fix(headlamp): allow egress to registry.npmjs.org so the plugin sidecar can bootstrap#2182
Merged
…ar can bootstrap

The headlamp-plugin sidecar runs `npx @headlamp-k8s/pluginctl ...`, which downloads pluginctl and its dependencies from registry.npmjs.org. That host is absent from the Cilium egress FQDN allow-list (a regression from the world:443 -> explicit-FQDN lockdown in #2019), so npm fails with ETIMEDOUT, the sidecar exits 1, and the pod CrashLoopBackOffs on every (re)start -- the dashboard never installs new plugins (e.g. the newly added crossview-headlamp plugin).

Add registry.npmjs.org to the toFQDNs list, mirroring the earlier plugin-egress fix (#2112) that added the GitHub release-asset CDN.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Contributor

🎉 This PR is included in version 1.69.9 🎉 The release is available on GitHub release

Your semantic-release bot 📦🚀
Problem

The `headlamp` pod's `headlamp-plugin` sidecar (node:lts-alpine) is in CrashLoopBackOff. Captured crash (previous-container logs):

Root cause

The sidecar bootstraps each plugin with `npx --yes @headlamp-k8s/pluginctl@latest install ...`, which must download `pluginctl` (+deps) from `registry.npmjs.org`. That host is not in the Cilium egress `toFQDNs` allow-list, so Cilium's L7 DNS/FQDN policy drops the request → npm ETIMEDOUT → `npx` exits 1 → sidecar crashloops on every (re)start.

This is a regression from the `world:443` → explicit-FQDN egress lockdown (#2019): the cached plugins on the PVC predate the lockdown, so the dashboard still renders, but the sidecar can no longer re-run pluginctl, and the newly added `crossview-headlamp` plugin never installs.

Fix

Add `registry.npmjs.org` to the `toFQDNs` list in `k8s/bases/apps/headlamp/networkpolicy.yaml` — the same one-line pattern as the earlier plugin-egress fix (#2112, which added the GitHub release-asset CDN). The networkpolicy is identical local+prod, so the base file is the correct place (consistent with #2112).

Validation

`kubectl kustomize k8s/bases/apps/headlamp/` builds; `registry.npmjs.org` renders in the allow-list.

🤖 Generated with Claude Code
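For readers who have not seen the explicit-FQDN pattern the PR relies on, here is an illustrative CiliumNetworkPolicy in that shape. It is an added example, not the repository's `k8s/bases/apps/headlamp/networkpolicy.yaml`; the namespace, pod labels and the GitHub CDN hostname are assumptions, and in-cluster rules (API server, metrics, etc.) are omitted.

```yaml
# Added example, not the project's own policy file.
# Shows why toFQDNs needs a proxied DNS rule and where the PR's one-line
# addition lands. Namespace, labels and the GitHub CDN hostname are assumed.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: headlamp-egress
  namespace: headlamp                      # assumed
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: headlamp     # assumed pod label
  egress:
    # 1. DNS to kube-dns, inspected by Cilium's L7 DNS proxy (rules.dns).
    #    toFQDNs only works because the proxy observes the answers and maps
    #    each allowed name to the IPs it resolved to. Without this rule the
    #    FQDN entries below never match and every egress is dropped.
    - toEndpoints:
        - matchLabels:
            k8s:io.kubernetes.pod.namespace: kube-system
            k8s:k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
    # 2. Explicit FQDN allow-list on 443; this is what replaced the former
    #    world:443 rule (#2019). Anything not listed here fails closed.
    - toFQDNs:
        - matchName: objects.githubusercontent.com   # GitHub release-asset CDN (#2112); hostname assumed
        - matchName: registry.npmjs.org              # this PR: lets `npx` fetch pluginctl and its deps
      toPorts:
        - ports:
            - port: "443"
              protocol: TCP
```

Because the policy drops rather than rejects the SYN, a missing name surfaces as a timeout (npm ETIMEDOUT) rather than a connection refused, which matches the crash described above; checking `cilium monitor --type drop` (or Hubble flow logs) for the pod is the quickest way to confirm a policy drop before touching the allow-list.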