fix(e2e): add diagnostic output to RBAC apply step to diagnose remaining failure

E2E still failing at step 11 after --namespace fix. Adding detailed
diagnostic output to capture actual kubectl error message before
it cascades. Also verifying RoleExists before apply to detect if
Flux already synced the RBAC from infra repo.

Ref: PRI-851

.github/FUNDING.yml

@@ -0,0 +1 @@
+github_sponsors: [privilegedescalation]

.github/workflows/ci.yaml

@@ -2,9 +2,13 @@ name: CI
 
 on:
   push:
-    branches: [main]
+    branches: ['**']
   pull_request:
-    branches: [main]
+    branches: [main, dev]
+  workflow_dispatch:
+
+permissions:
+  contents: read
 
 jobs:
   ci:

.github/workflows/e2e.yaml

@@ -0,0 +1,222 @@
+name: E2E Tests
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+# Only one E2E run at a time — the shared E2E_RELEASE in headlamp-dev cannot
+# be shared across concurrent runs. cancel-in-progress: false queues rather
+# than cancels to avoid skipping the teardown step.
+concurrency:
+  group: e2e-${{ github.repository }}
+  cancel-in-progress: false
+
+env:
+  E2E_NAMESPACE: headlamp-dev
+  E2E_RELEASE: headlamp-e2e-argocd
+  HEADLAMP_VERSION: v0.40.1
+
+jobs:
+  e2e:
+    runs-on: runners-privilegedescalation
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Detect package manager
+        id: pkg-manager
+        run: |
+          if [ -f "pnpm-lock.yaml" ]; then
+            echo "manager=pnpm" >> $GITHUB_OUTPUT
+            PM=$(python3 -c "import json,sys; d=json.load(open('package.json')); print('true' if d.get('packageManager','').startswith('pnpm@') else 'false')" 2>/dev/null || echo "false")
+            echo "has_package_manager=$PM" >> $GITHUB_OUTPUT
+          else
+            echo "manager=npm" >> $GITHUB_OUTPUT
+            echo "has_package_manager=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Setup Node
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: ${{ steps.pkg-manager.outputs.manager == 'npm' && 'npm' || '' }}
+
+      - name: Setup pnpm (Corepack, respects packageManager field)
+        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'true'
+        run: |
+          npm install -g corepack
+          corepack enable pnpm
+          corepack prepare $(node -p "require('./package.json').packageManager") --activate
+
+      - name: Setup pnpm (version latest, no packageManager field)
+        if: steps.pkg-manager.outputs.manager == 'pnpm' && steps.pkg-manager.outputs.has_package_manager == 'false'
+        uses: pnpm/action-setup@v5
+        with:
+          run_install: false
+          version: latest
+
+      - name: Get pnpm store directory
+        id: pnpm-store
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        run: echo "dir=$(pnpm store path --silent)" >> $GITHUB_OUTPUT
+
+      - name: Cache pnpm store
+        if: steps.pkg-manager.outputs.manager == 'pnpm'
+        uses: actions/cache@v5
+        with:
+          path: ${{ steps.pnpm-store.outputs.dir }}
+          key: ${{ runner.os }}-pnpm-${{ hashFiles('**/pnpm-lock.yaml') }}
+          restore-keys: |
+            ${{ runner.os }}-pnpm-
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+        with:
+          version: 'latest'
+
+      - name: Get kubeconfig
+        run: |
+          set -euo pipefail
+          echo "=== Runner kubeconfig diagnostic ==="
+          echo "KUBECONFIG=${KUBECONFIG:-}"
+          for path in /runner/config /home/runner/.kube/config "${HOME:-}/.kube/config"; do
+            if [ -f "$path" ]; then
+              echo "FOUND kubeconfig at: $path"
+            fi
+          done
+          echo ""
+          echo "=== In-cluster service account check ==="
+          in_cluster=false
+          if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
+            echo "Service account token present — in-cluster mode available"
+            in_cluster=true
+          fi
+          if [ -f /runner/config ]; then
+            echo "KUBECONFIG=/runner/config" >> "$GITHUB_ENV"
+          elif [ -f /home/runner/.kube/config ]; then
+            echo "KUBECONFIG=/home/runner/.kube/config" >> "$GITHUB_ENV"
+          elif [ -f "${HOME:-}/.kube/config" ]; then
+            echo "KUBECONFIG=${HOME:-}/.kube/config" >> "$GITHUB_ENV"
+          elif [ "$in_cluster" = true ]; then
+            echo "No static kubeconfig found — generating in-cluster kubeconfig"
+            KUBECFG_DIR="${HOME:-}/.kube"
+            mkdir -p "$KUBECFG_DIR"
+            kubectl config set-cluster in-cluster \
+              --server="https://${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}:${KUBERNETES_SERVICE_PORT:-443}" \
+              --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
+              --embed-certs=true \
+              --kubeconfig="$KUBECFG_DIR/config"
+            kubectl config set-credentials in-cluster \
+              --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
+              --kubeconfig="$KUBECFG_DIR/config"
+            kubectl config set-context in-cluster \
+              --cluster=in-cluster \
+              --user=in-cluster \
+              --kubeconfig="$KUBECFG_DIR/config"
+            kubectl config use-context in-cluster \
+              --kubeconfig="$KUBECFG_DIR/config"
+            echo "KUBECONFIG=$KUBECFG_DIR/config" >> "$GITHUB_ENV"
+          else
+            echo "::error::No kubeconfig found"
+            exit 1
+          fi
+
+      - name: Apply RBAC for E2E pipeline
+        run: |
+          set -x
+          echo "=== Verifying RBAC is available in headlamp-dev namespace ==="
+          kubectl get role e2e-ci-runner -n headlamp-dev && echo "Role e2e-ci-runner already exists" || echo "Role e2e-ci-runner not found"
+          kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev && echo "RoleBinding e2e-ci-runner-binding already exists" || echo "RoleBinding not found"
+          echo "Applying RBAC from deployment/e2e-ci-runner-rbac.yaml..."
+          kubectl apply -f deployment/e2e-ci-runner-rbac.yaml || echo "apply returned exit code $?"
+          echo "Waiting for RBAC propagation..."
+          sleep 5
+          kubectl get role e2e-ci-runner -n headlamp-dev
+          kubectl get rolebinding e2e-ci-runner-binding -n headlamp-dev 2>&1 | tail -3 || true
+          set +x
+
+      - name: Install dependencies
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm install --frozen-lockfile
+          else
+            npm ci
+          fi
+
+      - name: Build plugin
+        run: npx @kinvolk/headlamp-plugin build
+
+      - name: Deploy E2E Headlamp instance
+        run: scripts/deploy-e2e-headlamp.sh
+
+      - name: Load E2E environment
+        run: |
+          if [ -f .env.e2e ]; then
+            cat .env.e2e >> "$GITHUB_ENV"
+          else
+            echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e"
+            exit 1
+          fi
+
+      - name: Install Playwright browsers
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm exec playwright install --with-deps chromium
+          else
+            npx playwright install --with-deps chromium
+          fi
+
+      - name: Run E2E tests
+        run: |
+          if [ "${{ steps.pkg-manager.outputs.manager }}" = "pnpm" ]; then
+            pnpm run e2e
+          else
+            npm run e2e
+          fi
+        env:
+          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
+          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
+
+      - name: Collect deployment diagnostics on failure
+        if: failure()
+        run: |
+          echo "=== Pod state ==="
+          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Pod describe ==="
+          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
+          echo "=== Container logs (current) ==="
+          kubectl logs -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" \
+            --tail=100 2>&1 || true
+          echo "=== Container logs (previous, if crashed) ==="
+          kubectl logs -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" \
+            --previous --tail=100 2>&1 || true
+          echo "=== Recent namespace events ==="
+          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
+
+      - name: Teardown E2E instance
+        if: always()
+        run: scripts/teardown-e2e-headlamp.sh
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v7
+        if: failure()
+        with:
+          name: playwright-report
+          path: playwright-report/
+          retention-days: 7
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v7
+        if: failure()
+        with:
+          name: test-results
+          path: test-results/
+          retention-days: 7

.markdownlint-cli2.jsonc

@@ -0,0 +1,53 @@
+{
+  "config": {
+    // Line length — not enforced for docs with code examples
+    "MD013": false,
+    // First line heading — files use YAML frontmatter, not headings
+    "MD041": false,
+    // Emphasis as heading — common pattern for Option 1/2/3 sections
+    "MD036": false,
+    // No duplicate heading — changelog files repeat section names intentionally
+    "MD024": false,
+    // Fenced code language — not always applicable for diagram blocks
+    "MD040": false,
+    // Table column style — table alignment is visual, not semantic
+    "MD060": false,
+    // Ordered list item prefix — number resets are intentional in documents
+    "MD029": false,
+    // No inline HTML — each elements are valid in valid Markdown
+    "MD033": false,
+    // List marker space — spacing after list markers varies by editor
+    "MD030": false,
+    // Blanks around headings — not always needed in compact docs
+    "MD022": false,
+    // Blanks around lists — not always needed in compact docs
+    "MD032": false,
+    // Blanks around fences — not always needed between adjacent blocks
+    "MD031": false,
+    // Multiple blanks — editor artifacts, not semantic
+    "MD012": false,
+    // Single title — files may have multiple H1 sections
+    "MD025": false,
+    // Trailing spaces — editor artifacts
+    "MD009": false,
+    // Bare URLs — URL shortening not always needed
+    "MD034": false,
+    // Single trailing newline — editor artifacts
+    "MD047": false,
+    // Trailing punctuation — heading punctuation is intentional
+    "MD026": false,
+    // Space in emphasis — double-asterisk bold spacing varies by renderer
+    "MD037": false,
+    // No hard tabs — some generated docs use tabs for indentation
+    "MD010": false,
+    // Code block style — generated docs may use inconsistent styles
+    "MD046": false,
+    // Comment style — generated docs have no comments
+    "MD048": false,
+    // Commands show output — shell examples intentionally show only commands
+    "MD014": false
+  },
+  "ignores": [
+    "docs/api-reference/generated/**"
+  ]
+}

.markdownlintignore

@@ -0,0 +1 @@
+docs/api-reference/generated/**

README.md

@@ -32,3 +32,4 @@ gh workflow run Release --field version=0.1.0
 ## License
 
 Apache-2.0
+

artifacthub-pkg.yml

@@ -1,4 +1,4 @@
-version: "0.1.0"
+version: "0.1.2"
 name: headlamp-argocd
 displayName: ArgoCD Headlamp Plugin
 createdAt: "2026-04-21T00:00:00Z"
@@ -26,8 +26,8 @@ maintainers:
 provider:
   name: privilegedescalation
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.0/headlamp-argocd-0.1.0.tar.gz"
-  headlamp/plugin/archive-checksum: "sha256:1f4df43f79b795bdf4f70e1e3aa5bacadf689ea5584fdadf92fb677faab21c2c"
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-argocd-plugin/releases/download/v0.1.2/privilegedescalation-headlamp-argocd-plugin-0.1.2.tar.gz"
+  headlamp/plugin/archive-checksum: sha256:e71f84913eed1fd7e2d074912e3bfa668c4b1fefcbb069731a4e4277a998ca28
   headlamp/plugin/version-compat: ">=0.26"
   headlamp/plugin/distro-compat: "in-cluster"
 changes:

deployment/e2e-ci-runner-rbac.yaml

@@ -0,0 +1,36 @@
+---
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
+# CI-only test fixture — NOT for production use.
+#
+# Grants the ARC runner service account permissions in the headlamp-dev
+# namespace to deploy and tear down a dedicated Headlamp instance.
+# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
+#
+# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
+#
+# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
+# and managed by Flux GitOps. The infra repo is the source of truth.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: headlamp-dev
+rules:
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "watch"]
+  - apiGroups: [""]
+    resources: ["pods/log"]
+    verbs: ["get"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts/token"]
+    verbs: ["create"]
+  - apiGroups: ["rbac.authorization.k8s.io"]
+    resources: ["roles", "rolebindings"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]

e2e/argocd.spec.ts

@@ -0,0 +1,18 @@
+import { test, expect } from '@playwright/test';
+
+test.describe('ArgoCD plugin smoke tests', () => {
+  test('sidebar contains ArgoCD entry', async ({ page }) => {
+    await page.goto('/');
+    const sidebar = page.getByRole('navigation', { name: 'Navigation' });
+    await expect(sidebar).toBeVisible({ timeout: 15_000 });
+    await expect(sidebar.getByRole('button', { name: 'ArgoCD' })).toBeVisible();
+  });
+
+  test('applications list page loads', async ({ page }) => {
+    await page.goto('/c/main/argocd');
+
+    await expect(
+      page.getByRole('heading', { name: /argo.*cd/i })
+    ).toBeVisible({ timeout: 15_000 });
+  });
+});

e2e/auth.setup.ts

@@ -0,0 +1,34 @@
+import { test as setup, expect, Page } from '@playwright/test';
+
+const AUTH_STATE_PATH = 'e2e/.auth/state.json';
+
+async function authenticateWithToken(page: Page, token: string): Promise<void> {
+  await page.goto('/');
+  await page.waitForURL(/\/(login|token)$/);
+
+  if (page.url().includes('/login')) {
+    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
+    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
+    await useTokenBtn.click();
+    await page.waitForURL('**/token');
+  }
+
+  await page.getByRole('textbox', { name: /id token/i }).fill(token);
+  await page.getByRole('button', { name: /authenticate/i }).click();
+
+  await expect(page.getByRole('navigation', { name: 'Navigation' })).toBeVisible({
+    timeout: 15_000,
+  });
+}
+
+setup('authenticate with Headlamp', async ({ page }) => {
+  const token = process.env.HEADLAMP_TOKEN;
+
+  if (!token) {
+    throw new Error('Set HEADLAMP_TOKEN for token auth');
+  }
+
+  await authenticateWithToken(page, token);
+
+  await page.context().storageState({ path: AUTH_STATE_PATH });
+});

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@privilegedescalation/headlamp-argocd-plugin",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Headlamp plugin for ArgoCD visibility — monitors ArgoCD Applications, Rollouts, and health status",
   "repository": {
     "type": "git",
@@ -23,20 +23,12 @@
     "format": "prettier --write src/",
     "format:check": "prettier --check src/",
     "test": "vitest run",
-    "test:watch": "vitest"
-  },
-  "peerDependencies": {
-    "react": "^18.0.0",
-    "react-dom": "^18.0.0"
-  },
-  "pnpm": {
-    "overrides": {
-      "tar": "^7.5.11",
-      "undici": "^7.24.3",
-      "flatted": "^3.4.2"
-    }
+"test:watch": "vitest",
+    "e2e": "playwright test",
+    "e2e:headed": "playwright test --headed"
   },
   "devDependencies": {
+    "@playwright/test": "^1.58.2",
     "@kinvolk/headlamp-plugin": "^0.13.0",
     "@mui/material": "^5.15.14",
     "@testing-library/jest-dom": "^6.4.8",
@@ -52,9 +44,7 @@
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router-dom": "^5.3.0",
-    "tar": "^7.5.11",
     "typescript": "~5.6.2",
-    "undici": "^7.24.3",
     "vitest": "^3.0.5"
   }
-}
+}

playwright.config.ts

@@ -0,0 +1,27 @@
+import { defineConfig, devices } from '@playwright/test';
+
+export default defineConfig({
+  testDir: './e2e',
+  timeout: 30_000,
+  expect: { timeout: 10_000 },
+  fullyParallel: false,
+  forbidOnly: !!process.env.CI,
+  retries: process.env.CI ? 1 : 0,
+  reporter: 'list',
+  use: {
+    baseURL: process.env.HEADLAMP_URL || 'http://headlamp-e2e-argocd.headlamp-dev.svc.cluster.local',
+    trace: 'on-first-retry',
+    screenshot: 'only-on-failure',
+  },
+  projects: [
+    { name: 'setup', testMatch: /auth\.setup\.ts/, timeout: 60_000 },
+    {
+      name: 'chromium',
+      use: {
+        ...devices['Desktop Chrome'],
+        storageState: 'e2e/.auth/state.json',
+      },
+      dependencies: ['setup'],
+    },
+  ],
+});

pnpm-lock.yaml

@@ -4,11 +4,6 @@ settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
-overrides:
-  tar: ^7.5.11
-  undici: ^7.24.3
-  flatted: ^3.4.2
-
 importers:
 
   .:
@@ -22,6 +17,9 @@ importers:
       '@mui/material':
         specifier: ^5.15.14
         version: 5.18.0(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@emotion/styled@11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react@18.3.1))(@types/react@19.2.14)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
+      '@playwright/test':
+        specifier: ^1.58.2
+        version: 1.59.1
       '@testing-library/jest-dom':
         specifier: ^6.4.8
         version: 6.9.1
@@ -58,15 +56,9 @@ importers:
       react-router-dom:
         specifier: ^5.3.0
         version: 5.3.4(react@18.3.1)
-      tar:
-        specifier: ^7.5.11
-        version: 7.5.13
       typescript:
         specifier: ~5.6.2
         version: 5.6.3
-      undici:
-        specifier: ^7.24.3
-        version: 7.25.0
       vitest:
         specifier: ^3.0.5
         version: 3.2.4(@types/debug@4.1.13)(@types/node@20.19.39)(jsdom@24.1.3)(msw@2.4.9(typescript@5.6.3))(terser@5.46.1)(yaml@2.8.3)
@@ -1007,6 +999,11 @@ packages:
     resolution: {integrity: sha512-+1VkjdD0QBLPodGrJUeqarH8VAIvQODIbwh9XpP5Syisf7YoQgsJKPNFoqqLQlu+VQ/tVSshMR6loPMn8U+dPg==}
     engines: {node: '>=14'}
 
+  '@playwright/test@1.59.1':
+    resolution: {integrity: sha512-PG6q63nQg5c9rIi4/Z5lR5IVF7yU5MqmKaPOe0HSc0O2cX1fPi96sUQu5j7eo4gKCkB2AnNGoWt7y4/Xx3Kcqg==}
+    engines: {node: '>=18'}
+    hasBin: true
+
   '@popperjs/core@2.11.8':
     resolution: {integrity: sha512-P1st0aksCrn9sGZhp8GMYwBnQsbvAWsZAX44oXNNvLHGqAOcoVxmjZiohstwQ7SqKnbR47akdNi+uleWD8+g6A==}
 
@@ -3088,6 +3085,11 @@ packages:
   fs.realpath@1.0.0:
     resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}
 
+  fsevents@2.3.2:
+    resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==}
+    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
+    os: [darwin]
+
   fsevents@2.3.3:
     resolution: {integrity: sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==}
     engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
@@ -4227,6 +4229,16 @@ packages:
     resolution: {integrity: sha512-NPE8TDbzl/3YQYY7CSS228s3g2ollTFnc+Qi3tqmqJp9Vg2ovUpixcJEo2HJScN2Ez+kEaal6y70c0ehqJBJeA==}
     engines: {node: '>=10'}
 
+  playwright-core@1.59.1:
+    resolution: {integrity: sha512-HBV/RJg81z5BiiZ9yPzIiClYV/QMsDCKUyogwH9p3MCP6IYjUFu/MActgYAvK0oWyV9NlwM3GLBjADyWgydVyg==}
+    engines: {node: '>=18'}
+    hasBin: true
+
+  playwright@1.59.1:
+    resolution: {integrity: sha512-C8oWjPR3F81yljW9o5OxcWzfh6avkVwDD2VYdwIGqTkl+OGFISgypqzfu7dOe4QNLL2aqcWBmI3PMtLIK233lw==}
+    engines: {node: '>=18'}
+    hasBin: true
+
   possible-typed-array-names@1.1.0:
     resolution: {integrity: sha512-/+5VFTchJDoVj3bhoqi6UeymcD00DAwb1nJwamzPvHEszJ4FpF6SNNbUbOS8yI56qHzdV8eK0qEfOSiodkTdxg==}
     engines: {node: '>= 0.4'}
@@ -6235,10 +6247,10 @@ snapshots:
       jsdom: 24.1.3
       jsonpath-plus: 10.4.0
       lodash: 4.18.1
-      material-react-table: 2.13.3(330725fe5432f245d076f0c0dda1a7a7)
+      material-react-table: 2.13.3(0078ddeddc9e779fa84c03996c1db10e)
       monaco-editor: 0.52.2
       msw: 2.4.9(typescript@5.6.2)
-      msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.3))
+      msw-storybook-addon: 2.0.3(msw@2.4.9(typescript@5.6.2))
       notistack: 3.0.2(csstype@3.2.3)(react-dom@18.3.1(react@18.3.1))(react@18.3.1)
       path-browserify: 1.0.1
       prettier: 2.8.8
@@ -6633,6 +6645,10 @@ snapshots:
   '@pkgjs/parseargs@0.11.0':
     optional: true
 
+  '@playwright/test@1.59.1':
+    dependencies:
+      playwright: 1.59.1
+
   '@popperjs/core@2.11.8': {}
 
   '@reduxjs/toolkit@2.11.2(react-redux@9.2.0(@types/react@18.3.28)(react@18.3.1)(redux@5.0.1))(react@18.3.1)':
@@ -9191,6 +9207,9 @@ snapshots:
 
   fs.realpath@1.0.0: {}
 
+  fsevents@2.3.2:
+    optional: true
+
   fsevents@2.3.3:
     optional: true
 
@@ -9937,7 +9956,7 @@ snapshots:
       '@types/minimatch': 3.0.5
       minimatch: 3.1.5
 
-  material-react-table@2.13.3(330725fe5432f245d076f0c0dda1a7a7):
+  material-react-table@2.13.3(0078ddeddc9e779fa84c03996c1db10e):
     dependencies:
       '@emotion/react': 11.14.0(@types/react@18.3.28)(react@18.3.1)
       '@emotion/styled': 11.14.1(@emotion/react@11.14.0(@types/react@19.2.14)(react@18.3.1))(@types/react@18.3.28)(react@18.3.1)
@@ -10243,7 +10262,7 @@ snapshots:
 
   ms@2.1.3: {}
 
-  msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.3)):
+  msw-storybook-addon@2.0.3(msw@2.4.9(typescript@5.6.2)):
     dependencies:
       is-node-process: 1.2.0
       msw: 2.4.9(typescript@5.6.2)
@@ -10573,6 +10592,14 @@ snapshots:
     dependencies:
       find-up: 5.0.0
 
+  playwright-core@1.59.1: {}
+
+  playwright@1.59.1:
+    dependencies:
+      playwright-core: 1.59.1
+    optionalDependencies:
+      fsevents: 2.3.2
+
   possible-typed-array-names@1.1.0: {}
 
   postcss-modules-extract-imports@3.1.0(postcss@8.5.10):

renovate.json

@@ -0,0 +1,4 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["github>privilegedescalation/.github:renovate-config"]
+}

scripts/deploy-e2e-headlamp.sh

@@ -0,0 +1,173 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="$REPO_ROOT/dist"
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e-argocd}"
+HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
+
+if [ ! -d "$DIST_DIR" ]; then
+  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
+  exit 1
+fi
+
+echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
+if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
+  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
+  exit 1
+fi
+
+echo "=== E2E Headlamp Deployment ==="
+echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+echo ""
+echo "Creating ConfigMap with plugin files..."
+
+kubectl delete configmap headlamp-argocd-plugin \
+  -n "$E2E_NAMESPACE" --ignore-not-found
+
+kubectl create configmap headlamp-argocd-plugin \
+  -n "$E2E_NAMESPACE" \
+  --from-file="$DIST_DIR" \
+  --from-file=package.json="$REPO_ROOT/package.json"
+
+echo ""
+echo "Removing any existing E2E deployment (clean-start)..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
+
+echo ""
+echo "Deploying Headlamp E2E instance..."
+
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: ${E2E_RELEASE}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: ${E2E_RELEASE}
+    spec:
+      serviceAccountName: ${E2E_RELEASE}
+      automountServiceAccountToken: true
+      securityContext: {}
+      containers:
+        - name: headlamp
+          image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            runAsUser: 100
+            runAsGroup: 101
+          args:
+            - "-in-cluster"
+            - "-in-cluster-context-name=main"
+            - "-plugins-dir=/headlamp/plugins"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          volumeMounts:
+            - name: argocd-plugin
+              mountPath: /headlamp/plugins/headlamp-argocd
+              readOnly: true
+      volumes:
+        - name: argocd-plugin
+          configMap:
+            name: headlamp-argocd-plugin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+EOF
+
+echo "Waiting for rollout..."
+kubectl rollout status "deployment/${E2E_RELEASE}" \
+  -n "$E2E_NAMESPACE" --timeout=120s
+
+SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
+
+echo ""
+echo "Waiting for ${SVC_URL} to be reachable..."
+ATTEMPTS=0
+MAX_ATTEMPTS=24
+until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do
+  ATTEMPTS=$((ATTEMPTS + 1))
+  if [ "$ATTEMPTS" -ge "$MAX_ATTEMPTS" ]; then
+    echo "ERROR: ${SVC_URL} not reachable after $((MAX_ATTEMPTS * 5))s" >&2
+    exit 1
+  fi
+  echo "  [${ATTEMPTS}/${MAX_ATTEMPTS}] not yet reachable, retrying in 5s..."
+  sleep 5
+done
+echo ""
+echo "E2E Headlamp is ready at: ${SVC_URL}"
+
+echo ""
+echo "Creating service account token for E2E auth..."
+kubectl create serviceaccount headlamp-e2e-test \
+  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
+
+TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
+if [ -n "$TOKEN" ]; then
+  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
+  echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
+  echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
+else
+  echo "  WARNING: Could not generate token."
+fi
+
+echo ""
+echo "E2E deployment complete."

scripts/teardown-e2e-headlamp.sh

@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
+E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e-argocd}"
+
+echo "=== E2E Teardown ==="
+echo "  Namespace: $E2E_NAMESPACE"
+echo "  Release:   $E2E_RELEASE"
+
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found || true
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found || true
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found || true
+kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found || true
+kubectl delete configmap headlamp-argocd-plugin -n "$E2E_NAMESPACE" --ignore-not-found || true
+
+echo "Teardown complete."

src/__tests__/PageInjections.test.tsx

@@ -0,0 +1,142 @@
+import { describe, expect, it } from "vitest";
+import type { ArgoCDApplication } from "../api/argocd";
+
+// --- Matching helpers (copied for unit testing) ---
+
+function appsForNamespace(
+  apps: ArgoCDApplication[],
+  namespace: string
+): ArgoCDApplication[] {
+  return apps.filter((app) => app.spec?.destination?.namespace === namespace);
+}
+
+function appsForDeployment(
+  apps: ArgoCDApplication[],
+  deploymentName: string
+): ArgoCDApplication[] {
+  return apps.filter((app) =>
+    (app.status?.resources ?? []).some(
+      (res) => res.kind === "Deployment" && res.name === deploymentName
+    )
+  );
+}
+
+// --- Fixture factory ---
+
+function makeApp(
+  overrides: Partial<ArgoCDApplication> = {}
+): ArgoCDApplication {
+  return {
+    metadata: { name: "test-app", namespace: "argocd" },
+    spec: { project: "default" },
+    status: {},
+    ...overrides,
+  } as ArgoCDApplication;
+}
+
+// --- appsForNamespace tests ---
+
+describe("appsForNamespace", () => {
+  it("returns apps whose destination.namespace matches", () => {
+    const apps = [
+      makeApp({
+        metadata: { name: "app-a", namespace: "argocd" },
+        spec: { project: "default", destination: { namespace: "web" } },
+      }),
+      makeApp({
+        metadata: { name: "app-b", namespace: "argocd" },
+        spec: { project: "default", destination: { namespace: "data" } },
+      }),
+    ];
+    expect(appsForNamespace(apps, "web").map((a) => a.metadata.name)).toEqual([
+      "app-a",
+    ]);
+  });
+
+  it("returns empty array when no match", () => {
+    const apps = [
+      makeApp({
+        metadata: { name: "app-a", namespace: "argocd" },
+        spec: { project: "default", destination: { namespace: "web" } },
+      }),
+    ];
+    expect(appsForNamespace(apps, "data")).toEqual([]);
+  });
+
+  it("returns empty array for empty app list", () => {
+    expect(appsForNamespace([], "web")).toEqual([]);
+  });
+
+  it("returns empty array when destination is undefined", () => {
+    const apps = [
+      makeApp({
+        metadata: { name: "app-a", namespace: "argocd" },
+        spec: { project: "default" },
+      }),
+    ];
+    expect(appsForNamespace(apps, "web")).toEqual([]);
+  });
+});
+
+// --- appsForDeployment tests ---
+
+describe("appsForDeployment", () => {
+  it("returns apps that manage the deployment via status.resources", () => {
+    const apps = [
+      makeApp({
+        metadata: { name: "app-a", namespace: "argocd" },
+        status: {
+          resources: [{ kind: "Deployment", name: "nginx", namespace: "web" }],
+        },
+      }),
+      makeApp({
+        metadata: { name: "app-b", namespace: "argocd" },
+        status: {
+          resources: [{ kind: "Service", name: "nginx", namespace: "web" }],
+        },
+      }),
+    ];
+    expect(
+      appsForDeployment(apps, "nginx").map((a) => a.metadata.name)
+    ).toEqual(["app-a"]);
+  });
+
+  it("returns empty array when no deployment resource matches", () => {
+    const apps = [
+      makeApp({
+        metadata: { name: "app-a", namespace: "argocd" },
+        status: {
+          resources: [{ kind: "Service", name: "nginx", namespace: "web" }],
+        },
+      }),
+    ];
+    expect(appsForDeployment(apps, "nginx")).toEqual([]);
+  });
+
+  it("returns empty array for empty app list", () => {
+    expect(appsForDeployment([], "nginx")).toEqual([]);
+  });
+
+  it("returns empty array when resources is undefined", () => {
+    const apps = [
+      makeApp({ metadata: { name: "app-a", namespace: "argocd" }, status: {} }),
+    ];
+    expect(appsForDeployment(apps, "nginx")).toEqual([]);
+  });
+
+  it("returns multiple apps that manage the same deployment", () => {
+    const apps = [
+      makeApp({
+        metadata: { name: "app-a", namespace: "argocd" },
+        status: { resources: [{ kind: "Deployment", name: "nginx" }] },
+      }),
+      makeApp({
+        metadata: { name: "app-b", namespace: "argocd" },
+        status: { resources: [{ kind: "Deployment", name: "nginx" }] },
+      }),
+    ];
+    expect(
+      appsForDeployment(apps, "nginx").map((a) => a.metadata.name)
+    ).toEqual(["app-a", "app-b"]);
+  });
+});

src/components/DeploymentArgoBadge.tsx

@@ -0,0 +1,101 @@
+import { ApiProxy } from "@kinvolk/headlamp-plugin/lib";
+import {
+  Link,
+  StatusLabel,
+} from "@kinvolk/headlamp-plugin/lib/CommonComponents";
+import React, { useEffect, useState } from "react";
+import { ArgoCDApplication, ArgoCDApplicationsList } from "../api/argocd";
+import { syncStatusToColor } from "./ApplicationsList";
+
+// --- API ---
+
+const ARGOCD_API_PATH =
+  "/api/v1/namespaces/argocd/services/argocd-server/proxy/api/v1/applications";
+
+async function fetchApplications(): Promise<ArgoCDApplicationsList> {
+  const response = (await ApiProxy.request(
+    ARGOCD_API_PATH
+  )) as ArgoCDApplicationsList;
+  return response;
+}
+
+// --- Matching helper ---
+
+/**
+ * Returns ArgoCD applications that manage the given Deployment by matching
+ * kind=Deployment and name in Application.status.resources[].
+ */
+export function appsForDeployment(
+  apps: ArgoCDApplication[],
+  deploymentName: string
+): ArgoCDApplication[] {
+  return apps.filter((app) =>
+    (app.status?.resources ?? []).some(
+      (res) => res.kind === "Deployment" && res.name === deploymentName
+    )
+  );
+}
+
+// --- Component ---
+
+interface DeploymentArgoBadgeProps {
+  deploymentName: string;
+}
+
+export default function DeploymentArgoBadge({
+  deploymentName,
+}: DeploymentArgoBadgeProps) {
+  const [apps, setApps] = useState<ArgoCDApplication[] | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetchApplications()
+      .then((data) => {
+        if (cancelled) return;
+        const matched = appsForDeployment(data.items ?? [], deploymentName);
+        setApps(matched);
+        setLoading(false);
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        setError(err instanceof Error ? err.message : String(err));
+        setLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [deploymentName]);
+
+  if (loading || error || !apps || apps.length === 0) {
+    return null; // Show nothing when no matching application
+  }
+
+  const app = apps[0]; // Show first matching app
+  const lastSynced = app.status?.history?.length
+    ? app.status.history[app.status.history.length - 1]?.dexKey
+    : null;
+  const lastSyncedStr = lastSynced
+    ? new Date(lastSynced).toLocaleString()
+    : "—";
+
+  return (
+    <span>
+      &nbsp;
+      <Link to={`/argocd/applications/${app.metadata.name}`}>
+        ArgoCD: {app.metadata.name}
+      </Link>
+      &nbsp;
+      <StatusLabel
+        status={syncStatusToColor(app.status?.sync?.status ?? "Unknown")}
+      >
+        {app.status?.sync?.status ?? "Unknown"}
+      </StatusLabel>
+      &nbsp;
+      <span style={{ fontSize: "0.85em", opacity: 0.8 }}>
+        Last sync: {lastSyncedStr}
+      </span>
+    </span>
+  );
+}

src/components/NamespaceArgoSection.tsx

@@ -0,0 +1,120 @@
+import { ApiProxy } from "@kinvolk/headlamp-plugin/lib";
+import {
+  Link,
+  SectionBox,
+  StatusLabel,
+} from "@kinvolk/headlamp-plugin/lib/CommonComponents";
+import React, { useEffect, useState } from "react";
+import { ArgoCDApplication, ArgoCDApplicationsList } from "../api/argocd";
+import {
+  healthStatusToColor,
+  healthStatusToLabel,
+  syncStatusToColor,
+} from "./ApplicationsList";
+
+// --- API ---
+
+const ARGOCD_API_PATH =
+  "/api/v1/namespaces/argocd/services/argocd-server/proxy/api/v1/applications";
+
+async function fetchApplications(): Promise<ArgoCDApplicationsList> {
+  const response = (await ApiProxy.request(
+    ARGOCD_API_PATH
+  )) as ArgoCDApplicationsList;
+  return response;
+}
+
+// --- Matching helper ---
+
+/**
+ * Returns ArgoCD applications whose spec.destination.namespace matches
+ * the given namespace name.
+ */
+export function appsForNamespace(
+  apps: ArgoCDApplication[],
+  namespace: string
+): ArgoCDApplication[] {
+  return apps.filter((app) => app.spec?.destination?.namespace === namespace);
+}
+
+// --- Component ---
+
+interface NamespaceArgoSectionProps {
+  namespaceName: string;
+}
+
+export default function NamespaceArgoSection({
+  namespaceName,
+}: NamespaceArgoSectionProps) {
+  const [apps, setApps] = useState<ArgoCDApplication[] | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetchApplications()
+      .then((data) => {
+        if (cancelled) return;
+        const matched = appsForNamespace(data.items ?? [], namespaceName);
+        setApps(matched);
+        setLoading(false);
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        setError(err instanceof Error ? err.message : String(err));
+        setLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [namespaceName]);
+
+  if (loading) {
+    return (
+      <SectionBox title="ArgoCD">
+        <StatusLabel status="warning">Loading...</StatusLabel>
+      </SectionBox>
+    );
+  }
+
+  if (error || !apps) {
+    return (
+      <SectionBox title="ArgoCD">
+        <StatusLabel status="error">ArgoCD unreachable</StatusLabel>
+      </SectionBox>
+    );
+  }
+
+  if (apps.length === 0) {
+    return null; // Show nothing when no matching application
+  }
+
+  return (
+    <SectionBox title="ArgoCD">
+      <StatusLabel status="success">{apps.length} application(s)</StatusLabel>
+      <ul style={{ paddingLeft: 20, margin: "8px 0" }}>
+        {apps.map((app) => (
+          <li key={app.metadata.name} style={{ marginBottom: 8 }}>
+            <Link to={`/argocd/applications/${app.metadata.name}`}>
+              {app.metadata.name}
+            </Link>
+            &nbsp;
+            <StatusLabel
+              status={healthStatusToColor(
+                app.status?.health?.status ?? "Unknown"
+              )}
+            >
+              {healthStatusToLabel(app.status?.health?.status ?? "Unknown")}
+            </StatusLabel>
+            &nbsp;
+            <StatusLabel
+              status={syncStatusToColor(app.status?.sync?.status ?? "Unknown")}
+            >
+              {app.status?.sync?.status ?? "Unknown"}
+            </StatusLabel>
+          </li>
+        ))}
+      </ul>
+    </SectionBox>
+  );
+}

src/components/PageInjections.tsx

@@ -0,0 +1,207 @@
+/**
+ * Page injection registrations for ArgoCD plugin.
+ * Registers detail view sections on Namespace and Deployment pages.
+ */
+import { ApiProxy } from "@kinvolk/headlamp-plugin/lib";
+import { KubeObject } from "@kinvolk/headlamp-plugin/lib/lib/k8s/KubeObject";
+import { registerDetailsViewSection } from "@kinvolk/headlamp-plugin/lib";
+import {
+  SectionBox,
+  StatusLabel,
+} from "@kinvolk/headlamp-plugin/lib/CommonComponents";
+import { Link } from "react-router-dom";
+import React, { useEffect, useState } from "react";
+import { ArgoCDApplication, ArgoCDApplicationsList } from "../api/argocd";
+import {
+  healthStatusToColor,
+  healthStatusToLabel,
+  syncStatusToColor,
+} from "./ApplicationsList";
+
+// --- API ---
+
+const ARGOCD_API_PATH =
+  "/api/v1/namespaces/argocd/services/argocd-server/proxy/api/v1/applications";
+
+async function fetchApplications(): Promise<ArgoCDApplicationsList> {
+  const response = (await ApiProxy.request(
+    ARGOCD_API_PATH
+  )) as ArgoCDApplicationsList;
+  return response;
+}
+
+// --- Namespace section ---
+
+function NamespaceArgoSection({ resource }: { resource: KubeObject }) {
+  const namespaceName = resource.metadata.name;
+  const [apps, setApps] = useState<ArgoCDApplication[] | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetchApplications()
+      .then((data) => {
+        if (cancelled) return;
+        const matched = (data.items ?? []).filter(
+          (app) => app.spec?.destination?.namespace === namespaceName
+        );
+        setApps(matched);
+        setLoading(false);
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        setError(err instanceof Error ? err.message : String(err));
+        setLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [namespaceName]);
+
+  if (loading) {
+    return (
+      <SectionBox title="ArgoCD">
+        <StatusLabel status="warning">Loading...</StatusLabel>
+      </SectionBox>
+    );
+  }
+
+  if (error || !apps) {
+    return (
+      <SectionBox title="ArgoCD">
+        <StatusLabel status="error">ArgoCD unreachable</StatusLabel>
+      </SectionBox>
+    );
+  }
+
+  if (apps.length === 0) {
+    return null;
+  }
+
+  return (
+    <SectionBox title="ArgoCD">
+      <StatusLabel status="success">{apps.length} application(s)</StatusLabel>
+      <ul style={{ paddingLeft: 20, margin: "8px 0" }}>
+        {apps.map((app) => (
+          <li key={app.metadata.name} style={{ marginBottom: 8 }}>
+            <Link to={`/argocd/applications/${app.metadata.name}`}>
+              {app.metadata.name}
+            </Link>
+            &nbsp;
+            <StatusLabel
+              status={healthStatusToColor(
+                (app.status?.health?.status as
+                  | "Healthy"
+                  | "Degraded"
+                  | "Progressing"
+                  | "Missing"
+                  | "Unknown") ?? "Unknown"
+              )}
+            >
+              {healthStatusToLabel(
+                (app.status?.health?.status as
+                  | "Healthy"
+                  | "Degraded"
+                  | "Progressing"
+                  | "Missing"
+                  | "Unknown") ?? "Unknown"
+              )}
+            </StatusLabel>
+            &nbsp;
+            <StatusLabel
+              status={syncStatusToColor(
+                (app.status?.sync?.status as
+                  | "Synced"
+                  | "OutOfSync"
+                  | "Unknown") ?? "Unknown"
+              )}
+            >
+              {app.status?.sync?.status ?? "Unknown"}
+            </StatusLabel>
+          </li>
+        ))}
+      </ul>
+    </SectionBox>
+  );
+}
+
+// --- Deployment badge ---
+
+function DeploymentArgoBadge({ resource }: { resource: KubeObject }) {
+  const deploymentName = resource.metadata.name;
+  const [apps, setApps] = useState<ArgoCDApplication[] | null>(null);
+  const [loading, setLoading] = useState(true);
+  const [error, setError] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetchApplications()
+      .then((data) => {
+        if (cancelled) return;
+        const matched = (data.items ?? []).filter((app) =>
+          (app.status?.resources ?? []).some(
+            (res) => res.kind === "Deployment" && res.name === deploymentName
+          )
+        );
+        setApps(matched);
+        setLoading(false);
+      })
+      .catch((err: unknown) => {
+        if (cancelled) return;
+        setError(err instanceof Error ? err.message : String(err));
+        setLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [deploymentName]);
+
+  if (loading || error || !apps || apps.length === 0) {
+    return null;
+  }
+
+  const app = apps[0];
+  const lastSynced = app.status?.history?.length
+    ? app.status.history[app.status.history.length - 1]?.dexKey
+    : null;
+  const lastSyncedStr = lastSynced
+    ? new Date(lastSynced).toLocaleString()
+    : "—";
+
+  return (
+    <span>
+      &nbsp;
+      <Link to={`/argocd/applications/${app.metadata.name}`}>
+        ArgoCD: {app.metadata.name}
+      </Link>
+      &nbsp;
+      <StatusLabel
+        status={syncStatusToColor(
+          (app.status?.sync?.status as "Synced" | "OutOfSync" | "Unknown") ??
+            "Unknown"
+        )}
+      >
+        {app.status?.sync?.status ?? "Unknown"}
+      </StatusLabel>
+      &nbsp;
+      <span style={{ fontSize: "0.85em", opacity: 0.8 }}>
+        Last sync: {lastSyncedStr}
+      </span>
+    </span>
+  );
+}
+
+// --- Registration ---
+
+registerDetailsViewSection(({ resource }: { resource: KubeObject }) => {
+  if (resource.kind === "Namespace") {
+    return <NamespaceArgoSection resource={resource} />;
+  }
+
+  if (resource.kind === "Deployment") {
+    return <DeploymentArgoBadge resource={resource} />;
+  }
+
+  return null;
+});

src/index.tsx

@@ -9,6 +9,7 @@ import {
 import React from "react";
 import ApplicationDetail from "./components/ApplicationDetail";
 import ApplicationsList from "./components/ApplicationsList";
+import "./components/PageInjections"; // side-effect: registers detail view sections
 
 // --- Error boundary for plugin components ---