PR #146 moved RBAC management to the infra repo (Flux). The local
RBAC apply steps were removed from the E2E workflow, but this file
was inadvertently left behind. It is now orphaned since the
polaris-dashboard-proxy-reader Role and RoleBinding are managed
by Flux.
See PRI-916 for context.
The 'local' bash keyword can only be used inside a function. Using it
at top-level of a run: block causes 'local: can only be used in a
function' error and exits the script with code 1.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The ARC runner has no static kubeconfig at any of the expected paths
(/runner/config, ~/.kube/config). It DOES have a service account token
(/var/run/secrets/kubernetes.io/serviceaccount/token) and
KUBERNETES_SERVICE_HOST=10.43.0.1, confirming in-cluster access.
This commit adds a third fallback tier: when no static kubeconfig is
found AND the runner is in-cluster (service account token present),
generate a kubeconfig from the in-cluster service account credentials.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The previous diagnostic step used $KUBECONFIG and $HOME directly,
which causes 'unbound variable' exit when run with set -euo pipefail
and KUBECONFIG is unset. Use ${VAR:-} defaults throughout.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Adds a comprehensive diagnostic block that prints env vars, lists all
known kubeconfig paths, checks in-cluster service account, and attempts
kubectl config view. This will reveal the actual path on the runner.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The previous loop silently skipped if no kubeconfig was found, causing
kubectl commands to fall back to localhost:8080. Use explicit paths
in priority order with a hard error if none exist.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Replace the impersonation check with direct verification of RBAC
resources. The kubectl auth can-i --as check fails with
localhost:8080 because kubectl cannot find kubeconfig. Instead,
directly verify that the Role and RoleBinding were created
by kubectl apply.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Test if kubectl apply dry-run works without KUBECONFIG (the original
behavior that succeeded). Also test kubectl auth can-i without KUBECONFIG
(to confirm the failure mode). Compare with KUBECONFIG set to service account.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
ARC runner has no kubeconfig file. Use the service account
token at /var/run/secrets/kubernetes.io/serviceaccount/ to build
a kubeconfig that connects to the Kubernetes API server from
within the pod. This is the standard in-cluster access pattern.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Test if kubectl can find kubeconfig without explicit KUBECONFIG
on the ARC runner. kubectl config view --raw shows the config
content if it exists, kubectl cluster-info tests connectivity.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
ls -la /github/ exits with code 2 when /github/ doesn't exist,
causing set -e to fail the step. Remove that listing.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Check /paperclip/.kube, /paperclip/.kube/config, /home/runner/.kube,
/home/runner/.kube/config, /runner, and /runner/config. Export
KUBECONFIG so kubectl uses the real cluster.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
ARC runner stores kubeconfig in /home/runner/k8s/config (mounted
by Actions Runtime). Add both k8s and k8s-novolume to the search
paths and remove non-existent paths from diagnostics.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Add ls and echo diagnostics to understand where ARC runners store
kubeconfig. Include ACTIONS_KUBECONFIG and HOME env vars.
Also add $HOME/.kube to the search paths.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
The 'kubectl auth can-i --as' impersonation check was falling back to
localhost:8080 because KUBECONFIG was not set and the ARC runner's
kubeconfig was not in the default location. azure/setup-kubectl@v4
does not set KUBECONFIG — it installs kubectl and relies on the runner's
existing kubeconfig in /runner/.kube/config (ARC runner home).
Add a 'Locate kubeconfig for ARC runner' step that searches the known
runner kubeconfig paths before the RBAC step runs, exports KUBECONFIG
to GITHUB_ENV, and verifies cluster connectivity before proceeding.
Fixes: PRI-785
Co-Authored-By: Paperclip <noreply@paperclip.ing>
- Apply e2e-ci-runner RBAC + polaris RBAC in workflow before pre-flight check
- Add e2e-ci-runner-polaris Role+RoleBinding so CI runner can manage polaris namespace RBAC
- Add roles/rolebindings CRUD to e2e-ci-runner Role (headlamp-dev namespace)
- Collapsed MISSING_ROLE/MISSING_ROLEBINDING into single MISSING flag (QA nit)
- Drop non-standard --quiet flag on kubectl auth can-i (QA nit)
Address PRI-324 QA feedback: workflow now applies its own RBAC so the pre-flight
check is meaningful and the green path is achievable.
Chris Farhood