chore: remove orphaned deployment/polaris-rbac.yaml (PRI-917)

PR #146 moved RBAC management to the infra repo (Flux). The local
RBAC apply steps were removed from the E2E workflow, but this file
was inadvertently left behind. It is now orphaned since the
polaris-dashboard-proxy-reader Role and RoleBinding are managed
by Flux.

See PRI-916 for context.

.github/workflows/dual-approval.yaml

@@ -16,3 +16,5 @@ jobs:
   dual-approval:
     uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
     secrets: inherit
+    with:
+      pr_number: ${{ github.event.pull_request.number }}

.github/workflows/e2e.yaml

@@ -10,9 +10,22 @@ on:
 permissions:
   contents: read
 
+# Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
+# headlamp-dev cannot be shared across concurrent runs.
+# cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
+# runs may skip the if:always() teardown, leaving dangling cluster resources.
+concurrency:
+  group: e2e-${{ github.repository }}
+  cancel-in-progress: false
+
 env:
-  E2E_NAMESPACE: privilegedescalation-dev
+  E2E_NAMESPACE: headlamp-dev
   E2E_RELEASE: headlamp-e2e
+  # Pin to a known-good Headlamp version. Using :latest is risky because
+  # the tag can change between CI runs, causing flaky failures when a newer
+  # image is pulled on some nodes but not others (IfNotPresent pull policy).
+  # Update this when Headlamp is upgraded in production (kube-system).
+  HEADLAMP_VERSION: v0.40.1
 
 jobs:
   e2e:
@@ -32,6 +45,104 @@ jobs:
       - name: Setup kubectl
         uses: azure/setup-kubectl@v4
 
+      - name: Get kubeconfig
+        run: |
+          set -euo pipefail
+          echo "=== Runner environment diagnostic ==="
+          echo "HOME=${HOME:-}"
+          echo "KUBECONFIG=${KUBECONFIG:-}"
+          echo "ACTIONS_KUBECONFIG=${ACTIONS_KUBECONFIG:-}"
+          echo "RUNNER_CONFIG=${RUNNER_CONFIG:-}"
+          echo "RUNNER_CONFIG_DIR=${RUNNER_CONFIG_DIR:-}"
+          echo ""
+          echo "=== Checking known kubeconfig locations ==="
+          for path in /runner/config /home/runner/.kube/config "${HOME:-}/.kube/config" "${HOME:-}/.kube"; do
+            if [ -f "$path" ]; then
+              echo "FOUND kubeconfig at: $path"
+            elif [ -d "$path" ]; then
+              echo "DIR exists at: $path, contents:"
+              ls -la "$path" 2>&1 || echo "  (cannot list)"
+            else
+              echo "NOT FOUND: $path"
+            fi
+          done
+          echo ""
+          echo "=== In-cluster service account check ==="
+          in_cluster=false
+          if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
+            echo "Service account token present — in-cluster mode available"
+            echo "KUBERNETES_SERVICE_HOST=${KUBERNETES_SERVICE_HOST:-}"
+            echo "KUBERNETES_SERVICE_PORT=${KUBERNETES_SERVICE_PORT:-}"
+            in_cluster=true
+          else
+            echo "No service account token at /var/run/secrets/kubernetes.io/serviceaccount/"
+          fi
+          echo ""
+          if [ -f /runner/config ]; then
+            echo "KUBECONFIG=/runner/config" >> "$GITHUB_ENV"
+            echo "Using kubeconfig from /runner/config"
+          elif [ -f /home/runner/.kube/config ]; then
+            echo "KUBECONFIG=/home/runner/.kube/config" >> "$GITHUB_ENV"
+            echo "Using kubeconfig from /home/runner/.kube/config"
+          elif [ -f "${HOME:-}/.kube/config" ]; then
+            echo "KUBECONFIG=${HOME:-}/.kube/config" >> "$GITHUB_ENV"
+            echo "Using kubeconfig from HOME"
+          elif [ "$in_cluster" = true ]; then
+            echo "No static kubeconfig found — generating in-cluster kubeconfig"
+            KUBECFG_DIR="${HOME:-}/.kube"
+            mkdir -p "$KUBECFG_DIR"
+            kubectl config set-cluster in-cluster \
+              --server="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}" \
+              --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+              --embed-certs=true \
+              --kubeconfig="$KUBECFG_DIR/config" 2>&1
+            kubectl config set-credentials in-cluster \
+              --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+              --kubeconfig="$KUBECFG_DIR/config" 2>&1
+            kubectl config set-context in-cluster \
+              --cluster=in-cluster \
+              --user=in-cluster \
+              --kubeconfig="$KUBECFG_DIR/config" 2>&1
+            kubectl config use-context in-cluster \
+              --kubeconfig="$KUBECFG_DIR/config" 2>&1
+            echo "KUBECONFIG=$KUBECFG_DIR/config" >> "$GITHUB_ENV"
+            echo "Generated in-cluster kubeconfig at $KUBECFG_DIR/config"
+          else
+            echo "::error::No kubeconfig found in /runner/config, /home/runner/.kube/config, HOME, or in-cluster service account"
+            exit 1
+          fi
+
+      - name: Apply RBAC for E2E pipeline
+        run: |
+          set -x
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
+          echo "exit code: $?"
+          echo "Waiting for RBAC propagation..."
+          sleep 5
+          echo "Verifying RBAC resources were created..."
+          kubectl get role e2e-ci-runner -n headlamp-dev 2>&1 | tail -3
+          kubectl get role e2e-ci-runner-polaris -n headlamp-dev 2>&1 | tail -3
+          kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev 2>&1 | tail -3
+          set +x
+
+      - name: Apply Polaris dashboard RBAC
+        run: kubectl apply -f deployment/polaris-rbac.yaml
+
+      - name: RBAC pre-flight check
+        run: |
+          echo "Checking RBAC resources..."
+          MISSING=0
+          kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
+          kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
+          kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" 2>/dev/null || MISSING=1
+          if [ "$MISSING" -eq 0 ]; then
+            echo "RBAC pre-flight check passed."
+          else
+            echo "::error::RBAC pre-flight check failed. Missing required permissions."
+            exit 1
+          fi
+
       - name: Install dependencies
         run: npm ci
 
@@ -59,6 +170,16 @@ jobs:
           HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
           HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
 
+      - name: Collect deployment diagnostics on failure
+        if: failure()
+        run: |
+          echo "=== Pod state ==="
+          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Pod describe ==="
+          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Recent namespace events ==="
+          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
+
       - name: Teardown E2E instance
         if: always()
         run: scripts/teardown-e2e-headlamp.sh

PROJECT_ASSESSMENT.md

@@ -229,7 +229,7 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 **Action Items:**
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
-- [ ] Integrate Dependabot
+- [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
 - [ ] Add semantic-release
 
 ---

SECURITY.md

@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:
 
 The project uses:
 - **npm audit**: Runs automatically during `npm install`
-- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
+- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit
 
 ### Updating Dependencies

SPEC-PRI-324.md

@@ -0,0 +1,98 @@
+# PRI-324 Spec: Make E2E Workflow Self-Sufficient with RBAC
+
+## Context
+
+PR #123 introduced an RBAC pre-flight check to the E2E workflow. QA (Nancy, acting as QA) verified the "fails fast without RBAC" path works, but found that the "with RBAC passes" path had no green CI evidence — the workflow did not apply RBAC before the pre-flight check.
+
+PR #131 attempted to fix this by adding `kubectl apply` steps and extending the CI runner RBAC, but its merge commit (739db6fe) was reverted by the next commit on main (aa1db921) due to a vulnerability fix PR (#128).
+
+The current E2E workflow on `main` lacks the RBAC apply steps and CI runner permissions needed to make the pre-flight check meaningful.
+
+## Required Changes
+
+### 1. `.github/workflows/e2e.yaml`
+
+Add between the "Setup kubectl" and "Install dependencies" steps:
+
+```yaml
+      - name: Apply RBAC for E2E pipeline
+        run: |
+          set -x
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
+          echo "exit code: $?"
+          echo "Waiting for RBAC propagation..."
+          sleep 5
+          echo "Verifying CI runner permissions..."
+          kubectl auth can-i create roles -n headlamp-dev --as="system:serviceaccount:arc-runners:runners-privilegedescalation-gha-rs-no-permission" 2>&1 || { echo "::error::CI runner still lacks roles permission after propagation wait"; exit 1; }
+          set +x
+
+      - name: Apply Polaris dashboard RBAC
+        run: kubectl apply -f deployment/polaris-rbac.yaml
+
+      - name: RBAC pre-flight check
+        run: |
+          echo "Checking RBAC resources..."
+          MISSING=0
+          kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
+          kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
+          kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null || MISSING=1
+          if [ "$MISSING" -eq 0 ]; then
+            echo "RBAC pre-flight check passed."
+          else
+            echo "::error::RBAC pre-flight check failed. Missing required permissions."
+            exit 1
+          fi
+```
+
+### 2. `deployment/e2e-ci-runner-rbac.yaml`
+
+Add a new Role + RoleBinding for the `polaris` namespace (from PR #131):
+
+```yaml
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner-polaris
+  namespace: polaris
+rules:
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-polaris
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner-polaris
+  apiGroup: rbac.authorization.k8s.io
+```
+
+And add to the existing `e2e-ci-runner` Role in the `headlamp-dev` namespace:
+```yaml
+  # Apply Polaris dashboard RBAC in the polaris namespace
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+```
+
+## Acceptance Criteria
+
+- [ ] Workflow applies `deployment/e2e-ci-runner-rbac.yaml` before the pre-flight check
+- [ ] Workflow applies `deployment/polaris-rbac.yaml` before the pre-flight check
+- [ ] CI runner has RBAC to apply the manifests (added via new Role+RoleBinding in polaris namespace)
+- [ ] E2E pipeline passes on the PR branch (proof of green path)
+- [ ] `kubectl get … --quiet` flag removed (QA nit)
+- [ ] `MISSING_ROLE`/`MISSING_ROLEBINDING` collapsed to single `MISSING` flag (QA nit)
+
+## Definition of Done
+
+PR #123 QA changes-requested are addressed: the workflow is self-sufficient (applies its own RBAC), the green path is demonstrated, and QA review is re-requested.

deployment/e2e-ci-runner-rbac.yaml

@@ -2,26 +2,26 @@
 # RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
 # CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account permissions in the privilegedescalation-dev
+# Grants the ARC runner service account permissions in the headlamp-dev
 # namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
 #
 # Plugin is loaded via ConfigMap volume mount — no custom Docker images.
 #
-# Prerequisites:
-#   kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
+# and managed by Flux GitOps. The infra repo is the source of truth.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: e2e-ci-runner
-  namespace: privilegedescalation-dev
+  namespace: headlamp-dev
 rules:
   # Helm needs to manage these resources for the Headlamp chart
   - apiGroups: ["apps"]
     resources: ["deployments"]
     verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
   - apiGroups: [""]
-    resources: ["services", "serviceaccounts", "configmaps", "secrets"]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
     verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
   - apiGroups: [""]
     resources: ["pods"]
@@ -30,12 +30,40 @@ rules:
   - apiGroups: [""]
     resources: ["serviceaccounts/token"]
     verbs: ["create"]
+  # Apply Polaris dashboard RBAC in the polaris namespace
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner-polaris
+  namespace: polaris
+rules:
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-polaris
+  namespace: polaris
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner-polaris
+  apiGroup: rbac.authorization.k8s.io
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: e2e-ci-runner-binding
-  namespace: privilegedescalation-dev
+  namespace: headlamp-dev
 subjects:
   - kind: ServiceAccount
     name: runners-privilegedescalation-gha-rs-no-permission

deployment/polaris-rbac.yaml

@@ -1,28 +0,0 @@
-# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
-# The polaris plugin reads audit data via the Kubernetes service proxy:
-#   /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
-# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: polaris-dashboard-proxy-reader
-  namespace: polaris
-rules:
-  - apiGroups: [""]
-    resources: ["services/proxy"]
-    resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
-    verbs: ["get"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: polaris-dashboard-proxy-reader
-  namespace: polaris
-subjects:
-  - kind: Group
-    name: system:authenticated
-    apiGroup: rbac.authorization.k8s.io
-roleRef:
-  kind: Role
-  name: polaris-dashboard-proxy-reader
-  apiGroup: rbac.authorization.k8s.io

e2e/auth.setup.ts

@@ -45,8 +45,12 @@ async function authenticateWithToken(page: Page, token: string): Promise<void> {
   await page.waitForURL(/\/(login|token)$/);
 
   if (page.url().includes('/login')) {
-    // OIDC login page — click "use a token" to reach token auth
-    await page.getByRole('button', { name: /use a token/i }).click();
+    // OIDC login page — click "use a token" to reach token auth.
+    // Wait explicitly before clicking so failures surface at 15 s
+    // with a clear message rather than silently timing out at 60 s.
+    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
+    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
+    await useTokenBtn.click();
     await page.waitForURL('**/token');
   }
 

package.json

@@ -35,7 +35,10 @@
     "overrides": {
       "tar": "^7.5.11",
       "undici": "^7.24.3",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
+      "lodash": ">=4.18.0",
+      "picomatch": ">=4.0.4",
+      "vite": ">=6.4.2"
     }
   },
   "devDependencies": {

renovate.json

@@ -1,21 +1,5 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["config:recommended"],
-  "baseBranches": ["main"],
-  "schedule": ["every weekend"],
-  "prConcurrentLimit": 10,
-  "pinDigests": true,
-  "packageRules": [
-    {
-      "matchManagers": ["npm"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "npm minor and patch"
-    },
-    {
-      "matchManagers": ["github-actions"],
-      "matchUpdateTypes": ["minor", "patch"],
-      "groupName": "github-actions minor and patch"
-    }
-  ]
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
 }
 

scripts/deploy-e2e-headlamp.sh

@@ -5,26 +5,26 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
-# persists beyond the test run — teardown cleans up all created resources.
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# persists beyond a test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-#   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+#   - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
-#   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
+#   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
 
-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
-HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
 
 if [ ! -d "$DIST_DIR" ]; then
   echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
@@ -58,6 +58,16 @@ kubectl create configmap headlamp-polaris-plugin \
   --from-file="$DIST_DIR" \
   --from-file=package.json="$REPO_ROOT/package.json"
 
+# --- Tear down any existing E2E deployment for a clean start ---
+# kubectl apply without prior deletion only patches in-place: if the pod spec is
+# unchanged between runs, no new rollout is triggered and a degraded pod keeps
+# serving. Delete first to guarantee a fresh pod regardless of prior state.
+echo ""
+echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+
 # --- Deploy Headlamp via kubectl apply ---
 echo ""
 echo "Deploying Headlamp E2E instance..."

scripts/teardown-e2e-headlamp.sh

@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 
-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 
 echo "=== E2E Headlamp Teardown ==="