From 53475296db3761c3087fe88c3497e942c03a9a88 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Sun, 3 May 2026 17:51:46 +0000
Subject: [PATCH] Apply RBAC manifest in CI before pre-flight check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make the E2E workflow self-sufficient by applying the polaris-rbac.yaml
manifest before the pre-flight check, instead of requiring manual
cluster pre-configuration.

Before: workflow checked for RBAC and failed fast, but had no mechanism
to apply it — it was purely a detection step.
After: workflow applies the RBAC manifest (idempotent kubectl apply),
then verifies the resources exist as a correctness check.

Also collapses MISSING_ROLE and MISSING_ROLEBINDING into a single
boolean flag and drops the non-standard --quiet flag on kubectl get.

Fixes: PRI-324

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 .github/workflows/e2e.yaml | 27 ++++++++-------------------
 1 file changed, 8 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 4d5ceb2..cb1c4c5 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -45,31 +45,20 @@ jobs:
       - name: Setup kubectl
         uses: azure/setup-kubectl@v4
 
+      - name: Apply RBAC for Polaris dashboard proxy
+        run: kubectl apply -f deployment/polaris-rbac.yaml
+
       - name: RBAC pre-flight check
         run: |
           echo "Checking RBAC resources in polaris namespace..."
-          MISSING_ROLE=false
-          MISSING_ROLEBINDING=false
-
-          if ! kubectl get role polaris-dashboard-proxy-reader -n polaris --quiet 2>/dev/null; then
-            echo "::error::Role polaris-dashboard-proxy-reader not found in polaris namespace."
-            MISSING_ROLE=true
-          fi
-
-          if ! kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris --quiet 2>/dev/null; then
-            echo "::error::RoleBinding polaris-dashboard-proxy-reader not found in polaris namespace."
-            MISSING_ROLEBINDING=true
-          fi
-
-          if [ "$MISSING_ROLE" = true ] || [ "$MISSING_ROLEBINDING" = true ]; then
-            echo ""
-            echo "::error::RBAC not applied. Apply the RBAC manifests before running E2E tests:"
-            echo "::error::  kubectl apply -f deployment/polaris-rbac.yaml"
+          if kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 && \
+             kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1; then
+            echo "RBAC pre-flight check passed."
+          else
+            echo "::error::Role or RoleBinding not found in polaris namespace after apply."
             exit 1
           fi
 
-          echo "RBAC pre-flight check passed."
-
       - name: Install dependencies
         run: npm ci