Add sleep 5 after applying e2e-ci-runner RBAC to handle Kubernetes
subject access review caching. Without this delay, the CI runner's
token does not immediately inherit the new permissions, causing
the subsequent 'Apply Polaris dashboard RBAC' step to fail with:

    forbidden from roles in rbac.authorization.k8s.io API group

Also add an explicit permission verification step that fails fast
if the CI runner still lacks roles permission after the wait,
rather than letting the error cascade into later steps.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
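
A fail-fast verification step of the kind the commit message above describes can poll the permission check instead of relying on a single fixed delay. The sketch below is an added example, not the workflow code from this commit; the function names, the `create` verb, the attempt count and the delay are assumptions.

```sh
#!/bin/sh
# Added example: poll the RBAC check instead of relying on one fixed sleep.
# Assumed, not from the commit: function names, the "create" verb,
# the attempt count and the delay.

# can_i VERB RESOURCE NAMESPACE: exit 0 if the current identity is allowed.
can_i() {
  kubectl auth can-i "$1" "$2" --namespace "$3" --quiet
}

# wait_for_rbac ATTEMPTS DELAY_SECONDS CHECK_CMD [ARGS...]
# Runs CHECK_CMD until it succeeds or ATTEMPTS checks have failed.
wait_for_rbac() {
  attempts=$1
  delay=$2
  shift 2
  i=1
  while [ "$i" -le "$attempts" ]; do
    if "$@"; then
      echo "RBAC check passed on attempt $i"
      return 0
    fi
    if [ "$i" -lt "$attempts" ]; then
      sleep "$delay"
    fi
    i=$((i + 1))
  done
  echo "RBAC check still failing after $attempts attempts" >&2
  return 1
}

# Pre-flight for the step that applies polaris-rbac.yaml: the runner must be
# able to manage roles in the polaris namespace before the workflow continues.
preflight() {
  wait_for_rbac 10 2 can_i create roles.rbac.authorization.k8s.io polaris
}

# Only touch the cluster when asked to, e.g. `sh preflight.sh --run` in CI.
if [ "${1:-}" = "--run" ]; then
  preflight || exit 1
fi
```

The loop returns as soon as the check passes, so the step waits only as long as propagation actually takes and exits non-zero with a clear message if the permission never appears.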
Canonical fix for PRI-513: resolve Polaris e2e CI failures by applying
RBAC directly in the workflow rather than depending on pre-existing
Flux-managed RBAC that may not have converged.

Changes:
- .github/workflows/e2e.yaml: add workflow steps to apply both
  e2e-ci-runner-rbac.yaml (headlamp-dev namespace) and polaris-rbac.yaml
  (polaris namespace) before the pre-flight check, plus a pre-flight
  RBAC verification step
- deployment/e2e-ci-runner-rbac.yaml: add a Role + RoleBinding for the
  polaris namespace so the CI runner can apply polaris-rbac.yaml

This is the canonical form combining the best elements of stacking PRs:
- Self-sufficient workflow (no external RBAC dependency)
- RBAC pre-flight check for fast failure
- read-write permissions for polaris namespace (same as main stacks)

Supersedes: PRs #122, #124, #125

Co-Authored-By: Paperclip <noreply@paperclip.ing>