fix(PRI-564): add eslint/prettier/typescript as direct devDeps

pnpm strict isolation (-frozen-lockfile) only exposes binaries from direct devDependencies. eslint, prettier, and typescript were transitive peers of @kinvolk/headlamp-plugin and not accessible in CI. - eslint: ^8.57.1 - prettier: ^3.0.0 - typescript: ^5.6.2
Reference shared infra RBAC in deployment scripts
2026-05-06 12:47:16 +00:00 · 2026-05-05 16:53:42 +00:00 · 2026-05-05 03:10:42 +00:00 · 2026-05-05 01:47:25 +00:00 · 2026-05-05 01:09:30 +00:00 · 2026-05-05 00:50:35 +00:00
6 changed files with 12059 additions and 20 deletions
@@ -10,14 +10,94 @@ on:
 permissions:
  contents: read

+# Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
+# privilegedescalation-dev cannot be shared across concurrent runs.
+# cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
+# runs may skip the if: always() teardown, leaving dangling cluster resources.
 concurrency:
  group: e2e-${{ github.repository }}
  cancel-in-progress: false

+env:
+  E2E_NAMESPACE: privilegedescalation-dev
+  E2E_RELEASE: headlamp-e2e
+  # Pin to a known-good Headlamp version. Using :latest is risky because
+  # the tag can change between CI runs, causing flaky failures when a newer
+  # image is pulled on some nodes but not others (IfNotPresent pull policy).
+  # Update this when Headlamp is upgraded in production (kube-system).
+  HEADLAMP_VERSION: v0.40.1
+
 jobs:
  e2e:
-    uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main
-    with:
-      node-version: '22'
-      headlamp-version: v0.40.1
-      e2e-namespace: headlamp-dev
+    runs-on: runners-privilegedescalation
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build plugin
+        run: npx @kinvolk/headlamp-plugin build
+
+      - name: Deploy E2E Headlamp instance
+        run: scripts/deploy-e2e-headlamp.sh
+
+      - name: Load E2E environment
+        run: |
+          if [ -f .env.e2e ]; then
+            cat .env.e2e >> "$GITHUB_ENV"
+          else
+            echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e"
+            exit 1
+          fi
+
+      - name: Install Playwright browsers
+        run: npx playwright install --with-deps chromium
+
+      - name: Run E2E tests
+        run: npm run e2e
+        env:
+          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
+          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
+
+      - name: Collect deployment diagnostics on failure
+        if: failure()
+        run: |
+          echo "=== Pod state ==="
+          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Pod describe ==="
+          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Recent namespace events ==="
+          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
+
+      - name: Teardown E2E instance
+        if: always()
+        run: scripts/teardown-e2e-headlamp.sh
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v7
+        if: failure()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v7
+        if: failure()
+        with:
+          name: test-results
+          path: test-results/
+          retention-days: 7
@@ -0,0 +1,12 @@
+---
+# RBAC for the GitHub Actions CI runner to manage E2E Headlamp instances.
+# CI-only test fixture — NOT for production use.
+#
+# This file is a REFERENCE ONLY. The canonical manifest lives in:
+#   privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
+#
+# The infra repo is managed by Flux GitOps and is the source of truth.
+# Do not apply this file directly — it is kept here for developer reference only.
+#
+# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.
@@ -36,16 +36,18 @@
    "@testing-library/jest-dom": "^6.4.8",
    "@testing-library/react": "^16.0.0",
    "@testing-library/user-event": "^14.5.2",
+    "eslint": "^8.57.1",
    "jsdom": "^24.0.0",
+    "prettier": "^3.0.0",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-router-dom": "^5.3.0",
+    "typescript": "^5.6.2",
    "vitest": "^3.0.5"
  },
  "overrides": {
    "tar": "^7.5.11",
    "undici": "^7.24.3",
-    "lodash": ">=4.18.0",
-    "elliptic": ">=6.6.1"
+    "lodash": ">=4.18.0"
  }
 }
@@ -5,16 +5,18 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# E2E resources are deployed to the `headlamp-plugins-e2e` namespace. Nothing
 # persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-#   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
+# The infra repo is the source of truth — do not apply this file directly.
+# Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-plugins-e2e)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
 set -euo pipefail
@@ -22,7 +24,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"

-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"

@@ -35,7 +37,7 @@ fi
 echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
 if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
-  echo "  Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
+  echo "  Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml" >&2
  exit 1
 fi

@@ -59,15 +61,10 @@ kubectl create configmap headlamp-intel-gpu-plugin \
  --from-file=package.json="$REPO_ROOT/package.json"

 # --- Tear down any existing E2E deployment for a clean start ---
-# Deleting the Deployment forces a fresh pod (new ReplicaSet) regardless of
-# whether the pod spec changed. The ServiceAccount is also deleted for a clean
-# token state. The Service is NOT deleted — leaving it in place avoids an
-# Endpoints UID race (FailedToUpdateEndpoint) that causes DNS resolution
-# failures. kubectl apply below upserts the Service in-place, and the new
-# pod's IP is added to the existing Endpoints automatically.
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait

 # --- Deploy Headlamp via kubectl apply ---
@@ -3,14 +3,17 @@
 #
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
+# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
+# The infra repo is the source of truth — do not apply this file directly.
+#
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-plugins-e2e)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail

 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"

-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"

 echo "=== E2E Headlamp Teardown ==="
Author	SHA1	Message	Date
Chris Farhood	4c1545d8e8	fix(PRI-564): add eslint/prettier/typescript as direct devDeps pnpm strict isolation (-frozen-lockfile) only exposes binaries from direct devDependencies. eslint, prettier, and typescript were transitive peers of @kinvolk/headlamp-plugin and not accessible in CI. - eslint: ^8.57.1 - prettier: ^3.0.0 - typescript: ^5.6.2	2026-05-06 12:47:16 +00:00
Chris Farhood	f74d1a8b5f	Reference shared infra RBAC in deployment scripts PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up) - deployment/e2e-ci-runner-rbac.yaml: replaced duplicate manifest with reference comment pointing to privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml - scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error message to reference infra path - scripts/teardown-e2e-headlamp.sh: added RBAC reference comment Infra RBAC is the source of truth managed by Flux GitOps. CI workflow unchanged (Hugh owns .github/workflows/).	2026-05-05 16:53:42 +00:00
Chris Farhood	f1aa256559	fix: use headlamp-plugins-e2e namespace for E2E tests, revert workflow headlamp-dev is Flux-managed (kustomization/headlamp-dev reconciles), causing E2E deployment conflicts and test failures. Use a dedicated headlamp-plugins-e2e namespace instead. Reverted .github/workflows/e2e.yaml — Hugh owns CI/CD; will file a child issue to update the workflow namespace.	2026-05-05 03:10:42 +00:00
Chris Farhood	8f998383eb	Replace privilegedescalation-dev with headlamp-dev namespace Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 01:47:25 +00:00
Chris Farhood	6fa4745aa1	docs: mark RBAC manifest as Flux-managed reference copy	2026-05-05 01:09:30 +00:00
Chris Farhood	8027e702d8	Fix RBAC manifest per QA review (PRI-554) - Remove rbac.authorization.k8s.io rule (create/delete on rolebindings was privilege escalation; no RBAC self-management needed) - Remove self-applying kubectl apply step from e2e workflow (runner cannot grant its own permissions; RBAC must be pre-applied via Flux from infra repo) Reviewed-by: Hugh Hackman	2026-05-05 00:50:35 +00:00
Chris Farhood	c815b2fd44	fix: remove create/delete on roles/rolebindings per QA review Removes privilege-escalation permissions from RBAC manifest per PRI-554 QA review. The rbac.authorization.k8s.io rule now grants only get/list/watch on rolebindings (needed for deploy script to verify existing bindings exist). Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-05 00:35:48 +00:00
Chris Farhood	97ef7788e2	chore: re-trigger E2E with updated infra RBAC (infra fix applied)	2026-05-05 00:26:32 +00:00
Chris Farhood	4942692e64	fix: add roles/rolebindings permissions to RBAC manifest (PRI-550) kubectl apply requires get/list/watch on roles/rolebindings to check existing state before patching. Without these, apply fails with Forbidden on the GET call itself. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:40:05 +00:00
Chris Farhood	645cd742a1	fix: add RBAC apply step to E2E workflow (PRI-550) Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step to the E2E workflow before the deploy script runs. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:39:12 +00:00
Chris Farhood	2645b62290	Add RBAC manifest for E2E CI runner Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions needed to deploy/teardown an E2E Headlamp instance in privilegedescalation-dev. Fixes PRI-550. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:28:36 +00:00