222346759e
* fix: correct settings test selector to match plugin name

  The settings E2E test looked for 'headlamp-polaris-plugin' but the plugin is registered as 'polaris' (package.json name and registerPluginSettings call). Fix the selector to match.

  Refs: PRI-28
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: add RBAC manifest for Polaris dashboard service proxy access

  E2E tests fail with 403 because users lack RBAC to proxy to the Polaris dashboard service. The plugin reads audit data via the K8s service proxy at /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/.

  Add deployment/polaris-rbac.yaml with:
  - Role granting `get` on `services/proxy` for polaris-dashboard
  - RoleBinding granting this to all authenticated users (read-only)

  The E2E workflow also needs a `kubectl apply -f deployment/polaris-rbac.yaml` step added before running tests. This requires the `workflows` permission on the GitHub App, which is tracked separately.

  Refs: PRI-28
  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: add Polaris RBAC apply and readiness check to E2E workflow

  The E2E tests fail because the CI runner lacks RBAC permissions to proxy to the Polaris dashboard service. Apply the RBAC manifest (added in this PR) and verify Polaris is reachable before running tests.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: remove kubectl steps from E2E workflow

  The CI runner (local-ubuntu-latest) has no kubectl or cluster access. E2E tests are browser-only via Playwright against a remote Headlamp URL. The Polaris RBAC fix (deployment/polaris-rbac.yaml) must be applied directly to the cluster by an operator with kubectl access.

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: gandalf-the-greybeard[bot] <gandalf-the-greybeard[bot]@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
29 lines
923 B
YAML
```yaml
# RBAC to allow authenticated users to proxy to the Polaris dashboard service.
# The polaris plugin reads audit data via the Kubernetes service proxy:
# /api/v1/namespaces/polaris/services/http:polaris-dashboard:80/proxy/results.json
# Without this Role + RoleBinding, users get a 403 when Headlamp proxies the request.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: polaris-dashboard-proxy-reader
  namespace: polaris
rules:
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["polaris-dashboard", "http:polaris-dashboard:80"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: polaris-dashboard-proxy-reader
  namespace: polaris
subjects:
  - kind: Group
    name: system:authenticated
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: polaris-dashboard-proxy-reader
  apiGroup: rbac.authorization.k8s.io
```
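To make the scope of this grant concrete, the following added example (not part of the repository) models how an RBAC rule of this shape is matched against service-proxy requests: the verb is derived from the HTTP method and the resource name is the literal path segment, which is why the manifest lists both name forms. The helper names `proxy_request` and `allowed` and the sample requests are hypothetical, and the matcher is a simplified model of the authorizer, not Kubernetes code.

```python
# Added illustration (not from the repository): simplified model of RBAC rule
# matching for the polaris-dashboard-proxy-reader Role. Helper names are hypothetical.
import re

RULE = {  # the Role's single rule, copied from the manifest
    "apiGroups": [""],
    "resources": ["services/proxy"],
    "resourceNames": ["polaris-dashboard", "http:polaris-dashboard:80"],
    "verbs": ["get"],
}
# API server mapping from HTTP method to RBAC verb for a named resource.
METHOD_TO_VERB = {"GET": "get", "HEAD": "get", "POST": "create",
                  "PUT": "update", "PATCH": "patch", "DELETE": "delete"}
PROXY_PATH = re.compile(
    r"^/api/v1/namespaces/(?P<ns>[^/]+)/services/(?P<name>[^/]+)/proxy(?:/.*)?$")


def proxy_request(method, path):
    """Map an HTTP request on a service proxy URL to authorizer attributes."""
    m = PROXY_PATH.match(path)
    if not m or method not in METHOD_TO_VERB:
        return None
    return {"verb": METHOD_TO_VERB[method], "apiGroup": "", "namespace": m["ns"],
            "resource": "services/proxy", "name": m["name"]}


def allowed(attrs, rule=RULE, role_namespace="polaris"):
    """True if a Role in role_namespace carrying this rule permits attrs."""
    if attrs is None or attrs["namespace"] != role_namespace:
        return False
    def has(key, value):
        return "*" in rule[key] or value in rule[key]
    names = rule.get("resourceNames") or []
    return (has("verbs", attrs["verb"]) and has("apiGroups", attrs["apiGroup"])
            and has("resources", attrs["resource"])
            and (not names or attrs["name"] in names))


BASE = "/api/v1/namespaces/polaris/services/"
SAMPLES = [  # constructed requests, not captured traffic
    ("GET", BASE + "http:polaris-dashboard:80/proxy/results.json"),
    ("GET", BASE + "polaris-dashboard/proxy/results.json"),
    ("POST", BASE + "http:polaris-dashboard:80/proxy/results.json"),
    ("GET", BASE + "polaris-dashboard:80/proxy/results.json"),
    ("GET", BASE + "other-service/proxy/"),
]
if __name__ == "__main__":
    for method, path in SAMPLES:
        print("allow" if allowed(proxy_request(method, path)) else "deny ", method, path)
```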