PRI-750: update plugin repos to reference shared infra RBAC (PRI-695 follow-up)
- deployment/e2e-ci-runner-rbac.yaml: replaced duplicate manifest with
reference comment pointing to privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
- scripts/deploy-e2e-headlamp.sh: updated RBAC preflight comment and error
message to reference infra path
- scripts/teardown-e2e-headlamp.sh: added RBAC reference comment
Infra RBAC is the source of truth managed by Flux GitOps. CI workflow
unchanged (Hugh owns .github/workflows/).
When the E2E deploy step fails (rollout timeout, pod not ready, etc.),
previously required manual cluster investigation to diagnose the root
cause. This heartbeat had to grep CI logs and query kubectl separately
to determine a :latest image drift issue.
The new step captures pod state, pod describe output, and recent namespace
events immediately when a failure occurs — surfacing the root cause
directly in the CI run log.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The :latest tag caused E2E flakiness when a newer Headlamp image was
pulled on some cluster nodes (IfNotPresent policy) but not others.
Concurrent E2E runs on main saw different image versions, and the newest
:latest (sha256:89c6c65) failed to pass the readiness probe within 120s.
Pin to v0.40.1 — the same version running in production (kube-system) —
so all nodes use the same cached digest and CI is deterministic. Update
this pin when Headlamp is upgraded in production.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
kubectl apply without prior deletion patches in place: if the pod spec is
unchanged between runs, no rollout is triggered and a potentially degraded
pod from a prior run keeps serving. This caused the auth.setup.ts timeout
(waiting for the "use a token" button) even when no concurrent runs were
present — the headlamp-e2e pod was in an inconsistent state from a previous
run that didn't tear down cleanly.
Changes:
- deploy-e2e-headlamp.sh: delete Deployment, Service, and ServiceAccount
(with --wait) before applying, guaranteeing a fresh pod each run
- auth.setup.ts: add explicit waitFor({ state: 'visible', timeout: 15_000 })
before the "use a token" button click, so failures surface at 15 s with a
clear locator error rather than silently timing out at 60 s
Fixes the pre-existing infra issue blocking PR#110.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
cancel-in-progress: true would cancel in-flight E2E runs when a new one
arrives. GitHub Actions does not guarantee that if: always() steps run on
cancelled jobs, so teardown-e2e-headlamp.sh may be skipped — leaving the
headlamp-e2e Deployment/Service/ConfigMap dangling in privilegedescalation-dev.
Switching to false (queue) ensures the running job always completes its
teardown before the next run starts.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Prevents parallel E2E runs from conflicting over the shared
headlamp-e2e Helm release in privilegedescalation-dev. With
cancel-in-progress: true, a new push cancels any in-progress
run on the same repo — only one E2E suite runs at a time.
Observed failure: PR#109 and PR#108 ran concurrently and the
auth setup in PR#109 timed out, likely due to resource contention
on the shared headlamp-e2e instance.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replaces the duplicated Renovate config with a simple extend from the
org-level preset (privilegedescalation/.github:renovate-config). All
rules (schedule, pinDigests, npm/github-actions minor+patch+major groups)
are now inherited from the org config, which was updated in PR #66 to add
major-version update rules for GitHub Actions.
This eliminates config drift between repos and reduces maintenance toil —
future rule changes only need to be made in one place.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Remove "Coverage threshold: Vitest coverage threshold enforced in CI
(#82)" — the shared CI workflow does not run coverage; this line was
inaccurate.
- Fix [1.0.0] compare link from v0.6.0...v1.0.0 to v0.7.2...v1.0.0
to accurately reflect the last tagged release.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Bump version to 1.0.0 in package.json and package-lock.json
- Update artifacthub-pkg.yml: version, archive-url, and changes section
- Add v1.0.0 CHANGELOG entry covering changes since v0.7.2
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: add packageManager field to pin pnpm version
Pins pnpm@10.32.1 via the packageManager field. This allows
pnpm/action-setup@v4 to resolve the version from package.json instead
of relying on `version: latest`, preventing silent breakage on major
pnpm version bumps.
Fixes: PRI-674
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: trigger fresh CI run after Corepack fix merges in .github PR #57
The shared plugin-ci.yaml now uses Corepack when packageManager field
is set, avoiding the 'Multiple versions of pnpm specified' error.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* ci: retrigger CI with updated shared workflow (python3 pnpm detection)
---------
Co-authored-by: Hugh Hackman <github-actions[bot]@users.noreply.github.com>
Co-authored-by: Paperclip <noreply@paperclip.ing>
Co-authored-by: privilegedescalation-ceo[bot] <269721483+privilegedescalation-ceo[bot]@users.noreply.github.com>
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.paperclip.ing>
Co-authored-by: Hugh Hackman <hugh@privilegedescalation.com>
The org renovate-config.json (PR #63) adds pinDigests: true at the org level,
but this repo extends config:recommended directly. Adding pinDigests: true here
ensures GitHub Actions are pinned to full commit SHAs regardless of whether the
org config is extended.
Related: privilegedescalation/.github#63, PRI-757
kubectl rollout status confirms the pod is ready per readinessProbe, but
Kubernetes Service DNS propagation to the runner pod may lag behind.
This caused intermittent E2E failures with ERR_NAME_NOT_RESOLVED.
Add a poll loop (max 120s) after rollout status that verifies the service
URL is reachable via HTTP before writing .env.e2e. This eliminates the
race condition between DNS propagation and Playwright launch.
Fixes: PRI-687 (intermittent E2E DNS failure)
Calls the shared privilegedescalation/.github dual-approval-check
reusable workflow to enforce CTO + QA approval as a GitHub status check.
Once privilegedescalation/.github#47 is merged, this status check can
be added to required_status_checks in branch protection.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm strict mode does not hoist transitive deps. @headlamp-k8s/eslint-config
was only available via @kinvolk/headlamp-plugin, causing ESLint to fail with
"Cannot find config @headlamp-k8s/eslint-config to extend from". Adding it
as a direct devDependency makes it accessible at the root node_modules level.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
pnpm strict mode does not expose transitive dependency binaries.
Adding prettier@^2.8.8 alongside eslint@^8.57.0 so that
pnpm run format:check works in CI without 'prettier: not found'.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pnpm's strict node_modules layout does not expose transitive dependency
binaries. eslint was only a transitive dep via @kinvolk/headlamp-plugin,
causing 'eslint: not found' when running pnpm run lint in CI.
Adding eslint@^8.57.0 as a direct devDependency ensures the binary is
available in node_modules/.bin/ under pnpm.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Move vulnerability overrides from npm-format top-level `overrides` to
pnpm-format `pnpm.overrides`. Add flatted override to patch the
high-severity prototype pollution CVE. All 5 high + 3 moderate severity
issues are now resolved.
Remaining: elliptic (low, no patch available upstream).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The E2E Headlamp instance is deployed without OIDC configuration, so
Headlamp redirects / → /token directly instead of / → /login. The
authenticateWithToken function was hardcoded to expect /login first,
causing a 60s timeout on every run.
- e2e.yaml: remove unused Setup Helm step (deploy script uses kubectl)
- e2e.yaml: remove AUTHENTIK_USERNAME/PASSWORD (no OIDC in E2E instance)
- auth.setup.ts: waitForURL accepts both /login and /token; only clicks
"use a token" if landed on /login (OIDC-configured Headlamp)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
pnpm run tsc failed with "tsc not found" because typescript was only
available as a transitive dependency from @kinvolk/headlamp-plugin.
Adding it explicitly as a direct devDependency ensures tsc is always
accessible regardless of pnpm hoisting behavior.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Helm chart deployment was consistently failing — the pod enters
CrashLoopBackOff despite identical kubectl manifests working. The Helm
chart also silently ignored extraVolumes/extraVolumeMounts (pnpm-style
keys not supported by the chart), meaning the plugin ConfigMap was
never actually mounted even when deploy appeared to succeed.
Replace with direct kubectl apply using a bash heredoc to render the
manifest with shell variable substitution. This removes the Helm
dependency, fixes the plugin volume mount, and uses the exact
configuration that was proven to work in the cluster.
Also adds explicit initialDelaySeconds/failureThreshold on readiness
and liveness probes to give Headlamp adequate startup time.
Note: .github/workflows/e2e.yaml still has a Setup Helm step that is
now unused — assigned to Hugh Hackman to remove.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The Headlamp chart defaults to creating a ClusterRoleBinding, but the
ARC runner service account lacks cluster-scoped RBAC permissions. E2E
tests only need Headlamp to serve the UI — no cluster-admin required.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Align workflow with org RBAC policy — agents have read-write access only
in privilegedescalation-dev, not the default namespace.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Per org RBAC policy, development/testing Headlamp instances must run in
`privilegedescalation-dev`, not `default`. Agents only have read-write
access in `privilegedescalation` and `privilegedescalation-dev` — the
`default` namespace is outside our permitted scope.
Updated:
- deployment/e2e-ci-runner-rbac.yaml: Role/RoleBinding now targets privilegedescalation-dev
- deployment/headlamp-e2e-values.yaml: comment updated
- scripts/deploy-e2e-headlamp.sh: default namespace changed
- scripts/teardown-e2e-headlamp.sh: default namespace changed
Note: .github/workflows/e2e.yaml still sets E2E_NAMESPACE: default and
needs a separate update — delegated to Hugh Hackman (workflow owner).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Chris Farhood
privilegedescalation-engineer[bot]
Hugh Hackman