When the headlamp-e2e namespace does not exist, teardown now exits
early with a clear message instead of failing with a misleading RBAC
error. Addresses PRI-443.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

kubectl get namespace is cluster-scoped and requires a ClusterRole.
The runner SA only had a namespaced Role, causing E2E to fail with
Forbidden even when the namespace existed. Adds a minimal ClusterRole
restricted to get on headlamp-e2e only.
Co-Authored-By: Paperclip <noreply@paperclip.ing>
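
A sketch of the kind of ClusterRole the commit above describes, limited to `get` on the single `headlamp-e2e` Namespace object. This is an added example, not the repository's own manifest; the ClusterRole and binding names, the service account name `e2e-runner` and its namespace `ci` are hypothetical.

```yaml
# Added example: values marked "hypothetical" are assumptions, not taken from the repository.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: headlamp-e2e-namespace-reader   # hypothetical name
rules:
  - apiGroups: [""]                     # core API group, where Namespace lives
    resources: ["namespaces"]
    resourceNames: ["headlamp-e2e"]     # only this one Namespace object
    verbs: ["get"]                      # get only; list/watch are left out, so the SA cannot enumerate namespaces
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-e2e-namespace-reader   # hypothetical name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: headlamp-e2e-namespace-reader
subjects:
  - kind: ServiceAccount
    name: e2e-runner                    # hypothetical: the CI runner's service account
    namespace: ci                       # hypothetical: namespace the runner SA lives in
```

With these hypothetical names, `kubectl auth can-i get namespace/headlamp-e2e --as=system:serviceaccount:ci:e2e-runner` should answer `yes`, and the same check against any other namespace name should answer `no`.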

The CI runner SA only has namespace-scoped RBAC in headlamp-e2e — it
cannot create or delete namespaces at the cluster level. Deploy now
verifies the namespace exists (with a clear error if not), and teardown
cleans up resources without deleting the namespace itself.
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Delete custom Docker image approach per board directive. Plugin is now
loaded into stock Headlamp via a ConfigMap volume mount:
- Delete Dockerfile.e2e
- deploy-e2e-headlamp.sh creates a ConfigMap from dist/ and mounts it
into the stock ghcr.io/headlamp-k8s/headlamp image
- Helm values use extraVolumes/extraVolumeMounts for the ConfigMap
- No custom images, no PVCs, no kubectl exec/cp
Co-Authored-By: Paperclip <noreply@paperclip.ing>

Replace PVC/kubectl-patch E2E workflow with the new Docker image approach:
- Build custom Headlamp image with plugin pre-installed (Dockerfile.e2e)
- Push to ghcr.io/privilegedescalation/headlamp-polaris-e2e
- Deploy dedicated instance in headlamp-e2e namespace via Helm
- Auto-generate auth token via deploy-e2e-headlamp.sh
- Teardown after tests (always runs)
No more PVCs, kubectl exec/cp, or kube-system deployment patching.

Replace the PVC + kubectl-patch approach for E2E plugin deployment with
a custom Docker image that has the plugin pre-installed. This eliminates
all policy-violating operations:
- No PVCs in kube-system
- No kubectl exec/cp to Headlamp pods
- No deployment patching via kubectl
- No temporary pods or ConfigMap-based file transfers
The new approach builds a Headlamp image with the plugin baked in
(Dockerfile.e2e), deploys it as a dedicated instance in the headlamp-e2e
namespace via Helm, and tears it down after tests complete.
RBAC is scoped to the headlamp-e2e namespace instead of kube-system.
Note: .github/workflows/e2e.yaml still needs updating to use the new
scripts — that change is delegated to Hugh (CI/CD owner).
Closes: privilegedescalation/headlamp-polaris-plugin#72
Co-Authored-By: Paperclip <noreply@paperclip.ing>