fix(e2e): add cluster-scoped RBAC for E2E service account

The headlamp-e2e-test service account needs cluster-wide read permissions
for storageclasses, cephclusters, persistentvolumes, and
persistentvolumeclaims so the Rook plugin sidebar can populate these
resources without errors.

- Add ClusterRole headlamp-e2e-test-reader with get/list/watch on
  storageclasses, cephclusters, cephclusters/status, persistentvolumes,
  persistentvolumeclaims
- Add ClusterRoleBinding headlamp-e2e-test-crb binding the role to
  the headlamp-e2e-test service account
- Update teardown to also clean up the ClusterRole and ClusterRoleBinding

Fixes: PRI-741

Co-Authored-By: Paperclip <noreply@paperclip.ing>

scripts/deploy-e2e-headlamp.sh

@@ -53,9 +53,54 @@ kubectl create configmap headlamp-rook-plugin \
 
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found 2>/dev/null || true
+
+echo ""
+echo "Creating E2E service account..."
+kubectl create serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE"
+
+echo ""
+echo "Creating RBAC for E2E service account..."
+kubectl apply -f - <<EOF
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: headlamp-e2e-test-reader
+rules:
+  - apiGroups: [""]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["ceph.rook.io"]
+    resources: ["cephclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["ceph.rook.io"]
+    resources: ["cephclusters/status"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-e2e-test-crb
+subjects:
+  - kind: ServiceAccount
+    name: headlamp-e2e-test
+    namespace: ${E2E_NAMESPACE}
+roleRef:
+  kind: ClusterRole
+  name: headlamp-e2e-test-reader
+  apiGroup: rbac.authorization.k8s.io
+EOF
 
 echo ""
 echo "Deploying Headlamp E2E instance..."
@@ -173,9 +218,6 @@ echo "E2E Headlamp is ready at: ${SVC_URL}"
 
 echo ""
 echo "Creating service account token for E2E auth..."
-kubectl create serviceaccount headlamp-e2e-test \
-  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
-
 TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
 if [ -n "$TOKEN" ]; then
   echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"

scripts/teardown-e2e-headlamp.sh

@@ -25,8 +25,10 @@ kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-
 echo "Cleaning up ConfigMap..."
 kubectl delete configmap headlamp-rook-plugin -n "$E2E_NAMESPACE" --ignore-not-found
 
-echo "Cleaning up test service account..."
+echo "Cleaning up test service account and RBAC..."
 kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
+kubectl delete clusterrole headlamp-e2e-test-reader --ignore-not-found 2>/dev/null || true
 
 if [ -f "$REPO_ROOT/.env.e2e" ]; then
   rm "$REPO_ROOT/.env.e2e"