Compare commits

..

19 Commits

Author SHA1 Message Date
Chris Farhood 1d6584742e chore: remove orphaned deployment/polaris-rbac.yaml (PRI-917)
PR #146 moved RBAC management to the infra repo (Flux). The local
RBAC apply steps were removed from the E2E workflow, but this file
was inadvertently left behind. It is now orphaned since the
polaris-dashboard-proxy-reader Role and RoleBinding are managed
by Flux.

See PRI-916 for context.
2026-05-06 16:36:56 +00:00
Chris Farhood dc1f354449 fix(e2e): remove 'local' keyword outside function context
The 'local' bash keyword can only be used inside a function. Using it
at top-level of a run: block causes 'local: can only be used in a
function' error and exits the script with code 1.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:42:21 +00:00
Chris Farhood b371b626ee fix(e2e): generate in-cluster kubeconfig when no static kubeconfig is found
The ARC runner has no static kubeconfig at any of the expected paths
(/runner/config, ~/.kube/config). It DOES have a service account token
(/var/run/secrets/kubernetes.io/serviceaccount/token) and
KUBERNETES_SERVICE_HOST=10.43.0.1, confirming in-cluster access.

This commit adds a third fallback tier: when no static kubeconfig is
found AND the runner is in-cluster (service account token present),
generate a kubeconfig from the in-cluster service account credentials.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:39:46 +00:00
Chris Farhood 30f8c92a09 fix(e2e): use ${VAR:-} syntax to avoid unbound variable errors
The previous diagnostic step used $KUBECONFIG and $HOME directly,
which causes 'unbound variable' exit when run with set -euo pipefail
and KUBECONFIG is unset. Use ${VAR:-} defaults throughout.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:36:15 +00:00
Chris Farhood 48947ce2c6 debug(e2e): add diagnostic step to discover kubeconfig location on ARC runner
Adds a comprehensive diagnostic block that prints env vars, lists all
known kubeconfig paths, checks in-cluster service account, and attempts
kubectl config view. This will reveal the actual path on the runner.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:33:11 +00:00
Chris Farhood 20453c7223 fix(e2e): explicit kubeconfig path with fail-fast instead of silent fallback
The previous loop silently skipped if no kubeconfig was found, causing
kubectl commands to fall back to localhost:8080. Use explicit paths
in priority order with a hard error if none exist.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:27:07 +00:00
Chris Farhood 7c55bfac01 fix(e2e): remove impersonation check, verify RBAC resources directly
Replace the impersonation check with direct verification of RBAC
resources. The kubectl auth can-i --as check fails with
localhost:8080 because kubectl cannot find kubeconfig. Instead,
directly verify that the Role and RoleBinding were created
by kubectl apply.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:16:45 +00:00
Chris Farhood 74f8264630 fix(e2e): clean kubeconfig discovery without diagnostic overhead
Simplified kubeconfig discovery. Search standard paths and exit 0
immediately upon finding one.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:14:24 +00:00
Chris Farhood a10c5628e1 debug(e2e): test kubectl apply and can-i with and without kubeconfig
Test if kubectl apply dry-run works without KUBECONFIG (the original
behavior that succeeded). Also test kubectl auth can-i without KUBECONFIG
(to confirm the failure mode). Compare with KUBECONFIG set to service account.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:10:47 +00:00
Chris Farhood dfee2f4b87 fix(e2e): use in-cluster service account token for kubeconfig
ARC runner has no kubeconfig file. Use the service account
token at /var/run/secrets/kubernetes.io/serviceaccount/ to build
a kubeconfig that connects to the Kubernetes API server from
within the pod. This is the standard in-cluster access pattern.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:05:19 +00:00
Chris Farhood 3f61e49092 debug(e2e): test kubectl with no KUBECONFIG set
Test if kubectl can find kubeconfig without explicit KUBECONFIG
on the ARC runner. kubectl config view --raw shows the config
content if it exists, kubectl cluster-info tests connectivity.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:01:03 +00:00
Chris Farhood ea7f36e48e fix(e2e): remove errant /github listing that causes exit 2
ls -la /github/ exits with code 2 when /github/ doesn't exist,
causing set -e to fail the step. Remove that listing.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:58:34 +00:00
Chris Farhood 21abbc8cee debug(e2e): search expanded kubeconfig paths including GITHUB_WORKSPACE
Also add GITHUB_WORKSPACE/.kube to search and print ls of key dirs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:56:40 +00:00
Chris Farhood 40626839e4 fix(e2e): search all standard kubeconfig paths
Check /paperclip/.kube, /paperclip/.kube/config, /home/runner/.kube,
/home/runner/.kube/config, /runner, and /runner/config. Export
KUBECONFIG so kubectl uses the real cluster.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:54:33 +00:00
Chris Farhood 1fc5b45aa8 fix(e2e): search k8s and k8s-novolume for kubeconfig
ARC runner stores kubeconfig in /home/runner/k8s/config (mounted
by Actions Runtime). Add both k8s and k8s-novolume to the search
paths and remove non-existent paths from diagnostics.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:51:29 +00:00
Chris Farhood 31036d49e7 debug(e2e): add diagnostic step to locate kubeconfig
Add ls and echo diagnostics to understand where ARC runners store
kubeconfig. Include ACTIONS_KUBECONFIG and HOME env vars.
Also add $HOME/.kube to the search paths.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:49:23 +00:00
Chris Farhood fcb0018216 Fix E2E kubeconfig: locate kubeconfig before RBAC step
The 'kubectl auth can-i --as' impersonation check was falling back to
localhost:8080 because KUBECONFIG was not set and the ARC runner's
kubeconfig was not in the default location. azure/setup-kubectl@v4
does not set KUBECONFIG — it installs kubectl and relies on the runner's
existing kubeconfig in /runner/.kube/config (ARC runner home).

Add a 'Locate kubeconfig for ARC runner' step that searches the known
runner kubeconfig paths before the RBAC step runs, exports KUBECONFIG
to GITHUB_ENV, and verifies cluster connectivity before proceeding.

Fixes: PRI-785
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:47:08 +00:00
Chris Farhood c79a4bdfa9 ci: re-trigger E2E to confirm stable (PRI-324) 2026-05-05 19:35:28 +00:00
Chris Farhood d126010eaf fix(e2e): make workflow self-sufficient with RBAC apply steps (PRI-324)
- Apply e2e-ci-runner RBAC + polaris RBAC in workflow before pre-flight check
- Add e2e-ci-runner-polaris Role+RoleBinding so CI runner can manage polaris namespace RBAC
- Add roles/rolebindings CRUD to e2e-ci-runner Role (headlamp-dev namespace)
- Collapsed MISSING_ROLE/MISSING_ROLEBINDING into single MISSING flag (QA nit)
- Drop non-standard --quiet flag on kubectl auth can-i (QA nit)

Address PRI-324 QA feedback: workflow now applies its own RBAC so the pre-flight
check is meaningful and the green path is achievable.
2026-05-05 19:29:47 +00:00
6 changed files with 1 additions and 99 deletions
-14
View File
@@ -1,14 +0,0 @@
name: Renovate
on:
schedule:
- cron: '0 3 * * *'
workflow_dispatch:
jobs:
renovate:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: renovatebot/github-action@v40.3.0
with:
configurationFile: renovate.json
renovate-json5: true
-53
View File
@@ -1,53 +0,0 @@
{
"config": {
// Line length — not enforced for docs with code examples
"MD013": false,
// First line heading — files use YAML frontmatter, not headings
"MD041": false,
// Emphasis as heading — common pattern for Option 1/2/3 sections
"MD036": false,
// No duplicate heading — changelog files repeat section names intentionally
"MD024": false,
// Fenced code language — not always applicable for diagram blocks
"MD040": false,
// Table column style — table alignment is visual, not semantic
"MD060": false,
// Ordered list item prefix — number resets are intentional in documents
"MD029": false,
// No inline HTML — each elements are valid in valid Markdown
"MD033": false,
// List marker space — spacing after list markers varies by editor
"MD030": false,
// Blanks around headings — not always needed in compact docs
"MD022": false,
// Blanks around lists — not always needed in compact docs
"MD032": false,
// Blanks around fences — not always needed between adjacent blocks
"MD031": false,
// Multiple blanks — editor artifacts, not semantic
"MD012": false,
// Single title — files may have multiple H1 sections
"MD025": false,
// Trailing spaces — editor artifacts
"MD009": false,
// Bare URLs — URL shortening not always needed
"MD034": false,
// Single trailing newline — editor artifacts
"MD047": false,
// Trailing punctuation — heading punctuation is intentional
"MD026": false,
// Space in emphasis — double-asterisk bold spacing varies by renderer
"MD037": false,
// No hard tabs — some generated docs use tabs for indentation
"MD010": false,
// Code block style — generated docs may use inconsistent styles
"MD046": false,
// Comment style — generated docs have no comments
"MD048": false,
// Commands show output — shell examples intentionally show only commands
"MD014": false
},
"ignores": [
"docs/api-reference/generated/**"
]
}
-1
View File
@@ -1 +0,0 @@
docs/api-reference/generated/**
-28
View File
@@ -1,28 +0,0 @@
# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
# The polaris plugin reads audit data via the Kubernetes service proxy:
# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: polaris-dashboard-proxy-reader
namespace: polaris
rules:
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: polaris-dashboard-proxy-reader
namespace: polaris
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: polaris-dashboard-proxy-reader
apiGroup: rbac.authorization.k8s.io
+1 -2
View File
@@ -38,8 +38,7 @@
"flatted": "^3.4.2",
"lodash": ">=4.18.0",
"picomatch": ">=4.0.4",
"vite": ">=6.4.2",
"elliptic": ">=6.6.1"
"vite": ">=6.4.2"
}
},
"devDependencies": {
-1
View File
@@ -11,7 +11,6 @@ overrides:
lodash: '>=4.18.0'
picomatch: '>=4.0.4'
vite: '>=6.4.2'
elliptic: '>=6.6.1'
importers: