privilegedescalation/headlamp-sealed-secrets-plugin
12
0
Fork 0
Code Issues 2 Pull Requests 2 Actions Packages Projects Releases 27 Wiki Activity
57 Commits 20 Branches 27 Tags
2d6fc15fde4ff2290f7a2f20d044183cadfa8ecd
Commit Graph

9 Commits

Author SHA1 Message Date
Chris Farhood 2d6fc15fde fix: explicitly specify tarball name instead of glob 2026-02-12 15:08:18 -05:00
Chris Farhood 9bfcb2316f fix: add contents write permission to prepare-release 2026-02-12 15:05:20 -05:00
Chris Farhood fdfa7e8102 fix: use simple runner label format (not array) 2026-02-12 15:03:51 -05:00
Chris Farhood 482736e27b test: add runner test workflow 2026-02-12 15:00:47 -05:00
Chris Farhood 4d99360694 fix: use array format for self-hosted runners at org level 
Changed runs-on from 'local-ubuntu-latest' to '[self-hosted, local-ubuntu-latest]'
to properly match organization-level ARC runner scale sets.

For organization-level runners, GitHub Actions requires the self-hosted
label along with the runner scale set name.
 2026-02-12 14:38:08 -05:00
Chris Farhood b8afb29ebe ci: adopt polaris-plugin workflow architecture 
Replaced monolithic publish workflow with cleaner 3-workflow pattern
from headlamp-polaris-plugin:

Changes:
- ci.yaml: Basic lint/test on push/PR (simplified)
- prepare-release.yaml: NEW - Manual workflow to bump version and tag
- release.yaml: NEW - Two-job pattern (build → update-metadata)

Key improvements:
- Uses npx @kinvolk/headlamp-plugin package (standard CLI)
- Separates version bumping from release building
- Two-job release: build artifacts, then update main with checksum
- Better validation (tarball name, contents)
- Cleaner git history (metadata updates are separate commits)
- Matches polaris-plugin proven pattern

Breaking changes:
- No longer uses publish.yml
- Release process now requires prepare-release workflow first
- Checksums updated via separate job after release completes

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
 2026-02-12 13:54:08 -05:00
Chris Farhood 78f5074818 chore: optimize Git workflow and CI/CD for Headlamp plugin releases 
Implements comprehensive workflow redesign addressing:
- Non-deterministic builds → Fixed with consistent Node version and npm ci
- Manual checksum management → Automated in publish workflow
- Multiple artifact locations → Single source of truth (GitHub releases)
- Individual file releases → Single tarball artifact
- Artifact Hub mismatches → No rebuild risk, use released tarball

Key improvements:
- CI workflow: faster builds with npm cache, artifact verification
- Publish workflow: deterministic builds, automatic checksum calculation,
  auto-commit of metadata updates, single tarball release
- Branch protection: require PR review and passing CI before merge
- Release process: simplified from manual to 5-minute automated workflow

Documentation:
- GIT_WORKFLOW.md: branching strategy, commit conventions, release process
- RELEASE_GUIDE.md: detailed step-by-step release instructions
- RELEASE_QUICK_REFERENCE.md: copy-paste commands for quick releases
- CI_CD_DESIGN.md: technical architecture and design decisions
- GITHUB_SETUP_CHECKLIST.md: repository configuration guide
- WORKFLOW_OPTIMIZATION_SUMMARY.md: executive summary of changes

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-02-12 13:43:39 -05:00
Chris Farhood 630152270f ci: update workflows to use local-ubuntu-latest runner 
Changed both CI and publish workflows to target local self-hosted
runner instead of GitHub-hosted ubuntu-latest.

Changes:
- .github/workflows/ci.yml: runs-on: local-ubuntu-latest
- .github/workflows/publish.yml: runs-on: local-ubuntu-latest

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
 2026-02-12 12:26:55 -05:00
Chris Farhood dddbd30677 Initial release: Headlamp Sealed Secrets plugin v0.1.0 
Features:
- Complete SealedSecret CRD integration with Headlamp
- Client-side encryption using controller's public key
- Support for all three scoping modes (strict, namespace-wide, cluster-wide)
- List and detail views for SealedSecrets
- Encryption dialog for creating new SealedSecrets
- Decryption support with RBAC awareness
- Sealing keys management
- Settings page for controller configuration
- Integration with Secret detail view

Technical:
- Full TypeScript with strict mode
- ~1,345 lines of code
- Build size: 339.42 kB (93.21 kB gzipped)
- Compatible with Headlamp v0.13.0+
- Apache 2.0 license

Security:
- All encryption performed client-side
- RSA-OAEP + AES-256-GCM (kubeseal-compatible)
- Auto-hide decrypted values after 30 seconds

Closes: Initial implementation
 2026-02-11 20:31:20 -05:00