From 202ce66c61e9148fcc5700b2dd09e2cc6bc2f250 Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com> Date: Mon, 4 May 2026 10:50:27 +0000 Subject: [PATCH] fix(e2e): migrate E2E namespace from privilegedescalation-dev to headlamp-dev (#130) The E2E workflow and deploy scripts were targeting the legacy privilegedescalation-dev namespace, which is not managed by Flux GitOps in privilegedescalation/infra. The infra repo (PR #11) already provisions the headlamp-dev namespace and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in arc-runners) the permissions needed to deploy/teardown the E2E Headlamp instance. This change aligns all E2E infrastructure to use headlamp-dev: - .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev - scripts/deploy-e2e-headlamp.sh: default namespace and comments - scripts/teardown-e2e-headlamp.sh: default namespace - deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events permission (already present in infra copy) Refs: PRI-423 Co-authored-by: Chris Farhood Co-authored-by: Paperclip --- .github/workflows/e2e.yaml | 6 +++--- deployment/e2e-ci-runner-rbac.yaml | 14 +++++++------- scripts/deploy-e2e-headlamp.sh | 10 +++++----- scripts/teardown-e2e-headlamp.sh | 4 ++-- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 37f33a9..7ee92ce 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml 
@@ -11,15 +11,15 @@ permissions: contents: read # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in -# privilegedescalation-dev cannot be shared across concurrent runs. +# headlamp-dev cannot be shared across concurrent runs. # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight -# runs may skip the if: always() teardown, leaving dangling cluster resources. +# runs may skip the if:always() teardown, leaving dangling cluster resources. concurrency: group: e2e-${{ github.repository }} cancel-in-progress: false env: - E2E_NAMESPACE: privilegedescalation-dev + E2E_NAMESPACE: headlamp-dev E2E_RELEASE: headlamp-e2e # Pin to a known-good Headlamp version. Using :latest is risky because # the tag can change between CI runs, causing flaky failures when a newer diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index ea93cff..e6bf4ff 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml 
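Review bot: The concurrency group is still keyed on `${{ github.repository }}`, so it serializes E2E runs only within this repository, while `E2E_NAMESPACE` now points at headlamp-dev, which the commit message describes as provisioned by the infra repo. If other repositories run E2E jobs in that namespace under the same `headlamp-e2e` release name (not visible in this diff), two runs could still deploy over or tear down each other's release. A per-repository `E2E_RELEASE`, or a comment stating that headlamp-dev is exclusive to this repository's E2E runs, would settle it. Separately, the comment edit from `if: always()` to `if:always()` drops the space that the workflow syntax uses and should be reverted.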
@@ -2,26 +2,26 @@ # RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance. # CI-only test fixture — NOT for production use. # -# Grants the ARC runner service account permissions in the privilegedescalation-dev +# Grants the ARC runner service account permissions in the headlamp-dev # namespace to deploy and tear down a dedicated Headlamp instance via Helm. -# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run. +# E2E resources run in `headlamp-dev` — nothing persists beyond a test run. # # Plugin is loaded via ConfigMap volume mount — no custom Docker images. # -# Prerequisites: -# kubectl apply -f deployment/e2e-ci-runner-rbac.yaml +# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/) +# and managed by Flux GitOps. The infra repo is the source of truth. apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner - namespace: privilegedescalation-dev + namespace: headlamp-dev rules: # Helm needs to manage these resources for the Headlamp chart - apiGroups: ["apps"] resources: ["deployments"] verbs: ["get", "list", "create", "update", "patch", "delete", "watch"] - apiGroups: [""] - resources: ["services", "serviceaccounts", "configmaps", "secrets"] + resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["pods"] @@ -35,7 +35,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: e2e-ci-runner-binding - namespace: privilegedescalation-dev + namespace: headlamp-dev subjects: - kind: ServiceAccount name: runners-privilegedescalation-gha-rs-no-permission diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh index 528c017..8314b7d 100755 --- a/scripts/deploy-e2e-headlamp.sh +++ b/scripts/deploy-e2e-headlamp.sh 
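Review bot: Adding `events` to the existing core-group rule gives the runner service account `create`, `update`, `patch` and `delete` on events in headlamp-dev, because it joins the list that shares the full write verb set with `secrets` and `configmaps`. If the runner only reads events to diagnose a failed rollout (the commit message does not say why the permission is needed), a separate read-only rule is tighter: `- apiGroups: [""]`, `resources: ["events"]`, `verbs: ["get", "list", "watch"]`. The same rule keeps full access to `secrets`, and its reach now follows the namespace move, so it is worth confirming that headlamp-dev holds no secrets beyond the E2E release's own. The header comment names the infra copy as the source of truth, so any tightening has to land there as well or the two files will drift.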
@@ -5,16 +5,16 @@ # a ConfigMap volume mount. No custom Docker images — the plugin is built # in CI and injected as a ConfigMap. # -# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing -# persists beyond the test run — teardown cleans up all created resources. +# E2E resources are deployed to the `headlamp-dev` namespace. Nothing +# persists beyond a test run — teardown cleans up all created resources. # # Prerequisites: # - Plugin built (dist/ exists with plugin-main.js + package.json) # - kubectl configured with cluster access -# - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml +# - RBAC applied (managed by Flux GitOps in privilegedescalation/infra) # # Environment: -# E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev) +# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-dev) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) # HEADLAMP_VERSION — Headlamp image tag (default: v0.40.1, pinned to match production) set -euo pipefail @@ -22,7 +22,7 @@ set -euo pipefail REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" DIST_DIR="$REPO_ROOT/dist" -E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" +E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}" diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh index b8ed7e6..00d4f5a 100755 --- a/scripts/teardown-e2e-headlamp.sh +++ b/scripts/teardown-e2e-headlamp.sh 
@@ -4,13 +4,13 @@ # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh. # # Environment: -# E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev) +# E2E_NAMESPACE — namespace to clean up (default: headlamp-dev) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) set -euo pipefail REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" -E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" +E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" echo "=== E2E Headlamp Teardown ==="