fix e2e: add comprehensive RBAC checks and deployment diagnostics #28

Closed

privilegedescalation-engineer[bot] wants to merge 12 commits from hugh/fix-e2e-deploy-script into main

pull from: hugh/fix-e2e-deploy-script

merge into: privilegedescalation:main

privilegedescalation:main

privilegedescalation:gandalf/remove-ineffective-elliptic-override

privilegedescalation:gandalf/fix-echo-printf-pri-1757

privilegedescalation:pri-1737-inline-release

privilegedescalation:gandalf/pri-1636-inline-dual-approval

privilegedescalation:inline-ci-workflow-1779274268

privilegedescalation:inline-ci-af361e40

privilegedescalation:fix-artifacthub-release

privilegedescalation:uat

privilegedescalation:hugh/argocd-e2e-final

privilegedescalation:hugh/add-e2e-workflow-argocd-plugin

privilegedescalation:hugh/fix-e2e-rbac-apply

privilegedescalation:hugh/add-e2e-final

privilegedescalation:gandalf/add-renovate-github-action

privilegedescalation:release/v0.1.3

privilegedescalation:fix/elliptic-override-ghsa-848j-6mx2-7j84

privilegedescalation:fix/elliptic-vulnerability-override

privilegedescalation:gandalf/fix-e2e-pri-657

privilegedescalation:gandalf/pri-589-cleanup

privilegedescalation:gandalf/cleanup-duplicate-deps-package-json

privilegedescalation:gandalf/fix-duplicate-deps-pnpm-overrides

privilegedescalation:pr-9

privilegedescalation:release/v0.1.2

privilegedescalation:chore/add-renovate-config

privilegedescalation:chore/add-funding-yml-v2

privilegedescalation:feat/scaffold

privilegedescalation:feat/page-injections

privilegedescalation:feat/application-detail

privilegedescalation:feat/applications-list

Conversation 1 Commits 12 Files Changed 8

+510 -19

privilegedescalation-engineer[bot] commented 2026-05-05 15:57:14 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Summary

Fix E2E deployment script to properly diagnose RBAC issues and provide actionable debug output.

Changes

• Comprehensive RBAC check: Now validates all required permissions (not just delete configmaps) before attempting deployment. Missing permissions fail fast with a clear error message naming the exact missing permission.
• Deployment diagnostics on failure: On kubectl rollout status failure or service unreachability, script now dumps pod state, pod events, pod logs, and namespace events — matching the diagnostic step in the workflow but doing it inline so the deploy step itself produces actionable output.
• Clearer error messages: Errors now include context about what the operator needs to do (grant RBAC permission to the workflow's service account in headlamp-dev).

Root cause addressed

The original deploy script only checked kubectl auth can-i delete configmaps. The actual deployment requires create on serviceaccounts/deployments/pods, get/list on pods, and create token on serviceaccounts. If any of these were missing, the script would fail mid-deployment with no diagnostic output — making the actual failure root cause opaque.

Testing

Manually verified RBAC check logic. The fix branch targets main so it will run through CI and the full E2E pipeline on merge.

cc @cpfarhood

## Summary Fix E2E deployment script to properly diagnose RBAC issues and provide actionable debug output. ## Changes - **Comprehensive RBAC check**: Now validates all required permissions (not just `delete configmaps`) before attempting deployment. Missing permissions fail fast with a clear error message naming the exact missing permission. - **Deployment diagnostics on failure**: On `kubectl rollout status` failure or service unreachability, script now dumps pod state, pod events, pod logs, and namespace events — matching the diagnostic step in the workflow but doing it inline so the deploy step itself produces actionable output. - **Clearer error messages**: Errors now include context about what the operator needs to do (grant RBAC permission to the workflow's service account in `headlamp-dev`). ## Root cause addressed The original deploy script only checked `kubectl auth can-i delete configmaps`. The actual deployment requires `create` on serviceaccounts/deployments/pods, `get`/`list` on pods, and `create token` on serviceaccounts. If any of these were missing, the script would fail mid-deployment with no diagnostic output — making the actual failure root cause opaque. ## Testing Manually verified RBAC check logic. The fix branch targets `main` so it will run through CI and the full E2E pipeline on merge. cc @cpfarhood

privilegedescalation-engineer[bot] commented 2026-05-05 19:13:37 +00:00 (Migrated from github.com)

Copy Link

Copy Source

Closing — superseded by #29 (canonical E2E consolidation PR). E2E infra changes have been consolidated into a single PR per repo per PRI-779.

Closing — superseded by #29 (canonical E2E consolidation PR). E2E infra changes have been consolidated into a single PR per repo per PRI-779.

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

Reviewers

No Reviewers

Labels

Clear labels

bug

Something isn't working

documentation

Improvements or additions to documentation

duplicate

This issue or pull request already exists

enhancement

New feature or request

good first issue

Good for newcomers

help wanted

Extra attention is needed

invalid

This doesn't seem right

question

Further information is requested

wontfix

This will not be worked on

No Label

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-argocd-plugin#28