The E2E workflow and deploy scripts were targeting the legacy
privilegedescalation-dev namespace, which is not managed by Flux GitOps
in privilegedescalation/infra.
The infra repo (PR #11) already provisions the headlamp-dev namespace
and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants
the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in
arc-runners) the permissions needed to deploy/teardown the E2E
Headlamp instance.
This change aligns all E2E infrastructure to use headlamp-dev:
- .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev
- scripts/deploy-e2e-headlamp.sh: default namespace and comments
- scripts/teardown-e2e-headlamp.sh: default namespace
- deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events
permission (already present in infra copy)
Refs: PRI-423
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The :latest tag caused E2E flakiness when a newer Headlamp image was
pulled on some cluster nodes (IfNotPresent policy) but not others.
Concurrent E2E runs on main saw different image versions, and the newest
:latest (sha256:89c6c65) failed to pass the readiness probe within 120s.
Pin to v0.40.1 — the same version running in production (kube-system) —
so all nodes use the same cached digest and CI is deterministic. Update
this pin when Headlamp is upgraded in production.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
kubectl apply without prior deletion patches in place: if the pod spec is
unchanged between runs, no rollout is triggered and a potentially degraded
pod from a prior run keeps serving. This caused the auth.setup.ts timeout
(waiting for the "use a token" button) even when no concurrent runs were
present — the headlamp-e2e pod was in an inconsistent state from a previous
run that didn't tear down cleanly.
Changes:
- deploy-e2e-headlamp.sh: delete Deployment, Service, and ServiceAccount
(with --wait) before applying, guaranteeing a fresh pod each run
- auth.setup.ts: add explicit waitFor({ state: 'visible', timeout: 15_000 })
before the "use a token" button click, so failures surface at 15 s with a
clear locator error rather than silently timing out at 60 s
Fixes the pre-existing infra issue blocking PR#110.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
kubectl rollout status confirms the pod is ready per readinessProbe, but
Kubernetes Service DNS propagation to the runner pod may lag behind.
This caused intermittent E2E failures with ERR_NAME_NOT_RESOLVED.
Add a poll loop (max 120s) after rollout status that verifies the service
URL is reachable via HTTP before writing .env.e2e. This eliminates the
race condition between DNS propagation and Playwright launch.
Fixes: PRI-687 (intermittent E2E DNS failure)
The Helm chart deployment was consistently failing — the pod enters
CrashLoopBackOff despite identical kubectl manifests working. The Helm
chart also silently ignored extraVolumes/extraVolumeMounts (pnpm-style
keys not supported by the chart), meaning the plugin ConfigMap was
never actually mounted even when deploy appeared to succeed.
Replace with direct kubectl apply using a bash heredoc to render the
manifest with shell variable substitution. This removes the Helm
dependency, fixes the plugin volume mount, and uses the exact
configuration that was proven to work in the cluster.
Also adds explicit initialDelaySeconds/failureThreshold on readiness
and liveness probes to give Headlamp adequate startup time.
Note: .github/workflows/e2e.yaml still has a Setup Helm step that is
now unused — assigned to Hugh Hackman to remove.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Per org RBAC policy, development/testing Headlamp instances must run in
`privilegedescalation-dev`, not `default`. Agents only have read-write
access in `privilegedescalation` and `privilegedescalation-dev` — the
`default` namespace is outside our permitted scope.
Updated:
- deployment/e2e-ci-runner-rbac.yaml: Role/RoleBinding now targets privilegedescalation-dev
- deployment/headlamp-e2e-values.yaml: comment updated
- scripts/deploy-e2e-headlamp.sh: default namespace changed
- scripts/teardown-e2e-headlamp.sh: default namespace changed
Note: .github/workflows/e2e.yaml still sets E2E_NAMESPACE: default and
needs a separate update — delegated to Hugh Hackman (workflow owner).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Fails fast with a clear error and remediation hint if the runner SA
lacks configmap delete permission, instead of dying mid-deploy.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Board directive: E2E tests must run in the `default` namespace.
Nothing should persist beyond a test run; no dedicated namespace needed.
Changes:
- e2e-ci-runner-rbac.yaml: retarget Role/RoleBinding to `default`,
remove ClusterRole/ClusterRoleBinding (no longer needed since we
don't need cluster-scoped namespace read permission)
- e2e.yaml: set E2E_NAMESPACE=default
- deploy-e2e-headlamp.sh: default namespace to `default`, remove
namespace existence check (default always exists)
- teardown-e2e-headlamp.sh: default namespace to `default`, remove
namespace existence check guard
- headlamp-e2e-values.yaml: update usage comment
- e2e/README.md: remove namespace creation prerequisite
Closes#78#79
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The CI runner SA only has namespace-scoped RBAC in headlamp-e2e — it
cannot create or delete namespaces at the cluster level. Deploy now
verifies the namespace exists (with a clear error if not), and teardown
cleans up resources without deleting the namespace itself.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Delete custom Docker image approach per board directive. Plugin is now
loaded into stock Headlamp via a ConfigMap volume mount:
- Delete Dockerfile.e2e
- deploy-e2e-headlamp.sh creates a ConfigMap from dist/ and mounts it
into the stock ghcr.io/headlamp-k8s/headlamp image
- Helm values use extraVolumes/extraVolumeMounts for the ConfigMap
- No custom images, no PVCs, no kubectl exec/cp
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace the PVC + kubectl-patch approach for E2E plugin deployment with
a custom Docker image that has the plugin pre-installed. This eliminates
all policy-violating operations:
- No PVCs in kube-system
- No kubectl exec/cp to Headlamp pods
- No deployment patching via kubectl
- No temporary pods or ConfigMap-based file transfers
The new approach builds a Headlamp image with the plugin baked in
(Dockerfile.e2e), deploys it as a dedicated instance in the headlamp-e2e
namespace via Helm, and tears it down after tests complete.
RBAC is scoped to the headlamp-e2e namespace instead of kube-system.
Note: .github/workflows/e2e.yaml still needs updating to use the new
scripts — that change is delegated to Hugh (CI/CD owner).
Closes: privilegedescalation/headlamp-polaris-plugin#72
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Chris Farhood
privilegedescalation-engineer[bot]
Hugh Hackman