Adds a CI-only test fixture for deploying freshly-built plugin artifacts
to a test Headlamp instance without kubectl exec/cp. Approved under CTO
decision PRI-200 as a narrowly-scoped CI exception — production plugin
distribution remains ArtifactHub-only.
- scripts/deploy-plugin-to-headlamp.sh: packages plugin as tarball →
stores in ConfigMap → patches Headlamp deployment with init container
that extracts to static-plugins volume
- deployment/e2e-runner-rbac.yaml: minimal RBAC (configmaps, deployments,
replicasets, pods — no exec/cp)
- scripts/deploy-plugin-to-headlamp.test.sh: precondition and policy
compliance tests (9 assertions)
Co-Authored-By: Paperclip <noreply@paperclip.ing>
* fix: correct settings test selector to match plugin name
The settings E2E test looked for 'headlamp-polaris-plugin' but the
plugin is registered as 'polaris' (package.json name and
registerPluginSettings call). Fix the selector to match.
Refs: PRI-28
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: add RBAC manifest for Polaris dashboard service proxy access
E2E tests fail with 403 because users lack RBAC to proxy to the Polaris
dashboard service. The plugin reads audit data via the K8s service proxy
at /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/.
Add deployment/polaris-rbac.yaml with:
- Role granting `get` on `services/proxy` for polaris-dashboard
- RoleBinding granting this to all authenticated users (read-only)
The E2E workflow also needs a `kubectl apply -f deployment/polaris-rbac.yaml`
step added before running tests. This requires the `workflows` permission
on the GitHub App, which is tracked separately.
Refs: PRI-28
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: add Polaris RBAC apply and readiness check to E2E workflow
The E2E tests fail because the CI runner lacks RBAC permissions to
proxy to the Polaris dashboard service. Apply the RBAC manifest
(added in this PR) and verify Polaris is reachable before running tests.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* ci: remove kubectl steps from E2E workflow
The CI runner (local-ubuntu-latest) has no kubectl or cluster access.
E2E tests are browser-only via Playwright against a remote Headlamp URL.
The Polaris RBAC fix (deployment/polaris-rbac.yaml) must be applied
directly to the cluster by an operator with kubectl access.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
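The Role and RoleBinding described in the `deployment/polaris-rbac.yaml` commit message above could look like the following. This is an added example, not the file from the repository; the object name `polaris-dashboard-proxy-reader` is hypothetical, and the namespace, service name and proxy path segment are taken from the message.

```yaml
# Added example; not the contents of deployment/polaris-rbac.yaml.
# The object name polaris-dashboard-proxy-reader is hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: polaris-dashboard-proxy-reader
  namespace: polaris
rules:
  - apiGroups: [""]
    resources: ["services/proxy"]
    # RBAC compares resourceNames with the name segment of the request URL,
    # so the scheme:name:port form the plugin requests is listed next to
    # the bare service name.
    resourceNames:
      - "polaris-dashboard"
      - "http:polaris-dashboard:80"
    # Only `get`: other HTTP methods through the proxy map to other verbs
    # and stay denied.
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: polaris-dashboard-proxy-reader
  namespace: polaris
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: polaris-dashboard-proxy-reader
subjects:
  # All authenticated users, as stated in the commit message.
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: system:authenticated
```

Scoping the rule with `resourceNames` keeps the grant to this one service; without it, the Role would allow proxying to every service in the `polaris` namespace.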
- Update package.json version
- Update artifacthub-pkg.yml version and archive URL
- Add PROJECT_ASSESSMENT.md for tracking improvements
- Add deployment/ directory with plugin loading fix documentation
Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)
Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>