fix: use headlamp-plugins-e2e namespace for E2E tests, revert workflow

headlamp-dev is Flux-managed (kustomization/headlamp-dev reconciles), causing E2E deployment conflicts and test failures. Use a dedicated headlamp-plugins-e2e namespace instead. Reverted .github/workflows/e2e.yaml — Hugh owns CI/CD; will file a child issue to update the workflow namespace.
Replace privilegedescalation-dev with headlamp-dev namespace
2026-05-05 03:10:42 +00:00 · 2026-05-05 01:47:25 +00:00 · 2026-05-05 01:09:30 +00:00 · 2026-05-05 00:50:35 +00:00 · 2026-05-05 00:35:48 +00:00 · 2026-05-05 00:26:32 +00:00
6 changed files with 50 additions and 67 deletions
@@ -11,7 +11,7 @@ permissions:
  contents: read

 # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# headlamp-dev cannot be shared across concurrent runs.
+# privilegedescalation-dev cannot be shared across concurrent runs.
 # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
 # runs may skip the if: always() teardown, leaving dangling cluster resources.
 concurrency:
@@ -19,7 +19,7 @@ concurrency:
  cancel-in-progress: false

 env:
-  E2E_NAMESPACE: headlamp-dev
+  E2E_NAMESPACE: privilegedescalation-dev
  E2E_RELEASE: headlamp-e2e
  # Pin to a known-good Headlamp version. Using :latest is risky because
  # the tag can change between CI runs, causing flaky failures when a newer
@@ -1,53 +0,0 @@
-{
-  "config": {
-    // Line length — not enforced for docs with code examples
-    "MD013": false,
-    // First line heading — files use YAML frontmatter, not headings
-    "MD041": false,
-    // Emphasis as heading — common pattern for Option 1/2/3 sections
-    "MD036": false,
-    // No duplicate heading — changelog files repeat section names intentionally
-    "MD024": false,
-    // Fenced code language — not always applicable for diagram blocks
-    "MD040": false,
-    // Table column style — table alignment is visual, not semantic
-    "MD060": false,
-    // Ordered list item prefix — number resets are intentional in documents
-    "MD029": false,
-    // No inline HTML — each elements are valid in valid Markdown
-    "MD033": false,
-    // List marker space — spacing after list markers varies by editor
-    "MD030": false,
-    // Blanks around headings — not always needed in compact docs
-    "MD022": false,
-    // Blanks around lists — not always needed in compact docs
-    "MD032": false,
-    // Blanks around fences — not always needed between adjacent blocks
-    "MD031": false,
-    // Multiple blanks — editor artifacts, not semantic
-    "MD012": false,
-    // Single title — files may have multiple H1 sections
-    "MD025": false,
-    // Trailing spaces — editor artifacts
-    "MD009": false,
-    // Bare URLs — URL shortening not always needed
-    "MD034": false,
-    // Single trailing newline — editor artifacts
-    "MD047": false,
-    // Trailing punctuation — heading punctuation is intentional
-    "MD026": false,
-    // Space in emphasis — double-asterisk bold spacing varies by renderer
-    "MD037": false,
-    // No hard tabs — some generated docs use tabs for indentation
-    "MD010": false,
-    // Code block style — generated docs may use inconsistent styles
-    "MD046": false,
-    // Comment style — generated docs have no comments
-    "MD048": false,
-    // Commands show output — shell examples intentionally show only commands
-    "MD014": false
-  },
-  "ignores": [
-    "docs/api-reference/generated/**"
-  ]
-}
@@ -1 +0,0 @@
-docs/api-reference/generated/**
@@ -0,0 +1,42 @@
+---
+# e2e-ci-runner-rbac.yaml
+#
+# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
+# permissions needed to deploy/teardown an E2E Headlamp instance in the
+# headlamp-plugins-e2e namespace.
+#
+# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.
+# This manifest is a reference copy in the plugin repo.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: headlamp-plugins-e2e
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "serviceaccounts", "events"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner
+  namespace: headlamp-plugins-e2e
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io
@@ -5,7 +5,7 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# E2E resources are deployed to the `headlamp-plugins-e2e` namespace. Nothing
 # persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
@@ -14,7 +14,7 @@
 #   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-plugins-e2e)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
 set -euo pipefail
@@ -22,7 +22,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"

-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"

@@ -59,15 +59,10 @@ kubectl create configmap headlamp-intel-gpu-plugin \
  --from-file=package.json="$REPO_ROOT/package.json"

 # --- Tear down any existing E2E deployment for a clean start ---
-# Deleting the Deployment forces a fresh pod (new ReplicaSet) regardless of
-# whether the pod spec changed. The ServiceAccount is also deleted for a clean
-# token state. The Service is NOT deleted — leaving it in place avoids an
-# Endpoints UID race (FailedToUpdateEndpoint) that causes DNS resolution
-# failures. kubectl apply below upserts the Service in-place, and the new
-# pod's IP is added to the existing Endpoints automatically.
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait

 # --- Deploy Headlamp via kubectl apply ---
@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-plugins-e2e)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail

 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"

-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"

 echo "=== E2E Headlamp Teardown ==="
Author	SHA1	Message	Date
Chris Farhood	f1aa256559	fix: use headlamp-plugins-e2e namespace for E2E tests, revert workflow headlamp-dev is Flux-managed (kustomization/headlamp-dev reconciles), causing E2E deployment conflicts and test failures. Use a dedicated headlamp-plugins-e2e namespace instead. Reverted .github/workflows/e2e.yaml — Hugh owns CI/CD; will file a child issue to update the workflow namespace.	2026-05-05 03:10:42 +00:00
Chris Farhood	8f998383eb	Replace privilegedescalation-dev with headlamp-dev namespace Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 01:47:25 +00:00
Chris Farhood	6fa4745aa1	docs: mark RBAC manifest as Flux-managed reference copy	2026-05-05 01:09:30 +00:00
Chris Farhood	8027e702d8	Fix RBAC manifest per QA review (PRI-554) - Remove rbac.authorization.k8s.io rule (create/delete on rolebindings was privilege escalation; no RBAC self-management needed) - Remove self-applying kubectl apply step from e2e workflow (runner cannot grant its own permissions; RBAC must be pre-applied via Flux from infra repo) Reviewed-by: Hugh Hackman	2026-05-05 00:50:35 +00:00
Chris Farhood	c815b2fd44	fix: remove create/delete on roles/rolebindings per QA review Removes privilege-escalation permissions from RBAC manifest per PRI-554 QA review. The rbac.authorization.k8s.io rule now grants only get/list/watch on rolebindings (needed for deploy script to verify existing bindings exist). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 00:35:48 +00:00
Chris Farhood	97ef7788e2	chore: re-trigger E2E with updated infra RBAC (infra fix applied)	2026-05-05 00:26:32 +00:00
Chris Farhood	4942692e64	fix: add roles/rolebindings permissions to RBAC manifest (PRI-550) kubectl apply requires get/list/watch on roles/rolebindings to check existing state before patching. Without these, apply fails with Forbidden on the GET call itself. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:40:05 +00:00
Chris Farhood	645cd742a1	fix: add RBAC apply step to E2E workflow (PRI-550) Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step to the E2E workflow before the deploy script runs. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:39:12 +00:00
Chris Farhood	2645b62290	Add RBAC manifest for E2E CI runner Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions needed to deploy/teardown an E2E Headlamp instance in privilegedescalation-dev. Fixes PRI-550. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:28:36 +00:00