chore: regenerate pnpm-lock.yaml with elliptic override

fix: add elliptic override for GHSA-848j-6mx2-7j84
Add pnpm.overrides.elliptic to prevent version regression on the transitive elliptic vulnerability (CVE-2025-14505). Vulnerability path: @kinvolk/headlamp-plugin → vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → browserify-sign → elliptic Note: pnpm audit will still report the vulnerability until upstream publishes elliptic 6.6.2+. This override safeguards against pulling a worse version. Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-06 00:59:53 +00:00 · 2026-05-06 00:44:50 +00:00 · 2026-05-04 11:01:53 +00:00 · 2026-05-04 10:50:27 +00:00 · 2026-05-03 17:43:58 +00:00
26 changed files with 722 additions and 309 deletions
@@ -11,15 +11,15 @@ permissions:
  contents: read
 # Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# privilegedescalation-dev cannot be shared across concurrent runs.
+# headlamp-dev cannot be shared across concurrent runs.
 # cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
-# runs may skip the if: always() teardown, leaving dangling cluster resources.
+# runs may skip the if:always() teardown, leaving dangling cluster resources.
 concurrency:
  group: e2e-${{ github.repository }}
  cancel-in-progress: false
 env:
-  E2E_NAMESPACE: privilegedescalation-dev
+  E2E_NAMESPACE: headlamp-dev
  E2E_RELEASE: headlamp-e2e
  # Pin to a known-good Headlamp version. Using :latest is risky because
  # the tag can change between CI runs, causing flaky failures when a newer
@@ -229,7 +229,7 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 **Action Items:**
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
- [ ] Integrate Dependabot
+- [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
 - [ ] Add semantic-release
 ---
@@ -97,7 +97,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp # adjust to match your Headlamp service account
-    namespace: headlamp # adjust to match the namespace Headlamp runs in
+    namespace: kube-system # adjust to match the namespace Headlamp runs in
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -197,7 +197,7 @@ npm test
 npm run test:watch
 # E2E tests (Playwright)
-export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
+export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
 npm run e2e
 npm run e2e:headed   # see browser
 ```
@@ -71,7 +71,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:
 The project uses:
 - **npm audit**: Runs automatically during `npm install`
- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
+- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit
 ### Updating Dependencies
@@ -1,12 +1,46 @@
 ---
-# RBAC for the GitHub Actions CI runner to manage E2E Headlamp instances.
+# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
 # CI-only test fixture — NOT for production use.
 #
-# This file is a REFERENCE ONLY. The canonical manifest lives in:
+# Grants the ARC runner service account permissions in the headlamp-dev
-#   privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
+# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
 # E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
 #
-# The infra repo is managed by Flux GitOps and is the source of truth.
+# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
 # Do not apply this file directly — it is kept here for developer reference only.
 #
-# E2E resources run in `privilegedescalation-dev` — nothing persists beyond a test run.
+# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
-# RBAC is managed via Flux from privilegedescalation/infra — do not apply manually.
+# and managed by Flux GitOps. The infra repo is the source of truth.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: e2e-ci-runner
  namespace: headlamp-dev
 rules:
  # Helm needs to manage these resources for the Headlamp chart
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
  - apiGroups: [""]
    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  # Token creation for E2E test auth
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: e2e-ci-runner-binding
  namespace: headlamp-dev
 subjects:
  - kind: ServiceAccount
    name: runners-privilegedescalation-gha-rs-no-permission
    namespace: arc-runners
 roleRef:
  kind: Role
  name: e2e-ci-runner
  apiGroup: rbac.authorization.k8s.io
@@ -33,7 +33,7 @@ kubectl -n polaris get svc polaris-dashboard
 kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
 # Verify Headlamp is deployed
-kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
+kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
 ```
 ## Installation Methods
@@ -59,7 +59,7 @@ kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
   ```bash
   helm upgrade --install headlamp headlamp/headlamp \
-     --namespace headlamp \
+     --namespace kube-system \
     --values headlamp-values.yaml
   ```
@@ -268,9 +268,10 @@ npm run e2e
 ```bash
 # Create token
-export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
+export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
-kubectl port-forward -n headlamp svc/headlamp 4466:80
+# Port-forward for local testing
 kubectl port-forward -n kube-system svc/headlamp 4466:80
 # Run tests
 HEADLAMP_URL=http://localhost:4466 npm run e2e
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
 ```bash
 # View Headlamp pod logs (plugin sidecar)
-kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
+kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
 # Expected output:
 # Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
 **Verify plugin files exist**:
 ```bash
-kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
+kubectl exec -n kube-system deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
 # Should show: headlamp-polaris-plugin/
 ```
@@ -118,7 +118,7 @@ Expected subjects:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 ```
 For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
 ```bash
 # Impersonate Headlamp service account
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  --resource-name=polaris-dashboard \
  -n polaris
 # Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
 After applying RBAC changes:
 ```bash
-kubectl rollout restart deployment headlamp -n headlamp
+kubectl rollout restart deployment headlamp -n kube-system
 ```
 ---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
 #!/bin/bash
 NS="polaris"
 SA="headlamp"
-SA_NS="headlamp"
+SA_NS="kube-system"
 echo "=== Testing RBAC for Polaris Plugin ==="
@@ -529,8 +529,8 @@ echo "=== Test complete ==="
 Test connectivity from Headlamp to Polaris:
 ```bash
-# Create debug pod in headlamp namespace
+# Create debug pod in kube-system namespace
-kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
+kubectl run netdebug -n kube-system --rm -it --image=nicolaka/netshoot -- bash
 # Inside pod, test DNS and HTTP
 nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
 ```bash
 # View recent audit logs (location varies by cluster)
-kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
+kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
 # Look for lines with:
 # "reason": "Forbidden"
-# "user": "system:serviceaccount:headlamp:headlamp"
+# "user": "system:serviceaccount:kube-system:headlamp"
 ```
 ---
@@ -567,7 +567,7 @@ kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
 **Check sidecar logs**:
 ```bash
-kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
+kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
 ```
 **Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
 **Solution**: Verify `archive-url` in plugin config matches GitHub release:
 ```bash
-kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
+kubectl get configmap headlamp-plugin-config -n kube-system -o yaml
 ```
 Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
 1. **Version Information**:
   ```bash
-   kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
+   kubectl get pods -n kube-system -l app.kubernetes.io/name=headlamp -o yaml | grep image:
   ```
 2. **Plugin Version**:
   - Check Settings → Plugins in Headlamp UI
-   - Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
+   - Or: `kubectl exec -n kube-system deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
 3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
 5. **Pod Logs**:
   ```bash
-   kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
+   kubectl logs -n kube-system deployment/headlamp -c headlamp --tail=100
   kubectl logs -n polaris deployment/polaris-dashboard --tail=100
   ```
@@ -41,11 +41,11 @@ pluginsManager:
 ```bash
 # Install Headlamp
 helm install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml
 # Wait for deployment
-kubectl -n headlamp wait --for=condition=available deployment/headlamp --timeout=300s
+kubectl -n kube-system wait --for=condition=available deployment/headlamp --timeout=300s
 ```
 After installation, install the plugin via Headlamp UI (**Settings → Plugins → Catalog**).
@@ -131,7 +131,7 @@ Deploy:
 ```bash
 helm upgrade --install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml \
  --wait \
  --timeout 5m
@@ -177,7 +177,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headlamp-plugin-config
-  namespace: headlamp
+  namespace: kube-system
 data:
  plugin.yml: |
    - name: headlamp-polaris-plugin
@@ -191,7 +191,7 @@ Apply ConfigMap then deploy Headlamp:
 kubectl apply -f headlamp-plugin-config.yaml
 helm upgrade --install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml
 ```
@@ -221,7 +221,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
  name: headlamp
-  namespace: headlamp
+  namespace: kube-system
 spec:
  interval: 30m
  chart:
@@ -300,7 +300,7 @@ kubectl apply -f helmrepository.yaml
 kubectl apply -f helmrelease.yaml
 # Watch deployment
-flux get helmreleases -n headlamp --watch
+flux get helmreleases -n kube-system --watch
 ```
 ## RBAC Configuration
@@ -329,7 +329,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -349,7 +349,7 @@ helm repo update
 # Upgrade Headlamp (preserves plugin configuration)
 helm upgrade headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml \
  --wait
 ```
@@ -365,15 +365,15 @@ helm upgrade headlamp headlamp/headlamp \
 ```bash
 # Update ConfigMap with new version
-kubectl -n headlamp edit configmap headlamp-plugin-config
+kubectl -n kube-system edit configmap headlamp-plugin-config
 # Update version and URL:
 # version: 0.3.6
 # url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz
 # Restart deployment to trigger init container
-kubectl -n headlamp rollout restart deployment/headlamp
+kubectl -n kube-system rollout restart deployment/headlamp
-kubectl -n headlamp rollout status deployment/headlamp
+kubectl -n kube-system rollout status deployment/headlamp
 ```
 ## Troubleshooting
@@ -382,25 +382,25 @@ kubectl -n headlamp rollout status deployment/headlamp
 ```bash
 # Check Headlamp values
-helm get values headlamp -n headlamp
+helm get values headlamp -n kube-system
 # Verify plugin files exist
-kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
+kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
  ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # If missing, reinstall plugin via UI or check init container logs
-kubectl -n headlamp logs deployment/headlamp -c install-polaris-plugin
+kubectl -n kube-system logs deployment/headlamp -c install-polaris-plugin
 ```
 ### Helm Release Stuck
 ```bash
 # Check Helm release status
-helm list -n headlamp
+helm list -n kube-system
 # If stuck, force upgrade
 helm upgrade headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml \
  --force \
  --wait
@@ -410,13 +410,13 @@ helm upgrade headlamp headlamp/headlamp \
 ```bash
 # Check HelmRelease status
-flux get helmreleases -n headlamp
+flux get helmreleases -n kube-system
 # Check events
-kubectl -n headlamp describe helmrelease headlamp
+kubectl -n kube-system describe helmrelease headlamp
 # Force reconciliation
-flux reconcile helmrelease headlamp -n headlamp
+flux reconcile helmrelease headlamp -n kube-system
 ```
 ## Next Steps
@@ -47,7 +47,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -71,7 +71,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
 # Test permission
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -90,7 +90,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headlamp-plugin-config
-  namespace: headlamp
+  namespace: kube-system
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/component: plugin-config
@@ -109,7 +109,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
-  namespace: headlamp
+  namespace: kube-system
  labels:
    app.kubernetes.io/name: headlamp
 spec:
@@ -194,7 +194,7 @@ apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
-  namespace: headlamp
+  namespace: kube-system
  labels:
    app.kubernetes.io/name: headlamp
@@ -204,7 +204,7 @@ apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
-  namespace: headlamp
+  namespace: kube-system
  labels:
    app.kubernetes.io/name: headlamp
 spec:
@@ -235,27 +235,27 @@ kubectl apply -f headlamp-service.yaml
 kubectl apply -f headlamp-serviceaccount.yaml
 # Wait for deployment to be ready
-kubectl -n headlamp wait --for=condition=available deployment/headlamp --timeout=300s
+kubectl -n kube-system wait --for=condition=available deployment/headlamp --timeout=300s
 ```
 ### 2. Verify Deployment
 ```bash
 # Check pods are running
-kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
+kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
 # Expected output:
 # NAME                        READY   STATUS    RESTARTS   AGE
 # headlamp-xxxxxxxxxx-xxxxx   1/1     Running   0          2m
 # Check init container logs
-kubectl -n headlamp logs deployment/headlamp -c install-plugins
+kubectl -n kube-system logs deployment/headlamp -c install-plugins
 # Expected output:
 # Plugin installation complete
 # Verify plugin files exist
-kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
+kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
  ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # Expected output:
@@ -273,7 +273,7 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
 ```bash
 # Port-forward to access locally
-kubectl -n headlamp port-forward service/headlamp 8080:80
+kubectl -n kube-system port-forward service/headlamp 8080:80
 # Open browser to http://localhost:8080
 ```
@@ -309,7 +309,7 @@ k8s/
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: headlamp
+namespace: kube-system
 commonLabels:
  app.kubernetes.io/name: headlamp
@@ -401,7 +401,7 @@ spec:
    - apiVersion: apps/v1
      kind: Deployment
      name: headlamp
-      namespace: headlamp
+      namespace: kube-system
 ```
 ## Upgrading the Plugin
@@ -410,24 +410,24 @@ spec:
 ```bash
 # Edit ConfigMap with new version
-kubectl -n headlamp edit configmap headlamp-plugin-config
+kubectl -n kube-system edit configmap headlamp-plugin-config
 # Update version and URL:
 # version: 0.3.6
 # url: https://github.com/.../v0.3.6/polaris-0.3.10.tar.gz
 # Restart deployment to trigger init container
-kubectl -n headlamp rollout restart deployment/headlamp
+kubectl -n kube-system rollout restart deployment/headlamp
 # Wait for rollout to complete
-kubectl -n headlamp rollout status deployment/headlamp
+kubectl -n kube-system rollout status deployment/headlamp
 ```
 ### Verify Upgrade
 ```bash
 # Check init container logs
-kubectl -n headlamp logs deployment/headlamp -c install-plugins
+kubectl -n kube-system logs deployment/headlamp -c install-plugins
 # Verify new version in UI
 # Navigate to Settings → Plugins in Headlamp
@@ -439,7 +439,7 @@ kubectl -n headlamp logs deployment/headlamp -c install-plugins
 ```bash
 # Check init container logs
-kubectl -n headlamp logs deployment/headlamp -c install-plugins
+kubectl -n kube-system logs deployment/headlamp -c install-plugins
 # Common issues:
 # 1. Network connectivity to GitHub
@@ -451,14 +451,14 @@ kubectl -n headlamp logs deployment/headlamp -c install-plugins
 ```bash
 # Verify HEADLAMP_CONFIG_WATCH_PLUGINS is false
-kubectl -n headlamp get deployment headlamp -o yaml | grep WATCH_PLUGINS
+kubectl -n kube-system get deployment headlamp -o yaml | grep WATCH_PLUGINS
 # Expected output:
 # - name: HEADLAMP_CONFIG_WATCH_PLUGINS
 #   value: "false"
 # If not set or "true", update deployment
-kubectl -n headlamp edit deployment headlamp
+kubectl -n kube-system edit deployment headlamp
 ```
 ### RBAC Permissions Denied
@@ -466,7 +466,7 @@ kubectl -n headlamp edit deployment headlamp
 ```bash
 # Test RBAC
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -37,8 +37,8 @@ kubectl -n polaris get svc polaris-dashboard
 kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy/results.json | jq .PolarisOutputVersion
 # Verify Headlamp
-kubectl -n headlamp get deployment headlamp
+kubectl -n kube-system get deployment headlamp
-kubectl -n headlamp get svc headlamp
+kubectl -n kube-system get svc headlamp
 ```
 ## Production Checklist
@@ -60,17 +60,17 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
 # 2. Verify RBAC permissions
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
 # Expected: yes
 # 3. Check Headlamp logs for plugin loading
-kubectl -n headlamp logs deployment/headlamp | grep -i polaris
+kubectl -n kube-system logs deployment/headlamp | grep -i polaris
 # Expected: No errors related to plugin loading
 # 4. Verify plugin files exist
-kubectl -n headlamp exec deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
+kubectl -n kube-system exec deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # Expected: dist/, package.json present
 ```
@@ -160,7 +160,7 @@ spec:
    - from:
        - namespaceSelector:
            matchLabels:
-              kubernetes.io/metadata.name: headlamp
+              kubernetes.io/metadata.name: kube-system
        - podSelector:
            matchLabels:
              component: kube-apiserver
@@ -241,7 +241,7 @@ apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: headlamp-pdb
-  namespace: headlamp
+  namespace: kube-system
 spec:
  minAvailable: 1
  selector:
@@ -295,7 +295,7 @@ apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor
 metadata:
  name: headlamp
-  namespace: headlamp
+  namespace: kube-system
 spec:
  selector:
    matchLabels:
@@ -312,10 +312,10 @@ spec:
 ```bash
 # View logs
-kubectl -n headlamp logs deployment/headlamp -f
+kubectl -n kube-system logs deployment/headlamp -f
 # Filter for plugin-related logs
-kubectl -n headlamp logs deployment/headlamp | grep -i polaris
+kubectl -n kube-system logs deployment/headlamp | grep -i polaris
 ```
 **Polaris Dashboard Logs:**
@@ -341,14 +341,14 @@ apiVersion: monitoring.coreos.com/v1
 kind: PrometheusRule
 metadata:
  name: headlamp-alerts
-  namespace: headlamp
+  namespace: kube-system
 spec:
  groups:
    - name: headlamp
      interval: 30s
      rules:
        - alert: HeadlampPodNotReady
-          expr: kube_pod_status_ready{namespace="headlamp", pod=~"headlamp-.*"} == 0
+          expr: kube_pod_status_ready{namespace="kube-system", pod=~"headlamp-.*"} == 0
          for: 5m
          labels:
            severity: warning
@@ -422,9 +422,9 @@ If Headlamp or plugin becomes unavailable:
 2. **Redeploy Headlamp:**
   ```bash
-helm upgrade --install headlamp headlamp/headlamp \
+   helm upgrade --install headlamp headlamp/headlamp \
-      --namespace headlamp \
+     --namespace kube-system \
-      --values headlamp-values.yaml
+     --values headlamp-values.yaml
   ```
 3. **Reapply RBAC:**
@@ -436,7 +436,7 @@ helm upgrade --install headlamp headlamp/headlamp \
 4. **Verify plugin files:**
   ```bash
-   kubectl -n headlamp exec deployment/headlamp -- \
+   kubectl -n kube-system exec deployment/headlamp -- \
     ls /headlamp/plugins/headlamp-polaris-plugin/
   ```
@@ -268,9 +268,10 @@ npm run e2e
 ```bash
 # Create token
-export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp --duration=24h)
+export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system --duration=24h)
-kubectl port-forward -n headlamp svc/headlamp 4466:80
+# Port-forward for local testing
 kubectl port-forward -n kube-system svc/headlamp 4466:80
 # Run tests
 HEADLAMP_URL=http://localhost:4466 npm run e2e
@@ -72,7 +72,7 @@ Deploy or update Headlamp:
 ```bash
 helm upgrade --install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml
 ```
@@ -122,7 +122,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headlamp-plugin-config
-  namespace: headlamp
+  namespace: kube-system
 data:
  plugin.yml: |
    - name: headlamp-polaris-plugin
@@ -138,14 +138,14 @@ kubectl apply -f headlamp-plugin-config.yaml
 # Deploy/update Headlamp with sidecar
 helm upgrade --install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml
 # Wait for pod to be ready
-kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
+kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
 # Verify plugin files
-kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
+kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # Expected output:
 # drwxr-xr-x  dist/
@@ -270,7 +270,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -284,10 +284,10 @@ See [RBAC Permissions](../user-guide/rbac-permissions.md) for detailed RBAC conf
 ```bash
 # If you updated Helm values or ConfigMaps
-kubectl -n headlamp rollout restart deployment/headlamp
+kubectl -n kube-system rollout restart deployment/headlamp
 # Wait for pod to be ready
-kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
+kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
 ```
 ### 3. Clear Browser Cache
@@ -312,14 +312,14 @@ kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=hea
 ```bash
 # Verify plugin files exist
-kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
+kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # Expected output:
 # drwxr-xr-x  dist/
 # -rw-r--r--  package.json
 # Check Headlamp logs for errors
-kubectl -n headlamp logs deployment/headlamp | grep -i polaris
+kubectl -n kube-system logs deployment/headlamp | grep -i polaris
 # Expected: No errors related to plugin loading
@@ -345,13 +345,13 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
 ```bash
 # 1. Verify plugin files exist
-kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
+kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
  ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # Expected: dist/, package.json present
 # 2. Check Headlamp logs for plugin errors
-kubectl -n headlamp logs deployment/headlamp | grep -i polaris
+kubectl -n kube-system logs deployment/headlamp | grep -i polaris
 # 3. Hard refresh browser (Cmd+Shift+R or Ctrl+Shift+R)
@@ -404,7 +404,7 @@ helm install polaris fairwinds-stable/polaris \
 ```bash
 # Wait 30 minutes for ArtifactHub sync
 # Or manually force Headlamp restart:
-kubectl -n headlamp rollout restart deployment/headlamp
+kubectl -n kube-system rollout restart deployment/headlamp
 ```
 ## Next Steps
@@ -67,14 +67,14 @@ kubectl -n polaris wait --for=condition=ready pod -l app.kubernetes.io/name=pola
 ```bash
 # Check Headlamp is deployed
-kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
+kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
 # Expected output:
 # NAME                        READY   STATUS    RESTARTS   AGE
 # headlamp-xxxxxxxxxx-xxxxx   1/1     Running   0          1h
 # Check Headlamp version (must be v0.26+)
-kubectl -n headlamp get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl -n kube-system get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].image}'
 # Expected output:
 # ghcr.io/headlamp-k8s/headlamp:v0.39.0  (or similar)
@@ -89,12 +89,12 @@ helm repo update
 # Install Headlamp
 helm install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --set config.pluginsDir="/headlamp/plugins" \
  --set pluginsManager.enabled=true
 # Wait for pod to be ready
-kubectl -n headlamp wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
+kubectl -n kube-system wait --for=condition=ready pod -l app.kubernetes.io/name=headlamp --timeout=300s
 ```
 ## RBAC Requirements
@@ -112,7 +112,7 @@ The plugin requires permissions to access the Polaris dashboard via Kubernetes s
 ```bash
 # Test if Headlamp service account has permission
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -38,7 +38,7 @@ EOF
 # Update Headlamp
 helm upgrade --install headlamp headlamp/headlamp \
-  --namespace headlamp \
+  --namespace kube-system \
  --values headlamp-values.yaml
 ```
@@ -70,7 +70,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -111,7 +111,7 @@ EOF
 ```bash
 # Verify plugin files exist
-kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
+kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \
  ls /headlamp/plugins/headlamp-polaris-plugin/dist/
 # Expected output:
@@ -119,7 +119,7 @@ kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
 # Verify RBAC is correct
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -185,7 +185,7 @@ Cluster score badge in top navigation:
 ```bash
 # Verify plugin files exist
-kubectl -n headlamp exec -it deployment/headlamp -c headlamp -- \
+kubectl -n kube-system exec -it deployment/headlamp -c headlamp -- \
  ls /headlamp/plugins/headlamp-polaris-plugin/
 # If missing, reinstall via Headlamp UI or sidecar method
@@ -38,17 +38,17 @@ kubectl get --raw /api/v1/namespaces/polaris/services/polaris-dashboard:80/proxy
 # 3. Verify RBAC permissions
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
 # Expected output: yes
 # 4. Check Headlamp pod is running
-kubectl -n headlamp get pods -l app.kubernetes.io/name=headlamp
+kubectl -n kube-system get pods -l app.kubernetes.io/name=headlamp
 # 5. Check Headlamp logs for plugin errors
-kubectl -n headlamp logs deployment/headlamp | grep -i polaris
+kubectl -n kube-system logs deployment/headlamp | grep -i polaris
 # Expected: No errors
 ```
@@ -57,7 +57,7 @@ kubectl -n headlamp logs deployment/headlamp | grep -i polaris
 ```bash
 # Verify plugin files exist
-kubectl -n headlamp exec deployment/headlamp -c headlamp -- \
+kubectl -n kube-system exec deployment/headlamp -c headlamp -- \
  ls -la /headlamp/plugins/headlamp-polaris-plugin/
 # Expected output:
@@ -76,7 +76,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
 # Test permission (service account mode)
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -33,7 +33,7 @@ This guide covers common issues encountered when using the Headlamp Polaris Plug
 ```bash
 # View Headlamp pod logs (plugin sidecar)
-kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
+kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
 # Expected output:
 # Installing plugin from https://github.com/.../headlamp-polaris-plugin-X.Y.Z.tar.gz
@@ -43,7 +43,7 @@ kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
 **Verify plugin files exist**:
 ```bash
-kubectl exec -n headlamp deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
+kubectl exec -n kube-system deployment/headlamp -c headlamp -- ls -la /headlamp/plugins/
 # Should show: headlamp-polaris-plugin/
 ```
@@ -118,7 +118,7 @@ Expected subjects:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 ```
 For OIDC mode:
@@ -154,7 +154,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -169,7 +169,7 @@ Service account mode:
 ```bash
 # Impersonate Headlamp service account
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  --resource-name=polaris-dashboard \
  -n polaris
 # Expected: yes
@@ -189,7 +189,7 @@ kubectl auth can-i get services/proxy \
 After applying RBAC changes:
 ```bash
-kubectl rollout restart deployment headlamp -n headlamp
+kubectl rollout restart deployment headlamp -n kube-system
 ```
 ---
@@ -490,7 +490,7 @@ Run this script to test all RBAC components:
 #!/bin/bash
 NS="polaris"
 SA="headlamp"
-SA_NS="headlamp"
+SA_NS="kube-system"
 echo "=== Testing RBAC for Polaris Plugin ==="
@@ -529,8 +529,8 @@ echo "=== Test complete ==="
 Test connectivity from Headlamp to Polaris:
 ```bash
-# Create debug pod in headlamp namespace
+# Create debug pod in kube-system namespace
-kubectl run netdebug -n headlamp --rm -it --image=nicolaka/netshoot -- bash
+kubectl run netdebug -n kube-system --rm -it --image=nicolaka/netshoot -- bash
 # Inside pod, test DNS and HTTP
 nslookup polaris-dashboard.polaris.svc.cluster.local
@@ -545,11 +545,11 @@ If you have audit logging enabled, check for denied requests:
 ```bash
 # View recent audit logs (location varies by cluster)
-kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
+kubectl logs -n kube-system kube-apiserver-* | grep polaris-dashboard
 # Look for lines with:
 # "reason": "Forbidden"
-# "user": "system:serviceaccount:headlamp:headlamp"
+# "user": "system:serviceaccount:kube-system:headlamp"
 ```
 ---
@@ -567,7 +567,7 @@ kubectl logs -n headlamp kube-apiserver-* | grep polaris-dashboard
 **Check sidecar logs**:
 ```bash
-kubectl logs -n headlamp deployment/headlamp -c headlamp-plugin
+kubectl logs -n kube-system deployment/headlamp -c headlamp-plugin
 ```
 **Common errors**:
@@ -591,7 +591,7 @@ Error: 404 Not Found
 **Solution**: Verify `archive-url` in plugin config matches GitHub release:
 ```bash
-kubectl get configmap headlamp-plugin-config -n headlamp -o yaml
+kubectl get configmap headlamp-plugin-config -n kube-system -o yaml
 ```
 Expected format:
@@ -677,13 +677,13 @@ If none of these solutions work, gather debugging information and open an issue:
 1. **Version Information**:
   ```bash
-   kubectl get pods -n headlamp -l app.kubernetes.io/name=headlamp -o yaml | grep image:
+   kubectl get pods -n kube-system -l app.kubernetes.io/name=headlamp -o yaml | grep image:
   ```
 2. **Plugin Version**:
   - Check Settings → Plugins in Headlamp UI
-   - Or: `kubectl exec -n headlamp deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
+   - Or: `kubectl exec -n kube-system deployment/headlamp -c headlamp -- cat /headlamp/plugins/headlamp-polaris-plugin/package.json`
 3. **Browser Console Output**:
@@ -698,7 +698,7 @@ If none of these solutions work, gather debugging information and open an issue:
 5. **Pod Logs**:
   ```bash
-   kubectl logs -n headlamp deployment/headlamp -c headlamp --tail=100
+   kubectl logs -n kube-system deployment/headlamp -c headlamp --tail=100
   kubectl logs -n polaris deployment/polaris-dashboard --tail=100
   ```
@@ -41,7 +41,7 @@ spec:
    - from:
        - namespaceSelector:
            matchLabels:
-              kubernetes.io/metadata.name: headlamp
+              kubernetes.io/metadata.name: kube-system
        - podSelector:
            matchLabels:
              component: kube-apiserver
@@ -43,7 +43,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -83,7 +83,7 @@ roleRef:
 ```bash
 # Test service account (in-cluster mode)
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -317,7 +317,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
 # Test permission
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
 ```
@@ -65,7 +65,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp # Adjust to your Headlamp SA name
-    namespace: headlamp # Adjust to Headlamp's namespace
+    namespace: kube-system # Adjust to Headlamp's namespace
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -75,7 +75,7 @@ roleRef:
 **Adjust for your environment:**
 - `subjects[0].name` - Your Headlamp service account name (often `headlamp`)
- `subjects[0].namespace` - Namespace where Headlamp runs (often `headlamp`)
+- `subjects[0].namespace` - Namespace where Headlamp runs (often `kube-system`)
 ### Step 3: Apply and Verify
@@ -91,7 +91,7 @@ kubectl -n polaris get rolebinding headlamp-polaris-proxy
 # Test permission
 kubectl auth can-i get services/proxy \
-  --as=system:serviceaccount:headlamp:headlamp \
+  --as=system:serviceaccount:kube-system:headlamp \
  -n polaris \
  --resource-name=polaris-dashboard
@@ -109,7 +109,7 @@ In token-auth mode, **each user's own identity** is used for Kubernetes API requ
 With service account mode:
 - Single RoleBinding grants access to all Headlamp users
- Kubernetes sees all requests as `system:serviceaccount:headlamp:headlamp`
+- Kubernetes sees all requests as `system:serviceaccount:kube-system:headlamp`
 With token-auth mode:
@@ -267,7 +267,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -281,7 +281,7 @@ metadata:
 subjects:
  - kind: ServiceAccount
    name: headlamp
-    namespace: headlamp
+    namespace: kube-system
 roleRef:
  kind: Role
  name: polaris-proxy-reader
@@ -318,7 +318,7 @@ spec:
    - from:
        - namespaceSelector:
            matchLabels:
-              kubernetes.io/metadata.name: headlamp
+              kubernetes.io/metadata.name: kube-system
        - podSelector:
            matchLabels:
              component: kube-apiserver
@@ -411,7 +411,7 @@ Every plugin data fetch creates a Kubernetes API audit log entry.
  "level": "Metadata",
  "verb": "get",
  "user": {
-    "username": "system:serviceaccount:headlamp:headlamp"
+    "username": "system:serviceaccount:kube-system:headlamp"
  },
  "sourceIPs": ["10.96.0.1"],
  "objectRef": {
@@ -494,7 +494,7 @@ If using a log aggregator (e.g., Elasticsearch), create filters to exclude or do
   ```bash
   # Service account mode
   kubectl auth can-i get services/proxy \
-     --as=system:serviceaccount:headlamp:headlamp \
+     --as=system:serviceaccount:kube-system:headlamp \
     -n polaris \
     --resource-name=polaris-dashboard
@@ -41,8 +41,8 @@ The default base URL is `https://headlamp.animaniacs.farh.net`. Override with `H
 ### Option 2: K8s bearer token (port-forward)
 ```bash
-kubectl port-forward -n headlamp svc/headlamp 4466:80
+kubectl port-forward -n kube-system svc/headlamp 4466:80
-export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp)
+export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system)
 HEADLAMP_URL=http://localhost:4466 npm run e2e
 ```
@@ -143,7 +143,7 @@ cp .env.example .env
 # 3. Set environment variables
 export HEADLAMP_URL=https://your-headlamp-instance.com
-export HEADLAMP_TOKEN=$(kubectl create token headlamp -n headlamp)
+export HEADLAMP_TOKEN=$(kubectl create token headlamp -n kube-system)
 # 4. Run tests
 npm run e2e
@@ -35,7 +35,11 @@
    "overrides": {
      "tar": "^7.5.11",
      "undici": "^7.24.3",
-      "flatted": "^3.4.2"
+      "flatted": "^3.4.2",
      "lodash": ">=4.18.0",
      "picomatch": ">=4.0.4",
      "vite": ">=6.4.2",
      "elliptic": ">=6.6.1"
    }
  },
  "devDependencies": {
@@ -5,18 +5,16 @@
 # a ConfigMap volume mount. No custom Docker images — the plugin is built
 # in CI and injected as a ConfigMap.
 #
-# E2E resources are deployed to the `privilegedescalation-dev` namespace. Nothing
+# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
-# persists beyond the test run — teardown cleans up all created resources.
+# persists beyond a test run — teardown cleans up all created resources.
 #
 # Prerequisites:
 #   - Plugin built (dist/ exists with plugin-main.js + package.json)
 #   - kubectl configured with cluster access
-# RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
+#   - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
 # The infra repo is the source of truth — do not apply this file directly.
 # Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml
 #
 # Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: privilegedescalation-dev)
+#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
 #   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
 #   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
 set -euo pipefail
@@ -24,7 +22,7 @@ set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 DIST_DIR="$REPO_ROOT/dist"
-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
@@ -37,7 +35,7 @@ fi
 echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
 if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
-  echo "  Apply RBAC first: kubectl apply -f privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml" >&2
+  echo "  Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
  exit 1
 fi
@@ -3,17 +3,14 @@
 #
 # Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
 #
 # RBAC is managed via Flux from privilegedescalation/infra/base/rbac/e2e-ci-runner-headlamp-rbac.yaml.
 # The infra repo is the source of truth — do not apply this file directly.
 #
 # Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: privilegedescalation-dev)
+#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
 #   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
 set -euo pipefail
 REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-E2E_NAMESPACE="${E2E_NAMESPACE:-privilegedescalation-dev}"
+E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
 E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
 echo "=== E2E Headlamp Teardown ==="
Author	SHA1	Message	Date
Chris Farhood	d6fe575abf	chore: regenerate pnpm-lock.yaml with elliptic override	2026-05-06 00:59:53 +00:00
Chris Farhood	5bc61a4e8d	fix: add elliptic override for GHSA-848j-6mx2-7j84 Add pnpm.overrides.elliptic to prevent version regression on the transitive elliptic vulnerability (CVE-2025-14505). Vulnerability path: @kinvolk/headlamp-plugin → vite-plugin-node-polyfills → node-stdlib-browser → crypto-browserify → browserify-sign → elliptic Note: pnpm audit will still report the vulnerability until upstream publishes elliptic 6.6.2+. This override safeguards against pulling a worse version. Co-Authored-By: Paperclip <noreply@paperclip.ing>	2026-05-06 00:44:50 +00:00
privilegedescalation-engineer[bot]	aa1db9215a	fix: patch high-severity vulnerabilities in picomatch and vite (#128 ) * chore: replace Dependabot references with Renovate - SECURITY.md: update to mention Renovate (org-wide Mend Renovate) - PROJECT_ASSESSMENT.md: mark Renovate as integrated (org-wide config) Closes PRI-389. Parent PRI-387. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix: override picomatch >=4.0.4 and vite >=6.4.2 to patch high-severity vulnerabilities Resolves 3 high-severity vulnerabilities from pnpm audit: - GHSA-c2c7-rcm5-vvqj: Picomatch ReDoS via extglob quantifiers (>=4.0.0 <4.0.4) - GHSA-p9ff-h696-f583: Vite arbitrary file read via dev server WebSocket - GHSA-4w7w-66w2-5vf9: Vite path traversal in optimized deps .map handling Also addresses moderate GHSA-3v7f-55p6-f55p (picomatch method injection). Remaining vulnerabilities (moderate/low) are in transitive dependencies managed by @kinvolk/headlamp-plugin and @headlamp-k8s/eslint-config which require upstream updates to those packages. Co-Authored-By: Paperclip <noreply@paperclip.ing> --------- Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 11:01:53 +00:00
privilegedescalation-engineer[bot]	202ce66c61	fix(e2e): migrate E2E namespace from privilegedescalation-dev to headlamp-dev (#130 ) The E2E workflow and deploy scripts were targeting the legacy privilegedescalation-dev namespace, which is not managed by Flux GitOps in privilegedescalation/infra. The infra repo (PR #11) already provisions the headlamp-dev namespace and corresponding RBAC (e2e-ci-runner-headlamp-rbac.yaml) that grants the ARC runner SA (runners-privilegedescalation-gha-rs-no-permission in arc-runners) the permissions needed to deploy/teardown the E2E Headlamp instance. This change aligns all E2E infrastructure to use headlamp-dev: - .github/workflows/e2e.yaml: E2E_NAMESPACE=headlamp-dev - scripts/deploy-e2e-headlamp.sh: default namespace and comments - scripts/teardown-e2e-headlamp.sh: default namespace - deployment/e2e-ci-runner-rbac.yaml: namespace and add missing events permission (already present in infra copy) Refs: PRI-423 Co-authored-by: Chris Farhood <chris@farhood.org> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-04 10:50:27 +00:00
privilegedescalation-engineer[bot]	58c9597388	fix: override lodash >=4.18.0 to patch code injection vulnerability (#120 ) * fix: override lodash >=4.18.0 to patch code injection vulnerability GHSA-r5fr-rjxr-66jc is a code injection vulnerability in lodash below 4.18.0. The vulnerable transitive dependency comes through @kinvolk/headlamp-plugin. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> * fix: update pnpm-lock.yaml to satisfy lodash override The package.json pnpm.overrides requires lodash >=4.18.0, but the lockfile had an older version. Regenerated lockfile with pnpm install. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope heading locators to main content area Fix E2E test failures by scoping heading locators to the main content area instead of searching the entire page. This prevents matching headings in the sidebar or other non-content areas. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): scope remaining getByText to main element The 'Cluster Score' text matcher was still searching the entire page instead of being scoped to the main content area. This could cause false positives if the same text appears in the sidebar. Co-Authored-By: Paperclip <noreply@paperclip.ing> * ci: trigger fresh E2E run Re-pushing to trigger a new CI run since the last E2E was cancelled. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): use [role=main] instead of main element Switch from 'main' element selector to '[role="main"]' attribute selector for better compatibility with Headlamp's app structure. Co-Authored-By: Paperclip <noreply@paperclip.ing> * fix(e2e): hybrid approach - unscoped headings, main-scoped text Use broader heading selectors matching intel-gpu pattern, but keep text checks scoped to main element to avoid sidebar conflicts. Co-Authored-By: Paperclip <noreply@paperclip.ing> * ci: re-test original code to verify baseline --------- Co-authored-by: Gandalf the Greybeard <gandalf@privilegedescalation.dev> Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: Paperclip <noreply@paperclip.ing>	2026-05-03 17:43:58 +00:00