Compare commits

..

1 Commits

Author SHA1 Message Date
Chris Farhood cedd07429f fix: add markdownlint config to resolve CI failures
- Add .markdownlint-cli2.jsonc with 18 rule disables appropriate for plugin docs
- Add .markdownlintignore to skip generated API reference docs

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 21:25:00 +00:00
9 changed files with 416 additions and 19324 deletions
-23
View File
@@ -1,23 +0,0 @@
name: E2E Tests
on:
push:
branches: [main]
pull_request:
branches: [main]
workflow_dispatch:
permissions:
contents: read
concurrency:
group: e2e-${{ github.repository }}
cancel-in-progress: false
jobs:
e2e:
uses: privilegedescalation/.github/.github/workflows/plugin-e2e.yaml@main
with:
node-version: "22"
headlamp-version: v0.40.1
e2e-namespace: headlamp-dev
+1 -1
View File
@@ -151,7 +151,7 @@ Plaintext values never leave your browser.
| Network sniffing | No plaintext on network | ✅ Protected | | Network sniffing | No plaintext on network | ✅ Protected |
| Compromised proxy | Only sees encrypted data | ✅ Protected | | Compromised proxy | Only sees encrypted data | ✅ Protected |
| Browser XSS | Headlamp CSP policies | ⚠️ Standard web security | | Browser XSS | Headlamp CSP policies | ⚠️ Standard web security |
| Supply chain | Package locks, Renovate | ⚠️ Ongoing monitoring | | Supply chain | Package locks, dependabot | ⚠️ Ongoing monitoring |
See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md) See: [ADR 003: Client-Side Encryption](docs/architecture/adr/003-client-side-crypto.md)
+1 -1
View File
@@ -70,7 +70,7 @@ Key dependencies with security implications:
- **node-forge**: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date. - **node-forge**: Used for client-side encryption of secret values with the cluster's sealing certificate. Keep this dependency up to date.
- **@kinvolk/headlamp-plugin**: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation. - **@kinvolk/headlamp-plugin**: Peer dependency providing the Kubernetes API proxy. Update by upgrading your Headlamp installation.
The project uses `npm audit` and Renovate to monitor for known vulnerabilities. The project uses `npm audit` and Dependabot to monitor for known vulnerabilities.
## Contact ## Contact
@@ -349,7 +349,7 @@ Added type safety:
**Supply Chain**: **Supply Chain**:
- Risk: Compromised node-forge dependency - Risk: Compromised node-forge dependency
- Mitigation: Package lock, Renovate, regular audits - Mitigation: Package lock, dependabot, regular audits
- Same risk as any JavaScript dependency - Same risk as any JavaScript dependency
**Browser Extensions**: **Browser Extensions**:
-18877
View File
File diff suppressed because it is too large Load Diff
+1 -3
View File
@@ -52,9 +52,7 @@
"overrides": { "overrides": {
"tar": "^7.5.11", "tar": "^7.5.11",
"undici": "^7.24.3", "undici": "^7.24.3",
"vite": ">=6.4.2", "vite": ">=6.4.2"
"lodash": ">=4.18.0",
"elliptic": ">=6.6.1"
}, },
"dependencies": { "dependencies": {
"node-forge": "^1.4.0" "node-forge": "^1.4.0"
+404 -404
View File
File diff suppressed because it is too large Load Diff
+6 -9
View File
@@ -5,18 +5,16 @@
# a ConfigMap volume mount. No custom Docker images — the plugin is built # a ConfigMap volume mount. No custom Docker images — the plugin is built
# in CI and injected as a ConfigMap. # in CI and injected as a ConfigMap.
# #
# E2E resources are deployed to the `headlamp-dev` namespace. Nothing # E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
# persists beyond the test run — teardown cleans up all created resources. # persists beyond the test run — teardown cleans up all created resources.
# #
# Prerequisites: # Prerequisites:
# - Plugin built (dist/ exists with plugin-main.js + package.json) # - Plugin built (dist/ exists with plugin-main.js + package.json)
# - kubectl configured with cluster access # - kubectl configured with cluster access
# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml. # - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
# The infra repo is the source of truth — do not apply this file directly.
# Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
# #
# Environment: # Environment:
# E2E_NAMESPACE — namespace for E2E Headlamp (default: headlamp-dev) # E2E_NAMESPACE — namespace for E2E Headlamp (default: privilegedescalation-dev)
# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
# HEADLAMP_VERSION — Headlamp image tag (default: latest) # HEADLAMP_VERSION — Headlamp image tag (default: latest)
set -euo pipefail set -euo pipefail
@@ -24,7 +22,7 @@ set -euo pipefail
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
DIST_DIR="$REPO_ROOT/dist" DIST_DIR="$REPO_ROOT/dist"
E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}" E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}" HEADLAMP_VERSION="${HEADLAMP_VERSION:-latest}"
@@ -37,7 +35,7 @@ fi
echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..." echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2 echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
echo " Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml" >&2 echo " Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
exit 1 exit 1
fi fi
@@ -99,7 +97,7 @@ spec:
app.kubernetes.io/instance: ${E2E_RELEASE} app.kubernetes.io/instance: ${E2E_RELEASE}
spec: spec:
serviceAccountName: ${E2E_RELEASE} serviceAccountName: ${E2E_RELEASE}
automountServiceAccountToken: false automountServiceAccountToken: true
securityContext: {} securityContext: {}
containers: containers:
- name: headlamp - name: headlamp
@@ -161,7 +159,6 @@ spec:
EOF EOF
echo "Waiting for rollout..." echo "Waiting for rollout..."
sleep 2
kubectl rollout status "deployment/${E2E_RELEASE}" \ kubectl rollout status "deployment/${E2E_RELEASE}" \
-n "$E2E_NAMESPACE" --timeout=120s -n "$E2E_NAMESPACE" --timeout=120s
+2 -5
View File
@@ -3,17 +3,14 @@
# #
# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh. # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
# #
# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
# The infra repo is the source of truth — do not apply this file directly.
#
# Environment: # Environment:
# E2E_NAMESPACE — namespace to clean up (default: headlamp-dev) # E2E_NAMESPACE — namespace to clean up (default: privilegedescalation-dev)
# E2E_RELEASE — release/resource name prefix (default: headlamp-e2e) # E2E_RELEASE — release/resource name prefix (default: headlamp-e2e)
set -euo pipefail set -euo pipefail
REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)" REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}" E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}" E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
echo "=== E2E Headlamp Teardown ===" echo "=== E2E Headlamp Teardown ==="