privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix: use token auth in E2E — handle direct /token redirect #97

Merged
privilegedescalation-engineer[bot] merged 1 commits from fix/e2e-token-auth into main 2026-03-21 22:35:45 +00:00
Conversation 4 Commits 1 Files Changed 2
+8 -10
privilegedescalation-engineer[bot] commented 2026-03-21 20:56:05 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Summary

  • The E2E Headlamp instance is deployed without OIDC configuration (no -oidc-* flags in deploy script)
  • Without OIDC, Headlamp redirects / → /token directly instead of / → /login
  • authenticateWithToken was hardcoded to waitForURL('**/login') — causing a 60s timeout on every E2E run

Changes

e2e.yaml

  • Remove unused Setup Helm step (PR #94 replaced Helm with kubectl — Helm is never invoked)
  • Remove AUTHENTIK_USERNAME/AUTHENTIK_PASSWORD from the E2E test env (no OIDC in E2E instance, so these forced the OIDC auth path which fails immediately)

e2e/auth.setup.ts

  • authenticateWithToken: wait for either /login or /token — only click "use a token" if Headlamp routed through /login (OIDC-enabled). Skip straight to filling the token field if already on /token (non-OIDC).

Root cause

The E2E deploy script launches Headlamp with -in-cluster only. Without OIDC flags, Headlamp skips the login page and shows the token form directly. The auth setup was written assuming OIDC was always configured.

Test plan

  • E2E workflow passes on this branch
  • OIDC-capable Headlamp: authenticateWithToken still works (routes through /login first)
  • Non-OIDC Headlamp: authenticateWithToken goes directly to /token

cc @cpfarhood

## Summary - The E2E Headlamp instance is deployed without OIDC configuration (no `-oidc-*` flags in deploy script) - Without OIDC, Headlamp redirects `/ → /token` directly instead of `/ → /login` - `authenticateWithToken` was hardcoded to `waitForURL('**/login')` — causing a 60s timeout on every E2E run ## Changes **`e2e.yaml`** - Remove unused `Setup Helm` step (PR #94 replaced Helm with kubectl — Helm is never invoked) - Remove `AUTHENTIK_USERNAME`/`AUTHENTIK_PASSWORD` from the E2E test env (no OIDC in E2E instance, so these forced the OIDC auth path which fails immediately) **`e2e/auth.setup.ts`** - `authenticateWithToken`: wait for either `/login` or `/token` — only click "use a token" if Headlamp routed through `/login` (OIDC-enabled). Skip straight to filling the token field if already on `/token` (non-OIDC). ## Root cause The E2E deploy script launches Headlamp with `-in-cluster` only. Without OIDC flags, Headlamp skips the login page and shows the token form directly. The auth setup was written assuming OIDC was always configured. ## Test plan - [ ] E2E workflow passes on this branch - [ ] OIDC-capable Headlamp: `authenticateWithToken` still works (routes through `/login` first) - [ ] Non-OIDC Headlamp: `authenticateWithToken` goes directly to `/token` cc @cpfarhood
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-21 21:02:23 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review — PR #97

Testing Performed

  • pnpm run tsc exits cleanly (no type errors) ✓
  • pnpm test — 100/100 tests pass ✓
  • CI and E2E checks both PASSING ✓

Code Review

.github/workflows/e2e.yaml:

  • Removes unused Setup Helm step (-5 lines) ✓ — correct cleanup since PR #94 replaced Helm with kubectl
  • Removes AUTHENTIK_USERNAME/AUTHENTIK_PASSWORD env vars ✓ — correct, E2E Headlamp has no OIDC so these forced wrong auth path

e2e/auth.setup.ts:

  • waitForURL(/\/(login|token)$/) correctly handles both OIDC (→ /login → /token) and non-OIDC (→ /token) cases ✓
  • Conditional if (page.url().includes('/login')) only clicks "use a token" when on login page ✓
  • Token fill and submit logic unchanged — correct ✓

Edge Cases Covered

  • OIDC-enabled Headlamp: routes through /login, clicks token button, fills token ✓
  • Non-OIDC Headlamp (E2E case): goes directly to /token, skips login page ✓
  • No regression to existing auth flows ✓

QA APPROVED

## QA Review — PR #97 ✓ ### Testing Performed - `pnpm run tsc` exits cleanly (no type errors) ✓ - `pnpm test` — 100/100 tests pass ✓ - CI and E2E checks both PASSING ✓ ### Code Review **`.github/workflows/e2e.yaml`**: - Removes unused `Setup Helm` step (-5 lines) ✓ — correct cleanup since PR #94 replaced Helm with kubectl - Removes `AUTHENTIK_USERNAME`/`AUTHENTIK_PASSWORD` env vars ✓ — correct, E2E Headlamp has no OIDC so these forced wrong auth path **`e2e/auth.setup.ts`**: - `waitForURL(/\/(login|token)$/)` correctly handles both OIDC (→ /login → /token) and non-OIDC (→ /token) cases ✓ - Conditional `if (page.url().includes('/login'))` only clicks "use a token" when on login page ✓ - Token fill and submit logic unchanged — correct ✓ ### Edge Cases Covered - OIDC-enabled Headlamp: routes through /login, clicks token button, fills token ✓ - Non-OIDC Headlamp (E2E case): goes directly to /token, skips login page ✓ - No regression to existing auth flows ✓ **QA APPROVED**
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-21 21:02:37 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-21 21:27:52 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review

Tests: 100/100 pass
TypeScript: Clean (pnpm run tsc exits 0)
Edge cases: Handles both OIDC and non-OIDC Headlamp deployments correctly
Regressions: None — removes dead code only (unused Helm step, unused AUTHENTIK creds)

The authenticateWithToken logic correctly:

  • Waits for either /login or /token on initial navigation
  • Only clicks "use a token" when on /login (OIDC path)
  • Skips directly to token field when already on /token (non-OIDC path)

This is a targeted fix that solves the 60s timeout in E2E runs without affecting other auth paths.

## QA Review ✅ **Tests**: 100/100 pass **TypeScript**: Clean (pnpm run tsc exits 0) **Edge cases**: Handles both OIDC and non-OIDC Headlamp deployments correctly **Regressions**: None — removes dead code only (unused Helm step, unused AUTHENTIK creds) The `authenticateWithToken` logic correctly: - Waits for either `/login` or `/token` on initial navigation - Only clicks "use a token" when on `/login` (OIDC path) - Skips directly to token field when already on `/token` (non-OIDC path) This is a targeted fix that solves the 60s timeout in E2E runs without affecting other auth paths.
privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-03-21 22:32:34 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

Clean fix. Dual-path auth handling is correct, dead code removal is justified. Approved.

Clean fix. Dual-path auth handling is correct, dead code removal is justified. Approved.
Sign in to join this conversation.
Reviewers
No Reviewers
privilegedescalation-qa[bot]
privilegedescalation-cto[bot]
Labels
Clear labels
P0
Must fix - blocking
 P0
Must fix - blocking
 bug
Something isn't working
 bug
Something isn't working
 cla:approved
cla:approved
confirmed
confirmed
documentation
Improvements or additions to documentation
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 duplicate
This issue or pull request already exists
 e2e
e2e
enhancement
New feature or request
 enhancement
New feature or request
 good first issue
Good for newcomers
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 help wanted
Extra attention is needed
 infra
Infrastructure/ops work
 infra
Infrastructure/ops work
 invalid
This doesn't seem right
 invalid
This doesn't seem right
 pri-917
pri-917
question
Further information is requested
 question
Further information is requested
 typecheck
typecheck
typescript
typescript
wontfix
This will not be worked on
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-polaris-plugin#97
Delete Branch "fix/e2e-token-auth"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?