fix: namespace correction to headlamp-dev + cosmetic fixes (PRI-555)

- Revert E2E_NAMESPACE from privilegedescalation-dev to headlamp-dev (Arc Runners operate in headlamp-dev per PRI-555 comment) - RBAC manifest: fix orphaned duplicate comment on line 6 - RBAC manifest: restore missing EOF newline - RBAC manifest: correct namespace fields from privilegedescalation-dev to headlamp-dev - RBAC manifest: tighten permissions to minimum required - Workflow: add RBAC apply step before deploy-e2e-headlamp.sh
chore: re-trigger E2E with updated infra RBAC (infra fix applied)
2026-05-05 00:56:27 +00:00 · 2026-05-05 00:26:50 +00:00 · 2026-05-04 19:40:24 +00:00 · 2026-05-04 19:30:17 +00:00 · 2026-05-04 19:29:53 +00:00 · 2026-05-04 11:01:53 +00:00
8 changed files with 555 additions and 175 deletions
@@ -11,15 +11,15 @@ permissions:
  contents: read

 # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# privilegedescalation-dev cannot be shared across concurrent runs.
+# headlamp-dev cannot be shared across concurrent runs.
 # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
-# runs may skip the if: always() teardown, leaving dangling cluster resources.
+# runs may skip the if:always() teardown, leaving dangling cluster resources.
 concurrency:
  group: e2e-${{ github.repository }}
  cancel-in-progress: false

 env:
-  E2E_NAMESPACE: privilegedescalation-dev
+  E2E_NAMESPACE: headlamp-dev
  E2E_RELEASE: headlamp-e2e
  # Pin to a known-good Headlamp version. Using :latest is risky because
  # the tag can change between CI runs, causing flaky failures when a newer
@@ -51,6 +51,9 @@ jobs:
      - name: Build plugin
        run: npx @kinvolk/headlamp-plugin build

+      - name: Apply RBAC for E2E runner
+        run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+
      - name: Deploy E2E Headlamp instance
        run: scripts/deploy-e2e-headlamp.sh

@@ -229,7 +229,7 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 **Action Items:**
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
- [ ] Integrate Dependabot
+- [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
 - [ ] Add semantic-release

 ---
@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:

 The project uses:
 - **npm audit**: Runs automatically during `npm install`
- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
+- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit

 ### Updating Dependencies
@@ -1,41 +1,38 @@
 ---
-# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
-# CI-only test fixture — NOT for production use.
+# e2e-ci-runner-rbac.yaml
 #
-# Grants the ARC runner service account permissions in the privilegedescalation-dev
-# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
+# permissions needed to deploy/teardown an E2E Headlamp instance in the
+# headlamp-dev namespace (override via E2E_NAMESPACE when needed).
 #
-# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
-#
-# Prerequisites:
-#   kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: e2e-ci-runner
-  namespace: privilegedescalation-dev
+  namespace: headlamp-dev
 rules:
-  # Helm needs to manage these resources for the Headlamp chart
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["configmaps", "serviceaccounts", "events"]
+    verbs: ["get", "list", "create", "delete"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
-    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+    verbs: ["get", "create", "delete"]
  - apiGroups: [""]
-    resources: ["services", "serviceaccounts", "configmaps", "secrets"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+    resources: ["services"]
+    verbs: ["get", "create", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
-    verbs: ["get", "list", "watch"]
-  # Token creation for E2E test auth
-  - apiGroups: [""]
-    resources: ["serviceaccounts/token"]
-    verbs: ["create"]
+    verbs: ["get", "list"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: e2e-ci-runner-binding
-  namespace: privilegedescalation-dev
+  name: e2e-ci-runner
+  namespace: headlamp-dev
 subjects:
  - kind: ServiceAccount
    name: runners-privilegedescalation-gha-rs-no-permission
@@ -35,7 +35,10 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
+      "lodash": ">=4.18.0",
+      "picomatch": ">=4.0.4",
+      "vite": ">=6.4.2"
    }
  },
  "devDependencies": {
@@ -5,16 +5,16 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
-# persists beyond the test run — teardown cleans up all created resources.
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
+# persists beyond a test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-#   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+#   - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
 set -euo pipefail
@@ -22,7 +22,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"

-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"

@@ -4,13 +4,13 @@
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail

 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"

-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"

 echo "=== E2E Headlamp Teardown ==="
Author	SHA1	Message	Date
Chris Farhood	904c7d466a	fix: namespace correction to headlamp-dev + cosmetic fixes (PRI-555) - Revert E2E_NAMESPACE from privilegedescalation-dev to headlamp-dev (Arc Runners operate in headlamp-dev per PRI-555 comment) - RBAC manifest: fix orphaned duplicate comment on line 6 - RBAC manifest: restore missing EOF newline - RBAC manifest: correct namespace fields from privilegedescalation-dev to headlamp-dev - RBAC manifest: tighten permissions to minimum required - Workflow: add RBAC apply step before deploy-e2e-headlamp.sh	2026-05-05 00:56:27 +00:00
Chris Farhood	cafc7eed9f	chore: re-trigger E2E with updated infra RBAC (infra fix applied)	2026-05-05 00:26:50 +00:00
Chris Farhood	e15db57f57	fix: add roles/rolebindings permissions to RBAC manifest (PRI-550) kubectl apply requires get/list/watch on roles/rolebindings to check existing state before patching. Without these, apply fails with Forbidden on the GET call itself. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:40:24 +00:00
Chris Farhood	25530faf84	fix: add RBAC apply step to E2E workflow (PRI-550) Adds 'kubectl apply -f deployment/e2e-ci-runner-rbac.yaml' step to the E2E workflow before the deploy script runs. Also corrects E2E_NAMESPACE from headlamp-dev to privilegedescalation-dev to match the actual namespace where Arc Runners operates. Fixes PRI-550. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:30:17 +00:00
Chris Farhood	84bd885b56	Add RBAC manifest for E2E CI runner Adds deployment/e2e-ci-runner-rbac.yaml which grants the Arc Runners service account the minimum permissions to deploy/teardown an E2E Headlamp instance in headlamp-dev (or privilegedescalation-dev when E2E_NAMESPACE is overridden). Note: polaris-plugin also needs the E2E_NAMESPACE in the workflow env block changed to privilegedescalation-dev to match intel-gpu-plugin. Fixes PRI-550. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-04 19:29:53 +00:00
privilegedescalation-engineer[bot]	aa1db9215a	fix: patch high-severity vulnerabilities in picomatch and vite (#128 ) * chore: replace Dependabot references with Renovate - SECURITY.md: update to mention Renovate (org-wide Mend Renovate) - PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config) Closes PRI-389. Parent PRI-387. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities Resolves 3 high-severity vulnerabilities from pnpm audit: - GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4) - GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket - GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection). Remaining vulnerabilities (moderate/low) are in transitive dependencies managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config which require upstream updates to those packages. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 11:01:53 +00:00
privilegedescalation-engineer[bot]	202ce66c61	fix(e2e): migrate E2E namespace from privilegedescalation-dev to headlamp-dev (#130 ) The E2E workflow and deploy scripts were targeting the legacy privilegedescalation-dev namespace, which is not managed by Flux GitOps in privilegedescalation/infra. The infra repo (PR #11) already provisions the headlamp-dev namespace and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in arc-runners) the permissions needed to deploy/teardown the E2E Headlamp instance. This change aligns all E2E infrastructure to use headlamp-dev: - .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev - scripts/deploy-e2e-headlamp.sh: default namespace and comments - scripts/teardown-e2e-headlamp.sh: default namespace - deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events permission (already present in infra copy) Refs: PRI-423 Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 10:50:27 +00:00
privilegedescalation-engineer[bot]	58c9597388	fix: override lodash >=4.18.0 to patch code injection vulnerability (#120 ) * fix: override lodash >=4.18.0 to patch code injection vulnerability GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: update pnpm-lock.yaml to satisfy lodash override The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile had an older version. Regenerated lockfile with pnpm install. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope heading locators to main content area Fix E2E test failures by scoping heading locators to the main content area instead of searching the entire page. This prevents matching headings in the sidebar or other non-content areas. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope remaining getByText to main element The 'Cluster Score' text matcher was still searching the entire page instead of being scoped to the main content area. This could cause false positives if the same text appears in the sidebar. Co-Authored-By: Paperclip <noreply@paperclip.ing> * ci: trigger fresh E2E run Re-pushing to trigger a new CI run since the last E2E was cancelled. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): use [role=main] instead of main element Switch from 'main' element selector to '[role="main"]' attribute selector for better compatibility with Headlamp's app structure. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): hybrid approach - unscoped headings, main-scoped text Use broader heading selectors matching intel-gpu pattern, but keep text checks scoped to main element to avoid sidebar conflicts. Co-Authored-By: Paperclip <noreply@paperclip.ing> * ci: re-test original code to verify baseline --------- Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-03 17:43:58 +00:00