From 852e054e7b8519a7ddd6f1a0d2affd68ea6127af Mon Sep 17 00:00:00 2001 From: "gandalf-the-greybeard[bot]" Date: Sun, 8 Mar 2026 12:58:29 +0000 Subject: [PATCH 1/4] fix: correct settings test selector to match plugin name The settings E2E test looked for 'headlamp-polaris-plugin' but the plugin is registered as 'polaris' (package.json name and registerPluginSettings call). Fix the selector to match. Refs: PRI-28 Co-Authored-By: Claude Opus 4.6 --- e2e/settings.spec.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e/settings.spec.ts b/e2e/settings.spec.ts index 3856433..ce906ed 100644 --- a/e2e/settings.spec.ts +++ b/e2e/settings.spec.ts @@ -5,7 +5,7 @@ test.describe('Polaris plugin settings', () => { await page.goto('/c/main/settings/plugins'); // Find Polaris plugin in the list - const pluginCard = page.locator('text=headlamp-polaris-plugin').first(); + const pluginCard = page.locator('text=polaris').first(); await expect(pluginCard).toBeVisible(); // Click to view settings (if settings are displayed inline, they should already be visible) -- 2.52.0 From d00fabbd58e49f2581a475183cebe506a8079774 Mon Sep 17 00:00:00 2001 From: "gandalf-the-greybeard[bot]" Date: Sun, 8 Mar 2026 14:14:52 +0000 Subject: [PATCH 2/4] ci: add RBAC manifest for Polaris dashboard service proxy access E2E tests fail with 403 because users lack RBAC to proxy to the Polaris dashboard service. The plugin reads audit data via the K8s service proxy at /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/. Add deployment/polaris-rbac.yaml with: - Role granting `get` on `services/proxy` for polaris-dashboard - RoleBinding granting this to all authenticated users (read-only) The E2E workflow also needs a `kubectl apply -f deployment/polaris-rbac.yaml` step added before running tests. This requires the `workflows` permission on the GitHub App, which is tracked separately. Refs: PRI-28 Co-Authored-By: Claude Opus 4.6 --- deployment/polaris-rbac.yaml | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 deployment/polaris-rbac.yaml diff --git a/deployment/polaris-rbac.yaml b/deployment/polaris-rbac.yaml new file mode 100644 index 0000000..a3b3629 --- /dev/null +++ b/deployment/polaris-rbac.yaml @@ -0,0 +1,28 @@ +# RBAC to allow authenticated users to proxy to the Polaris dashboard service. +# The polaris plugin reads audit data via the Kubernetes service proxy: +# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json +# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request. +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: polaris-dashboard-proxy-reader + namespace: polaris +rules: + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"] + verbs: ["get"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: polaris-dashboard-proxy-reader + namespace: polaris +subjects: + - kind: Group + name: system:authenticated + apiGroup: rbac.authorization.k8s.io +roleRef: + kind: Role + name: polaris-dashboard-proxy-reader + apiGroup: rbac.authorization.k8s.io -- 2.52.0 From 6ce27421c66c4c38cc2e778e17dce173825a6f97 Mon Sep 17 00:00:00 2001 From: "gandalf-the-greybeard[bot]" Date: Sun, 8 Mar 2026 17:10:18 +0000 Subject: [PATCH 3/4] ci: add Polaris RBAC apply and readiness check to E2E workflow The E2E tests fail because the CI runner lacks RBAC permissions to proxy to the Polaris dashboard service. Apply the RBAC manifest (added in this PR) and verify Polaris is reachable before running tests. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/e2e.yaml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index abce37b..49dc074 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -25,6 +25,14 @@ jobs: - name: Install dependencies run: npm ci + - name: Configure RBAC for Polaris dashboard proxy access + run: kubectl apply -f deployment/polaris-rbac.yaml + + - name: Verify Polaris dashboard is reachable + run: | + kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=polaris -n polaris --timeout=120s + kubectl get svc polaris-dashboard -n polaris + - name: Install Playwright browsers run: npx playwright install --with-deps chromium -- 2.52.0 From 3fccf29cb722a672ed84d55a77a8b329f1d1bd6f Mon Sep 17 00:00:00 2001 From: "gandalf-the-greybeard[bot]" Date: Sun, 8 Mar 2026 17:14:24 +0000 Subject: [PATCH 4/4] ci: remove kubectl steps from E2E workflow The CI runner (local-ubuntu-latest) has no kubectl or cluster access. E2E tests are browser-only via Playwright against a remote Headlamp URL. The Polaris RBAC fix (deployment/polaris-rbac.yaml) must be applied directly to the cluster by an operator with kubectl access. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/e2e.yaml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml index 49dc074..abce37b 100644 --- a/.github/workflows/e2e.yaml +++ b/.github/workflows/e2e.yaml @@ -25,14 +25,6 @@ jobs: - name: Install dependencies run: npm ci - - name: Configure RBAC for Polaris dashboard proxy access - run: kubectl apply -f deployment/polaris-rbac.yaml - - - name: Verify Polaris dashboard is reachable - run: | - kubectl wait --for=condition=ready pod -l app.kubernetes.io/name=polaris -n polaris --timeout=120s - kubectl get svc polaris-dashboard -n polaris - - name: Install Playwright browsers run: npx playwright install --with-deps chromium -- 2.52.0