Previous approaches (port-forward to Service/Pod) failed with 'connection
refused' — the runner cannot tunnel to pod IPs through the API server.
Switch to LoadBalancer service type:
- After rollout, poll kubectl get svc for status.loadBalancer.ingress[0].ip
- Once assigned, poll http://<lb-ip>:80 until reachable
- Write HEADLAMP_URL=http://<lb-ip>:80 to .env.e2e
The runner pod (in the cluster) can reach LoadBalancer IPs assigned
by the cloud controller or metallb.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Previous attempt used kubectl port-forward to a Service, which failed
with 'connection refused' — the API server could not reach pod IPs.
Switch to NodePort (30080) service type and use the node's InternalIP
for HEADLAMP_URL, reachable from the GitHub Actions runner pod.
- Change Service type from ClusterIP to NodePort with nodePort: 30080
- After rollout, get node InternalIP via kubectl get nodes
- Poll http://<node-ip>:30080 until reachable
- Write HEADLAMP_URL=http://<node-ip>:30080 to .env.e2e
- Remove port-forward leftover cleanup from teardown script
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The browser runs outside the cluster and cannot resolve
headlamp-e2e.${E2E_NAMESPACE}.svc.cluster.local DNS names.
- Start kubectl port-forward in background after service rollout
- Poll until localhost:4466 is reachable before writing .env.e2e
- Write HEADLAMP_URL=http://localhost:4466 so Playwright browser can connect
- teardown: kill port-forward processes with pkill
Fixes PRI-752.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The kube-vip page has both 'kube-vip — Overview' (h1) and 'kube-vip Not Detected' (h2) headings.
getByRole('heading', { name: /kube.vip/i }) resolves to both in strict mode. Using .first()
to match the first one (the overview heading) instead.
- Adds e2e/auth.setup.ts, e2e/kube-vip.spec.ts with waitForSidebar helper
- Adds playwright.config.ts, scripts/deploy-e2e-headlamp.sh, scripts/teardown-e2e-headlamp.sh
- Adds .github/workflows/e2e.yaml
- Fixes plugin settings test to wait for list before searching
workflow_call reusable workflow that exposes a GitHub App installation
token. Mend Renovate will use this token to push commits.
Refs: PRI-413
Co-authored-by: Chris Farhood <chris@farhood.org>
Defensive override floor for GHSA-r5fr-rjxr-66jc. Main already resolves lodash@4.18.1 transitively, so override prevents future regressions. CI green on 1d65d51. Approved by CEO via admin override per stopgap during PRI-309 adapter outage.
Vite versions >=6.0.0 <=6.4.1 are vulnerable to arbitrary file read via
the Vite Dev Server WebSocket (server.fs.deny bypass with queries).
CVE: GHSA-p9ff-h696-f583
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
pnpm/action-setup@v5 requires either a version key in the action config
or a packageManager field in package.json. Add the field to unblock the
release workflow.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add eslint@^8.57.0, @headlamp-k8s/eslint-config@^0.6.0, prettier@^2.8.8,
typescript@~5.6.2 as explicit devDependencies. pnpm strict hoisting does
not expose transitive bins, so these must be direct deps.
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds pinDigests: true so Renovate pins all GitHub Actions references to
full commit SHAs for supply-chain hardening. This repo extends
config:recommended directly, so pinDigests must be set here explicitly —
the org-level config alone is not sufficient.
Recreated from main after closing stale PR #23 (branch was created before
the dual-approval PR #22 landed).
Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The shared release workflow now requires RELEASE_APP_ID and
RELEASE_APP_PRIVATE_KEY secrets for PR creation, since the org
blocks GITHUB_TOKEN from creating PRs.
Depends on privilegedescalation/.github#31
Co-authored-by: privilegedescalation-paperclip[bot] <268365651+privilegedescalation-paperclip[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
The reusable release workflow declares pull-requests:write but the
caller didn't grant it, causing startup_failure on GitHub Actions.
Co-authored-by: Hugh Hackman [bot] <hugh-hackman[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Resolves lockfile mismatch where undici@7.24.1 did not satisfy the
^7.24.3 override. Running npm install updated the resolved version
to undici@7.24.4.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Only the ArtifactHub/Plugin Manager installation path is supported.
Removed manual Helm-based and kubectl-based install sections.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Per CEO directive, ArtifactHub via the Headlamp plugin installer is the
only approved installation method. No exceptions.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: add explicit dev dependencies and fix React test environment
- Add react, react-dom, vitest, jsdom, and testing-library as explicit
devDependencies instead of relying on transitive deps from
@kinvolk/headlamp-plugin
- Add peerDependencies for react/react-dom
- Set process.env.NODE_ENV to "test" in vitest config to prevent React
from loading its production build (which blocks act())
- Do NOT include canvas as a dependency — it requires native build tools
(pangocairo, etc.) not present in the CI node:22 container
Fixes CI install failures from prior PR #10 which included canvas.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: add react-router-dom devDep and remove unused vite types
- Add react-router-dom as explicit devDependency to fix
ServicesPage.test.tsx import resolution failure
- Remove vite/client and vite-plugin-svgr/client from tsconfig types
(not needed, aligns with polaris plugin pattern)
Addresses QA review feedback on PR#11.
---------
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Chris Farhood
privilegedescalation-engineer[bot]
Pawla Abdul
Hugh Hackman