Fix E2E namespace to headlamp-dev and add RBAC manifest

- Changed E2E_NAMESPACE from privilegedescalation-dev to headlamp-dev in e2e.yaml, deploy-e2e-headlamp.sh, and teardown-e2e-headlamp.sh - Added deployment/e2e-ci-runner-rbac.yaml (copy from polaris repo) - The ARC runner SA has RBAC scoped to headlamp-dev, not privilegedescalation-dev — this caused E2E run failures. - PRI-619 QA review feedback from Regina Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-05 06:08:28 +00:00
parent 935fec988c
commit 907d45621e
4 changed files with 41 additions and 6 deletions
@@ -0,0 +1,35 @@
+---
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
+# CI-only test fixture — NOT for production use.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: headlamp-dev
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-binding
+  namespace: headlamp-dev
+subjects:
+  - kind: ServiceAccount
+    name: runners-privilegedescalation-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io