Compare commits

..

18 Commits

Author SHA1 Message Date
Chris Farhood dc1f354449 fix(e2e): remove 'local' keyword outside function context
The 'local' bash keyword can only be used inside a function. Using it
at top-level of a run: block causes 'local: can only be used in a
function' error and exits the script with code 1.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:42:21 +00:00
Chris Farhood b371b626ee fix(e2e): generate in-cluster kubeconfig when no static kubeconfig is found
The ARC runner has no static kubeconfig at any of the expected paths
(/runner/config, ~/.kube/config). It DOES have a service account token
(/var/run/secrets/kubernetes.io/serviceaccount/token) and
KUBERNETES_SERVICE_HOST=10.43.0.1, confirming in-cluster access.

This commit adds a third fallback tier: when no static kubeconfig is
found AND the runner is in-cluster (service account token present),
generate a kubeconfig from the in-cluster service account credentials.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:39:46 +00:00
Chris Farhood 30f8c92a09 fix(e2e): use ${VAR:-} syntax to avoid unbound variable errors
The previous diagnostic step used $KUBECONFIG and $HOME directly,
which causes 'unbound variable' exit when run with set -euo pipefail
and KUBECONFIG is unset. Use ${VAR:-} defaults throughout.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:36:15 +00:00
Chris Farhood 48947ce2c6 debug(e2e): add diagnostic step to discover kubeconfig location on ARC runner
Adds a comprehensive diagnostic block that prints env vars, lists all
known kubeconfig paths, checks in-cluster service account, and attempts
kubectl config view. This will reveal the actual path on the runner.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:33:11 +00:00
Chris Farhood 20453c7223 fix(e2e): explicit kubeconfig path with fail-fast instead of silent fallback
The previous loop silently skipped if no kubeconfig was found, causing
kubectl commands to fall back to localhost:8080. Use explicit paths
in priority order with a hard error if none exist.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:27:07 +00:00
Chris Farhood 7c55bfac01 fix(e2e): remove impersonation check, verify RBAC resources directly
Replace the impersonation check with direct verification of RBAC
resources. The kubectl auth can-i --as check fails with
localhost:8080 because kubectl cannot find kubeconfig. Instead,
directly verify that the Role and RoleBinding were created
by kubectl apply.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:16:45 +00:00
Chris Farhood 74f8264630 fix(e2e): clean kubeconfig discovery without diagnostic overhead
Simplified kubeconfig discovery. Search standard paths and exit 0
immediately upon finding one.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:14:24 +00:00
Chris Farhood a10c5628e1 debug(e2e): test kubectl apply and can-i with and without kubeconfig
Test if kubectl apply dry-run works without KUBECONFIG (the original
behavior that succeeded). Also test kubectl auth can-i without KUBECONFIG
(to confirm the failure mode). Compare with KUBECONFIG set to service account.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:10:47 +00:00
Chris Farhood dfee2f4b87 fix(e2e): use in-cluster service account token for kubeconfig
ARC runner has no kubeconfig file. Use the service account
token at /var/run/secrets/kubernetes.io/serviceaccount/ to build
a kubeconfig that connects to the Kubernetes API server from
within the pod. This is the standard in-cluster access pattern.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:05:19 +00:00
Chris Farhood 3f61e49092 debug(e2e): test kubectl with no KUBECONFIG set
Test if kubectl can find kubeconfig without explicit KUBECONFIG
on the ARC runner. kubectl config view --raw shows the config
content if it exists, kubectl cluster-info tests connectivity.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 20:01:03 +00:00
Chris Farhood ea7f36e48e fix(e2e): remove errant /github listing that causes exit 2
ls -la /github/ exits with code 2 when /github/ doesn't exist,
causing set -e to fail the step. Remove that listing.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:58:34 +00:00
Chris Farhood 21abbc8cee debug(e2e): search expanded kubeconfig paths including GITHUB_WORKSPACE
Also add GITHUB_WORKSPACE/.kube to search and print ls of key dirs.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:56:40 +00:00
Chris Farhood 40626839e4 fix(e2e): search all standard kubeconfig paths
Check /paperclip/.kube, /paperclip/.kube/config, /home/runner/.kube,
/home/runner/.kube/config, /runner, and /runner/config. Export
KUBECONFIG so kubectl uses the real cluster.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:54:33 +00:00
Chris Farhood 1fc5b45aa8 fix(e2e): search k8s and k8s-novolume for kubeconfig
ARC runner stores kubeconfig in /home/runner/k8s/config (mounted
by Actions Runtime). Add both k8s and k8s-novolume to the search
paths and remove non-existent paths from diagnostics.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:51:29 +00:00
Chris Farhood 31036d49e7 debug(e2e): add diagnostic step to locate kubeconfig
Add ls and echo diagnostics to understand where ARC runners store
kubeconfig. Include ACTIONS_KUBECONFIG and HOME env vars.
Also add $HOME/.kube to the search paths.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:49:23 +00:00
Chris Farhood fcb0018216 Fix E2E kubeconfig: locate kubeconfig before RBAC step
The 'kubectl auth can-i --as' impersonation check was falling back to
localhost:8080 because KUBECONFIG was not set and the ARC runner's
kubeconfig was not in the default location. azure/setup-kubectl@v4
does not set KUBECONFIG — it installs kubectl and relies on the runner's
existing kubeconfig in /runner/.kube/config (ARC runner home).

Add a 'Locate kubeconfig for ARC runner' step that searches the known
runner kubeconfig paths before the RBAC step runs, exports KUBECONFIG
to GITHUB_ENV, and verifies cluster connectivity before proceeding.

Fixes: PRI-785
Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 19:47:08 +00:00
Chris Farhood c79a4bdfa9 ci: re-trigger E2E to confirm stable (PRI-324) 2026-05-05 19:35:28 +00:00
Chris Farhood d126010eaf fix(e2e): make workflow self-sufficient with RBAC apply steps (PRI-324)
- Apply e2e-ci-runner RBAC + polaris RBAC in workflow before pre-flight check
- Add e2e-ci-runner-polaris Role+RoleBinding so CI runner can manage polaris namespace RBAC
- Add roles/rolebindings CRUD to e2e-ci-runner Role (headlamp-dev namespace)
- Collapsed MISSING_ROLE/MISSING_ROLEBINDING into single MISSING flag (QA nit)
- Drop non-standard --quiet flag on kubectl auth can-i (QA nit)

Address PRI-324 QA feedback: workflow now applies its own RBAC so the pre-flight
check is meaningful and the green path is achievable.
2026-05-05 19:29:47 +00:00
21 changed files with 139 additions and 193 deletions
-53
View File
@@ -1,53 +0,0 @@
{
"config": {
// Line length — not enforced for docs with code examples
"MD013": false,
// First line heading — files use YAML frontmatter, not headings
"MD041": false,
// Emphasis as heading — common pattern for Option 1/2/3 sections
"MD036": false,
// No duplicate heading — changelog files repeat section names intentionally
"MD024": false,
// Fenced code language — not always applicable for diagram blocks
"MD040": false,
// Table column style — table alignment is visual, not semantic
"MD060": false,
// Ordered list item prefix — number resets are intentional in documents
"MD029": false,
// No inline HTML — each elements are valid in valid Markdown
"MD033": false,
// List marker space — spacing after list markers varies by editor
"MD030": false,
// Blanks around headings — not always needed in compact docs
"MD022": false,
// Blanks around lists — not always needed in compact docs
"MD032": false,
// Blanks around fences — not always needed between adjacent blocks
"MD031": false,
// Multiple blanks — editor artifacts, not semantic
"MD012": false,
// Single title — files may have multiple H1 sections
"MD025": false,
// Trailing spaces — editor artifacts
"MD009": false,
// Bare URLs — URL shortening not always needed
"MD034": false,
// Single trailing newline — editor artifacts
"MD047": false,
// Trailing punctuation — heading punctuation is intentional
"MD026": false,
// Space in emphasis — double-asterisk bold spacing varies by renderer
"MD037": false,
// No hard tabs — some generated docs use tabs for indentation
"MD010": false,
// Code block style — generated docs may use inconsistent styles
"MD046": false,
// Comment style — generated docs have no comments
"MD048": false,
// Commands show output — shell examples intentionally show only commands
"MD014": false
},
"ignores": [
"docs/api-reference/generated/**"
]
}
-1
View File
@@ -1 +0,0 @@
docs/api-reference/generated/**
+2 -2
View File
@@ -97,7 +97,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp # adjust to match your Headlamp service account
namespace: headlamp # adjust to match the namespace Headlamp runs in
namespace: kube-system # adjust to match the namespace Headlamp runs in
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -197,7 +197,7 @@ npm test
npm run test:watch
# E2E tests (Playwright)
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
npm run e2e
npm run e2e:headed # see browser
```
+1 -1
View File
@@ -71,7 +71,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
+2 -2
View File
@@ -33,7 +33,7 @@ kubectl -n polaris get svc polaris-dashboard
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
# Verify Headlamp is deployed
kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
```
## Installation Methods
@@ -59,7 +59,7 @@ kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
```bash
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml
```
+3 -2
View File
@@ -268,9 +268,10 @@ npm run e2e
```bash
# Create token
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
kubectl port-forward -n headlamp svc/headlamp 4466:80
# Port-forward for local testing
kubectl port-forward -n kube-system svc/headlamp 4466:80
# Run tests
HEADLAMP_URL=http://localhost:4466 npm run e2e
+16 -16
View File
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
```bash
# View Headlamp pod logs (plugin sidecar)
kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
# Expected output:
# Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
**Verify plugin files exist**:
```bash
kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
kubectl exec -n kube-system deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
# Should show: headlamp-polaris-plugin/
```
@@ -118,7 +118,7 @@ Expected subjects:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
```
For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
```bash
# Impersonate Headlamp service account
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
--resource-name=polaris-dashboard \
-n polaris
# Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
After applying RBAC changes:
```bash
kubectl rollout restart deployment headlamp -n headlamp
kubectl rollout restart deployment headlamp -n kube-system
```
---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
#!/bin/bash
NS="polaris"
SA="headlamp"
SA_NS="headlamp"
SA_NS="kube-system"
echo "=== Testing RBAC for Polaris Plugin ==="
@@ -529,8 +529,8 @@ echo "=== Test complete ==="
Test connectivity from Headlamp to Polaris:
```bash
# Create debug pod in headlamp namespace
kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
# Create debug pod in kube-system namespace
kubectl run netdebug -n kube-system --rm -it --image=nicolaka/netshoot -- bash
# Inside pod, test DNS and HTTP
nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
```bash
# View recent audit logs (location varies by cluster)
kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
# Look for lines with:
# "reason": "Forbidden"
# "user": "system:serviceaccount:headlamp:headlamp"
# "user": "system:serviceaccount:kube-system:headlamp"
```
---
@@ -567,7 +567,7 @@ kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
**Check sidecar logs**:
```bash
kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
```
**Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
**Solution**: Verify `archive-url` in plugin config matches GitHub release:
```bash
kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
kubectl get configmap headlamp-plugin-config -n kube-system -o yaml
```
Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
1. **Version Information**:
```bash
kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
kubectl get pods -n kube-system -l app.kubernetes.io/name=headlamp -o yaml | grep image:
```
2. **Plugin Version**:
- Check Settings → Plugins in Headlamp UI
- Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
- Or: `kubectl exec -n kube-system deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
5. **Pod Logs**:
```bash
kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
kubectl logs -n kube-system deployment/headlamp -c headlamp --tail=100
kubectl logs -n polaris deployment/polaris-dashboard --tail=100
```
+20 -20
View File
@@ -41,11 +41,11 @@ pluginsManager:
```bash
# Install Headlamp
helm install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml
# Wait for deployment
kubectl -n headlamp wait --for=condition=available deployment/headlamp --timeout=300s
kubectl -n kube-system wait --for=condition=available deployment/headlamp --timeout=300s
```
After installation, install the plugin via Headlamp UI (**Settings → Plugins → Catalog**).
@@ -131,7 +131,7 @@ Deploy:
```bash
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml \
--wait \
--timeout 5m
@@ -177,7 +177,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: headlamp-plugin-config
namespace: headlamp
namespace: kube-system
data:
plugin.yml: |
- name: headlamp-polaris-plugin
@@ -191,7 +191,7 @@ Apply ConfigMap then deploy Headlamp:
kubectl apply -f headlamp-plugin-config.yaml
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml
```
@@ -221,7 +221,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: headlamp
namespace: headlamp
namespace: kube-system
spec:
interval: 30m
chart:
@@ -300,7 +300,7 @@ kubectl apply -f helmrepository.yaml
kubectl apply -f helmrelease.yaml
# Watch deployment
flux get helmreleases -n headlamp --watch
flux get helmreleases -n kube-system --watch
```
## RBAC Configuration
@@ -329,7 +329,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -349,7 +349,7 @@ helm repo update
# Upgrade Headlamp (preserves plugin configuration)
helm upgrade headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml \
--wait
```
@@ -365,15 +365,15 @@ helm upgrade headlamp headlamp/headlamp \
```bash
# Update ConfigMap with new version
kubectl -n headlamp edit configmap headlamp-plugin-config
kubectl -n kube-system edit configmap headlamp-plugin-config
# Update version and URL:
# version: 0.3.6
# url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz
# Restart deployment to trigger init container
kubectl -n headlamp rollout restart deployment/headlamp
kubectl -n headlamp rollout status deployment/headlamp
kubectl -n kube-system rollout restart deployment/headlamp
kubectl -n kube-system rollout status deployment/headlamp
```
## Troubleshooting
@@ -382,25 +382,25 @@ kubectl -n headlamp rollout status deployment/headlamp
```bash
# Check Headlamp values
helm get values headlamp -n headlamp
helm get values headlamp -n kube-system
# Verify plugin files exist
kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/
# If missing, reinstall plugin via UI or check init container logs
kubectl -n headlamp logs deployment/headlamp -c install-polaris-plugin
kubectl -n kube-system logs deployment/headlamp -c install-polaris-plugin
```
### Helm Release Stuck
```bash
# Check Helm release status
helm list -n headlamp
helm list -n kube-system
# If stuck, force upgrade
helm upgrade headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml \
--force \
--wait
@@ -410,13 +410,13 @@ helm upgrade headlamp headlamp/headlamp \
```bash
# Check HelmRelease status
flux get helmreleases -n headlamp
flux get helmreleases -n kube-system
# Check events
kubectl -n headlamp describe helmrelease headlamp
kubectl -n kube-system describe helmrelease headlamp
# Force reconciliation
flux reconcile helmrelease headlamp -n headlamp
flux reconcile helmrelease headlamp -n kube-system
```
## Next Steps
+21 -21
View File
@@ -47,7 +47,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -71,7 +71,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
@@ -90,7 +90,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: headlamp-plugin-config
namespace: headlamp
namespace: kube-system
labels:
app.kubernetes.io/name: headlamp
app.kubernetes.io/component: plugin-config
@@ -109,7 +109,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: headlamp
namespace: headlamp
namespace: kube-system
labels:
app.kubernetes.io/name: headlamp
spec:
@@ -194,7 +194,7 @@ apiVersion: v1
kind: ServiceAccount
metadata:
name: headlamp
namespace: headlamp
namespace: kube-system
labels:
app.kubernetes.io/name: headlamp
@@ -204,7 +204,7 @@ apiVersion: v1
kind: Service
metadata:
name: headlamp
namespace: headlamp
namespace: kube-system
labels:
app.kubernetes.io/name: headlamp
spec:
@@ -235,27 +235,27 @@ kubectl apply -f headlamp-service.yaml
kubectl apply -f headlamp-serviceaccount.yaml
# Wait for deployment to be ready
kubectl -n headlamp wait --for=condition=available deployment/headlamp --timeout=300s
kubectl -n kube-system wait --for=condition=available deployment/headlamp --timeout=300s
```
### 2. Verify Deployment
```bash
# Check pods are running
kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
# Expected output:
# NAME READY STATUS RESTARTS AGE
# headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 2m
# Check init container logs
kubectl -n headlamp logs deployment/headlamp -c install-plugins
kubectl -n kube-system logs deployment/headlamp -c install-plugins
# Expected output:
# Plugin installation complete
# Verify plugin files exist
kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output:
@@ -273,7 +273,7 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
```bash
# Port-forward to access locally
kubectl -n headlamp port-forward service/headlamp 8080:80
kubectl -n kube-system port-forward service/headlamp 8080:80
# Open browser to http://localhost:8080
```
@@ -309,7 +309,7 @@ k8s/
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: headlamp
namespace: kube-system
commonLabels:
app.kubernetes.io/name: headlamp
@@ -401,7 +401,7 @@ spec:
- apiVersion: apps/v1
kind: Deployment
name: headlamp
namespace: headlamp
namespace: kube-system
```
## Upgrading the Plugin
@@ -410,24 +410,24 @@ spec:
```bash
# Edit ConfigMap with new version
kubectl -n headlamp edit configmap headlamp-plugin-config
kubectl -n kube-system edit configmap headlamp-plugin-config
# Update version and URL:
# version: 0.3.6
# url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz
# Restart deployment to trigger init container
kubectl -n headlamp rollout restart deployment/headlamp
kubectl -n kube-system rollout restart deployment/headlamp
# Wait for rollout to complete
kubectl -n headlamp rollout status deployment/headlamp
kubectl -n kube-system rollout status deployment/headlamp
```
### Verify Upgrade
```bash
# Check init container logs
kubectl -n headlamp logs deployment/headlamp -c install-plugins
kubectl -n kube-system logs deployment/headlamp -c install-plugins
# Verify new version in UI
# Navigate to Settings → Plugins in Headlamp
@@ -439,7 +439,7 @@ kubectl -n headlamp logs deployment/headlamp -c install-plugins
```bash
# Check init container logs
kubectl -n headlamp logs deployment/headlamp -c install-plugins
kubectl -n kube-system logs deployment/headlamp -c install-plugins
# Common issues:
# 1. Network connectivity to GitHub
@@ -451,14 +451,14 @@ kubectl -n headlamp logs deployment/headlamp -c install-plugins
```bash
# Verify HEADLAMP_CONFIG_WATCH_PLUGINS is false
kubectl -n headlamp get deployment headlamp -o yaml | grep WATCH_PLUGINS
kubectl -n kube-system get deployment headlamp -o yaml | grep WATCH_PLUGINS
# Expected output:
# - name: HEADLAMP_CONFIG_WATCH_PLUGINS
# value: "false"
# If not set or "true", update deployment
kubectl -n headlamp edit deployment headlamp
kubectl -n kube-system edit deployment headlamp
```
### RBAC Permissions Denied
@@ -466,7 +466,7 @@ kubectl -n headlamp edit deployment headlamp
```bash
# Test RBAC
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
+15 -15
View File
@@ -37,8 +37,8 @@ kubectl -n polaris get svc polaris-dashboard
kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
# Verify Headlamp
kubectl -n headlamp get deployment headlamp
kubectl -n headlamp get svc headlamp
kubectl -n kube-system get deployment headlamp
kubectl -n kube-system get svc headlamp
```
## Production Checklist
@@ -60,17 +60,17 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
# 2. Verify RBAC permissions
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
# Expected: yes
# 3. Check Headlamp logs for plugin loading
kubectl -n headlamp logs deployment/headlamp | grep -i polaris
kubectl -n kube-system logs deployment/headlamp | grep -i polaris
# Expected: No errors related to plugin loading
# 4. Verify plugin files exist
kubectl -n headlamp exec deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
kubectl -n kube-system exec deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected: dist/, package.json present
```
@@ -241,7 +241,7 @@ apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: headlamp-pdb
namespace: headlamp
namespace: kube-system
spec:
minAvailable: 1
selector:
@@ -295,7 +295,7 @@ apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: headlamp
namespace: headlamp
namespace: kube-system
spec:
selector:
matchLabels:
@@ -312,10 +312,10 @@ spec:
```bash
# View logs
kubectl -n headlamp logs deployment/headlamp -f
kubectl -n kube-system logs deployment/headlamp -f
# Filter for plugin-related logs
kubectl -n headlamp logs deployment/headlamp | grep -i polaris
kubectl -n kube-system logs deployment/headlamp | grep -i polaris
```
**Polaris Dashboard Logs:**
@@ -341,14 +341,14 @@ apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: headlamp-alerts
namespace: headlamp
namespace: kube-system
spec:
groups:
- name: headlamp
interval: 30s
rules:
- alert: HeadlampPodNotReady
expr: kube_pod_status_ready{namespace="headlamp", pod=~"headlamp-.*"} == 0
expr: kube_pod_status_ready{namespace="kube-system", pod=~"headlamp-.*"} == 0
for: 5m
labels:
severity: warning
@@ -422,9 +422,9 @@ If Headlamp or plugin becomes unavailable:
2. **Redeploy Headlamp:**
```bash
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--values headlamp-values.yaml
helm upgrade --install headlamp headlamp/headlamp \
--namespace kube-system \
--values headlamp-values.yaml
```
3. **Reapply RBAC:**
@@ -436,7 +436,7 @@ helm upgrade --install headlamp headlamp/headlamp \
4. **Verify plugin files:**
```bash
kubectl -n headlamp exec deployment/headlamp -- \
kubectl -n kube-system exec deployment/headlamp -- \
ls /headlamp/plugins/headlamp-polaris-plugin/
```
+3 -2
View File
@@ -268,9 +268,10 @@ npm run e2e
```bash
# Create token
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
kubectl port-forward -n headlamp svc/headlamp 4466:80
# Port-forward for local testing
kubectl port-forward -n kube-system svc/headlamp 4466:80
# Run tests
HEADLAMP_URL=http://localhost:4466 npm run e2e
+13 -13
View File
@@ -72,7 +72,7 @@ Deploy or update Headlamp:
```bash
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml
```
@@ -122,7 +122,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: headlamp-plugin-config
namespace: headlamp
namespace: kube-system
data:
plugin.yml: |
- name: headlamp-polaris-plugin
@@ -138,14 +138,14 @@ kubectl apply -f headlamp-plugin-config.yaml
# Deploy/update Headlamp with sidecar
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml
# Wait for pod to be ready
kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
# Verify plugin files
kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output:
# drwxr-xr-x dist/
@@ -270,7 +270,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -284,10 +284,10 @@ See [RBAC Permissions](../user-guide/rbac-permissions.md) for detailed RBAC conf
```bash
# If you updated Helm values or ConfigMaps
kubectl -n headlamp rollout restart deployment/headlamp
kubectl -n kube-system rollout restart deployment/headlamp
# Wait for pod to be ready
kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
```
### 3. Clear Browser Cache
@@ -312,14 +312,14 @@ kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=hea
```bash
# Verify plugin files exist
kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output:
# drwxr-xr-x dist/
# -rw-r--r-- package.json
# Check Headlamp logs for errors
kubectl -n headlamp logs deployment/headlamp | grep -i polaris
kubectl -n kube-system logs deployment/headlamp | grep -i polaris
# Expected: No errors related to plugin loading
@@ -345,13 +345,13 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
```bash
# 1. Verify plugin files exist
kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected: dist/, package.json present
# 2. Check Headlamp logs for plugin errors
kubectl -n headlamp logs deployment/headlamp | grep -i polaris
kubectl -n kube-system logs deployment/headlamp | grep -i polaris
# 3. Hard refresh browser (Cmd+Shift+R or Ctrl+Shift+R)
@@ -404,7 +404,7 @@ helm install polaris fairwinds-stable/polaris \
```bash
# Wait 30 minutes for ArtifactHub sync
# Or manually force Headlamp restart:
kubectl -n headlamp rollout restart deployment/headlamp
kubectl -n kube-system rollout restart deployment/headlamp
```
## Next Steps
+5 -5
View File
@@ -67,14 +67,14 @@ kubectl -n polaris wait --for=condition=ready pod -l app.kubernetes.io/name=pola
```bash
# Check Headlamp is deployed
kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
# Expected output:
# NAME READY STATUS RESTARTS AGE
# headlamp-xxxxxxxxxx-xxxxx 1/1 Running 0 1h
# Check Headlamp version (must be v0.26+)
kubectl -n headlamp get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}'
kubectl -n kube-system get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}'
# Expected output:
# ghcr.io/headlamp-k8s/headlamp:v0.39.0 (or similar)
@@ -89,12 +89,12 @@ helm repo update
# Install Headlamp
helm install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--set config.pluginsDir="/headlamp/plugins" \
--set pluginsManager.enabled=true
# Wait for pod to be ready
kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
```
## RBAC Requirements
@@ -112,7 +112,7 @@ The plugin requires permissions to access the Polaris dashboard via Kubernetes s
```bash
# Test if Headlamp service account has permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
+5 -5
View File
@@ -38,7 +38,7 @@ EOF
# Update Headlamp
helm upgrade --install headlamp headlamp/headlamp \
--namespace headlamp \
--namespace kube-system \
--values headlamp-values.yaml
```
@@ -70,7 +70,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -111,7 +111,7 @@ EOF
```bash
# Verify plugin files exist
kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \
ls /headlamp/plugins/headlamp-polaris-plugin/dist/
# Expected output:
@@ -119,7 +119,7 @@ kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
# Verify RBAC is correct
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
@@ -185,7 +185,7 @@ Cluster score badge in top navigation:
```bash
# Verify plugin files exist
kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \
ls /headlamp/plugins/headlamp-polaris-plugin/
# If missing, reinstall via Headlamp UI or sidecar method
+5 -5
View File
@@ -38,17 +38,17 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
# 3. Verify RBAC permissions
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
# Expected output: yes
# 4. Check Headlamp pod is running
kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
# 5. Check Headlamp logs for plugin errors
kubectl -n headlamp logs deployment/headlamp | grep -i polaris
kubectl -n kube-system logs deployment/headlamp | grep -i polaris
# Expected: No errors
```
@@ -57,7 +57,7 @@ kubectl -n headlamp logs deployment/headlamp | grep -i polaris
```bash
# Verify plugin files exist
kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
ls -la /headlamp/plugins/headlamp-polaris-plugin/
# Expected output:
@@ -76,7 +76,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission (service account mode)
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
+16 -16
View File
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
```bash
# View Headlamp pod logs (plugin sidecar)
kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
# Expected output:
# Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
**Verify plugin files exist**:
```bash
kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
kubectl exec -n kube-system deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
# Should show: headlamp-polaris-plugin/
```
@@ -118,7 +118,7 @@ Expected subjects:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
```
For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
```bash
# Impersonate Headlamp service account
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
--resource-name=polaris-dashboard \
-n polaris
# Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
After applying RBAC changes:
```bash
kubectl rollout restart deployment headlamp -n headlamp
kubectl rollout restart deployment headlamp -n kube-system
```
---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
#!/bin/bash
NS="polaris"
SA="headlamp"
SA_NS="headlamp"
SA_NS="kube-system"
echo "=== Testing RBAC for Polaris Plugin ==="
@@ -529,8 +529,8 @@ echo "=== Test complete ==="
Test connectivity from Headlamp to Polaris:
```bash
# Create debug pod in headlamp namespace
kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
# Create debug pod in kube-system namespace
kubectl run netdebug -n kube-system --rm -it --image=nicolaka/netshoot -- bash
# Inside pod, test DNS and HTTP
nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
```bash
# View recent audit logs (location varies by cluster)
kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
# Look for lines with:
# "reason": "Forbidden"
# "user": "system:serviceaccount:headlamp:headlamp"
# "user": "system:serviceaccount:kube-system:headlamp"
```
---
@@ -567,7 +567,7 @@ kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
**Check sidecar logs**:
```bash
kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
```
**Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
**Solution**: Verify `archive-url` in plugin config matches GitHub release:
```bash
kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
kubectl get configmap headlamp-plugin-config -n kube-system -o yaml
```
Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
1. **Version Information**:
```bash
kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
kubectl get pods -n kube-system -l app.kubernetes.io/name=headlamp -o yaml | grep image:
```
2. **Plugin Version**:
- Check Settings → Plugins in Headlamp UI
- Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
- Or: `kubectl exec -n kube-system deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
5. **Pod Logs**:
```bash
kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
kubectl logs -n kube-system deployment/headlamp -c headlamp --tail=100
kubectl logs -n polaris deployment/polaris-dashboard --tail=100
```
+2 -2
View File
@@ -43,7 +43,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -83,7 +83,7 @@ roleRef:
```bash
# Test service account (in-cluster mode)
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
+1 -1
View File
@@ -317,7 +317,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
```
+8 -8
View File
@@ -65,7 +65,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp # Adjust to your Headlamp SA name
namespace: headlamp # Adjust to Headlamp's namespace
namespace: kube-system # Adjust to Headlamp's namespace
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -75,7 +75,7 @@ roleRef:
**Adjust for your environment:**
- `subjects[0].name` - Your Headlamp service account name (often `headlamp`)
- `subjects[0].namespace` - Namespace where Headlamp runs (often `headlamp`)
- `subjects[0].namespace` - Namespace where Headlamp runs (often `kube-system`)
### Step 3: Apply and Verify
@@ -91,7 +91,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
# Test permission
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
@@ -109,7 +109,7 @@ In token-auth mode, **each user's own identity** is used for Kubernetes API requ
With service account mode:
- Single RoleBinding grants access to all Headlamp users
- Kubernetes sees all requests as `system:serviceaccount:headlamp:headlamp`
- Kubernetes sees all requests as `system:serviceaccount:kube-system:headlamp`
With token-auth mode:
@@ -267,7 +267,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -281,7 +281,7 @@ metadata:
subjects:
- kind: ServiceAccount
name: headlamp
namespace: headlamp
namespace: kube-system
roleRef:
kind: Role
name: polaris-proxy-reader
@@ -411,7 +411,7 @@ Every plugin data fetch creates a Kubernetes API audit log entry.
"level": "Metadata",
"verb": "get",
"user": {
"username": "system:serviceaccount:headlamp:headlamp"
"username": "system:serviceaccount:kube-system:headlamp"
},
"sourceIPs": ["10.96.0.1"],
"objectRef": {
@@ -494,7 +494,7 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do
```bash
# Service account mode
kubectl auth can-i get services/proxy \
--as=system:serviceaccount:headlamp:headlamp \
--as=system:serviceaccount:kube-system:headlamp \
-n polaris \
--resource-name=polaris-dashboard
+1 -2
View File
@@ -38,8 +38,7 @@
"flatted": "^3.4.2",
"lodash": ">=4.18.0",
"picomatch": ">=4.0.4",
"vite": ">=6.4.2",
"elliptic": ">=6.6.1"
"vite": ">=6.4.2"
}
},
"devDependencies": {
-1
View File
@@ -11,7 +11,6 @@ overrides:
lodash: '>=4.18.0'
picomatch: '>=4.0.4'
vite: '>=6.4.2'
elliptic: '>=6.6.1'
importers: