From d97ce04c6f9a66be5cdb54965eed9096b1fdefef Mon Sep 17 00:00:00 2001
From: Chris Farhood
Date: Wed, 6 May 2026 11:49:05 +0000
Subject: [PATCH] fix(e2e): reference shared infra RBAC instead of local file (PRI-720)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove deployment/e2e-ci-runner-rbac.yaml — RBAC is now managed via Flux GitOps from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.

Changes:
- .github/workflows/e2e.yaml: Remove local RBAC apply steps (no longer applying local file); RBAC pre-flight check now verifies all required roles/rolebindings are present (managed elsewhere via Flux)
- scripts/deploy-e2e-headlamp.sh: Update error message to point to the infra repo raw URL instead of the removed local file

Co-Authored-By: Paperclip
---
 .github/workflows/e2e.yaml | 23 +++-------
 deployment/e2e-ci-runner-rbac.yaml | 74 ------------------------------
 scripts/deploy-e2e-headlamp.sh | 2 +-
 3 files changed, 7 insertions(+), 92 deletions(-)
 delete mode 100644 deployment/e2e-ci-runner-rbac.yaml

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 688cae3..eb967ab 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -112,27 +112,15 @@ jobs:
 exit 1
 fi
 
- - name: Apply RBAC for E2E pipeline
- run: |
- set -x
- kubectl apply -f deployment/e2e-ci-runner-rbac.yaml --dry-run=server 2>&1 || true
- kubectl apply -f deployment/e2e-ci-runner-rbac.yaml 2>&1
- echo "exit code: $?"
- echo "Waiting for RBAC propagation..."
- sleep 5
- echo "Verifying RBAC resources were created..."
- kubectl get role e2e-ci-runner -n headlamp-dev 2>&1 | tail -3
- kubectl get role e2e-ci-runner-polaris -n headlamp-dev 2>&1 | tail -3
- kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev 2>&1 | tail -3
- set +x
-
- - name: Apply Polaris dashboard RBAC
- run: kubectl apply -f deployment/polaris-rbac.yaml
-
 - name: RBAC pre-flight check
 run: |
 echo "Checking RBAC resources..."
+ echo "RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml"
 MISSING=0
+ kubectl get role e2e-ci-runner -n headlamp-dev -o name >/dev/null 2>&1 || MISSING=1
+ kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev -o name >/dev/null 2>&1 || MISSING=1
+ kubectl get role e2e-ci-runner-polaris -n polaris -o name >/dev/null 2>&1 || MISSING=1
+ kubectl get rolebinding e2e-ci-runner-polaris-binding -n polaris -o name >/dev/null 2>&1 || MISSING=1
 kubectl get role polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
 kubectl get rolebinding polaris-dashboard-proxy-reader -n polaris -o name >/dev/null 2>&1 || MISSING=1
 kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" 2>/dev/null || MISSING=1
@@ -140,6 +128,7 @@ jobs:
 echo "RBAC pre-flight check passed."
 else
 echo "::error::RBAC pre-flight check failed. Missing required permissions."
+ echo "Ensure privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml is applied by Flux."
 exit 1
 fi
 
diff --git a/deployment/e2e-ci-runner-rbac.yaml b/deployment/e2e-ci-runner-rbac.yaml
deleted file mode 100644
index 069c5ee..0000000
--- a/deployment/e2e-ci-runner-rbac.yaml
+++ /dev/null
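Review bot: The pre-flight check added in this hunk expects a RoleBinding named `e2e-ci-runner-polaris-binding` in `polaris`, but the mirror file deleted in this same commit named that binding `e2e-ci-runner-polaris`; if the Flux-managed infra manifest kept the mirror's names, that `kubectl get rolebinding` line fails on every run, so confirm the name against the infra file before merging. The step `Apply Polaris dashboard RBAC` (`kubectl apply -f deployment/polaris-rbac.yaml`) is also removed here while the check still requires `polaris-dashboard-proxy-reader` role and rolebinding in `polaris`, and the commit message only says the e2e-ci-runner RBAC moved to Flux — if `polaris-rbac.yaml` is not reconciled there, nothing creates those objects and the check cannot pass. On the positive side, with CI no longer applying RBAC, the `roles`/`rolebindings` write verbs the deleted mirror granted to the runner in both namespaces are no longer needed and can be dropped from the infra Role, shrinking the CI service account's write surface over RBAC objects. Since `>/dev/null 2>&1` now hides which lookup failed, consider reporting the resource on failure, e.g. `|| { echo "::error::missing role e2e-ci-runner in headlamp-dev"; MISSING=1; }`.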
@@ -1,74 +0,0 @@
----
-# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
-# CI-only test fixture — NOT for production use.
-#
-# Grants the ARC runner service account permissions in the headlamp-dev
-namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
-#
-# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
-#
-# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
-# and managed by Flux GitOps. The infra repo is the source of truth.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: e2e-ci-runner
- namespace: headlamp-dev
-rules:
- # Helm needs to manage these resources for the Headlamp chart
- - apiGroups: ["apps"]
- resources: ["deployments"]
- verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
- - apiGroups: [""]
- resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
- verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- - apiGroups: [""]
- resources: ["pods"]
- verbs: ["get", "list", "watch"]
- # Token creation for E2E test auth
- - apiGroups: [""]
- resources: ["serviceaccounts/token"]
- verbs: ["create"]
- # Apply Polaris dashboard RBAC in the polaris namespace
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles", "rolebindings"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: e2e-ci-runner-polaris
- namespace: polaris
-rules:
- - apiGroups: ["rbac.authorization.k8s.io"]
- resources: ["roles", "rolebindings"]
- verbs: ["get", "list", "create", "update", "patch", "delete"]
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: e2e-ci-runner-polaris
- namespace: polaris
-subjects:
- - kind: ServiceAccount
- name: runners-privilegedescalation-gha-rs-no-permission
- namespace: arc-runners
-roleRef:
- kind: Role
- name: e2e-ci-runner-polaris
- apiGroup: rbac.authorization.k8s.io
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: e2e-ci-runner-binding
- namespace: headlamp-dev
-subjects:
- - kind: ServiceAccount
- name: runners-privilegedescalation-gha-rs-no-permission
- namespace: arc-runners
-roleRef:
- kind: Role
- name: e2e-ci-runner
- apiGroup: rbac.authorization.k8s.io
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 8314b7d..c80350f 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -35,7 +35,7 @@ fi
 echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
 if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
 echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
- echo " Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
+ echo " Apply RBAC from infra: kubectl apply -f https://raw.githubusercontent.com/privilegedescalation/infra/main/base/rbac/e2e-ci-runner-headlamp-rbac.yaml" >&2
 exit 1
 fi
 
-- 
2.52.0
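Review bot: The new `+` line in scripts/deploy-e2e-headlamp.sh tells an operator to `kubectl apply -f` a manifest fetched from the `main` branch of the infra repo, which contradicts the Flux-managed source of truth this commit establishes (a hand-applied copy drifts from, or is reverted by, the reconciler) and applies RBAC from an unpinned, mutable ref rather than a reviewed revision. Point the operator at the reconciler instead, e.g. `echo "  RBAC is managed by Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml; check that Flux has reconciled it rather than applying it by hand." >&2`. The `if` block is complete within the hunk; the rest of the script lies outside it, and the deleted deployment/e2e-ci-runner-rbac.yaml hunk above is a pure deletion and needs no separate note.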