From 169d2ec91b0f2e4c989dae18d01da158c21f41be Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Tue, 5 May 2026 16:12:03 +0000
Subject: [PATCH 1/3] fix(e2e): add cluster-scoped RBAC for E2E service account

The headlamp-e2e-test service account needs cluster-wide read permissions
for storageclasses, cephclusters, persistentvolumes, and
persistentvolumeclaims so the Rook plugin sidebar can populate these
resources without errors.

- Add ClusterRole headlamp-e2e-test-reader with get/list/watch on
  storageclasses, cephclusters, cephclusters/status, persistentvolumes,
  persistentvolumeclaims
- Add ClusterRoleBinding headlamp-e2e-test-crb binding the role to
  the headlamp-e2e-test service account
- Update teardown to also clean up the ClusterRole and ClusterRoleBinding

Fixes: PRI-741

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 scripts/deploy-e2e-headlamp.sh   | 48 ++++++++++++++++++++++++++++++--
 scripts/teardown-e2e-headlamp.sh |  4 ++-
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 30edb91..bf20565 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -53,9 +53,54 @@ kubectl create configmap headlamp-rook-plugin \
 
 echo ""
 echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
 kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
 kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found 2>/dev/null || true
+
+echo ""
+echo "Creating E2E service account..."
+kubectl create serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE"
+
+echo ""
+echo "Creating RBAC for E2E service account..."
+kubectl apply -f - <<EOF
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: headlamp-e2e-test-reader
+rules:
+  - apiGroups: [""]
+    resources: ["storageclasses"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["ceph.rook.io"]
+    resources: ["cephclusters"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: ["ceph.rook.io"]
+    resources: ["cephclusters/status"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumes"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-e2e-test-crb
+subjects:
+  - kind: ServiceAccount
+    name: headlamp-e2e-test
+    namespace: ${E2E_NAMESPACE}
+roleRef:
+  kind: ClusterRole
+  name: headlamp-e2e-test-reader
+  apiGroup: rbac.authorization.k8s.io
+EOF
 
 echo ""
 echo "Deploying Headlamp E2E instance..."
@@ -173,9 +218,6 @@ echo "E2E Headlamp is ready at: ${SVC_URL}"
 
 echo ""
 echo "Creating service account token for E2E auth..."
-kubectl create serviceaccount headlamp-e2e-test \
-  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
-
 TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
 if [ -n "$TOKEN" ]; then
   echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh
index 218d74b..28063df 100755
--- a/scripts/teardown-e2e-headlamp.sh
+++ b/scripts/teardown-e2e-headlamp.sh
@@ -25,8 +25,10 @@ kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-
 echo "Cleaning up ConfigMap..."
 kubectl delete configmap headlamp-rook-plugin -n "$E2E_NAMESPACE" --ignore-not-found
 
-echo "Cleaning up test service account..."
+echo "Cleaning up test service account and RBAC..."
 kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete clusterrolebinding headlamp-e2e-test-crb --ignore-not-found 2>/dev/null || true
+kubectl delete clusterrole headlamp-e2e-test-reader --ignore-not-found 2>/dev/null || true
 
 if [ -f "$REPO_ROOT/.env.e2e" ]; then
   rm "$REPO_ROOT/.env.e2e"
-- 
2.52.0


From 215c79ae1926ea3cadf746ddf9b466c0f6aa5d83 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 6 May 2026 13:33:41 +0000
Subject: [PATCH 2/3] fix(e2e): write HEADLAMP_URL before token gen; add pods
 RBAC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix two bugs from PRI-879 QA review:

- HEADLAMP_URL is now written to .env.e2e unconditionally, before
  attempting token generation. Previously it was only written when
  token generation succeeded, causing tests to fail if the token
  command errored.

- ClusterRole headlamp-e2e-test-reader now includes pods get/list/watch
  so the Rook PodsPage can populate without permission errors.

Does not address the popup race in auth.setup.ts — that file was not
changed because the popup race claim in PRI-879 does not match the
actual code order. The popupPromise (line 9) is already captured before
the click (line 10) in the source file.

Fixes: PRI-879

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 scripts/deploy-e2e-headlamp.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index bf20565..7e7fb12 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -87,6 +87,9 @@ rules:
   - apiGroups: [""]
     resources: ["persistentvolumeclaims"]
     verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -216,15 +219,18 @@ done
 echo ""
 echo "E2E Headlamp is ready at: ${SVC_URL}"
 
+echo ""
+echo "Writing E2E env file..."
+echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
+
 echo ""
 echo "Creating service account token for E2E auth..."
 TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
 if [ -n "$TOKEN" ]; then
-  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
   echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
   echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
 else
-  echo "  WARNING: Could not generate token."
+  echo "Wrote .env.e2e with HEADLAMP_URL only (token generation failed, using OIDC fallback)"
 fi
 
 echo ""
-- 
2.52.0


From fe69dee84e3f4096ca9d4c7cfb9062a8bd0826f7 Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 6 May 2026 17:11:07 +0000
Subject: [PATCH 3/3] fix e2e: use button role for storage classes sidebar
 selector

The storage classes sidebar entry is rendered as a button, not a link.
Fix the flaky E2E test by changing getByRole('link') to getByRole('button').

Fixes PRI-935

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 e2e/rook.spec.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/e2e/rook.spec.ts b/e2e/rook.spec.ts
index bb6f15d..972ddb8 100644
--- a/e2e/rook.spec.ts
+++ b/e2e/rook.spec.ts
@@ -44,7 +44,7 @@ test.describe('Rook plugin smoke tests', () => {
     await page.goto('/c/main/rook-ceph');
 
     const sidebar = page.getByRole('navigation', { name: 'Navigation' });
-    const storageClassesLink = sidebar.getByRole('link', { name: /storage classes/i });
+    const storageClassesLink = sidebar.getByRole('button', { name: /storage classes/i });
     await expect(storageClassesLink).toBeVisible({ timeout: 10_000 });
     await storageClassesLink.click();
 
-- 
2.52.0