refactor: replace kubectl exec/cp plugin deploy with ConfigMap + init container
Redesigns E2E plugin deployment to eliminate all kubectl exec/cp access to Headlamp pods, per board policy. The new approach: 1. Packages built plugin as a tarball stored in a ConfigMap 2. Patches the Headlamp deployment with an init container that extracts the plugin into the static-plugins volume before Headlamp starts 3. Waits for rollout and verifies readiness RBAC is reduced to configmaps (create/get/patch), deployments (get/patch), replicasets and pods (get/list for rollout status) — no exec or cp needed. Note: .github/workflows/e2e.yaml update requires workflows permission and must be applied separately by a user with repo admin access. Co-Authored-By: Paperclip <noreply@paperclip.ing>
This commit is contained in:
Gandalf the Greybeard
@@ -0,0 +1,53 @@
|
||||
---
|
||||
# RBAC for the self-hosted GitHub Actions runner ServiceAccount to deploy
|
||||
# plugins to Headlamp via ConfigMap + deployment patch.
|
||||
#
|
||||
# This grants ONLY the permissions needed by scripts/deploy-plugin-to-headlamp.sh:
|
||||
# - configmaps: create/get/update (store the plugin tarball)
|
||||
# - deployments: get/patch (add the init container that extracts the plugin)
|
||||
# - replicasets: get/list (for kubectl rollout status)
|
||||
#
|
||||
# No pod exec or pod cp access is required.
|
||||
#
|
||||
# Apply with:
|
||||
# kubectl apply -f deployment/e2e-runner-rbac.yaml
|
||||
#
|
||||
# The runner SA name comes from the ARC (Actions Runner Controller) deployment.
|
||||
# Adjust the serviceaccount name/namespace if your runner uses a different identity.
|
||||
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: e2e-plugin-deployer
|
||||
namespace: kube-system
|
||||
rules:
|
||||
# Store plugin tarball in a ConfigMap
|
||||
- apiGroups: [""]
|
||||
resources: ["configmaps"]
|
||||
verbs: ["create", "get", "update", "patch"]
|
||||
# Patch the Headlamp deployment to add the init container
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["deployments"]
|
||||
verbs: ["get", "patch"]
|
||||
# Required for kubectl rollout status
|
||||
- apiGroups: ["apps"]
|
||||
resources: ["replicasets"]
|
||||
verbs: ["get", "list"]
|
||||
# Required for rollout status pod readiness check
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "list"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: e2e-plugin-deployer
|
||||
namespace: kube-system
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: local-ubuntu-latest-gha-rs-no-permission
|
||||
namespace: arc-runners
|
||||
roleRef:
|
||||
kind: Role
|
||||
name: e2e-plugin-deployer
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
Reference in New Issue
Block a user