diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 49ab07f..37f33a9 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -11,7 +11,7 @@ permissions:
 contents: read
 # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# headlamp-dev cannot be shared across concurrent runs.
+# privilegedescalation-dev cannot be shared across concurrent runs.
 # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
 # runs may skip the if: always() teardown, leaving dangling cluster resources.
 concurrency:
@@ -19,7 +19,7 @@ concurrency:
 cancel-in-progress: false
 env:
- E2E_NAMESPACE: headlamp-dev
+ E2E_NAMESPACE: privilegedescalation-dev
 E2E_RELEASE: headlamp-e2e
 # Pin to a known-good Headlamp version. Using :latest is risky because
 # the tag can change between CI runs, causing flaky failures when a newer
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
new file mode 100644
index 0000000..4f5aa3c
--- /dev/null
+++ b/deployment/e2e-ci-runner-rbac.yaml
@@ -0,0 +1,12 @@
+---
+# RBAC for the GitHub Actions CI runner to manage E2E Headlamp instances.
+# CI-only test fixture — NOT for production use.
+#
+# This file is a REFERENCE ONLY. The canonical manifest lives in:
+# privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
+#
+# The infra repo is managed by Flux GitOps and is the source of truth.
+# Do not apply this file directly — it is kept here for developer reference only.
+#
+# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 783c758..e3bbbb8 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
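Review bot: `E2E_NAMESPACE: privilegedescalation-dev` in the `env:` hunk of .github/workflows/e2e.yaml does not match the fallback this same commit introduces in scripts/deploy-e2e-headlamp.sh and scripts/teardown-e2e-headlamp.sh, which becomes `headlamp-plugins-e2e`. CI sets the variable, so the workflow run is consistent, but any run of the scripts without E2E_NAMESPACE exported will act on a namespace that neither the workflow nor deployment/e2e-ci-runner-rbac.yaml mentions. Teardown is the riskier half, since it presumably deletes resources in whatever namespace it resolves. If `privilegedescalation-dev` is the intended target, the script defaults and their header comments should read `${E2E_NAMESPACE:-privilegedescalation-dev}`; otherwise this line and the RBAC reference file should name `headlamp-plugins-e2e`.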
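Review bot: deployment/e2e-ci-runner-rbac.yaml is described as a reference copy but contains only comments, so the permissions granted to the CI runner cannot be reviewed from this repository. The only permission the visible scripts verify is `delete configmaps` (the `kubectl auth can-i` check in scripts/deploy-e2e-headlamp.sh), which says little about the full grant. Either drop the stub and keep the pointer in the script headers, or add a commented summary such as `# Grants (namespace-scoped): <resources> / <verbs>; keep in sync with the infra repo`, where the bracketed parts are placeholders to be filled in from the canonical manifest. If other workloads share `privilegedescalation-dev`, it is also worth stating whether the Role is restricted to the E2E resource names.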
@@ -5,16 +5,18 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# E2E resources are deployed to the `headlamp-plugins-e2e` namespace. Nothing
 # persists beyond the test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 # - Plugin built (dist/ exists with plugin-main.js + package.json)
 # - kubectl configured with cluster access
-# - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
+# The infra repo is the source of truth — do not apply this file directly.
+# Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
 #
 # Environment:
-# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-dev)
+# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-plugins-e2e)
 # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
 # HEADLAMP_VERSION — Headlamp image tag (default: latest)
 set -euo pipefail
@@ -22,7 +24,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
@@ -35,7 +37,7 @@ fi
 echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
 if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
 echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
- echo " Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
+ echo " Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml" >&2
 exit 1
 fi
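Review bot: The added header lines in the first hunk contradict each other: `do not apply this file directly` is followed by `Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml`, and the error message in the RBAC-check hunk repeats the same command. That path belongs to another repository, so the command fails from this checkout, and hand-applying a manifest that Flux reconciles typically either gets reverted or leaves the cluster out of step with Git. The three added lines also fall out of the `# Prerequisites:` bullet list. I would collapse them into one bullet, `#   - RBAC for the runner reconciled by Flux (privilegedescalation/infra, base/rbac/e2e-ci-runner-headlamp-rbac.yaml)`, and change the hint to `echo "       RBAC is managed by Flux in privilegedescalation/infra; check that it has reconciled for this namespace." >&2`.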
diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh
index d9bdf43..1af461e 100755
--- a/scripts/teardown-e2e-headlamp.sh
+++ b/scripts/teardown-e2e-headlamp.sh
@@ -3,14 +3,17 @@
 #
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
+# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
+# The infra repo is the source of truth — do not apply this file directly.
+#
 # Environment:
-# E2E_NAMESPACE — namespace to clean up (default: headlamp-dev)
+# E2E_NAMESPACE — namespace to clean up (default: headlamp-plugins-e2e)
 # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-plugins-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 echo "=== E2E Headlamp Teardown ==="
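Review bot: `do not apply this file directly` in the added header has no referent here, because the file being read is the teardown script; the sentence looks carried over from deployment/e2e-ci-runner-rbac.yaml. Something like `# The infra repo is the source of truth; do not kubectl-apply the RBAC manifest by hand.` says what is meant. The header would also be more useful if it listed the delete permissions teardown relies on, which are not visible in this hunk, so a missing grant is recognisable from the script alone.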