd.*applications/i })).toBeVisible({
+      timeout: 15_000,
+    });
+
+    const hasTable = await page.locator('table').first().isVisible().catch(() => false);
+    const hasContent = await page.locator('text=/application|sync|health/i').first().isVisible().catch(() => false);
+    expect(hasTable || hasContent).toBe(true);
+  });
+
+  test('plugin settings page shows argocd plugin entry', async ({ page }) => {
+    await page.goto('/settings/plugins');
+    await page.waitForLoadState('networkidle');
+
+    const pluginEntry = page.locator('text=/argocd|argo.*cd/i').first();
+    await expect(pluginEntry).toBeVisible({ timeout: 30_000 });
+  });
+});
@@ -0,0 +1,69 @@
+import { test as setup, expect, Page } from '@playwright/test';
+
+const AUTH_STATE_PATH = 'e2e/.auth/state.json';
+
+async function authenticateWithOIDC(page: Page, username: string, password: string): Promise<void> {
+  await page.goto('/');
+  await page.waitForURL('**/login');
+
+  const popupPromise = page.waitForEvent('popup');
+  await page.getByRole('button', { name: /sign in/i }).click();
+  const popup = await popupPromise;
+
+  await popup.waitForLoadState('domcontentloaded');
+  await popup.waitForLoadState('networkidle');
+
+  const usernameField = popup.getByRole('textbox', { name: /email or username/i });
+  await usernameField.waitFor({ state: 'visible', timeout: 15_000 });
+  await usernameField.fill(username);
+  await popup.getByRole('button', { name: /log in/i }).click();
+
+  await popup.waitForLoadState('networkidle');
+  const passwordField = popup.getByRole('textbox', { name: /password/i });
+  await passwordField.waitFor({ state: 'visible', timeout: 15_000 });
+  await passwordField.fill(password);
+  await popup.getByRole('button', { name: /continue|log in/i }).click();
+
+  await popup.waitForEvent('close', { timeout: 15_000 });
+
+  await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({
+    timeout: 15_000,
+  });
+}
+
+async function authenticateWithToken(page: Page, token: string): Promise<void> {
+  await page.goto('/');
+  await page.waitForURL(/\/(login|token)$/);
+
+  if (page.url().includes('/login')) {
+    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
+    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
+    await useTokenBtn.click();
+    await page.waitForURL('**/token');
+  }
+
+  await page.getByRole('textbox', { name: /id token/i }).fill(token);
+  await page.getByRole('button', { name: /authenticate/i }).click();
+
+  await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({
+    timeout: 15_000,
+  });
+}
+
+setup('authenticate with Headlamp', async ({ page }) => {
+  const username = process.env.AUTHENTIK_USERNAME;
+  const password = process.env.AUTHENTIK_PASSWORD;
+  const token = process.env.HEADLAMP_TOKEN;
+
+  if (username && password) {
+    await authenticateWithOIDC(page, username, password);
+  } else if (token) {
+    await authenticateWithToken(page, token);
+  } else {
+    throw new Error(
+      'Set AUTHENTIK_USERNAME + AUTHENTIK_PASSWORD for OIDC auth, or HEADLAMP_TOKEN for token auth'
+    );
+  }
+
+  await page.context().storageState({ path: AUTH_STATE_PATH });
+});
@@ -1,6 +1,6 @@
 {
  "name": "@privilegedescalation/headlamp-argocd-plugin",
-  "version": "0.1.2",
+  "version": "0.1.0",
  "description": "Headlamp plugin for ArgoCD visibility — monitors ArgoCD Applications, Rollouts, and health status",
  "repository": {
    "type": "git",
@@ -23,7 +23,9 @@
    "format": "prettier --write src/",
    "format:check": "prettier --check src/",
    "test": "vitest run",
-    "test:watch": "vitest"
+    "test:watch": "vitest",
+    "e2e": "playwright test",
+    "e2e:headed": "playwright test --headed"
  },
  "peerDependencies": {
    "react": "^18.0.0",
@@ -33,13 +35,13 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2",
-      "elliptic": ">=6.6.1"
+      "flatted": "^3.4.2"
    }
  },
  "devDependencies": {
    "@kinvolk/headlamp-plugin": "^0.13.0",
    "@mui/material": "^5.15.14",
+    "@playwright/test": "^1.58.2",
    "@testing-library/jest-dom": "^6.4.8",
    "@testing-library/react": "^16.0.0",
    "@testing-library/user-event": "^14.5.2",
@@ -0,0 +1,27 @@
+import { defineConfig, devices } from '@playwright/test';
+
+export default defineConfig({
+  testDir: './e2e',
+  timeout: 30_000,
+  expect: { timeout: 10_000 },
+  fullyParallel: false,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 1 : 0,
+  reporter: 'list',
+  use: {
+    baseURL: process.env.HEADLAMP_URL || (() => { throw new Error('HEADLAMP_URL is required — run scripts/deploy-e2e-headlamp.sh first'); })(),
+    trace: 'on-first-retry',
+    screenshot: 'only-on-failure',
+  },
+  projects: [
+    { name: 'setup', testMatch: /auth\.setup\.ts/, timeout: 60_000 },
+    {
+      name: 'chromium',
+      use: {
+        ...devices['Desktop Chrome'],
+        storageState: 'e2e/.auth/state.json',
+      },
+      dependencies: ['setup'],
+    },
+  ],
+});
@@ -8,7 +8,6 @@ overrides:
  tar: ^7.5.11
  undici: ^7.24.3
  flatted: ^3.4.2
-  elliptic: '>=6.6.1'

 importers:

@@ -23,6 +22,9 @@ importers:
      '@mui/material':
        specifier: ^5.15.14
        version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@playwright/test':
+        specifier: ^1.58.2
+        version: 1.59.1
      '@testing-library/jest-dom':
        specifier: ^6.4.8
        version: 6.9.1
@@ -1002,6 +1004,11 @@ packages:
    resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
    engines: {node: '>=14'}

+  '@playwright/test@1.59.1':
+    resolution: {integrity: sha512-PG6q63nQg5c9rIi4/Z5lR5IVF7yU5MqmKaPOe0HSc0O2cX1fPi96sUQu5j7eo4gKCkB2AnNGoWt7y4/Xx3Kcqg==}
+    engines: {node: '>=18'}
+    hasBin: true
+
  '@popperjs/core@2.11.8':
    resolution: {integrity: sha512-P1st0aksCrn9sGZhp8GMYwBnQsbvAWsZAX44oXNNvLHGqAOcoVxmjZiohstwQ7SqKnbR47akdNi+uleWD8+g6A==}

@@ -3083,6 +3090,11 @@ packages:
  fs.realpath@1.0.0:
    resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}

+  fsevents@2.3.2:
+    resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==}
+    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
+    os: [darwin]
+
  fsevents@2.3.3:
    resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==}
    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
@@ -4222,6 +4234,16 @@ packages:
    resolution: {integrity: sha512-NPE8TDbzl/3YQYY7CSS228s3g2ollTFnc+Qi3tqmqJp9Vg2ovUpixcJEo2HJScN2Ez+kEaal6y70c0ehqJBJeA==}
    engines: {node: '>=10'}

+  playwright-core@1.59.1:
+    resolution: {integrity: sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  playwright@1.59.1:
+    resolution: {integrity: sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==}
+    engines: {node: '>=18'}
+    hasBin: true
+
  possible-typed-array-names@1.1.0:
    resolution: {integrity: sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg==}
    engines: {node: '>= 0.4'}
@@ -6628,6 +6650,10 @@ snapshots:
  '@pkgjs/parseargs@0.11.0':
    optional: true

+  '@playwright/test@1.59.1':
+    dependencies:
+      playwright: 1.59.1
+
  '@popperjs/core@2.11.8': {}

  '@reduxjs/toolkit@2.11.2(react-redux@9.2.0(@types/react@18.3.28)(react@18.3.1)(redux@5.0.1))(react@18.3.1)':
@@ -9186,6 +9212,9 @@ snapshots:

  fs.realpath@1.0.0: {}

+  fsevents@2.3.2:
+    optional: true
+
  fsevents@2.3.3:
    optional: true

@@ -10568,6 +10597,14 @@ snapshots:
    dependencies:
      find-up: 5.0.0

+  playwright-core@1.59.1: {}
+
+  playwright@1.59.1:
+    dependencies:
+      playwright-core: 1.59.1
+    optionalDependencies:
+      fsevents: 2.3.2
+
  possible-typed-array-names@1.1.0: {}

  postcss-modules-extract-imports@3.1.0(postcss@8.5.10):
@@ -1,4 +0,0 @@
-{
-  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>privilegedescalation/.github:renovate-config"]
-}
@@ -0,0 +1,182 @@
+#!/usr/bin/env bash
+# deploy-e2e-headlamp.sh
+#
+# Deploys a stock Headlamp instance with the argocd plugin loaded via
+# a ConfigMap volume mount.
+#
+# Environment:
+#   E2E_NAMESPACE     — namespace (default: headlamp-dev)
+#   E2E_RELEASE       — release name prefix (default: headlamp-e2e)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="$REPO_ROOT/dist"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
+
+if [ ! -d "$DIST_DIR" ]; then
+  echo "ERROR: dist/ not found. Run 'pnpm build' first." >&2
+  exit 1
+fi
+
+echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
+  exit 1
+fi
+
+echo "=== E2E Headlamp Deployment ==="
+echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+echo ""
+echo "Creating ConfigMap with plugin files..."
+
+kubectl delete configmap headlamp-argocd-plugin \
+  -n "$E2E_NAMESPACE" --ignore-not-found
+
+kubectl create configmap headlamp-argocd-plugin \
+  -n "$E2E_NAMESPACE" \
+  --from-file="$DIST_DIR" \
+  --from-file=package.json="$REPO_ROOT/package.json"
+
+echo ""
+echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+
+echo ""
+echo "Deploying Headlamp E2E instance..."
+
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: ${E2E_RELEASE}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: ${E2E_RELEASE}
+    spec:
+      serviceAccountName: ${E2E_RELEASE}
+      automountServiceAccountToken: true
+      securityContext: {}
+      containers:
+        - name: headlamp
+          image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            runAsUser: 100
+            runAsGroup: 101
+          args:
+            - "-in-cluster"
+            - "-in-cluster-context-name=main"
+            - "-plugins-dir=/headlamp/plugins"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          volumeMounts:
+            - name: argocd-plugin
+              mountPath: /headlamp/plugins/headlamp-argocd
+              readOnly: true
+      volumes:
+        - name: argocd-plugin
+          configMap:
+            name: headlamp-argocd-plugin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+EOF
+
+echo "Waiting for rollout..."
+kubectl rollout status "deployment/${E2E_RELEASE}" \
+  -n "$E2E_NAMESPACE" --timeout=120s
+
+SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
+
+echo ""
+echo "Waiting for ${SVC_URL} to be reachable..."
+ATTEMPTS=0
+MAX_ATTEMPTS=24
+until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do
+  ATTEMPTS=$((ATTEMPTS + 1))
+  if [ "$ATTEMPTS" -ge "$MAX_ATTEMPTS" ]; then
+    echo "ERROR: ${SVC_URL} not reachable after $((MAX_ATTEMPTS * 5))s" >&2
+    exit 1
+  fi
+  echo "  [${ATTEMPTS}/${MAX_ATTEMPTS}] not yet reachable, retrying in 5s..."
+  sleep 5
+done
+echo ""
+echo "E2E Headlamp is ready at: ${SVC_URL}"
+
+echo ""
+echo "Creating service account token for E2E auth..."
+kubectl create serviceaccount headlamp-e2e-test \
+  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+
+TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
+if [ -n "$TOKEN" ]; then
+  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
+  echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
+  echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
+else
+  echo "  WARNING: Could not generate token."
+fi
+
+echo ""
+echo "E2E deployment complete."
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# teardown-e2e-headlamp.sh
+#
+# Tears down the dedicated E2E Headlamp instance.
+#
+# Environment:
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
+#   E2E_RELEASE    — release name prefix (default: headlamp-e2e)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
+
+echo "=== E2E Headlamp Teardown ==="
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+echo "Removing Headlamp Deployment, Service, and ServiceAccount..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+
+echo "Cleaning up ConfigMap..."
+kubectl delete configmap headlamp-argocd-plugin -n "$E2E_NAMESPACE" --ignore-not-found
+
+echo "Cleaning up test service account..."
+kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
+
+if [ -f "$REPO_ROOT/.env.e2e" ]; then
+  rm "$REPO_ROOT/.env.e2e"
+  echo "Removed .env.e2e"
+fi
+
+echo ""
+echo "E2E teardown complete."