From 169d2ec91b0f2e4c989dae18d01da158c21f41be Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Tue, 5 May 2026 16:12:03 +0000 Subject: [PATCH] fix(e2e): add cluster-scoped RBAC for E2E service account The headlamp-e2e-test service account needs cluster-wide read permissions for storageclasses, cephclusters, persistentvolumes, and persistentvolumeclaims so the Rook plugin sidebar can populate these resources without errors. - Add ClusterRole headlamp-e2e-test-reader with get/list/watch on storageclasses, cephclusters, cephclusters/status, persistentvolumes, persistentvolumeclaims - Add ClusterRoleBinding headlamp-e2e-test-crb binding the role to the headlamp-e2e-test service account - Update teardown to also clean up the ClusterRole and ClusterRoleBinding Fixes: PRI-741 Co-Authored-By: Paperclip
---
scripts/deploy-e2e-headlamp.sh | 48 ++++++++++++++++++++++++++++++-- scripts/teardown-e2e-headlamp.sh | 4 ++- 2 files changed, 48 insertions(+), 4 deletions(-)
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 30edb91..bf20565 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -53,9 +53,54 @@ kubectl create configmap headlamp-rook-plugin \ echo "" echo "Removing any existing E2E deployment (clean-start)..." +kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait +kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found 2>/dev/null || true + +echo "" +echo "Creating E2E service account..." +kubectl create serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" + +echo "" +echo "Creating RBAC for E2E service account..." +kubectl apply -f - </dev/null || echo "") if [ -n "$TOKEN" ]; then echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e" diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh index 218d74b..28063df 100755 --- a/scripts/teardown-e2e-headlamp.sh +++ b/scripts/teardown-e2e-headlamp.sh @@ -25,8 +25,10 @@ kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not- echo "Cleaning up ConfigMap..." kubectl delete configmap headlamp-rook-plugin -n "$E2E_NAMESPACE" --ignore-not-found -echo "Cleaning up test service account..." +echo "Cleaning up test service account and RBAC..." kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found +kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true +kubectl delete clusterrole headlamp-e2e-test-reader --ignore-not-found 2>/dev/null || true if [ -f "$REPO_ROOT/.env.e2e" ]; then rm "$REPO_ROOT/.env.e2e"
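Review bot: The two added clean-start deletes end in `2>/dev/null || true`, which hides every failure, not only the not-found case that `--ignore-not-found` already handles; a forbidden or timed-out delete of `headlamp-e2e-test-crb` passes silently, unlike the three neighbouring deletes. Dropping the redirect and `|| true`, or replacing them with `|| echo "WARNING: could not delete clusterrolebinding headlamp-e2e-test-crb" >&2`, keeps the run going while leaving a trace. The same pattern is on the two deletes added in scripts/teardown-e2e-headlamp.sh, where a silent failure leaves a cluster-wide binding behind after teardown reports success. Separately, the token that the trailing context lines write to `$REPO_ROOT/.env.e2e` now carries cluster-wide read on the storage resources, so a `chmod 600 "$REPO_ROOT/.env.e2e"` after the write is worth adding; the token command itself is not fully visible here.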
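Review bot: The cluster-scoped names `headlamp-e2e-test-crb` and `headlamp-e2e-test-reader` are fixed literals while the service account is addressed through `$E2E_NAMESPACE`, so tearing down one namespace's run removes the RBAC that a run in another namespace on the same cluster depends on. This assumes the binding's subject follows `$E2E_NAMESPACE`; the manifest is not visible here. If parallel namespaces are a supported setup, derive the names from the namespace in both scripts, e.g. `kubectl delete clusterrolebinding "headlamp-e2e-test-crb-${E2E_NAMESPACE}" --ignore-not-found`; otherwise a comment stating the one-run-per-cluster assumption would do.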