fix: namespace correction to headlamp-dev + cosmetic fixes (PRI-555)

- Revert E2E_NAMESPACE from privilegedescalation-dev to headlamp-dev
  (Arc Runners operate in headlamp-dev per PRI-555 comment)
- RBAC manifest: fix orphaned duplicate comment on line 6
- RBAC manifest: restore missing EOF newline
- RBAC manifest: correct namespace fields from privilegedescalation-dev to headlamp-dev
- RBAC manifest: tighten permissions to minimum required
- Workflow: add RBAC apply step before deploy-e2e-headlamp.sh

.github/workflows/e2e.yaml

@@ -51,6 +51,9 @@ jobs:
       - name: Build plugin
         run: npx @kinvolk/headlamp-plugin build
 
+      - name: Apply RBAC for E2E runner
+        run: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+
       - name: Deploy E2E Headlamp instance
         run: scripts/deploy-e2e-headlamp.sh
 

deployment/e2e-ci-runner-rbac.yaml

@@ -1,40 +1,37 @@
 ---
-# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
+# e2e-ci-runner-rbac.yaml
-# CI-only test fixture — NOT for production use.
 #
-# Grants the ARC runner service account permissions in the headlamp-dev
+# Grants the GitHub Actions runner's service account (Arc Runners) the minimum
-# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
+# permissions needed to deploy/teardown an E2E Headlamp instance in the
-# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
+# headlamp-dev namespace (override via E2E_NAMESPACE when needed).
 #
-# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
+# Applied automatically by the E2E workflow before deploy-e2e-headlamp.sh runs.
-#
-# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
-# and managed by Flux GitOps. The infra repo is the source of truth.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: e2e-ci-runner
   namespace: headlamp-dev
 rules:
-  # Helm needs to manage these resources for the Headlamp chart
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "watch", "create", "delete"]
+  - apiGroups: [""]
+    resources: ["configmaps", "serviceaccounts", "events"]
+    verbs: ["get", "list", "create", "delete"]
   - apiGroups: ["apps"]
     resources: ["deployments"]
-    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+    verbs: ["get", "create", "delete"]
   - apiGroups: [""]
-    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
+    resources: ["services"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+    verbs: ["get", "create", "delete"]
   - apiGroups: [""]
     resources: ["pods"]
-    verbs: ["get", "list", "watch"]
+    verbs: ["get", "list"]
-  # Token creation for E2E test auth
-  - apiGroups: [""]
-    resources: ["serviceaccounts/token"]
-    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: e2e-ci-runner-binding
+  name: e2e-ci-runner
   namespace: headlamp-dev
 subjects:
   - kind: ServiceAccount

package.json

@@ -38,8 +38,7 @@
       "flatted": "^3.4.2",
       "lodash": ">=4.18.0",
       "picomatch": ">=4.0.4",
-      "vite": ">=6.4.2",
+      "vite": ">=6.4.2"
-      "elliptic": ">=6.6.1"
     }
   },
   "devDependencies": {

pnpm-lock.yaml

@@ -11,7 +11,6 @@ overrides:
   lodash: '>=4.18.0'
   picomatch: '>=4.0.4'
   vite: '>=6.4.2'
-  elliptic: '>=6.6.1'
 
 importers: