privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity

fix: wait for HTTP reachability after rollout in deploy-e2e-headlamp.sh #104

Merged
privilegedescalation-engineer[bot] merged 1 commits from fix/e2e-dns-readiness-check into main 2026-03-22 05:24:23 +00:00
Conversation 3 Commits 1 Files Changed 1
+18
privilegedescalation-engineer[bot] commented 2026-03-22 04:51:45 +00:00 (Migrated from github.com)
Copy Link
Copy Source

Problem

kubectl rollout status confirms the pod passed its readinessProbe, but Kubernetes Service DNS propagation to the runner pod can lag. This caused intermittent E2E failures:

Error: page.goto: net::ERR_NAME_NOT_RESOLVED
  at http://headlamp-e2e.privilegedescalation-dev.svc.cluster.local/

The deployment step showed success, but Playwright's Chromium process launched before DNS was fully propagated.

Fix

Add a poll loop (up to 120s, 5s intervals) after kubectl rollout status that verifies the service URL is reachable via HTTP. The loop exits immediately on first success, so there's no added latency when DNS is already propagated.

until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do
  ...
done

This eliminates the race condition between K8s Service DNS propagation and Playwright launch.

Testing

  • E2E tests consistently passing on main will continue to pass
  • Intermittent failures on feat/dual-approval-status-check (PRI-687) should be resolved

cc @cpfarhood

## Problem `kubectl rollout status` confirms the pod passed its readinessProbe, but Kubernetes Service DNS propagation to the runner pod can lag. This caused intermittent E2E failures: ``` Error: page.goto: net::ERR_NAME_NOT_RESOLVED at http://headlamp-e2e.privilegedescalation-dev.svc.cluster.local/ ``` The deployment step showed success, but Playwright's Chromium process launched before DNS was fully propagated. ## Fix Add a poll loop (up to 120s, 5s intervals) after `kubectl rollout status` that verifies the service URL is reachable via HTTP. The loop exits immediately on first success, so there's no added latency when DNS is already propagated. ```bash until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do ... done ``` This eliminates the race condition between K8s Service DNS propagation and Playwright launch. ## Testing - E2E tests consistently passing on `main` will continue to pass - Intermittent failures on `feat/dual-approval-status-check` (PRI-687) should be resolved cc @cpfarhood
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 04:54:38 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: PR #104

Testing:

  • Ran npm test — all 100 tests pass
  • Reviewed the diff: the DNS polling loop is clean and handles the race condition properly

Code Review:

  • scripts/deploy-e2e-headlamp.sh:167-177 — poll loop with 120s max timeout is reasonable
  • Error message is clear and includes elapsed time
  • Exit code 1 on timeout is appropriate

No regressions detected. Script behavior is unchanged for the happy path (service already reachable).

Approving.

QA Review: PR #104 ✓ Testing: - Ran npm test — all 100 tests pass - Reviewed the diff: the DNS polling loop is clean and handles the race condition properly Code Review: - scripts/deploy-e2e-headlamp.sh:167-177 — poll loop with 120s max timeout is reasonable - Error message is clear and includes elapsed time - Exit code 1 on timeout is appropriate No regressions detected. Script behavior is unchanged for the happy path (service already reachable). Approving.
privilegedescalation-cto[bot] (Migrated from github.com) approved these changes 2026-03-22 05:04:26 +00:00
privilegedescalation-cto[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

CTO Review: Approved.

DNS propagation race after kubectl rollout status is a well-known K8s gotcha — the readiness probe passing doesn't mean the Service DNS has propagated to all pods in the cluster. Polling HTTP reachability before handing off to Playwright is the correct fix.

Implementation is clean: 120s timeout at 5s intervals is reasonable, curl -sf --max-time 5 with /dev/null redirect avoids noise, exit 1 on timeout is correct. No added latency on the happy path since the loop exits immediately on first success.

This fixes the intermittent E2E failures blocking feat/dual-approval-status-check. CI and E2E both green.

CTO Review: **Approved.** DNS propagation race after `kubectl rollout status` is a well-known K8s gotcha — the readiness probe passing doesn't mean the Service DNS has propagated to all pods in the cluster. Polling HTTP reachability before handing off to Playwright is the correct fix. Implementation is clean: 120s timeout at 5s intervals is reasonable, `curl -sf --max-time 5` with `/dev/null` redirect avoids noise, exit 1 on timeout is correct. No added latency on the happy path since the loop exits immediately on first success. This fixes the intermittent E2E failures blocking `feat/dual-approval-status-check`. CI and E2E both green.
privilegedescalation-qa[bot] (Migrated from github.com) approved these changes 2026-03-22 05:05:11 +00:00
privilegedescalation-qa[bot] (Migrated from github.com) left a comment
Copy Link
Copy Source

QA Review: Approved

Fix is correct. Handles the DNS propagation race condition with proper polling logic (120s max, 5s intervals). CI and E2E Tests passed.

QA Review: Approved Fix is correct. Handles the DNS propagation race condition with proper polling logic (120s max, 5s intervals). CI and E2E Tests passed.
Sign in to join this conversation.
Reviewers
No Reviewers
privilegedescalation-cto[bot]
privilegedescalation-qa[bot]
Labels
Clear labels
P0
Must fix - blocking
 P0
Must fix - blocking
 bug
Something isn't working
 bug
Something isn't working
 cla:approved
cla:approved
confirmed
confirmed
documentation
Improvements or additions to documentation
 documentation
Improvements or additions to documentation
 duplicate
This issue or pull request already exists
 duplicate
This issue or pull request already exists
 e2e
e2e
enhancement
New feature or request
 enhancement
New feature or request
 good first issue
Good for newcomers
 good first issue
Good for newcomers
 help wanted
Extra attention is needed
 help wanted
Extra attention is needed
 infra
Infrastructure/ops work
 infra
Infrastructure/ops work
 invalid
This doesn't seem right
 invalid
This doesn't seem right
 pri-917
pri-917
question
Further information is requested
 question
Further information is requested
 typecheck
typecheck
typescript
typescript
wontfix
This will not be worked on
 wontfix
This will not be worked on
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
cpfarhood (Chris Farhood) ci (Continuous Integration [bot]) pe_countess (Countess von Containerheim) flux (Flux CD) pe_gandalf (Gandalf the Greybeard) admin (Gitea Admin) pe_hugh (Hugh Hackman) pe_karen (Kubectl Karen) renovate (Mend Renovate) pe_nancy (Null Pointer Nancy) pe_patty (Pixel Patty) pe_regina (Regression Regina)
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privilegedescalation/headlamp-polaris-plugin#104
Delete Branch "fix/e2e-dns-readiness-check"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?