From 27212a91e12fefa54a228e4d021992224c5f8a02 Mon Sep 17 00:00:00 2001 From: "privilegedescalation-engineer[bot]" Date: Tue, 24 Mar 2026 21:28:38 +0000 Subject: [PATCH] fix(e2e): pin Headlamp image to v0.40.1 instead of :latest MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The :latest tag caused E2E flakiness when a newer Headlamp image was pulled on some cluster nodes (IfNotPresent policy) but not others. Concurrent E2E runs on main saw different image versions, and the newest :latest (sha256:89c6c65) failed to pass the readiness probe within 120s. Pin to v0.40.1 — the same version running in production (kube-system) — so all nodes use the same cached digest and CI is deterministic. Update this pin when Headlamp is upgraded in production. Co-Authored-By: Paperclip --- .github/workflows/e2e.yaml | 5 +++++ scripts/deploy-e2e-headlamp.sh | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index cae592f..06ccf99 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -21,6 +21,11 @@ concurrency: env: E2E_NAMESPACE: privilegedescalation-dev E2E_RELEASE: headlamp-e2e + # Pin to a known-good Headlamp version. Using :latest is risky because + # the tag can change between CI runs, causing flaky failures when a newer + # image is pulled on some nodes but not others (IfNotPresent pull policy). + # Update this when Headlamp is upgraded in production (kube-system). + HEADLAMP_VERSION: v0.40.1 jobs: e2e: diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh index 1b19583..528c017 100755 --- a/scripts/deploy-e2e-headlamp.sh +++ b/scripts/deploy-e2e-headlamp.sh @@ -16,7 +16,7 @@ # Environment: # E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) -# HEADLAMP_VERSION — Headlamp image tag (default: latest) +# HEADLAMP_VERSION — Headlamp image tag (default: v0.40.1, pinned to match production) set -euo pipefail REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" @@ -24,7 +24,7 @@ DIST_DIR="$REPO_ROOT/dist" E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" -HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}" +HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}" if [ ! -d "$DIST_DIR" ]; then echo "ERROR: dist/ not found. Run 'npm run build' first." >&2 -- 2.52.0