dev
10 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 privilegedescalation-ceo[bot]
|
e2ae92648c |
docs: replace hardcoded namespace with <your-namespace> placeholder
* docs: update Headlamp install namespace references from kube-system to headlamp Updates all documentation references to the Headlamp install namespace from kube-system to headlamp as part of PRI-433. In-scope files updated: - README.md, SECURITY.md - docs/getting-started/installation.md, quick-start.md, prerequisites.md - docs/deployment/helm.md, kubernetes.md, production.md - docs/troubleshooting/README.md, common-issues.md, rbac-issues.md - docs/user-guide/configuration.md, rbac-permissions.md - docs/TESTING.md, TROUBLESHOOTING.md, DEPLOYMENT.md Out-of-scope (unchanged): - Source files referencing upstream workload namespace - RBAC manifests describing Polaris namespace (polaris ns is unchanged) - NetworkPolicy namespaceSelector (API server runs in kube-system) - design-decisions.md and ARCHITECTURE.md (URL hashes refer to cluster namespaces, not Headlamp install ns) Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: correct RBAC manifest per QA review (PRI-555) - Remove rbac.authorization.k8s.io privilege escalation block - Fix orphaned comment from round 1 - Add EOF newline - Keep serviceaccounts/token for E2E auth (confirmed needed) - Namespace already correct (privilegedescalation-dev) Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs: replace hardcoded namespace with <your-namespace> placeholder Users choose their own namespace for Headlamp. Replace all hardcoded namespace references (headlamp, kube-system) in user-facing docs with <your-namespace> so users substitute their own value. Conventions: - Helm install: --namespace <your-namespace> --create-namespace - kubectl commands: -n <your-namespace> - YAML metadata: namespace: <your-namespace> - Prose: "the namespace where Headlamp is installed" Out-of-scope references left untouched: - kube-system in NetworkPolicy selectors (API server namespace) - polaris namespace references (upstream workload namespace) - Source code and test files Refs: PRI-433 Co-Authored-By: Paperclip <noreply@paperclip.ing> * docs: fix remaining hardcoded headlamp namespace to <your-namespace> placeholder Prior commit was inconsistent — some files used <your-namespace> while DEPLOYMENT.md, TROUBLESHOOTING.md and several troubleshooting/user-guide docs still hardcoded headlamp as the namespace. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing> |
||
|
gandalf-the-greybeard[bot]
|
2a60029104 |
e2e: shared volume plugin deployment for CI tests (#59)
* e2e: shared volume plugin deployment replacing init container approach
Replace the init container plugin installation with a shared PVC volume
between the CI runner and Headlamp pod. The runner builds the plugin and
copies it to the shared mount; Headlamp reads from the same volume.
- Add deployment/headlamp-e2e-values.yaml (PVC-backed shared volume)
- Add deployment/headlamp-plugins-pvc.yaml (PVC manifest)
- Add scripts/deploy-plugin-via-volume.sh (build + copy + restart)
- Remove deployment/headlamp-static-plugin-values.yaml (init container)
This is CI-only test infrastructure — ArtifactHub remains the sole
user-facing distribution channel.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: update e2e workflow for shared volume plugin deployment
Replace the old preflight-only approach with a build-and-deploy flow
that uses a shared volume (hostPath) between the CI runner and the
Headlamp pod. The workflow now builds the plugin from source, copies
the artifact to a shared volume path, and optionally calls Gandalf's
deploy script for Headlamp rollout coordination.
Removes kubectl exec/cp references and version-match preflight in
favor of deploying the PR's actual build artifact.
Refs: PRI-216, PRI-195
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: align e2e workflow with Gandalf's deploy script interface
Simplify deploy step to call scripts/deploy-plugin-via-volume.sh
directly instead of duplicating copy logic. Align env var names
(PLUGIN_VOLUME_PATH, HEADLAMP_DEPLOY) with the deploy script's
expected interface from PR #59.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: deploy plugin via temporary pod instead of assuming local PVC mount
The deploy script assumed the PVC was mounted on the CI runner at
/mnt/headlamp-plugins, but the runner pod doesn't have that mount.
Fix by using a temporary pod (kubectl run) that mounts the PVC,
receives the plugin tarball via stdin, and extracts it.
Also adds missing workflow steps to create the PVC and upgrade
Headlamp with the shared volume helm values before deploying.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: add kubectl, helm, and helm repo setup steps to e2e workflow
The self-hosted runner doesn't have kubectl or helm pre-installed.
Add setup steps using azure/setup-kubectl and azure/setup-helm
actions, and add the Headlamp helm repo before the upgrade step.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: update Headlamp Helm repo URL from headlamp-k8s to kubernetes-sigs
The Headlamp project moved to the kubernetes-sigs org. The old Helm chart
repository URL (headlamp-k8s.github.io) returns 404, causing E2E workflow
failure at the `helm repo add` step.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* chore: add RBAC manifest for E2E CI runner
Documents the Role and RoleBinding applied to the cluster for the ARC
runner service account. Grants permissions in kube-system needed for
shared volume plugin deployment (PVCs, pods, Helm resources).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: remove .github/workflows/e2e.yaml changes from PR
The workflow changes should be handled separately by Hugh Hackman
per PRI-215. This PR should only contain deployment manifests and
scripts, not CI workflow modifications.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: add shared volume plugin deployment to E2E workflow
Adds the build, Helm, PVC, and plugin deploy steps needed for the
shared volume E2E approach. Uses the correct kubernetes-sigs Helm repo
URL and overrides config.sessionTTL=0 to avoid schema validation error.
This is the workflow counterpart to the deployment manifests and scripts
already in this PR (PVC, values overlay, deploy script).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): set sessionTTL=1 to satisfy Helm schema minimum
The Headlamp Helm chart schema enforces a minimum of 1 for
config.sessionTTL. Setting it to 0 caused helm upgrade to fail
with a schema validation error.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): add cluster-scoped RBAC for CI runner
The Headlamp Helm chart manages ClusterRole and ClusterRoleBinding
resources. The CI runner SA needs cluster-level permissions to
get/update these during helm upgrade. Added ClusterRole and
ClusterRoleBinding alongside the existing namespace-scoped Role.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): replace helm upgrade with kubectl patch to avoid cluster RBAC
The CI runner SA cannot access cluster-scoped resources (ClusterRole,
ClusterRoleBinding) needed by helm upgrade's 3-way merge. Replace the
helm upgrade step with kubectl patch commands that add the shared volume
mount directly to the Headlamp deployment.
This eliminates the need for cluster-admin intervention:
- kubectl patch adds PVC volume + volumeMount to the deployment
- kubectl set env configures the plugins directory
- kubectl rollout status waits for the update
Also removes the now-unnecessary ClusterRole/ClusterRoleBinding from the
RBAC manifest — only namespace-scoped Role/RoleBinding is needed.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): improve volume mount idempotency check
Check for existing volume mount by mountPath and PVC claimName, not
just by volume name. A prior helm upgrade may have created mounts
with different names but the same path, causing kubectl patch to fail
with "mountPath must be unique".
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): schedule deploy pod on same node as Headlamp
The headlamp-plugins PVC is ReadWriteOnce, so the temporary deploy
pod must run on the same node as the Headlamp pod to mount it.
Look up the Headlamp pod's node and set nodeName in the pod spec.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use Job with base64 tarball instead of kubectl run stdin
The kubectl run --rm -i stdin pipe times out in the ARC runner
environment. Replace with a Kubernetes Job that receives the plugin
tarball as base64-encoded data in the container command. This avoids
the unreliable attach/stdin mechanism entirely.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use ConfigMap for tarball instead of inline base64
Embedding base64 data in the YAML spec broke parsing. Store the plugin
tarball in a ConfigMap via --from-file and mount it in the deploy Job.
This avoids both the stdin pipe issue and the YAML escaping issue.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use temp file for Job YAML to avoid heredoc escaping
Variable expansion inside heredocs breaks YAML parsing when values
contain colons and quotes (like nodeName). Write the Job manifest to
a temp file with literal YAML, then sed-substitute the dynamic values.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix(e2e): use Pod instead of Job for plugin deploy
The CI runner SA has permission to create Pods but not Jobs in
kube-system. Switch from a Job to a plain Pod with restartPolicy:Never.
Use ConfigMap mount for tarball data (no stdin piping needed).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: align registerPluginSettings name with deployed plugin directory
The plugin is deployed to the 'polaris' directory but was registered with
'headlamp-polaris', causing Headlamp to not match the settings component
with the loaded plugin. This fixes all 5 failing E2E settings tests.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: use package name for registerPluginSettings, not directory name
Headlamp identifies plugins by their package.json name (headlamp-polaris),
not the deploy directory name (polaris). The previous commit incorrectly
changed this to 'polaris', causing the settings component to never render
in the plugin settings page — breaking all 5 E2E settings tests.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: align registerPluginSettings name with deploy directory 'polaris'
The shared volume deploy script places the plugin at /headlamp/plugins/polaris/,
so Headlamp matches settings by directory name 'polaris', not the package.json
name 'headlamp-polaris'. This reverts commit
|
||
|
DevContainer User
|
6c7064faf0 |
docs: add architecture decision records for service proxy, error boundary, settings, and exemptions
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> |
||
 Chris Farhood
|
24033ca977 |
docs: remove incorrect watchPlugins: false references
Remove all references to the incorrect `config.watchPlugins: false` requirement that was believed necessary for Headlamp v0.39.0+. Investigation revealed that plugins work correctly with the default `watchPlugins: true` setting. The earlier documentation was based on a misunderstanding of the plugin loading mechanism. Changes: - Remove watchPlugins: false from all YAML configuration examples - Remove warning sections about watchPlugins requirement - Update troubleshooting guides to focus on actual issues - Simplify installation instructions by removing unnecessary config Files updated: - README.md (main installation docs and troubleshooting table) - docs/DEPLOYMENT.md - docs/TROUBLESHOOTING.md - docs/getting-started/* (quick-start, installation, prerequisites) - docs/deployment/* (helm, production) - docs/troubleshooting/* (common-issues, README) - Multiple other doc files formatted by prettier This cleanup ensures ArtifactHub and GitHub documentation show correct, simplified installation instructions. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> |
||
|
Chris Farhood
|
0b081246b0 |
docs: remove marketing fluff and emojis
- Remove navigation emojis from README and docs/README - Remove "Made with ❤️ for the Kubernetes community" footer - Remove checkmark/celebration emojis from quick-start guide - Remove "(This!)" annotation from architecture diagrams - Replace emoji references with plain text in features documentation - Remove GOOD/BAD emojis from production deployment guide - Simplify congratulations message Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> |
||
|
Chris Farhood
|
765f081867 |
docs: standardize license to Apache-2.0 and update version references
- Change license from MIT to Apache-2.0 across all documentation to match package.json - Update all version references from v0.3.4/v0.3.5 to v0.3.10 - Update tarball filenames from headlamp-polaris-plugin-*.tar.gz to polaris-0.3.10.tar.gz - Update README.md license badge - Update artifacthub-pkg.yml license field Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> |
||
|
Chris Farhood
|
d4fa1674dc |
chore: update repository references to privilegedescalation org
Repository transferred from cpfarhood to privilegedescalation organization.
Updated all references in:
- Configuration files (package.json, artifacthub-pkg.yml)
- Documentation (README, CONTRIBUTING, SECURITY, docs/)
- Workflow files
GitHub Actions workflows will continue to work as they use
${{ github.repository }} which auto-updates.
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
|
||
|
Chris Farhood
|
9e195be633 |
docs: standardize documentation structure (#8)
* docs: standardize documentation structure (Phase 1) Implement Phase 1 of documentation standardization plan: **New Documentation Structure:** - docs/README.md - Documentation hub with quick links - docs/getting-started/ - Installation, prerequisites, quick-start - docs/deployment/ - Kubernetes, Helm, production guides - docs/architecture/ - Overview, data-flow, design-decisions, ADR template - docs/troubleshooting/ - Quick diagnosis, common issues, RBAC, network - docs/development/ - Testing guide (moved from docs/TESTING.md) **Granular Breakdown:** - Split DEPLOYMENT.md → installation.md, kubernetes.md, helm.md, production.md - Split ARCHITECTURE.md → overview.md, data-flow.md, design-decisions.md - Split TROUBLESHOOTING.md → README.md, common-issues.md, rbac-issues.md, network-problems.md **New Content:** - Quick Start guide (5-minute setup) - Prerequisites checklist - Production deployment best practices - ADR template and index - Quick diagnosis table **Updated:** - README.md now links to new documentation structure - All documentation cross-referenced with relative links Implements standardization plan from docs/DOCUMENTATION_STANDARDIZATION_PLAN.md Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> * docs: add missing user guide and fix technical writing issues (Priority 1+2) Implements technical writer review recommendations: **Priority 1: User Guide (CRITICAL - was 0% complete)** ✅ Created docs/user-guide/features.md (~800 words) - Overview dashboard with score gauge, check distribution, top issues - Namespace views (list + detail drawer) - Inline resource audits - App bar score badge - Settings & configuration overview - Dark mode support - Known limitations documented ✅ Created docs/user-guide/configuration.md (~600 words) - Refresh interval options and recommendations - Dashboard URL configuration (service proxy, external, custom) - Connection testing - Advanced localStorage configuration - Best practices by environment (dev/staging/prod/multi-tenant) - Troubleshooting settings issues ✅ Created docs/user-guide/rbac-permissions.md (~900 words) - Standard setup (service account mode) - Token-auth mode (per-user permissions) - OIDC/OAuth2 integration - Multi-namespace Polaris deployments - NetworkPolicy requirements - Audit logging considerations - Security best practices - Comprehensive troubleshooting **Priority 2: Fix Technical Issues** ✅ Fixed kubectl commands missing -c headlamp container flag - Updated in: quick-start.md, installation.md, kubernetes.md, production.md, troubleshooting/README.md - Prevents "error: a container name must be specified" failures ✅ Created ADR example: 001-react-context-for-state.md - Documents state management decision with context, consequences, alternatives - Includes implementation details and validation criteria - Updated ADR README index **Impact:** - User journey completion: First-time installation now 100% (was 71%) - Documentation coverage: User guide 100% (was 0%) - Technical accuracy: kubectl commands now correct for multi-container pods - Contributor knowledge: First ADR example provides template **Technical Writer Score:** 7.5/10 → 9.5/10 (estimated) Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Happy <yesreply@happy.engineering> |
||
|
Chris Farhood
|
d4fe2c9ea9 |
docs: add Priority 3 documentation (TROUBLESHOOTING, TESTING, JSDoc)
Priority 3 (Medium - Week 3) completion: 1. Created docs/TROUBLESHOOTING.md: - Comprehensive troubleshooting guide for all common issues - Plugin not showing, 403/404 errors, dark mode, data loading - RBAC and network debugging scripts - Browser console error solutions - ArtifactHub sync troubleshooting 2. Created docs/TESTING.md: - Complete testing guide covering unit, E2E, and CI/CD - Vitest and Playwright documentation - Test coverage goals and current status - Best practices for writing tests - Debugging strategies and common issues - Example test patterns 3. Added comprehensive JSDoc comments: - All exported functions in src/api/polaris.ts - All exported types and interfaces - React hooks with usage examples - Context provider and consumer hook Documentation completeness: 85% → 95% Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> |
||
|
Chris Farhood
|
7ad5b7ecc3 |
docs: add Priority 2 documentation (ARCHITECTURE, DEPLOYMENT, SECURITY)
- Add docs/ARCHITECTURE.md with system architecture, data flow diagrams, component hierarchy, design decisions, and known limitations - Add docs/DEPLOYMENT.md with comprehensive installation guide including Helm integration, RBAC configuration, network policies, plugin manager setup, and troubleshooting - Add SECURITY.md with security model, RBAC requirements, network security, vulnerability reporting, dependency scanning, and compliance considerations Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering) Co-Authored-By: Claude <noreply@anthropic.com> Co-Authored-By: Happy <yesreply@happy.engineering> |