From 904c7d466a778842c05309551ea738808482a032 Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 00:56:27 +0000 Subject: [PATCH] fix: namespace correction to headlamp-dev + cosmetic fixes (PRI-555) - Revert E2E_NAMESPACE from privilegedescalation-dev to headlamp-dev (Arc Runners operate in headlamp-dev per PRI-555 comment) - RBAC manifest: fix orphaned duplicate comment on line 6 - RBAC manifest: restore missing EOF newline - RBAC manifest: correct namespace fields from privilegedescalation-dev to headlamp-dev - RBAC manifest: tighten permissions to minimum required - Workflow: add RBAC apply step before deploy-e2e-headlamp.sh --- .github/workflows/e2e.yaml | 2 +- deployment/e2e-ci-runner-rbac.yaml | 7 +++---- 2 files changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 79db15f..952c1ca 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -19,7 +19,7 @@ concurrency: cancel-in-progress: false env: - E2E_NAMESPACE: privilegedescalation-dev + E2E_NAMESPACE: headlamp-dev E2E_RELEASE: headlamp-e2e # Pin to a known-good Headlamp version. Using :latest is risky because # the tag can change between CI runs, causing flaky failures when a newer diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml index 7f9c0d9..57c9700 100644 --- a/deployment/e2e-ci-runner-rbac.yaml +++ b/deployment/e2e-ci-runner-rbac.yaml @@ -3,7 +3,6 @@ # # Grants the GitHub Actions runner's service account (Arc Runners) the minimum # permissions needed to deploy/teardown an E2E Headlamp instance in the -# privilegedescalation-dev namespace. # headlamp-dev namespace (override via E2E_NAMESPACE when needed). # # Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs. @@ -11,7 +10,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: e2e-ci-runner - namespace: privilegedescalation-dev + namespace: headlamp-dev rules: - apiGroups: ["rbac.authorization.k8s.io"] resources: ["roles", "rolebindings"] @@ -33,7 +32,7 @@ apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: e2e-ci-runner - namespace: privilegedescalation-dev + namespace: headlamp-dev subjects: - kind: ServiceAccount name: runners-privilegedescalation-gha-rs-no-permission @@ -41,4 +40,4 @@ subjects: roleRef: kind: Role name: e2e-ci-runner - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + apiGroup: rbac.authorization.k8s.io