Merge pull request #73 from privilegedescalation/gandalf/e2e-redesign-custom-image

refactor: redesign E2E to use ConfigMap volume mount with stock Headlamp image
2026-03-21 00:09:09 +00:00
parent dd782fbea0 74a5bb0a01
commit b3f1f65b2f
9 changed files with 274 additions and 313 deletions
@@ -7,9 +7,12 @@ on:
    branches: [main]
  workflow_dispatch:
 permissions:
  contents: read
 env:
-  HEADLAMP_NAMESPACE: kube-system
+  E2E_NAMESPACE: headlamp-e2e
-  HEADLAMP_DEPLOY: headlamp
+  E2E_RELEASE: headlamp-e2e
 jobs:
  e2e:
@@ -26,118 +29,45 @@ jobs:
          node-version: '22'
          cache: 'npm'
      - name: Setup kubectl
        uses: azure/setup-kubectl@v4
      - name: Setup Helm
        uses: azure/setup-helm@v4
      - name: Install dependencies
        run: npm ci
      - name: Build plugin
-        run: npm run build
+        run: npx @kinvolk/headlamp-plugin build
-      - name: Setup kubectl
+      - name: Deploy E2E Headlamp instance
-        uses: azure/setup-kubectl@v4
+        run: scripts/deploy-e2e-headlamp.sh
-      - name: Ensure PVC exists
+      - name: Load E2E environment
        run: kubectl apply -f deployment/headlamp-plugins-pvc.yaml
      - name: Patch Headlamp deployment with shared volume mount
        run: |
-          NS="$HEADLAMP_NAMESPACE"
+          if [ -f .env.e2e ]; then
-          DEPLOY="$HEADLAMP_DEPLOY"
+            cat .env.e2e >> "$GITHUB_ENV"
          # Check if the plugins volume and mount already exist (by name or mountPath)
          DEPLOY_JSON=$(kubectl get deploy "$DEPLOY" -n "$NS" -o json)
          HAS_VOL=$(echo "$DEPLOY_JSON" | \
            python3 -c "import sys,json; d=json.load(sys.stdin); vols=d['spec']['template']['spec'].get('volumes',[]); print('yes' if any(v.get('persistentVolumeClaim',{}).get('claimName')=='headlamp-plugins' or v.get('name')=='plugins' for v in vols) else '')")
          HAS_MOUNT=$(echo "$DEPLOY_JSON" | \
            python3 -c "import sys,json; d=json.load(sys.stdin); mounts=d['spec']['template']['spec']['containers'][0].get('volumeMounts',[]); print('yes' if any(m.get('mountPath')=='/headlamp/plugins' or m.get('name')=='plugins' for m in mounts) else '')")
          NEEDS_PATCH=false
          if [ -z "$HAS_VOL" ]; then
            echo "Adding plugins PVC volume..."
            kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
              {"op":"add","path":"/spec/template/spec/volumes/-","value":{
                "name":"plugins",
                "persistentVolumeClaim":{"claimName":"headlamp-plugins"}
              }}
            ]'
            NEEDS_PATCH=true
          else
-            echo "Plugins volume already present, skipping."
+            echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e"
          fi
          if [ -z "$HAS_MOUNT" ]; then
            echo "Adding plugins volume mount..."
            kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
              {"op":"add","path":"/spec/template/spec/containers/0/volumeMounts/-","value":{
                "name":"plugins",
                "mountPath":"/headlamp/plugins",
                "readOnly":true
              }}
            ]'
            NEEDS_PATCH=true
          else
            echo "Plugins volume mount already present, skipping."
          fi
          # Set the plugins directory via env var
          kubectl set env deploy/"$DEPLOY" -n "$NS" \
            HEADLAMP_CONFIG_PLUGIN_DIR=/headlamp/plugins
          # Wait for rollout
          kubectl rollout status deploy/"$DEPLOY" -n "$NS" --timeout=120s
      - name: Deploy plugin via shared volume
        run: scripts/deploy-plugin-via-volume.sh
      - name: Preflight — verify Headlamp and plugin availability
        env:
          HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
        run: |
          PLUGIN_NAME=$(node -p "require('./package.json').name")
          EXPECTED=$(node -p "require('./package.json').version")
          echo "Expecting: $PLUGIN_NAME@$EXPECTED"
          # Wait for Headlamp to be reachable
          for i in $(seq 1 30); do
            HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$HEADLAMP_URL" || true)
            if [ "$HTTP_CODE" != "000" ]; then
              echo "Headlamp responded HTTP $HTTP_CODE"
              break
            fi
            echo "Waiting for Headlamp... ($i/30)"
            sleep 2
          done
          if [ "$HTTP_CODE" = "000" ]; then
            echo "::error::Cannot reach Headlamp at $HEADLAMP_URL after 60s"
            exit 1
          fi
          # Verify plugin is visible
          PLUGIN_JSON=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins" 2>/dev/null || echo "[]")
          node -e "
            const plugins = JSON.parse(process.argv[1]);
            console.log('Installed plugins:');
            for (const p of plugins) console.log('  ' + p.name + '@' + (p.version||'unknown'));
            const ours = plugins.find(p => p.name === '$PLUGIN_NAME' || p.name === 'polaris' || p.name.includes('polaris'));
            if (!ours) {
              console.log('::warning::Plugin $PLUGIN_NAME not yet visible — Headlamp may need a restart');
            } else {
              console.log('Found plugin: ' + ours.name + ' at path ' + ours.path);
            }
          " "$PLUGIN_JSON"
      - name: Install Playwright browsers
        run: npx playwright install --with-deps chromium
      - name: Run E2E tests
        run: npm run e2e
        env:
-          HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
+          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
-          HEADLAMP_TOKEN: ${{ secrets.HEADLAMP_TOKEN }}
+          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
          AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }}
          AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }}
      - name: Teardown E2E instance
        if: always()
        run: scripts/teardown-e2e-headlamp.sh
      - name: Upload Playwright report
        uses: actions/upload-artifact@v4
        if: failure()
@@ -6,5 +6,6 @@ e2e/.auth/
 test-results/
 .playwright-mcp/
 .env
 .env.e2e
 .env.local
 .eslintcache
@@ -1,59 +1,73 @@
 ---
-# RBAC for the GitHub Actions CI runner to perform E2E test setup.
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
 # CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account namespace-scoped permissions in
+# Grants the ARC runner service account permissions in the headlamp-e2e
-# kube-system to patch the Headlamp deployment (add shared volume mount),
+# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
 # manage PVCs, run temporary pods, and restart deployments.
 #
-# No cluster-scoped permissions needed — the E2E workflow uses kubectl patch
+# No kube-system access needed — E2E tests use a separate namespace.
-# instead of helm upgrade, avoiding the need to read ClusterRole/ClusterRoleBinding.
+# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
 #
-# Apply with: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+# Prerequisites:
 #   kubectl create namespace headlamp-e2e
 #   kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: e2e-ci-runner
-  namespace: kube-system
+  namespace: headlamp-e2e
 rules:
  # Helm needs to manage these resources for the Headlamp chart
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
  - apiGroups: [""]
-    resources: ["persistentvolumeclaims"]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["get", "list", "create", "delete", "watch"]
+    verbs: ["get", "list", "watch"]
  # Token creation for E2E test auth
  - apiGroups: [""]
-    resources: ["pods/attach"]
+    resources: ["serviceaccounts/token"]
-    verbs: ["create", "get"]
+    verbs: ["create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "patch", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments/scale"]
    verbs: ["patch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: e2e-ci-runner-binding
-  namespace: kube-system
+  namespace: headlamp-e2e
 subjects:
  - kind: ServiceAccount
-    name: local-ubuntu-latest-gha-rs-no-permission
+    name: runners-privilegedescalation-gha-rs-no-permission
    namespace: arc-runners
 roleRef:
  kind: Role
  name: e2e-ci-runner
  apiGroup: rbac.authorization.k8s.io
 ---
 # ClusterRole to allow the runner SA to verify the headlamp-e2e namespace
 # exists before attempting namespaced operations. kubectl get namespace is a
 # cluster-scoped operation not coverable by a namespaced Role.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
  name: e2e-ci-namespace-reader
 rules:
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get"]
    resourceNames: ["headlamp-e2e"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: e2e-ci-namespace-reader-binding
 subjects:
  - kind: ServiceAccount
    name: runners-privilegedescalation-gha-rs-no-permission
    namespace: arc-runners
 roleRef:
  kind: ClusterRole
  name: e2e-ci-namespace-reader
  apiGroup: rbac.authorization.k8s.io
@@ -1,22 +1,31 @@
 ---
-# Headlamp Helm values for E2E testing with shared volume plugin deployment.
+# Headlamp Helm values for E2E testing.
 #
-# The CI runner and Headlamp pod share a PVC so that the runner can copy
+# Uses the stock Headlamp image with the plugin loaded via a ConfigMap
-# built plugin artifacts directly into Headlamp's plugins directory.
+# volume mount. No custom Docker images — the plugin dist/ is packaged
-# This is a CI-only mechanism — production plugin distribution uses ArtifactHub.
+# as a ConfigMap by deploy-e2e-headlamp.sh.
 #
 # Usage:
 #   helm install headlamp-e2e headlamp/headlamp \
 #     -n headlamp-e2e --create-namespace \
 #     -f deployment/headlamp-e2e-values.yaml \
 #     --set image.registry=ghcr.io \
 #     --set image.repository=headlamp-k8s/headlamp \
 #     --set image.tag=latest
 # Point Headlamp at the shared plugins mount
 config:
  pluginsDir: /headlamp/plugins
  watchPlugins: false
-# PVC-backed volume shared with the CI runner
+service:
-volumes:
+  type: ClusterIP
  - name: plugins
    persistentVolumeClaim:
      claimName: headlamp-plugins
-# Mount into the Headlamp container
+extraVolumes:
-volumeMounts:
+  - name: polaris-plugin
-  - name: plugins
+    configMap:
-    mountPath: /headlamp/plugins
+      name: headlamp-polaris-plugin
 extraVolumeMounts:
  - name: polaris-plugin
    mountPath: /headlamp/plugins/headlamp-polaris
    readOnly: true
@@ -1,14 +0,0 @@
 ---
 # PVC for sharing built plugin artifacts between the CI runner and Headlamp.
 # Used only in E2E test environments — not for production.
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: headlamp-plugins
  namespace: kube-system
 spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 128Mi
@@ -4,7 +4,16 @@ Playwright-based smoke tests that validate the Polaris plugin against a live Hea
 ## CI
-E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`) uses either Authentik OIDC or token-based authentication via repository secrets.
+E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`):
 1. Builds the plugin (`npm run build`)
 2. Creates a ConfigMap from the built `dist/` output
 3. Deploys a stock Headlamp instance via Helm with the plugin mounted as a ConfigMap volume
 4. Generates a ServiceAccount token for test auth
 5. Runs Playwright tests against the E2E instance
 6. Tears down the E2E instance
 This approach uses the stock `ghcr.io/headlamp-k8s/headlamp` image with no custom Docker builds. The plugin is loaded via `HEADLAMP_PLUGINS_DIR` volume mount.
 ### Required GitHub Secrets
@@ -12,12 +21,12 @@ Configure these in GitHub repository settings (Settings → Secrets and variable
 | Secret               | Required | Description                                                    |
 | -------------------- | -------- | -------------------------------------------------------------- |
 | `HEADLAMP_URL`       | Optional | Headlamp instance URL (defaults to `https://headlamp.animaniacs.farh.net`) |
 | `AUTHENTIK_USERNAME` | OIDC     | Authentik email or username for a CI user with Headlamp access |
 | `AUTHENTIK_PASSWORD` | OIDC     | Password for that user                                         |
 | `HEADLAMP_TOKEN`     | Token    | Kubernetes service account token (alternative to OIDC)         |
-Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` **or** `HEADLAMP_TOKEN`. OIDC takes priority if both are set.
+Token-based auth is auto-generated by the deploy script. OIDC secrets are only needed if testing against the shared Headlamp instance.
 No `GHCR_TOKEN` or Docker registry secrets are needed — the stock Headlamp image is public.
 ## Running Locally
@@ -47,12 +56,12 @@ HEADLAMP_URL=http://localhost:4466 npm run e2e:headed
 | Variable             | Required | Default                                | Description                             |
 | -------------------- | -------- | -------------------------------------- | --------------------------------------- |
-| `HEADLAMP_URL`       | No       | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance       |
+| `HEADLAMP_URL`       | No       | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance                    |
-| `AUTHENTIK_USERNAME` | OIDC     | —                                      | Authentik email/username                |
+| `AUTHENTIK_USERNAME` | OIDC     | —                                      | Authentik email/username                             |
-| `AUTHENTIK_PASSWORD` | OIDC     | —                                      | Authentik password                      |
+| `AUTHENTIK_PASSWORD` | OIDC     | —                                      | Authentik password                                   |
-| `HEADLAMP_TOKEN`     | Token    | —                                      | Kubernetes bearer token (fallback auth) |
+| `HEADLAMP_TOKEN`     | Token    | —                                      | Kubernetes bearer token (auto-generated in CI)       |
-Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` or `HEADLAMP_TOKEN`. OIDC takes priority if both are set.
+In CI, `HEADLAMP_URL` and `HEADLAMP_TOKEN` are set automatically by the deploy script. For local runs, set either OIDC credentials or a token manually.
 ## What the Tests Validate
@@ -249,25 +258,26 @@ test('plugin UI adapts to dark mode', async ({ page }) => {
 Tests run automatically in GitHub Actions on pushes to `main` and pull requests. See `.github/workflows/e2e.yaml` for workflow configuration.
-### Required Secrets
+### Architecture
-Configure these in GitHub repository settings (Settings → Secrets and variables → Actions):
+The E2E workflow deploys a **dedicated Headlamp instance** for each test run:
- `HEADLAMP_URL` (optional): Headlamp instance URL
+1. Build plugin (`npm run build`)
- `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` (for OIDC auth)
+2. Create ConfigMap from `dist/` output (`scripts/deploy-e2e-headlamp.sh`)
- OR `HEADLAMP_TOKEN` (for token-based auth)
+3. Deploy stock Headlamp via Helm with ConfigMap volume mount
 4. Run Playwright tests against the E2E instance
 5. Tear down (`scripts/teardown-e2e-headlamp.sh`)
-### Workflow Overview
+No custom Docker images, no PVCs, no kubectl exec/cp, no patching of existing deployments. The plugin is mounted from a ConfigMap into the stock Headlamp image.
-1. Checkout code
+### Cluster Prerequisites
-2. Setup Node.js 20 with npm cache
+
-3. Install dependencies (`npm ci`)
+One-time setup by a cluster admin:
-4. Install Playwright browsers (`chromium` only)
+
-5. Run auth setup (creates session in `e2e/.auth/state.json`)
+```bash
-6. Run all E2E tests
+kubectl create namespace headlamp-e2e
-7. Upload artifacts on failure:
+kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
-   - `playwright-report/` - HTML test report
+```
   - `test-results/` - Screenshots, traces, videos
 ### Manual Trigger
@@ -0,0 +1,105 @@
 #!/usr/bin/env bash
 # deploy-e2e-headlamp.sh
 #
 # Deploys a stock Headlamp instance with the polaris plugin loaded via
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
 #   - Helm 3 installed
 #   - E2E namespace pre-created by cluster admin (see deployment/e2e-ci-runner-rbac.yaml)
 #
 # Environment:
 #   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-e2e)
 #   E2E_RELEASE       — Helm release name (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
 E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
 if [ ! -d "$DIST_DIR" ]; then
  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
  exit 1
 fi
 echo "=== E2E Headlamp Deployment ==="
 echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
 echo "  Namespace: $E2E_NAMESPACE"
 echo "  Release:   $E2E_RELEASE"
 # --- Verify namespace exists (must be pre-created by cluster admin) ---
 echo ""
 echo "Verifying namespace ${E2E_NAMESPACE} exists..."
 if ! kubectl get namespace "$E2E_NAMESPACE" >/dev/null 2>&1; then
  echo "ERROR: Namespace ${E2E_NAMESPACE} does not exist." >&2
  echo "A cluster admin must create it first: kubectl create namespace ${E2E_NAMESPACE}" >&2
  echo "Then apply RBAC: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
  exit 1
 fi
 # --- Create ConfigMap from built plugin ---
 echo ""
 echo "Creating ConfigMap with plugin files..."
 # Delete existing ConfigMap if present (idempotent redeploy)
 kubectl delete configmap headlamp-polaris-plugin \
  -n "$E2E_NAMESPACE" --ignore-not-found
 # Create ConfigMap from dist/ contents and package.json
 kubectl create configmap headlamp-polaris-plugin \
  -n "$E2E_NAMESPACE" \
  --from-file="$DIST_DIR" \
  --from-file=package.json="$REPO_ROOT/package.json"
 # --- Deploy with Helm ---
 echo ""
 echo "Adding Headlamp Helm repo..."
 helm repo add headlamp https://headlamp-k8s.github.io/headlamp/ --force-update
 helm repo update
 echo "Installing/upgrading Headlamp E2E instance..."
 helm upgrade --install "$E2E_RELEASE" headlamp/headlamp \
  -n "$E2E_NAMESPACE" \
  -f "$REPO_ROOT/deployment/headlamp-e2e-values.yaml" \
  --set "image.registry=ghcr.io" \
  --set "image.repository=headlamp-k8s/headlamp" \
  --set "image.tag=${HEADLAMP_VERSION}" \
  --wait \
  --timeout 120s
 echo "Waiting for rollout..."
 kubectl rollout status "deployment/${E2E_RELEASE}-headlamp" \
  -n "$E2E_NAMESPACE" --timeout=120s
 # --- Generate a service URL for tests ---
 SVC_URL="http://${E2E_RELEASE}-headlamp.${E2E_NAMESPACE}.svc.cluster.local"
 echo ""
 echo "E2E Headlamp is ready at: ${SVC_URL}"
 echo "  export HEADLAMP_URL=${SVC_URL}"
 # --- Generate a token for test auth ---
 echo ""
 echo "Creating service account token for E2E auth..."
 kubectl create serviceaccount headlamp-e2e-test \
  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
 TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
 if [ -n "$TOKEN" ]; then
  echo "  export HEADLAMP_TOKEN=<generated>"
  echo ""
  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
  echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
  echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
 else
  echo "  WARNING: Could not generate token. Set HEADLAMP_TOKEN manually or use OIDC."
 fi
 echo ""
 echo "E2E deployment complete."
@@ -1,135 +0,0 @@
 #!/usr/bin/env bash
 # deploy-plugin-via-volume.sh
 #
 # Copies the built plugin into the shared PVC so Headlamp picks it up.
 # Uses a temporary Kubernetes Job to write to the PVC — the CI runner
 # does NOT need the PVC mounted locally.
 #
 # Usage:
 #   scripts/deploy-plugin-via-volume.sh
 #
 # Environment:
 #   HEADLAMP_NAMESPACE  — namespace where Headlamp runs (default: kube-system)
 #   HEADLAMP_DEPLOY     — Headlamp deployment name (default: headlamp)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 HEADLAMP_NAMESPACE="${HEADLAMP_NAMESPACE:-kube-system}"
 HEADLAMP_DEPLOY="${HEADLAMP_DEPLOY:-headlamp}"
 # The deployed directory name must match the package.json name and
 # the registerPluginSettings name. Headlamp identifies plugins by
 # reading package.json from each subdirectory of the plugins dir.
 PLUGIN_DIR_NAME="headlamp-polaris"
 DIST_DIR="$REPO_ROOT/dist"
 if [ ! -d "$DIST_DIR" ]; then
  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
  exit 1
 fi
 echo "Deploying plugin to shared volume via temporary job..."
 echo "  Source:    $DIST_DIR"
 echo "  PVC:       headlamp-plugins"
 echo "  Plugin:    $PLUGIN_DIR_NAME"
 # Create tarball of plugin dist + package.json
 TAR_FILE=$(mktemp /tmp/plugin-XXXXXX.tar.gz)
 tar -czf "$TAR_FILE" -C "$DIST_DIR" . -C "$REPO_ROOT" package.json
 echo "  Tarball:   $TAR_FILE ($(du -h "$TAR_FILE" | cut -f1))"
 # Find the node where Headlamp is running — the PVC is ReadWriteOnce so
 # the deploy job must land on the same node to mount it.
 HEADLAMP_NODE=$(kubectl get pods -n "$HEADLAMP_NAMESPACE" \
  -l "app.kubernetes.io/name=headlamp" \
  -o jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true)
 if [ -z "$HEADLAMP_NODE" ]; then
  HEADLAMP_NODE=$(kubectl get pods -n "$HEADLAMP_NAMESPACE" \
    -l "app.kubernetes.io/instance=headlamp" \
    -o jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true)
 fi
 if [ -n "$HEADLAMP_NODE" ]; then
  echo "  Headlamp node: $HEADLAMP_NODE (scheduling deploy job there)"
 fi
 # Clean up any previous deploy resources
 kubectl delete pod plugin-deploy -n "$HEADLAMP_NAMESPACE" --ignore-not-found --wait=true 2>/dev/null || true
 kubectl delete configmap plugin-tarball -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true
 sleep 2
 # Store the tarball in a ConfigMap (binary-safe via --from-file)
 echo "Creating ConfigMap with plugin tarball..."
 kubectl create configmap plugin-tarball \
  -n "$HEADLAMP_NAMESPACE" \
  --from-file=plugin.tar.gz="$TAR_FILE"
 # Build the Pod manifest as a temp file to avoid heredoc YAML escaping issues
 POD_FILE=$(mktemp /tmp/plugin-deploy-pod-XXXXXX.yaml)
 cat > "$POD_FILE" <<'YAMLDOC'
 apiVersion: v1
 kind: Pod
 metadata:
  name: plugin-deploy
 spec:
  restartPolicy: Never
  containers:
    - name: deploy
      image: busybox:1.36
      command: ["sh", "-c"]
      args:
        - |
          echo "Cleaning up stale plugin directories..."
          rm -rf /plugins/polaris /plugins/headlamp-polaris
          echo "Extracting plugin to shared volume..."
          mkdir -p /plugins/PLUGIN_DIR_PLACEHOLDER
          tar -xzf /tarball/plugin.tar.gz -C /plugins/PLUGIN_DIR_PLACEHOLDER
          echo "Files deployed:"
          ls -la /plugins/PLUGIN_DIR_PLACEHOLDER/
      volumeMounts:
        - name: plugins
          mountPath: /plugins
        - name: tarball
          mountPath: /tarball
          readOnly: true
  volumes:
    - name: plugins
      persistentVolumeClaim:
        claimName: headlamp-plugins
    - name: tarball
      configMap:
        name: plugin-tarball
 YAMLDOC
 # Substitute plugin dir name
 sed -i "s/PLUGIN_DIR_PLACEHOLDER/${PLUGIN_DIR_NAME}/g" "$POD_FILE"
 # Add nodeName if we know which node Headlamp is on
 if [ -n "$HEADLAMP_NODE" ]; then
  sed -i "/restartPolicy: Never/i\\  nodeName: ${HEADLAMP_NODE}" "$POD_FILE"
 fi
 echo "Starting deploy pod..."
 kubectl apply -n "$HEADLAMP_NAMESPACE" -f "$POD_FILE"
 rm -f "$POD_FILE"
 # Wait for the pod to complete (Succeeded phase)
 echo "Waiting for deploy pod to complete..."
 kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/plugin-deploy \
  -n "$HEADLAMP_NAMESPACE" --timeout=120s
 # Show logs
 kubectl logs plugin-deploy -n "$HEADLAMP_NAMESPACE" 2>/dev/null || true
 # Clean up
 kubectl delete pod plugin-deploy -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true
 kubectl delete configmap plugin-tarball -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true
 rm -f "$TAR_FILE"
 # Restart Headlamp to pick up the new plugin
 echo "Restarting Headlamp deployment to load plugin..."
 kubectl rollout restart "deployment/$HEADLAMP_DEPLOY" -n "$HEADLAMP_NAMESPACE"
 kubectl rollout status "deployment/$HEADLAMP_DEPLOY" -n "$HEADLAMP_NAMESPACE" --timeout=120s
 echo "Plugin deployed successfully."
@@ -0,0 +1,41 @@
 #!/usr/bin/env bash
 # teardown-e2e-headlamp.sh
 #
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
 #   E2E_NAMESPACE  — namespace to clean up (default: headlamp-e2e)
 #   E2E_RELEASE    — Helm release to uninstall (default: headlamp-e2e)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-e2e}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 # Exit early if the namespace does not exist — nothing to tear down.
 if ! kubectl get namespace "$E2E_NAMESPACE" >/dev/null 2>&1; then
  echo "Namespace $E2E_NAMESPACE does not exist, nothing to tear down."
  exit 0
 fi
 echo "=== E2E Headlamp Teardown ==="
 echo "  Namespace: $E2E_NAMESPACE"
 echo "  Release:   $E2E_RELEASE"
 echo "Uninstalling Helm release..."
 helm uninstall "$E2E_RELEASE" -n "$E2E_NAMESPACE" 2>/dev/null || echo "Release not found (already removed?)"
 echo "Cleaning up ConfigMap..."
 kubectl delete configmap headlamp-polaris-plugin -n "$E2E_NAMESPACE" --ignore-not-found
 echo "Cleaning up service account..."
 kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
 # Note: namespace is NOT deleted — it is managed by a cluster admin.
 # The runner SA only has namespace-scoped permissions (see deployment/e2e-ci-runner-rbac.yaml).
 # Clean up local env file
 rm -f "$REPO_ROOT/.env.e2e"
 echo "Teardown complete."