From b371b626ee43b237945f70639d339d18d3a0ea81 Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Tue, 5 May 2026 20:39:46 +0000
Subject: [PATCH] fix(e2e): generate in-cluster kubeconfig when no static kubeconfig is found

The ARC runner has no static kubeconfig at any of the expected paths (/runner/config, ~/.kube/config). It DOES have a service account token (/var/run/secrets/kubernetes.io/serviceaccount/token) and KUBERNETES_SERVICE_HOST=10.43.0.1, confirming in-cluster access.

This commit adds a third fallback tier: when no static kubeconfig is found AND the runner is in-cluster (service account token present), generate a kubeconfig from the in-cluster service account credentials.

Co-Authored-By: Paperclip
---
 .github/workflows/e2e.yaml | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 8cf4014..334004b 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -68,22 +68,16 @@ jobs:
 done
 echo ""
 echo "=== In-cluster service account check ==="
+ local in_cluster=false
 if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
 echo "Service account token present — in-cluster mode available"
 echo "KUBERNETES_SERVICE_HOST=${KUBERNETES_SERVICE_HOST:-}"
 echo "KUBERNETES_SERVICE_PORT=${KUBERNETES_SERVICE_PORT:-}"
+ in_cluster=true
 else
 echo "No service account token at /var/run/secrets/kubernetes.io/serviceaccount/"
 fi
 echo ""
- echo "=== Attempting kubeconfig from in-cluster env ==="
- if [ -n "${KUBERNETES_SERVICE_HOST:-}" ]; then
- echo "In-cluster: yes"
- kubectl config view --raw 2>&1 | head -5 || echo "kubectl config view failed"
- else
- echo "In-cluster: no"
- fi
- echo ""
 if [ -f /runner/config ]; then
 echo "KUBECONFIG=/runner/config" >> "$GITHUB_ENV"
 echo "Using kubeconfig from /runner/config"
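Review bot: The added `local in_cluster=false` will fail if this step's script runs at top level rather than inside a shell function: bash reports `local: can only be used in a function` and returns non-zero, and a workflow `run:` step is normally executed with `-e`, so the step would stop before any kubeconfig tier is tried. The enclosing script starts outside the hunk, so confirm whether a function wraps it; if none does, use a plain assignment, `in_cluster=false`. A plain assignment also guarantees the variable is defined on the no-token path before the later `[ "$in_cluster" = true ]` test reads it.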
@@ -93,8 +87,28 @@ jobs:
 elif [ -f "${HOME:-}/.kube/config" ]; then
 echo "KUBECONFIG=${HOME:-}/.kube/config" >> "$GITHUB_ENV"
 echo "Using kubeconfig from HOME"
+ elif [ "$in_cluster" = true ]; then
+ echo "No static kubeconfig found — generating in-cluster kubeconfig"
+ KUBECFG_DIR="${HOME:-}/.kube"
+ mkdir -p "$KUBECFG_DIR"
+ kubectl config set-cluster in-cluster \
+ --server="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}" \
+ --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+ --embed-certs=true \
+ --kubeconfig="$KUBECFG_DIR/config" 2>&1
+ kubectl config set-credentials in-cluster \
+ --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+ --kubeconfig="$KUBECFG_DIR/config" 2>&1
+ kubectl config set-context in-cluster \
+ --cluster=in-cluster \
+ --user=in-cluster \
+ --kubeconfig="$KUBECFG_DIR/config" 2>&1
+ kubectl config use-context in-cluster \
+ --kubeconfig="$KUBECFG_DIR/config" 2>&1
+ echo "KUBECONFIG=$KUBECFG_DIR/config" >> "$GITHUB_ENV"
+ echo "Generated in-cluster kubeconfig at $KUBECFG_DIR/config"
 else
- echo "::error::No kubeconfig found in /runner/config, /home/runner/.kube/config, or HOME"
+ echo "::error::No kubeconfig found in /runner/config, /home/runner/.kube/config, HOME, or in-cluster service account"
 exit 1
 fi
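Review bot: The `kubectl config set-credentials in-cluster --token="$(cat …/token)"` line puts the service account token on kubectl's command line and then stores a static copy in `$KUBECFG_DIR/config`, so it is visible in the process list while the command runs, may linger on disk if the runner's home directory outlives the job, and stops working once the mounted token is rotated. Referencing the mounted file instead avoids all three, e.g. `kubectl config set users.in-cluster.tokenFile /var/run/secrets/kubernetes.io/serviceaccount/token --kubeconfig="$KUBECFG_DIR/config"` (confirm against the kubectl version on the runner). If the token has to be embedded, add `umask 077` before `mkdir -p "$KUBECFG_DIR"` and delete the file in a cleanup step. Separately, `KUBECFG_DIR="${HOME:-}/.kube"` resolves to `/.kube` when HOME is unset, so a per-job directory such as `"${RUNNER_TEMP}"` would be a safer target. The `run:` block starts and ends outside this hunk.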