diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index aa50bfa..a28cb07 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -32,9 +32,6 @@ jobs:
       - name: Setup kubectl
         uses: azure/setup-kubectl@v4
 
-      - name: Setup Helm
-        uses: azure/setup-helm@v4
-
       - name: Install dependencies
         run: npm ci
 
@@ -61,8 +58,6 @@ jobs:
         env:
           HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
           HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
-          AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }}
-          AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }}
 
       - name: Teardown E2E instance
         if: always()
diff --git a/deployment/headlamp-e2e-values.yaml b/deployment/headlamp-e2e-values.yaml
deleted file mode 100644
index dddd973..0000000
--- a/deployment/headlamp-e2e-values.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-# Headlamp Helm values for E2E testing.
-#
-# Uses the stock Headlamp image with the plugin loaded via a ConfigMap
-# volume mount. No custom Docker images — the plugin dist/ is packaged
-# as a ConfigMap by deploy-e2e-headlamp.sh.
-#
-# Usage:
-#   helm install headlamp-e2e headlamp/headlamp \
-#     -n privilegedescalation-dev \
-#     -f deployment/headlamp-e2e-values.yaml \
-#     --set image.registry=ghcr.io \
-#     --set image.repository=headlamp-k8s/headlamp \
-#     --set image.tag=latest
-
-config:
-  pluginsDir: /headlamp/plugins
-  watchPlugins: false
-
-clusterRoleBinding:
-  create: false
-
-service:
-  type: ClusterIP
-
-extraVolumes:
-  - name: polaris-plugin
-    configMap:
-      name: headlamp-polaris-plugin
-
-extraVolumeMounts:
-  - name: polaris-plugin
-    mountPath: /headlamp/plugins/headlamp-polaris
-    readOnly: true
diff --git a/e2e/auth.setup.ts b/e2e/auth.setup.ts
index 817f003..2bc6d1d 100644
--- a/e2e/auth.setup.ts
+++ b/e2e/auth.setup.ts
@@ -39,13 +39,16 @@ async function authenticateWithOIDC(page: Page, username: string, password: stri
 }
 
 async function authenticateWithToken(page: Page, token: string): Promise<void> {
-  // Navigate to login — Headlamp redirects / to /c/main/login
   await page.goto('/');
-  await page.waitForURL('**/login');
+  // Headlamp goes to /token directly when no OIDC is configured,
+  // or through /login when OIDC is configured
+  await page.waitForURL(/\/(login|token)$/);
 
-  // Click the token auth option
-  await page.getByRole('button', { name: /use a token/i }).click();
-  await page.waitForURL('**/token');
+  if (page.url().includes('/login')) {
+    // OIDC login page — click "use a token" to reach token auth
+    await page.getByRole('button', { name: /use a token/i }).click();
+    await page.waitForURL('**/token');
+  }
 
   // Fill the "ID token" field and submit
   await page.getByRole('textbox', { name: /id token/i }).fill(token);
diff --git a/scripts/deploy-e2e-headlamp.sh b/scripts/deploy-e2e-headlamp.sh
index 77378ba..412dd89 100755
--- a/scripts/deploy-e2e-headlamp.sh
+++ b/scripts/deploy-e2e-headlamp.sh
@@ -11,12 +11,11 @@
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-#   - Helm 3 installed
 #   - RBAC applied: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
 #
 # Environment:
 #   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
-#   E2E_RELEASE       — Helm release name (default: headlamp-e2e)
+#   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: latest)
 set -euo pipefail
 
@@ -59,28 +58,105 @@ kubectl create configmap headlamp-polaris-plugin \
   --from-file="$DIST_DIR" \
   --from-file=package.json="$REPO_ROOT/package.json"
 
-# --- Deploy with Helm ---
+# --- Deploy Headlamp via kubectl apply ---
 echo ""
-echo "Adding Headlamp Helm repo..."
-helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/ --force-update
-helm repo update
+echo "Deploying Headlamp E2E instance..."
 
-echo "Installing/upgrading Headlamp E2E instance..."
-helm upgrade --install "$E2E_RELEASE" headlamp/headlamp \
-  -n "$E2E_NAMESPACE" \
-  -f "$REPO_ROOT/deployment/headlamp-e2e-values.yaml" \
-  --set "image.registry=ghcr.io" \
-  --set "image.repository=headlamp-k8s/headlamp" \
-  --set "image.tag=${HEADLAMP_VERSION}" \
-  --wait \
-  --timeout 120s
+kubectl apply -f - <<EOF
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: ${E2E_RELEASE}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: ${E2E_RELEASE}
+    spec:
+      serviceAccountName: ${E2E_RELEASE}
+      automountServiceAccountToken: true
+      securityContext: {}
+      containers:
+        - name: headlamp
+          image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsNonRoot: true
+            privileged: false
+            runAsUser: 100
+            runAsGroup: 101
+          args:
+            - "-in-cluster"
+            - "-in-cluster-context-name=main"
+            - "-plugins-dir=/headlamp/plugins"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 5
+            failureThreshold: 6
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          volumeMounts:
+            - name: polaris-plugin
+              mountPath: /headlamp/plugins/headlamp-polaris
+              readOnly: true
+      volumes:
+        - name: polaris-plugin
+          configMap:
+            name: headlamp-polaris-plugin
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ${E2E_RELEASE}
+  namespace: ${E2E_NAMESPACE}
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: ${E2E_RELEASE}
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+EOF
 
 echo "Waiting for rollout..."
-kubectl rollout status "deployment/${E2E_RELEASE}-headlamp" \
+kubectl rollout status "deployment/${E2E_RELEASE}" \
   -n "$E2E_NAMESPACE" --timeout=120s
 
 # --- Generate a service URL for tests ---
-SVC_URL="http://${E2E_RELEASE}-headlamp.${E2E_NAMESPACE}.svc.cluster.local"
+SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
 echo ""
 echo "E2E Headlamp is ready at: ${SVC_URL}"
 echo "  export HEADLAMP_URL=${SVC_URL}"
diff --git a/scripts/teardown-e2e-headlamp.sh b/scripts/teardown-e2e-headlamp.sh
index cf310cf..b8ed7e6 100755
--- a/scripts/teardown-e2e-headlamp.sh
+++ b/scripts/teardown-e2e-headlamp.sh
@@ -5,7 +5,7 @@
 #
 # Environment:
 #   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
-#   E2E_RELEASE    — Helm release to uninstall (default: headlamp-e2e)
+#   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
@@ -17,13 +17,15 @@ echo "=== E2E Headlamp Teardown ==="
 echo "  Namespace: $E2E_NAMESPACE"
 echo "  Release:   $E2E_RELEASE"
 
-echo "Uninstalling Helm release..."
-helm uninstall "$E2E_RELEASE" -n "$E2E_NAMESPACE" 2>/dev/null || echo "Release not found (already removed?)"
+echo "Removing Headlamp Deployment, Service, and ServiceAccount..."
+kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
+kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
 
 echo "Cleaning up ConfigMap..."
 kubectl delete configmap headlamp-polaris-plugin -n "$E2E_NAMESPACE" --ignore-not-found
 
-echo "Cleaning up service account..."
+echo "Cleaning up test service account..."
 kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
 
 # Clean up local env file