fix(e2e): replace helm upgrade with kubectl patch to avoid cluster RBAC

The CI runner SA cannot access cluster-scoped resources (ClusterRole, ClusterRoleBinding) needed by helm upgrade's 3-way merge. Replace the helm upgrade step with kubectl patch commands that add the shared volume mount directly to the Headlamp deployment. This eliminates the need for cluster-admin intervention: - kubectl patch adds PVC volume + volumeMount to the deployment - kubectl set env configures the plugins directory - kubectl rollout status waits for the update Also removes the now-unnecessary ClusterRole/ClusterRoleBinding from the RBAC manifest — only namespace-scoped Role/RoleBinding is needed. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-17 17:07:38 +00:00
parent d5d16b2fe3
commit e679216660
2 changed files with 45 additions and 43 deletions
@@ -35,23 +35,45 @@ jobs:
      - name: Setup kubectl
        uses: azure/setup-kubectl@v4

-      - name: Setup Helm
-        uses: azure/setup-helm@v4
-
-      - name: Add Headlamp Helm repo
-        run: helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/ && helm repo update
-
      - name: Ensure PVC exists
        run: kubectl apply -f deployment/headlamp-plugins-pvc.yaml

-      - name: Upgrade Headlamp with shared volume mount
+      - name: Patch Headlamp deployment with shared volume mount
        run: |
-          helm upgrade headlamp headlamp/headlamp \
-            --namespace "$HEADLAMP_NAMESPACE" \
-            --reuse-values \
-            -f deployment/headlamp-e2e-values.yaml \
-            --set config.sessionTTL=1 \
-            --wait --timeout 120s
+          NS="$HEADLAMP_NAMESPACE"
+          DEPLOY="$HEADLAMP_DEPLOY"
+
+          # Add the PVC volume if not already present
+          HAS_VOL=$(kubectl get deploy "$DEPLOY" -n "$NS" \
+            -o jsonpath='{.spec.template.spec.volumes[?(@.name=="plugins")].name}')
+          if [ -z "$HAS_VOL" ]; then
+            kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
+              {"op":"add","path":"/spec/template/spec/volumes/-","value":{
+                "name":"plugins",
+                "persistentVolumeClaim":{"claimName":"headlamp-plugins"}
+              }}
+            ]'
+          fi
+
+          # Add the volume mount to the first container if not already present
+          HAS_MOUNT=$(kubectl get deploy "$DEPLOY" -n "$NS" \
+            -o jsonpath='{.spec.template.spec.containers[0].volumeMounts[?(@.name=="plugins")].name}')
+          if [ -z "$HAS_MOUNT" ]; then
+            kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
+              {"op":"add","path":"/spec/template/spec/containers/0/volumeMounts/-","value":{
+                "name":"plugins",
+                "mountPath":"/headlamp/plugins",
+                "readOnly":true
+              }}
+            ]'
+          fi
+
+          # Set the plugins directory via env var
+          kubectl set env deploy/"$DEPLOY" -n "$NS" \
+            HEADLAMP_CONFIG_PLUGIN_DIR=/headlamp/plugins
+
+          # Wait for rollout
+          kubectl rollout status deploy/"$DEPLOY" -n "$NS" --timeout=120s

      - name: Deploy plugin via shared volume
        run: scripts/deploy-plugin-via-volume.sh