privilegedescalation/headlamp-polaris-plugin
12
0
Fork 0
Code Issues 4 Pull Requests 3 Actions Packages Projects Releases 50 Wiki Activity
Files
e679216660ca3fa3b3ca0eaefab8ed18f1942604
headlamp-polaris-plugin/.github/workflows/e2e.yaml
T
Hugh Hackman e679216660 fix(e2e): replace helm upgrade with kubectl patch to avoid cluster RBAC 
The CI runner SA cannot access cluster-scoped resources (ClusterRole,
ClusterRoleBinding) needed by helm upgrade's 3-way merge. Replace the
helm upgrade step with kubectl patch commands that add the shared volume
mount directly to the Headlamp deployment.

This eliminates the need for cluster-admin intervention:
- kubectl patch adds PVC volume + volumeMount to the deployment
- kubectl set env configures the plugins directory
- kubectl rollout status waits for the update

Also removes the now-unnecessary ClusterRole/ClusterRoleBinding from the
RBAC manifest — only namespace-scoped Role/RoleBinding is needed.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-03-17 17:07:38 +00:00

145 lines
4.8 KiB
YAML
Raw Blame History

name: E2E Tests
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
env:
HEADLAMP_NAMESPACE: kube-system
HEADLAMP_DEPLOY: headlamp
jobs:
e2e:
runs-on: local-ubuntu-latest
timeout-minutes: 15
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: '22'
cache: 'npm'
- name: Install dependencies
run: npm ci
- name: Build plugin
run: npm run build
- name: Setup kubectl
uses: azure/setup-kubectl@v4
- name: Ensure PVC exists
run: kubectl apply -f deployment/headlamp-plugins-pvc.yaml
- name: Patch Headlamp deployment with shared volume mount
run: |
NS="$HEADLAMP_NAMESPACE"
DEPLOY="$HEADLAMP_DEPLOY"
# Add the PVC volume if not already present
HAS_VOL=$(kubectl get deploy "$DEPLOY" -n "$NS" \
-o jsonpath='{.spec.template.spec.volumes[?(@.name=="plugins")].name}')
if [ -z "$HAS_VOL" ]; then
kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
{"op":"add","path":"/spec/template/spec/volumes/-","value":{
"name":"plugins",
"persistentVolumeClaim":{"claimName":"headlamp-plugins"}
}}
]'
fi
# Add the volume mount to the first container if not already present
HAS_MOUNT=$(kubectl get deploy "$DEPLOY" -n "$NS" \
-o jsonpath='{.spec.template.spec.containers[0].volumeMounts[?(@.name=="plugins")].name}')
if [ -z "$HAS_MOUNT" ]; then
kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
{"op":"add","path":"/spec/template/spec/containers/0/volumeMounts/-","value":{
"name":"plugins",
"mountPath":"/headlamp/plugins",
"readOnly":true
}}
]'
fi
# Set the plugins directory via env var
kubectl set env deploy/"$DEPLOY" -n "$NS" \
HEADLAMP_CONFIG_PLUGIN_DIR=/headlamp/plugins
# Wait for rollout
kubectl rollout status deploy/"$DEPLOY" -n "$NS" --timeout=120s
- name: Deploy plugin via shared volume
run: scripts/deploy-plugin-via-volume.sh
- name: Preflight — verify Headlamp and plugin availability
env:
HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
run: |
PLUGIN_NAME=$(node -p "require('./package.json').name")
EXPECTED=$(node -p "require('./package.json').version")
echo "Expecting: $PLUGIN_NAME@$EXPECTED"
# Wait for Headlamp to be reachable
for i in $(seq 1 30); do
HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$HEADLAMP_URL" || true)
if [ "$HTTP_CODE" != "000" ]; then
echo "Headlamp responded HTTP $HTTP_CODE"
break
fi
echo "Waiting for Headlamp... ($i/30)"
sleep 2
done
if [ "$HTTP_CODE" = "000" ]; then
echo "::error::Cannot reach Headlamp at $HEADLAMP_URL after 60s"
exit 1
fi
# Verify plugin is visible
PLUGIN_JSON=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins" 2>/dev/null || echo "[]")
node -e "
const plugins = JSON.parse(process.argv[1]);
console.log('Installed plugins:');
for (const p of plugins) console.log(' ' + p.name + '@' + (p.version||'unknown'));
const ours = plugins.find(p => p.name === '$PLUGIN_NAME' || p.name === 'polaris' || p.name.includes('polaris'));
if (!ours) {
console.log('::warning::Plugin $PLUGIN_NAME not yet visible — Headlamp may need a restart');
} else {
console.log('Found plugin: ' + ours.name + ' at path ' + ours.path);
}
" "$PLUGIN_JSON"
- name: Install Playwright browsers
run: npx playwright install --with-deps chromium
- name: Run E2E tests
run: npm run e2e
env:
HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
HEADLAMP_TOKEN: ${{ secrets.HEADLAMP_TOKEN }}
AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }}
AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }}
- name: Upload Playwright report
uses: actions/upload-artifact@v4
if: failure()
with:
name: playwright-report
path: playwright-report/
retention-days: 7
- name: Upload test results
uses: actions/upload-artifact@v4
if: failure()
with:
name: test-results
path: test-results/
retention-days: 7
Reference in New Issue View Git Blame Copy Permalink