fix: use headlamp-plugins-e2e namespace for E2E tests, revert workflow

headlamp-dev is Flux-managed (kustomization/headlamp-dev reconciles), causing
E2E deployment conflicts and test failures. Use a dedicated headlamp-plugins-e2e
namespace instead. Reverted .github/workflows/e2e.yaml — Hugh owns CI/CD; will
file a child issue to update the workflow namespace.

.github/workflows/e2e.yaml

@@ -11,7 +11,7 @@ permissions:
   contents: read
 
 # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# headlamp-dev cannot be shared across concurrent runs.
+# privilegedescalation-dev cannot be shared across concurrent runs.
 # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
 # runs may skip the if: always() teardown, leaving dangling cluster resources.
 concurrency:
@@ -19,7 +19,7 @@ concurrency:
   cancel-in-progress: false
 
 env:
-  E2E_NAMESPACE: headlamp-dev
+  E2E_NAMESPACE: privilegedescalation-dev
   E2E_RELEASE: headlamp-e2e
   # Pin to a known-good Headlamp version. Using :latest is risky because
   # the tag can change between CI runs, causing flaky failures when a newer

.github/workflows/renovate.yml

@@ -1,14 +0,0 @@
-name: Renovate
-on:
-  schedule:
-    - cron: '0 3 * * *'
-  workflow_dispatch:
-jobs:
-  renovate:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: renovatebot/github-action@v40.3.0
-        with:
-          configurationFile: renovate.json
-          renovate-json5: true

deployment/e2e-ci-runner-rbac.yaml

@@ -0,0 +1,42 @@
+---
+# e2e-ci-runner-rbac.yaml
+#
+# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
+# permissions needed to deploy/teardown an E2E Headlamp instance in the
+# headlamp-plugins-e2e namespace.
+#
+# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.
+# This manifest is a reference copy in the plugin repo.
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: headlamp-plugins-e2e
+rules:
+  - apiGroups: [""]
+    resources: ["configmaps", "serviceaccounts", "events"]
+    verbs: ["get", "list", "create", "delete"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner
+  namespace: headlamp-plugins-e2e
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io

package.json

@@ -45,7 +45,6 @@
   "overrides": {
     "tar": "^7.5.11",
     "undici": "^7.24.3",
-    "lodash": ">=4.18.0",
+    "lodash": ">=4.18.0"
-    "elliptic": ">=6.6.1"
   }
 }

scripts/deploy-e2e-headlamp.sh

@@ -5,7 +5,7 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# E2E resources are deployed to the `headlamp-plugins-e2e` namespace. Nothing
 # persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
@@ -14,7 +14,7 @@
 #   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-plugins-e2e)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
 set -euo pipefail
@@ -22,7 +22,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
 
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
 
@@ -59,15 +59,10 @@ kubectl create configmap headlamp-intel-gpu-plugin \
   --from-file=package.json="$REPO_ROOT/package.json"
 
 # --- Tear down any existing E2E deployment for a clean start ---
-# Deleting the Deployment forces a fresh pod (new ReplicaSet) regardless of
-# whether the pod spec changed. The ServiceAccount is also deleted for a clean
-# token state. The Service is NOT deleted — leaving it in place avoids an
-# Endpoints UID race (FailedToUpdateEndpoint) that causes DNS resolution
-# failures. kubectl apply below upserts the Service in-place, and the new
-# pod's IP is added to the existing Endpoints automatically.
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 
 # --- Deploy Headlamp via kubectl apply ---

scripts/teardown-e2e-headlamp.sh

@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-plugins-e2e)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 
 echo "=== E2E Headlamp Teardown ==="