release: v0.7.1

2026-03-17 12:31:26 +00:00
26 changed files with 415 additions and 1743 deletions
@@ -1,20 +0,0 @@
-name: Dual Approval (CTO + QA)
-
-# Calls the shared dual-approval-check workflow.
-# Passes when both privilegedescalation-cto and privilegedescalation-qa
-# have approved the PR. Add "Dual Approval (CTO + QA)" to required_status_checks
-# in branch protection to enforce this gate.
-
-on:
-  pull_request_review:
-    types: [submitted, dismissed]
-  pull_request:
-    branches: [main]
-    types: [opened, reopened, synchronize]
-
-jobs:
-  dual-approval:
-    uses: privilegedescalation/.github/.github/workflows/dual-approval-check.yaml@main
-    secrets: inherit
-    with:
-      pr_number: ${{ github.event.pull_request.number }}
@@ -7,61 +7,63 @@ on:
    branches: [main]
  workflow_dispatch:

-permissions:
-  contents: read
-
-# Only one E2E run at a time: the shared E2E_RELEASE (headlamp-e2e) in
-# headlamp-dev cannot be shared across concurrent runs.
-# cancel-in-progress: false (queue, don't cancel) — cancelling in-flight
-# runs may skip the if:always() teardown, leaving dangling cluster resources.
-concurrency:
-  group: e2e-${{ github.repository }}
-  cancel-in-progress: false
-
-env:
-  E2E_NAMESPACE: headlamp-dev
-  E2E_RELEASE: headlamp-e2e
-  # Pin to a known-good Headlamp version. Using :latest is risky because
-  # the tag can change between CI runs, causing flaky failures when a newer
-  # image is pulled on some nodes but not others (IfNotPresent pull policy).
-  # Update this when Headlamp is upgraded in production (kube-system).
-  HEADLAMP_VERSION: v0.40.1
-
 jobs:
  e2e:
-    runs-on: runners-privilegedescalation
+    runs-on: local-ubuntu-latest
    timeout-minutes: 15

    steps:
      - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'

-      - name: Setup kubectl
-        uses: azure/setup-kubectl@v4
-
      - name: Install dependencies
        run: npm ci

-      - name: Build plugin
-        run: npx @kinvolk/headlamp-plugin build
-
-      - name: Deploy E2E Headlamp instance
-        run: scripts/deploy-e2e-headlamp.sh
-
-      - name: Load E2E environment
+      - name: Preflight — verify Headlamp and plugin version
+        env:
+          HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
        run: |
-          if [ -f .env.e2e ]; then
-            cat .env.e2e >> "$GITHUB_ENV"
-          else
-            echo "::error::deploy-e2e-headlamp.sh did not produce .env.e2e"
+          EXPECTED=$(node -p "require('./package.json').version")
+          PLUGIN_NAME=$(node -p "require('./package.json').artifacthub?.name || require('./package.json').name")
+          echo "Expected: $PLUGIN_NAME@$EXPECTED"
+
+          # Check Headlamp connectivity
+          HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 10 "$HEADLAMP_URL" || true)
+          if [ "$HTTP_CODE" = "000" ]; then
+            echo "::error::Cannot reach Headlamp at $HEADLAMP_URL"
            exit 1
          fi
+          echo "Headlamp responded HTTP $HTTP_CODE"
+
+          # Check installed plugins and version match
+          PLUGIN_JSON=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins" 2>/dev/null || echo "[]")
+          node -e "
+            const expected = '$EXPECTED';
+            const pluginName = '$PLUGIN_NAME';
+            const plugins = JSON.parse(process.argv[1]);
+            console.log('Installed plugins:');
+            for (const p of plugins) console.log('  ' + p.name + '@' + (p.version||'unknown'));
+            const ours = plugins.find(p => p.name === pluginName || p.name === 'polaris' || p.name.includes('polaris'));
+            if (!ours) {
+              console.log('::warning::Plugin ' + pluginName + ' not found in Headlamp — data-dependent tests will fail');
+            } else {
+              console.log('Found plugin: ' + ours.name + ' at path ' + ours.path);
+            }
+          " "$PLUGIN_JSON"
+
+          # Fetch deployed plugin version from package.json
+          DEPLOYED_VERSION=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins/$PLUGIN_NAME/package.json" 2>/dev/null \
+            | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).version" 2>/dev/null || echo "unknown")
+          echo "Deployed version: $DEPLOYED_VERSION"
+          if [ "$DEPLOYED_VERSION" != "$EXPECTED" ] && [ "$DEPLOYED_VERSION" != "unknown" ]; then
+            echo "::warning::Version mismatch — repo has $EXPECTED but Headlamp runs $DEPLOYED_VERSION. Tests may fail due to stale plugin."
+          fi

      - name: Install Playwright browsers
        run: npx playwright install --with-deps chromium
@@ -69,25 +71,13 @@ jobs:
      - name: Run E2E tests
        run: npm run e2e
        env:
-          HEADLAMP_URL: ${{ env.HEADLAMP_URL }}
-          HEADLAMP_TOKEN: ${{ env.HEADLAMP_TOKEN }}
-
-      - name: Collect deployment diagnostics on failure
-        if: failure()
-        run: |
-          echo "=== Pod state ==="
-          kubectl get pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
-          echo "=== Pod describe ==="
-          kubectl describe pods -n "$E2E_NAMESPACE" -l "app.kubernetes.io/instance=$E2E_RELEASE" 2>&1 || true
-          echo "=== Recent namespace events ==="
-          kubectl get events -n "$E2E_NAMESPACE" --sort-by='.lastTimestamp' 2>&1 | tail -20 || true
-
-      - name: Teardown E2E instance
-        if: always()
-        run: scripts/teardown-e2e-headlamp.sh
+          HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
+          HEADLAMP_TOKEN: ${{ secrets.HEADLAMP_TOKEN }}
+          AUTHENTIK_USERNAME: ${{ secrets.AUTHENTIK_USERNAME }}
+          AUTHENTIK_PASSWORD: ${{ secrets.AUTHENTIK_PASSWORD }}

      - name: Upload Playwright report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: playwright-report
@@ -95,7 +85,7 @@ jobs:
          retention-days: 7

      - name: Upload test results
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@v4
        if: failure()
        with:
          name: test-results
@@ -15,9 +15,6 @@ permissions:
 jobs:
  release:
    uses: privilegedescalation/.github/.github/workflows/plugin-release.yaml@main
-    secrets:
-      RELEASE_APP_ID: ${{ secrets.RELEASE_APP_ID }}
-      RELEASE_APP_PRIVATE_KEY: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
    with:
      version: ${{ inputs.version }}
      upstream-repo: 'FairwindsOps/polaris'
@@ -6,6 +6,5 @@ e2e/.auth/
 test-results/
 .playwright-mcp/
 .env
-.env.e2e
 .env.local
 .eslintcache
@@ -7,31 +7,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

 ## [Unreleased]

-## [1.0.0] - 2026-03-22
-
-First stable release. The plugin API (routes, sidebar entries, settings schema, and app bar action) is
-now frozen — no breaking changes without a new major version.
-
-### Security
- Patched 8 of 9 npm audit vulnerabilities via `pnpm.overrides` (#92)
-
-### Added
- **Dual-approval CI check**: PRs now require approval from both CTO and QA before merging (#98, #76)
- **ExemptionManager test suite**: Full coverage of annotation-based exemption flows, exemption creation, and inline feedback (#82)
- **RBAC preflight check**: `deploy-e2e-headlamp.sh` now verifies runner RBAC before attempting E2E deploy (#80)
-
-### Fixed
- **E2E infrastructure overhaul**: Replaced Dockerfile.e2e with ConfigMap volume mount for plugin loading; tests now run in the `privilegedescalation-dev` namespace (#73, #89, #94)
- **E2E token auth**: Workflow uses GitHub App token auth and handles the `/token` redirect correctly (#97)
- **E2E HTTP readiness**: `deploy-e2e-headlamp.sh` waits for HTTP reachability after rollout before running tests (#104)
- **E2E runner label**: Updated to `runners-privilegedescalation` for self-hosted ARC runners (#71)
- **Direct devDependencies**: Added `typescript`, `eslint`, `prettier`, and `@headlamp-k8s/eslint-config` as explicit direct devDependencies to prevent phantom-dep failures in clean installs (#95, #102)
-
-### Changed
- **pnpm version pinned**: `packageManager` field in `package.json` pins the pnpm version used in CI (#103)
- **GitHub Actions SHA pinning**: Renovate `pinDigests` enabled to SHA-pin all GitHub Actions (#105)
- **ArtifactHub metadata polish**: Improved `install` instructions and `changes` section formatting (#82)
-
 ## [0.6.0] - 2026-03-04

 ### Fixed
@@ -295,8 +270,7 @@ now frozen — no breaking changes without a new major version.
 - Automated release workflow
 - Basic CI/CD pipeline

-[Unreleased]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v1.0.0...HEAD
-[1.0.0]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v0.7.2...v1.0.0
+[Unreleased]: https://github.com/privilegedescalation/headlamp-polaris-plugin/compare/v0.6.0...HEAD
 [0.6.0]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.6.0
 [0.3.5]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.3.5
 [0.3.4]: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/tag/v0.3.4
@@ -229,7 +229,7 @@ Headlamp v0.39.0 with default `watchPlugins: true` treats catalog-managed plugin
 **Action Items:**
 - [ ] Parallelize test execution
 - [ ] Add npm cache to GitHub Actions
- [x] Renovate is configured org-wide via `github>privilegedescalation/.github:renovate-config`
+- [ ] Integrate Dependabot
 - [ ] Add semantic-release

 ---
@@ -48,14 +48,9 @@ Polaris must be deployed in the `polaris` namespace with the dashboard component

 ## Installing

-The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris/headlamp-polaris-plugin). Install via the Headlamp UI:
+### Option 1: Headlamp Plugin Manager (Recommended)

-1. Go to **Settings → Plugins**
-2. Click **Catalog** tab
-3. Search for "Polaris"
-4. Click **Install**
-
-Or configure Headlamp via Helm:
+The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris/headlamp-polaris-plugin). Configure Headlamp via Helm:

 ```yaml
 config:
@@ -67,6 +62,56 @@ pluginsManager:
      url: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
 ```

+Or install via the Headlamp UI:
+
+1. Go to **Settings → Plugins**
+2. Click **Catalog** tab
+3. Search for "Polaris"
+4. Click **Install**
+
+### Option 2: Sidecar Container (Alternative)
+
+For detailed sidecar installation instructions, see [docs/DEPLOYMENT.md#installation-method-2-sidecar-container](docs/DEPLOYMENT.md#installation-method-2-sidecar-container).
+
+```yaml
+sidecars:
+  - name: headlamp-plugin
+    image: node:lts-alpine
+    command: ['/bin/sh']
+    args:
+      - -c
+      - |
+        npm install -g @kinvolk/headlamp-plugin
+        headlamp-plugin install --config /config/plugin.yml
+        tail -f /dev/null
+    volumeMounts:
+      - name: plugins
+        mountPath: /headlamp/plugins
+      - name: plugin-config
+        mountPath: /config
+```
+
+### Option 3: Manual Tarball Install
+
+Download the `.tar.gz` from the [GitHub releases page](https://github.com/privilegedescalation/headlamp-polaris-plugin/releases), then extract into Headlamp's plugin directory:
+
+```bash
+wget https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
+tar xzf polaris-0.3.10.tar.gz -C /headlamp/plugins/
+```
+
+### Option 4: Build from Source
+
+```bash
+git clone https://github.com/privilegedescalation/headlamp-polaris-plugin.git
+cd headlamp-polaris-plugin
+npm install
+npm run build
+npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
+```
+
+For complete installation instructions including Helm integration, FluxCD examples, and production deployment checklist, see **[docs/DEPLOYMENT.md](docs/DEPLOYMENT.md)**.
+
 ## RBAC / Security Setup

 The plugin fetches audit data through the Kubernetes API server's **service proxy** sub-resource. The identity making the request (Headlamp's service account, or the user's own token in token-auth mode) must be granted:
@@ -212,7 +212,7 @@ If you discover a security vulnerability in this plugin, please report it via:

 The project uses:
 - **npm audit**: Runs automatically during `npm install`
- **Renovate**: Automated dependency updates via Mend Renovate (org-wide configured)
+- **Dependabot**: GitHub Dependabot monitors dependencies and creates PRs for updates
 - **GitHub Actions**: CI workflow runs `npm audit` on every commit

 ### Updating Dependencies
@@ -1,4 +1,4 @@
-version: "1.0.0"
+version: "0.7.1"
 name: headlamp-polaris
 displayName: Polaris
 createdAt: "2026-02-05T19:00:00Z"
@@ -11,7 +11,6 @@ description: >-
  `polaris-dashboard` service in the `polaris` namespace.
 license: Apache-2.0
 homeURL: "https://github.com/privilegedescalation/headlamp-polaris-plugin"
-appVersion: "10.1.6"
 category: security
 keywords:
  - polaris
@@ -25,52 +24,11 @@ links:
    url: "https://github.com/privilegedescalation/headlamp-polaris-plugin"
  - name: Polaris
    url: "https://polaris.docs.fairwinds.com/"
-install: |
-  ## Installation
-
-  ### Prerequisites
-
-  1. [Headlamp](https://headlamp.dev) v0.26.0 or later
-  2. [Fairwinds Polaris](https://polaris.docs.fairwinds.com/) installed and the dashboard running in your cluster
-
-  ### Install via Headlamp Plugin Catalog
-
-  1. Open Headlamp and navigate to **Settings → Plugin Catalog**
-  2. Search for **"Polaris"**
-  3. Click **Install** and restart Headlamp when prompted
-
-  The plugin is sourced directly from [ArtifactHub](https://artifacthub.io/packages/headlamp/headlamp/headlamp-polaris).
-
-  ## Usage
-
-  After installation, the Polaris plugin adds:
-  - A **cluster score badge** in the Headlamp app bar
-  - A **Polaris** section in the sidebar with the full dashboard and namespace drill-downs
-  - An **inline audit panel** on Deployment, StatefulSet, DaemonSet, Job, and CronJob detail pages
-
-  For more information, see the [README](https://github.com/privilegedescalation/headlamp-polaris-plugin/blob/main/README.md).
-changes:
-  - kind: security
-    description: Patched 8 npm audit vulnerabilities via pnpm.overrides
-  - kind: added
-    description: Dual-approval required CI check — PRs must be approved by both CTO and QA before merge
-  - kind: added
-    description: ExemptionManager test suite — full coverage of annotation-based exemption flows
-  - kind: fixed
-    description: E2E infrastructure overhauled — ConfigMap volume mount replaces Dockerfile-based approach, tests run in privilegedescalation-dev namespace
-  - kind: fixed
-    description: E2E workflow uses token auth and waits for HTTP reachability before running tests
-  - kind: fixed
-    description: Added explicit direct devDependencies (typescript, eslint, prettier, @headlamp-k8s/eslint-config) to prevent phantom dep failures
-  - kind: changed
-    description: pnpm version pinned via packageManager field; GitHub Actions SHA-pinned via Renovate pinDigests
-  - kind: changed
-    description: v1.0.0 stable release — plugin API (routes, sidebar, settings schema, app bar action) is stable and will not change without a major version bump
 maintainers:
  - name: privilegedescalation
    email: "chris@farhood.org"
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v1.0.0/headlamp-polaris-1.0.0.tar.gz"
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.7.1/headlamp-polaris-0.7.1.tar.gz"
  headlamp/plugin/version-compat: ">=0.26"
-  headlamp/plugin/archive-checksum: sha256:a165e871b40f11a44950aa9f10eb7f7883276f749026ae7a4f886278ecd9bd7d
-  headlamp/plugin/distro-compat: "in-cluster,web,desktop"
+  headlamp/plugin/archive-checksum: sha256:5ea27f3beeab9730a13a752a0a7c2270eca83dcbbe813a6cabeb6a22fa9d5174
+  headlamp/plugin/distro-compat: in-cluster
@@ -1,46 +0,0 @@
---
-# RBAC for the GitHub Actions CI runner to manage the E2E Headlamp instance.
-# CI-only test fixture — NOT for production use.
-#
-# Grants the ARC runner service account permissions in the headlamp-dev
-# namespace to deploy and tear down a dedicated Headlamp instance via Helm.
-# E2E resources run in `headlamp-dev` — nothing persists beyond a test run.
-#
-# Plugin is loaded via ConfigMap volume mount — no custom Docker images.
-#
-# Note: This RBAC is mirrored in privilegedescalation/infra (base/rbac/)
-# and managed by Flux GitOps. The infra repo is the source of truth.
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: e2e-ci-runner
-  namespace: headlamp-dev
-rules:
-  # Helm needs to manage these resources for the Headlamp chart
-  - apiGroups: ["apps"]
-    resources: ["deployments"]
-    verbs: ["get", "list", "create", "update", "patch", "delete", "watch"]
-  - apiGroups: [""]
-    resources: ["services", "serviceaccounts", "configmaps", "secrets", "events"]
-    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
-  - apiGroups: [""]
-    resources: ["pods"]
-    verbs: ["get", "list", "watch"]
-  # Token creation for E2E test auth
-  - apiGroups: [""]
-    resources: ["serviceaccounts/token"]
-    verbs: ["create"]
---
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: e2e-ci-runner-binding
-  namespace: headlamp-dev
-subjects:
-  - kind: ServiceAccount
-    name: runners-privilegedescalation-gha-rs-no-permission
-    namespace: arc-runners
-roleRef:
-  kind: Role
-  name: e2e-ci-runner
-  apiGroup: rbac.authorization.k8s.io
@@ -0,0 +1,83 @@
+---
+# Custom Headlamp values for static plugin installation
+# This disables the plugin manager and uses an init container instead
+
+# Disable the plugin manager sidecar
+pluginsManager:
+  enabled: false
+
+# Use an init container to install plugins to /headlamp/static-plugins
+initContainers:
+  - name: install-plugins
+    image: node:lts-alpine
+    command:
+      - /bin/sh
+      - -c
+      - |
+        set -e
+        echo "Installing plugins to /headlamp/static-plugins..."
+
+        # Create plugins directory
+        mkdir -p /headlamp/static-plugins
+
+        # Set up npm cache
+        export NPM_CONFIG_CACHE=/tmp/npm-cache
+        export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
+        mkdir -p /tmp/npm-cache /tmp/npm-userconfig
+
+        # Install polaris plugin
+        echo "Installing polaris plugin..."
+        cd /headlamp/static-plugins
+        npm pack headlamp-polaris-plugin@0.3.0
+        tar -xzf headlamp-polaris-plugin-0.3.0.tgz
+        mv package headlamp-polaris-plugin
+        rm headlamp-polaris-plugin-0.3.0.tgz
+
+        # Install other plugins
+        npx --yes @headlamp-k8s/plugin@latest install \
+          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_flux \
+          --folderName /headlamp/static-plugins
+
+        npx --yes @headlamp-k8s/plugin@latest install \
+          --source https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy \
+          --folderName /headlamp/static-plugins
+
+        npx --yes @headlamp-k8s/plugin@latest install \
+          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager \
+          --folderName /headlamp/static-plugins
+
+        npx --yes @headlamp-k8s/plugin@latest install \
+          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_ai_assistant \
+          --folderName /headlamp/static-plugins
+
+        echo "All plugins installed successfully"
+        ls -la /headlamp/static-plugins
+    securityContext:
+      runAsUser: 100
+      runAsGroup: 101
+      runAsNonRoot: true
+      privileged: false
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        memory: 512Mi
+    volumeMounts:
+      - name: static-plugins
+        mountPath: /headlamp/static-plugins
+
+# Configure headlamp to use static plugins
+config:
+  pluginsDir: /headlamp/static-plugins
+
+# Add volume for static plugins
+volumes:
+  - name: static-plugins
+    emptyDir: {}
+
+# Add volume mount to main container
+volumeMounts:
+  - name: static-plugins
+    mountPath: /headlamp/static-plugins
+    readOnly: true
@@ -19,7 +19,7 @@ Helm provides the easiest way to deploy and manage the plugin in production. Thi

 ```bash
 # Add Headlamp Helm repository
-helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
+helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
 helm repo update
 ```

@@ -210,7 +210,7 @@ metadata:
  namespace: flux-system
 spec:
  interval: 1h
-  url: https://kubernetes-sigs.github.io/headlamp/
+  url: https://headlamp-k8s.github.io/headlamp/
 ```

 ### HelmRelease
@@ -84,7 +84,7 @@ kubectl -n kube-system get deployment headlamp -o jsonpath='{.spec.template.spec

 ```bash
 # Add Headlamp Helm repository
-helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
+helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
 helm repo update

 # Install Headlamp
@@ -4,16 +4,7 @@ Playwright-based smoke tests that validate the Polaris plugin against a live Hea

 ## CI

-E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`):
-
-1. Builds the plugin (`npm run build`)
-2. Creates a ConfigMap from the built `dist/` output
-3. Deploys a stock Headlamp instance via Helm with the plugin mounted as a ConfigMap volume
-4. Generates a ServiceAccount token for test auth
-5. Runs Playwright tests against the E2E instance
-6. Tears down the E2E instance
-
-This approach uses the stock `ghcr.io/headlamp-k8s/headlamp` image with no custom Docker builds. The plugin is loaded via `HEADLAMP_PLUGINS_DIR` volume mount.
+E2E tests run automatically in GitHub Actions on pushes to `main` and pull requests. The workflow (`.github/workflows/e2e.yaml`) uses either Authentik OIDC or token-based authentication via repository secrets.

 ### Required GitHub Secrets

@@ -21,12 +12,12 @@ Configure these in GitHub repository settings (Settings → Secrets and variable

 | Secret               | Required | Description                                                    |
 | -------------------- | -------- | -------------------------------------------------------------- |
+| `HEADLAMP_URL`       | Optional | Headlamp instance URL (defaults to `https://headlamp.animaniacs.farh.net`) |
 | `AUTHENTIK_USERNAME` | OIDC     | Authentik email or username for a CI user with Headlamp access |
 | `AUTHENTIK_PASSWORD` | OIDC     | Password for that user                                         |
+| `HEADLAMP_TOKEN`     | Token    | Kubernetes service account token (alternative to OIDC)         |

-Token-based auth is auto-generated by the deploy script. OIDC secrets are only needed if testing against the shared Headlamp instance.
-
-No `GHCR_TOKEN` or Docker registry secrets are needed — the stock Headlamp image is public.
+Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` **or** `HEADLAMP_TOKEN`. OIDC takes priority if both are set.

 ## Running Locally

@@ -56,12 +47,12 @@ HEADLAMP_URL=http://localhost:4466 npm run e2e:headed

 | Variable             | Required | Default                                | Description                             |
 | -------------------- | -------- | -------------------------------------- | --------------------------------------- |
-| `HEADLAMP_URL`       | No       | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance                    |
-| `AUTHENTIK_USERNAME` | OIDC     | —                                      | Authentik email/username                             |
-| `AUTHENTIK_PASSWORD` | OIDC     | —                                      | Authentik password                                   |
-| `HEADLAMP_TOKEN`     | Token    | —                                      | Kubernetes bearer token (auto-generated in CI)       |
+| `HEADLAMP_URL`       | No       | `https://headlamp.animaniacs.farh.net` | Base URL of the Headlamp instance       |
+| `AUTHENTIK_USERNAME` | OIDC     | —                                      | Authentik email/username                |
+| `AUTHENTIK_PASSWORD` | OIDC     | —                                      | Authentik password                      |
+| `HEADLAMP_TOKEN`     | Token    | —                                      | Kubernetes bearer token (fallback auth) |

-In CI, `HEADLAMP_URL` and `HEADLAMP_TOKEN` are set automatically by the deploy script. For local runs, set either OIDC credentials or a token manually.
+Set either `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` or `HEADLAMP_TOKEN`. OIDC takes priority if both are set.

 ## What the Tests Validate

@@ -258,25 +249,25 @@ test('plugin UI adapts to dark mode', async ({ page }) => {

 Tests run automatically in GitHub Actions on pushes to `main` and pull requests. See `.github/workflows/e2e.yaml` for workflow configuration.

-### Architecture
+### Required Secrets

-The E2E workflow deploys a **dedicated Headlamp instance** for each test run:
+Configure these in GitHub repository settings (Settings → Secrets and variables → Actions):

-1. Build plugin (`npm run build`)
-2. Create ConfigMap from `dist/` output (`scripts/deploy-e2e-headlamp.sh`)
-3. Deploy stock Headlamp via Helm with ConfigMap volume mount
-4. Run Playwright tests against the E2E instance
-5. Tear down (`scripts/teardown-e2e-headlamp.sh`)
+- `HEADLAMP_URL` (optional): Headlamp instance URL
+- `AUTHENTIK_USERNAME` + `AUTHENTIK_PASSWORD` (for OIDC auth)
+- OR `HEADLAMP_TOKEN` (for token-based auth)

-No custom Docker images, no PVCs, no kubectl exec/cp, no patching of existing deployments. The plugin is mounted from a ConfigMap into the stock Headlamp image.
+### Workflow Overview

-### Cluster Prerequisites
-
-One-time setup by a cluster admin:
-
-```bash
-kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
-```
+1. Checkout code
+2. Setup Node.js 20 with npm cache
+3. Install dependencies (`npm ci`)
+4. Install Playwright browsers (`chromium` only)
+5. Run auth setup (creates session in `e2e/.auth/state.json`)
+6. Run all E2E tests
+7. Upload artifacts on failure:
+   - `playwright-report/` - HTML test report
+   - `test-results/` - Screenshots, traces, videos

 ### Manual Trigger

@@ -39,20 +39,13 @@ async function authenticateWithOIDC(page: Page, username: string, password: stri
 }

 async function authenticateWithToken(page: Page, token: string): Promise<void> {
+  // Navigate to login — Headlamp redirects / to /c/main/login
  await page.goto('/');
-  // Headlamp goes to /token directly when no OIDC is configured,
-  // or through /login when OIDC is configured
-  await page.waitForURL(/\/(login|token)$/);
+  await page.waitForURL('**/login');

-  if (page.url().includes('/login')) {
-    // OIDC login page — click "use a token" to reach token auth.
-    // Wait explicitly before clicking so failures surface at 15 s
-    // with a clear message rather than silently timing out at 60 s.
-    const useTokenBtn = page.getByRole('button', { name: /use a token/i });
-    await useTokenBtn.waitFor({ state: 'visible', timeout: 15_000 });
-    await useTokenBtn.click();
-    await page.waitForURL('**/token');
-  }
+  // Click the token auth option
+  await page.getByRole('button', { name: /use a token/i }).click();
+  await page.waitForURL('**/token');

  // Fill the "ID token" field and submit
  await page.getByRole('textbox', { name: /id token/i }).fill(token);
@@ -2,17 +2,11 @@ import { test, expect, Page } from '@playwright/test';

 /** Navigate to the Polaris plugin settings page and wait for settings to render. */
 async function goToPolarisSettings(page: Page) {
-  // Headlamp's plugin settings page is a HOME-context route at /settings/plugins,
-  // not an in-cluster route (/c/main/settings/plugins would 404). Headlamp loads
-  // plugin scripts asynchronously on SPA init. When registerPluginSettings() fires,
-  // it dispatches a Redux action — PluginSettings uses useTypedSelector so it
-  // re-renders automatically once the plugin registers. No preloading needed.
-  await page.goto('/settings/plugins');
+  await page.goto('/c/main/settings/plugins');

-  // Wait for the plugin to appear in the settings list. The timeout covers
-  // async plugin script loading + registration.
-  const pluginEntry = page.locator('text=headlamp-polaris').first();
-  await expect(pluginEntry).toBeVisible({ timeout: 30_000 });
+  // Find and click the Polaris plugin entry to open its settings
+  const pluginEntry = page.locator('text=polaris').first();
+  await expect(pluginEntry).toBeVisible({ timeout: 15_000 });
  await pluginEntry.click();

  // Wait for the PolarisSettings component to render
@@ -1,12 +1,12 @@
 {
  "name": "headlamp-polaris",
-  "version": "1.0.0",
+  "version": "0.7.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "headlamp-polaris",
-      "version": "1.0.0",
+      "version": "0.7.1",
      "license": "Apache-2.0",
      "devDependencies": {
        "@kinvolk/headlamp-plugin": "^0.13.0",
@@ -17,14 +17,10 @@
        "@testing-library/user-event": "^14.5.2",
        "@types/react": "^19.2.14",
        "@types/react-dom": "^19.2.3",
-        "@vitest/coverage-v8": "^3.2.4",
        "jsdom": "^24.0.0",
        "react": "^18.3.1",
        "react-dom": "^18.3.1",
        "react-router-dom": "^5.3.0",
-        "tar": "^7.5.11",
-        "typescript": "~5.6.2",
-        "undici": "^7.24.3",
        "vitest": "^3.0.5"
      },
      "peerDependencies": {
@@ -39,20 +35,6 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/@ampproject/remapping": {
-      "version": "2.3.0",
-      "resolved": "https://registry.npmjs.org/@ampproject/remapping/-/remapping-2.3.0.tgz",
-      "integrity": "sha512-30iZtAPgz+LTIYoeivqYo853f02jBYSd5uGnGpkFV0M3xOt9aN73erkgYAmZU43x4VfqcnLxW9Kpg3R5LC4YYw==",
-      "dev": true,
-      "license": "Apache-2.0",
-      "dependencies": {
-        "@jridgewell/gen-mapping": "^0.3.5",
-        "@jridgewell/trace-mapping": "^0.3.24"
-      },
-      "engines": {
-        "node": ">=6.0.0"
-      }
-    },
    "node_modules/@apidevtools/json-schema-ref-parser": {
      "version": "11.7.2",
      "resolved": "https://registry.npmjs.org/@apidevtools/json-schema-ref-parser/-/json-schema-ref-parser-11.7.2.tgz",
@@ -447,16 +429,6 @@
        "node": ">=6.9.0"
      }
    },
-    "node_modules/@bcoe/v8-coverage": {
-      "version": "1.0.2",
-      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
-      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
-      "dev": true,
-      "license": "MIT",
-      "engines": {
-        "node": ">=18"
-      }
-    },
    "node_modules/@bundled-es-modules/cookie": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/@bundled-es-modules/cookie/-/cookie-2.0.1.tgz",
@@ -4872,40 +4844,6 @@
        "vitest": "3.2.4"
      }
    },
-    "node_modules/@vitest/coverage-v8": {
-      "version": "3.2.4",
-      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-3.2.4.tgz",
-      "integrity": "sha512-EyF9SXU6kS5Ku/U82E259WSnvg6c8KTjppUncuNdm5QHpe17mwREHnjDzozC8x9MZ0xfBUFSaLkRv4TMA75ALQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@ampproject/remapping": "^2.3.0",
-        "@bcoe/v8-coverage": "^1.0.2",
-        "ast-v8-to-istanbul": "^0.3.3",
-        "debug": "^4.4.1",
-        "istanbul-lib-coverage": "^3.2.2",
-        "istanbul-lib-report": "^3.0.1",
-        "istanbul-lib-source-maps": "^5.0.6",
-        "istanbul-reports": "^3.1.7",
-        "magic-string": "^0.30.17",
-        "magicast": "^0.3.5",
-        "std-env": "^3.9.0",
-        "test-exclude": "^7.0.1",
-        "tinyrainbow": "^2.0.0"
-      },
-      "funding": {
-        "url": "https://opencollective.com/vitest"
-      },
-      "peerDependencies": {
-        "@vitest/browser": "3.2.4",
-        "vitest": "3.2.4"
-      },
-      "peerDependenciesMeta": {
-        "@vitest/browser": {
-          "optional": true
-        }
-      }
-    },
    "node_modules/@vitest/expect": {
      "version": "3.2.4",
      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-3.2.4.tgz",
@@ -5711,35 +5649,6 @@
      "dev": true,
      "license": "MIT"
    },
-    "node_modules/ast-v8-to-istanbul": {
-      "version": "0.3.12",
-      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-0.3.12.tgz",
-      "integrity": "sha512-BRRC8VRZY2R4Z4lFIL35MwNXmwVqBityvOIwETtsCSwvjl0IdgFsy9NhdaA6j74nUdtJJlIypeRhpDam19Wq3g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@jridgewell/trace-mapping": "^0.3.31",
-        "estree-walker": "^3.0.3",
-        "js-tokens": "^10.0.0"
-      }
-    },
-    "node_modules/ast-v8-to-istanbul/node_modules/estree-walker": {
-      "version": "3.0.3",
-      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
-      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "@types/estree": "^1.0.0"
-      }
-    },
-    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
-      "version": "10.0.0",
-      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
-      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
-      "dev": true,
-      "license": "MIT"
-    },
    "node_modules/astral-regex": {
      "version": "2.0.0",
      "resolved": "https://registry.npmjs.org/astral-regex/-/astral-regex-2.0.0.tgz",
@@ -1,6 +1,6 @@
 {
  "name": "headlamp-polaris",
-  "version": "1.0.0",
+  "version": "0.7.1",
  "description": "Headlamp plugin for Fairwinds Polaris audit results",
  "repository": {
    "type": "git",
@@ -12,7 +12,6 @@
  "homepage": "https://github.com/privilegedescalation/headlamp-polaris-plugin#readme",
  "author": "privilegedescalation",
  "license": "Apache-2.0",
-  "packageManager": "pnpm@10.32.1",
  "scripts": {
    "start": "headlamp-plugin start",
    "build": "headlamp-plugin build",
@@ -31,17 +30,6 @@
    "react": "^18.0.0",
    "react-dom": "^18.0.0"
  },
-  "pnpm": {
-    "overrides": {
-      "tar": "^7.5.11",
-      "undici": "^7.24.3",
-      "flatted": "^3.4.2",
-      "lodash": ">=4.18.0",
-      "picomatch": ">=4.0.4",
-      "vite": ">=6.4.2",
-      "elliptic": ">=6.6.1"
-    }
-  },
  "devDependencies": {
    "@kinvolk/headlamp-plugin": "^0.13.0",
    "@mui/material": "^5.15.14",
@@ -51,17 +39,10 @@
    "@testing-library/user-event": "^14.5.2",
    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitest/coverage-v8": "^3.2.4",
-    "@headlamp-k8s/eslint-config": "^0.6.0",
-    "eslint": "^8.57.0",
    "jsdom": "^24.0.0",
-    "prettier": "^2.8.8",
    "react": "^18.3.1",
    "react-dom": "^18.3.1",
    "react-router-dom": "^5.3.0",
-    "tar": "^7.5.11",
-    "typescript": "~5.6.2",
-    "undici": "^7.24.3",
    "vitest": "^3.0.5"
  }
 }
@@ -1,5 +1,19 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>privilegedescalation/.github:renovate-config"]
+  "extends": ["config:recommended"],
+  "baseBranches": ["main"],
+  "schedule": ["every weekend"],
+  "prConcurrentLimit": 10,
+  "packageRules": [
+    {
+      "matchManagers": ["npm"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "npm minor and patch"
+    },
+    {
+      "matchManagers": ["github-actions"],
+      "matchUpdateTypes": ["minor", "patch"],
+      "groupName": "github-actions minor and patch"
+    }
+  ]
 }
-
@@ -1,210 +0,0 @@
-#!/usr/bin/env bash
-# deploy-e2e-headlamp.sh
-#
-# Deploys a stock Headlamp instance with the polaris plugin loaded via
-# a ConfigMap volume mount. No custom Docker images — the plugin is built
-# in CI and injected as a ConfigMap.
-#
-# E2E resources are deployed to the `headlamp-dev` namespace. Nothing
-# persists beyond a test run — teardown cleans up all created resources.
-#
-# Prerequisites:
-#   - Plugin built (dist/ exists with plugin-main.js + package.json)
-#   - kubectl configured with cluster access
-#   - RBAC applied (managed by Flux GitOps in privilegedescalation/infra)
-#
-# Environment:
-#   E2E_NAMESPACE     — namespace for E2E Headlamp (default: headlamp-dev)
-#   E2E_RELEASE       — release/resource name prefix (default: headlamp-e2e)
-#   HEADLAMP_VERSION  — Headlamp image tag (default: v0.40.1, pinned to match production)
-set -euo pipefail
-
-REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-DIST_DIR="$REPO_ROOT/dist"
-
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
-E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
-HEADLAMP_VERSION="${HEADLAMP_VERSION:-v0.40.1}"
-
-if [ ! -d "$DIST_DIR" ]; then
-  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
-  exit 1
-fi
-
-# --- Preflight: verify RBAC before touching the cluster ---
-echo "Checking RBAC permissions in namespace '${E2E_NAMESPACE}'..."
-if ! kubectl auth can-i delete configmaps -n "$E2E_NAMESPACE" --quiet 2>/dev/null; then
-  echo "ERROR: Missing RBAC — cannot delete configmaps in namespace '${E2E_NAMESPACE}'." >&2
-  echo "  Apply RBAC first: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml" >&2
-  exit 1
-fi
-
-echo "=== E2E Headlamp Deployment ==="
-echo "  Image:     ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}"
-echo "  Namespace: $E2E_NAMESPACE"
-echo "  Release:   $E2E_RELEASE"
-
-# --- Create ConfigMap from built plugin ---
-echo ""
-echo "Creating ConfigMap with plugin files..."
-
-# Delete existing ConfigMap if present (idempotent redeploy)
-kubectl delete configmap headlamp-polaris-plugin \
-  -n "$E2E_NAMESPACE" --ignore-not-found
-
-# Create ConfigMap from dist/ contents and package.json
-kubectl create configmap headlamp-polaris-plugin \
-  -n "$E2E_NAMESPACE" \
-  --from-file="$DIST_DIR" \
-  --from-file=package.json="$REPO_ROOT/package.json"
-
-# --- Tear down any existing E2E deployment for a clean start ---
-# kubectl apply without prior deletion only patches in-place: if the pod spec is
-# unchanged between runs, no new rollout is triggered and a degraded pod keeps
-# serving. Delete first to guarantee a fresh pod regardless of prior state.
-echo ""
-echo "Removing any existing E2E deployment (clean-start)..."
-kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
-kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
-kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found --wait
-
-# --- Deploy Headlamp via kubectl apply ---
-echo ""
-echo "Deploying Headlamp E2E instance..."
-
-kubectl apply -f - <<EOF
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: ${E2E_RELEASE}
-  namespace: ${E2E_NAMESPACE}
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: ${E2E_RELEASE}
-  namespace: ${E2E_NAMESPACE}
-  labels:
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: ${E2E_RELEASE}
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app.kubernetes.io/name: headlamp
-      app.kubernetes.io/instance: ${E2E_RELEASE}
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/name: headlamp
-        app.kubernetes.io/instance: ${E2E_RELEASE}
-    spec:
-      serviceAccountName: ${E2E_RELEASE}
-      automountServiceAccountToken: true
-      securityContext: {}
-      containers:
-        - name: headlamp
-          image: ghcr.io/headlamp-k8s/headlamp:${HEADLAMP_VERSION}
-          imagePullPolicy: IfNotPresent
-          securityContext:
-            runAsNonRoot: true
-            privileged: false
-            runAsUser: 100
-            runAsGroup: 101
-          args:
-            - "-in-cluster"
-            - "-in-cluster-context-name=main"
-            - "-plugins-dir=/headlamp/plugins"
-          ports:
-            - name: http
-              containerPort: 4466
-              protocol: TCP
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-            initialDelaySeconds: 5
-            periodSeconds: 5
-            failureThreshold: 6
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-            initialDelaySeconds: 10
-            periodSeconds: 10
-          volumeMounts:
-            - name: polaris-plugin
-              mountPath: /headlamp/plugins/headlamp-polaris
-              readOnly: true
-      volumes:
-        - name: polaris-plugin
-          configMap:
-            name: headlamp-polaris-plugin
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: ${E2E_RELEASE}
-  namespace: ${E2E_NAMESPACE}
-  labels:
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: ${E2E_RELEASE}
-spec:
-  type: ClusterIP
-  selector:
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: ${E2E_RELEASE}
-  ports:
-    - name: http
-      port: 80
-      targetPort: http
-      protocol: TCP
-EOF
-
-echo "Waiting for rollout..."
-kubectl rollout status "deployment/${E2E_RELEASE}" \
-  -n "$E2E_NAMESPACE" --timeout=120s
-
-# --- Generate a service URL for tests ---
-SVC_URL="http://${E2E_RELEASE}.${E2E_NAMESPACE}.svc.cluster.local"
-
-# --- Wait for DNS and HTTP reachability ---
-# rollout status only confirms the pod is ready per readinessProbe.
-# Kubernetes Service DNS may still be propagating to the runner pod.
-# Poll until the service is reachable over HTTP before handing off.
-echo ""
-echo "Waiting for ${SVC_URL} to be reachable..."
-ATTEMPTS=0
-MAX_ATTEMPTS=24  # 24 × 5s = 120s max
-until curl -sf --max-time 5 "${SVC_URL}" -o /dev/null 2>/dev/null; do
-  ATTEMPTS=$((ATTEMPTS + 1))
-  if [ "$ATTEMPTS" -ge "$MAX_ATTEMPTS" ]; then
-    echo "ERROR: ${SVC_URL} not reachable after $((MAX_ATTEMPTS * 5))s" >&2
-    exit 1
-  fi
-  echo "  [${ATTEMPTS}/${MAX_ATTEMPTS}] not yet reachable, retrying in 5s..."
-  sleep 5
-done
-echo ""
-echo "E2E Headlamp is ready at: ${SVC_URL}"
-echo "  export HEADLAMP_URL=${SVC_URL}"
-
-# --- Generate a token for test auth ---
-echo ""
-echo "Creating service account token for E2E auth..."
-kubectl create serviceaccount headlamp-e2e-test \
-  -n "$E2E_NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
-
-TOKEN=$(kubectl create token headlamp-e2e-test -n "$E2E_NAMESPACE" --duration=1h 2>/dev/null || echo "")
-if [ -n "$TOKEN" ]; then
-  echo "  export HEADLAMP_TOKEN=<generated>"
-  echo ""
-  echo "HEADLAMP_URL=${SVC_URL}" > "$REPO_ROOT/.env.e2e"
-  echo "HEADLAMP_TOKEN=${TOKEN}" >> "$REPO_ROOT/.env.e2e"
-  echo "Wrote .env.e2e with HEADLAMP_URL and HEADLAMP_TOKEN"
-else
-  echo "  WARNING: Could not generate token. Set HEADLAMP_TOKEN manually or use OIDC."
-fi
-
-echo ""
-echo "E2E deployment complete."
@@ -1,34 +0,0 @@
-#!/usr/bin/env bash
-# teardown-e2e-headlamp.sh
-#
-# Tears down the dedicated E2E Headlamp instance deployed by deploy-e2e-headlamp.sh.
-#
-# Environment:
-#   E2E_NAMESPACE  — namespace to clean up (default: headlamp-dev)
-#   E2E_RELEASE    — release/resource name prefix (default: headlamp-e2e)
-set -euo pipefail
-
-REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
-
-E2E_NAMESPACE="${E2E_NAMESPACE:-headlamp-dev}"
-E2E_RELEASE="${E2E_RELEASE:-headlamp-e2e}"
-
-echo "=== E2E Headlamp Teardown ==="
-echo "  Namespace: $E2E_NAMESPACE"
-echo "  Release:   $E2E_RELEASE"
-
-echo "Removing Headlamp Deployment, Service, and ServiceAccount..."
-kubectl delete deployment "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
-kubectl delete service "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
-kubectl delete serviceaccount "${E2E_RELEASE}" -n "$E2E_NAMESPACE" --ignore-not-found
-
-echo "Cleaning up ConfigMap..."
-kubectl delete configmap headlamp-polaris-plugin -n "$E2E_NAMESPACE" --ignore-not-found
-
-echo "Cleaning up test service account..."
-kubectl delete serviceaccount headlamp-e2e-test -n "$E2E_NAMESPACE" --ignore-not-found
-
-# Clean up local env file
-rm -f "$REPO_ROOT/.env.e2e"
-
-echo "Teardown complete."
@@ -7,7 +7,13 @@ import { makeAuditData, makeResult } from '../test-utils';
 // Mock Headlamp lib
 vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
  ApiProxy: { request: vi.fn() },
-  K8s: {},
+  K8s: {
+    useCluster: () => 'test-cluster',
+  },
+  Router: {
+    createRouteURL: (name: string, params?: { cluster?: string }) =>
+      `/c/${params?.cluster ?? 'default'}/${name}`,
+  },
 }));

 vi.mock('@mui/material/styles', () => ({
@@ -25,15 +31,6 @@ vi.mock('react-router-dom', () => ({
  useHistory: () => ({ push: mockPush }),
 }));

-// Set window.location.pathname for cluster extraction
-beforeEach(() => {
-  Object.defineProperty(window, 'location', {
-    value: { pathname: '/c/test-cluster/some-page' },
-    writable: true,
-  });
-  mockPush.mockClear();
-});
-
 const mockUsePolarisDataContext = vi.fn();
 vi.mock('../api/PolarisDataContext', () => ({
  usePolarisDataContext: () => mockUsePolarisDataContext(),
@@ -100,7 +97,7 @@ describe('AppBarScoreBadge', () => {
    expect(button.style.backgroundColor).toBe('rgb(244, 67, 54)');
  });

-  it('navigates to /c/<cluster>/polaris on click', async () => {
+  it('navigates to /polaris on click', async () => {
    const user = userEvent.setup();
    const data = makeAuditData([
      makeResult({
@@ -123,33 +120,6 @@ describe('AppBarScoreBadge', () => {
    expect(mockPush).toHaveBeenCalledWith('/c/test-cluster/polaris');
  });

-  it('navigates to /polaris when no cluster in URL', async () => {
-    Object.defineProperty(window, 'location', {
-      value: { pathname: '/settings' },
-      writable: true,
-    });
-    const user = userEvent.setup();
-    const data = makeAuditData([
-      makeResult({
-        Results: {
-          c1: {
-            ID: 'c1',
-            Message: '',
-            Details: [],
-            Success: true,
-            Severity: 'warning',
-            Category: 'X',
-          },
-        },
-      }),
-    ]);
-    mockUsePolarisDataContext.mockReturnValue({ data, loading: false });
-
-    render(<AppBarScoreBadge />);
-    await user.click(screen.getByRole('button'));
-    expect(mockPush).toHaveBeenCalledWith('/polaris');
-  });
-
  it('has correct aria-label', () => {
    const data = makeAuditData([
      makeResult({
@@ -1,21 +1,10 @@
+import { K8s, Router } from '@kinvolk/headlamp-plugin/lib';
 import { useTheme } from '@mui/material/styles';
 import React from 'react';
 import { useHistory } from 'react-router-dom';
 import { computeScore, countResults } from '../api/polaris';
 import { usePolarisDataContext } from '../api/PolarisDataContext';

-/**
- * Extract the cluster name from the current browser URL.
- * Headlamp cluster routes follow the pattern /c/<cluster>/...
- * We read window.location.pathname directly because the AppBar renders
- * outside the cluster route context, so useCluster() returns null and
- * React Router's useLocation() may not reflect the cluster prefix.
- */
-function getClusterFromUrl(): string | null {
-  const match = window.location.pathname.match(/\/c\/([^/]+)/);
-  return match ? match[1] : null;
-}
-
 /**
 * App bar badge showing cluster Polaris score
 * Clicking navigates to the overview dashboard
@@ -24,6 +13,7 @@ export default function AppBarScoreBadge() {
  const theme = useTheme();
  const { data, loading } = usePolarisDataContext();
  const history = useHistory();
+  const cluster = K8s.useCluster();

  if (loading || !data) {
    return null; // Graceful degradation when Polaris unavailable
@@ -46,9 +36,7 @@ export default function AppBarScoreBadge() {
  };

  const handleClick = () => {
-    const cluster = getClusterFromUrl();
-    const prefix = cluster ? `/c/${cluster}` : '';
-    history.push(`${prefix}/polaris`);
+    history.push(Router.createRouteURL('polaris', { cluster: cluster ?? '' }));
  };

  return (
@@ -1,432 +0,0 @@
-import { fireEvent, render, screen, waitFor } from '@testing-library/react';
-import React from 'react';
-import { describe, expect, it, vi } from 'vitest';
-import { makeResult } from '../test-utils';
-
-const { mockApiRequest } = vi.hoisted(() => ({ mockApiRequest: vi.fn() }));
-
-vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
-  ApiProxy: { request: mockApiRequest },
-}));
-
-vi.mock('@mui/material/styles', () => ({
-  useTheme: () => ({
-    palette: {
-      primary: { main: '#1976d2', contrastText: '#fff' },
-      action: { disabledBackground: '#e0e0e0', disabled: '#9e9e9e' },
-      divider: '#e0e0e0',
-    },
-  }),
-}));
-
-vi.mock('@kinvolk/headlamp-plugin/lib/CommonComponents', () => ({
-  SectionBox: ({ title, children }: { title?: string; children?: React.ReactNode }) => (
-    <div data-testid="section-box" data-title={title}>
-      {children}
-    </div>
-  ),
-  StatusLabel: ({ status, children }: { status: string; children?: React.ReactNode }) => (
-    <span data-testid="status-label" data-status={status}>
-      {children}
-    </span>
-  ),
-  Dialog: ({
-    open,
-    children,
-    title,
-  }: {
-    open: boolean;
-    onClose?: () => void;
-    title?: string;
-    children?: React.ReactNode;
-  }) =>
-    open ? (
-      <div data-testid="dialog" data-title={title}>
-        {children}
-      </div>
-    ) : null,
-}));
-
-import ExemptionManager from './ExemptionManager';
-
-const defaultProps = {
-  workloadResult: makeResult(),
-  namespace: 'default',
-  kind: 'Deployment',
-  name: 'my-deploy',
-};
-
-const resultWithPodFailures = makeResult({
-  PodResult: {
-    Name: 'pod',
-    Results: {
-      hostIPCSet: {
-        ID: 'hostIPCSet',
-        Message: 'Host IPC is set',
-        Details: [],
-        Success: false,
-        Severity: 'danger',
-        Category: 'Security',
-      },
-      hostPIDSet: {
-        ID: 'hostPIDSet',
-        Message: 'Host PID is set',
-        Details: [],
-        Success: false,
-        Severity: 'danger',
-        Category: 'Security',
-      },
-    },
-    ContainerResults: [],
-  },
-});
-
-const resultWithContainerFailures = makeResult({
-  PodResult: {
-    Name: 'pod',
-    Results: {},
-    ContainerResults: [
-      {
-        Name: 'container-1',
-        Results: {
-          cpuRequestsMissing: {
-            ID: 'cpuRequestsMissing',
-            Message: 'CPU requests missing',
-            Details: [],
-            Success: false,
-            Severity: 'warning',
-            Category: 'Efficiency',
-          },
-        },
-      },
-    ],
-  },
-});
-
-const resultWithIgnoredFailures = makeResult({
-  PodResult: {
-    Name: 'pod',
-    Results: {
-      hostIPCSet: {
-        ID: 'hostIPCSet',
-        Message: '',
-        Details: [],
-        Success: false,
-        Severity: 'ignore',
-        Category: 'Security',
-      },
-    },
-    ContainerResults: [],
-  },
-});
-
-describe('ExemptionManager', () => {
-  describe('rendering failing checks', () => {
-    it('shows disabled Add Exemption button when no failing checks', () => {
-      render(<ExemptionManager {...defaultProps} />);
-      const btn = screen.getByRole('button', { name: /add exemption/i });
-      expect(btn).toBeDisabled();
-    });
-
-    it('shows enabled Add Exemption button when there are failing checks', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      const btn = screen.getByRole('button', { name: /add exemption/i });
-      expect(btn).not.toBeDisabled();
-    });
-
-    it('does not include ignored-severity checks as failing', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithIgnoredFailures} />);
-      const btn = screen.getByRole('button', { name: /add exemption/i });
-      expect(btn).toBeDisabled();
-    });
-
-    it('collects failing checks from pod-level results', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      expect(screen.getByText('Host IPC')).toBeInTheDocument();
-      expect(screen.getByText('Host PID')).toBeInTheDocument();
-    });
-
-    it('collects failing checks from container-level results', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithContainerFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      expect(screen.getByText('CPU Requests')).toBeInTheDocument();
-    });
-
-    it('deduplicates checks that appear in multiple containers', () => {
-      const resultWithDuplicate = makeResult({
-        PodResult: {
-          Name: 'pod',
-          Results: {},
-          ContainerResults: [
-            {
-              Name: 'container-1',
-              Results: {
-                cpuRequestsMissing: {
-                  ID: 'cpuRequestsMissing',
-                  Message: '',
-                  Details: [],
-                  Success: false,
-                  Severity: 'warning',
-                  Category: 'Efficiency',
-                },
-              },
-            },
-            {
-              Name: 'container-2',
-              Results: {
-                cpuRequestsMissing: {
-                  ID: 'cpuRequestsMissing',
-                  Message: '',
-                  Details: [],
-                  Success: false,
-                  Severity: 'warning',
-                  Category: 'Efficiency',
-                },
-              },
-            },
-          ],
-        },
-      });
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithDuplicate} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      const items = screen.getAllByText('CPU Requests');
-      expect(items).toHaveLength(1);
-    });
-  });
-
-  describe('dialog interactions', () => {
-    it('opens dialog when Add Exemption button is clicked', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      expect(screen.getByTestId('dialog')).toBeInTheDocument();
-    });
-
-    it('closes dialog when Cancel button is clicked', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      expect(screen.getByTestId('dialog')).toBeInTheDocument();
-      fireEvent.click(screen.getByRole('button', { name: /cancel/i }));
-      expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
-    });
-
-    it('toggles individual check selection', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-
-      // Find the checkbox next to "Host IPC"
-      const checkboxes = screen.getAllByRole('checkbox');
-      // First checkbox is "Exempt from all checks", rest are individual checks
-      const hostIPCCheckbox = checkboxes[1];
-      expect(hostIPCCheckbox).not.toBeChecked();
-      fireEvent.click(hostIPCCheckbox);
-      expect(hostIPCCheckbox).toBeChecked();
-      fireEvent.click(hostIPCCheckbox);
-      expect(hostIPCCheckbox).not.toBeChecked();
-    });
-
-    it('hides individual checks list when exempt-all is toggled', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      expect(screen.getByText('Host IPC')).toBeInTheDocument();
-
-      const exemptAllCheckbox = screen.getByRole('checkbox', { name: /exempt from all checks/i });
-      fireEvent.click(exemptAllCheckbox);
-      expect(screen.queryByText('Host IPC')).not.toBeInTheDocument();
-    });
-
-    it('Apply button is disabled when no checks selected and exemptAll is false', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      expect(screen.getByRole('button', { name: /apply/i })).toBeDisabled();
-    });
-
-    it('Apply button is enabled when exemptAll is checked', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      const exemptAllCheckbox = screen.getByRole('checkbox', { name: /exempt from all checks/i });
-      fireEvent.click(exemptAllCheckbox);
-      expect(screen.getByRole('button', { name: /apply/i })).not.toBeDisabled();
-    });
-
-    it('Apply button is enabled when at least one individual check is selected', () => {
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      const checkboxes = screen.getAllByRole('checkbox');
-      fireEvent.click(checkboxes[1]); // select first individual check
-      expect(screen.getByRole('button', { name: /apply/i })).not.toBeDisabled();
-    });
-  });
-
-  describe('ApiProxy.request calls', () => {
-    it('patches with exempt-all annotation when exemptAll is selected', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(mockApiRequest).toHaveBeenCalledWith(
-          '/apis/apps/v1/namespaces/default/deployments/my-deploy',
-          expect.objectContaining({
-            method: 'PATCH',
-            headers: { 'Content-Type': 'application/strategic-merge-patch+json' },
-            body: JSON.stringify({
-              metadata: {
-                annotations: { 'polaris.fairwinds.com/exempt': 'true' },
-              },
-            }),
-          })
-        );
-      });
-    });
-
-    it('patches with per-check annotations when individual checks selected', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      // Select first check (hostIPCSet)
-      fireEvent.click(screen.getAllByRole('checkbox')[1]);
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(mockApiRequest).toHaveBeenCalledWith(
-          '/apis/apps/v1/namespaces/default/deployments/my-deploy',
-          expect.objectContaining({
-            method: 'PATCH',
-            body: JSON.stringify({
-              metadata: {
-                annotations: { 'polaris.fairwinds.com/hostIPCSet-exempt': 'true' },
-              },
-            }),
-          })
-        );
-      });
-    });
-
-    it('uses core API path for Pod kind (no api group)', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(
-        <ExemptionManager {...defaultProps} kind="Pod" workloadResult={resultWithPodFailures} />
-      );
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(mockApiRequest).toHaveBeenCalledWith(
-          '/api/v1/namespaces/default/pods/my-deploy',
-          expect.anything()
-        );
-      });
-    });
-
-    it('uses batch API group for Job kind', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(
-        <ExemptionManager {...defaultProps} kind="Job" workloadResult={resultWithPodFailures} />
-      );
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(mockApiRequest).toHaveBeenCalledWith(
-          '/apis/batch/v1/namespaces/default/jobs/my-deploy',
-          expect.anything()
-        );
-      });
-    });
-
-    it('uses batch API group for CronJob kind', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(
-        <ExemptionManager {...defaultProps} kind="CronJob" workloadResult={resultWithPodFailures} />
-      );
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(mockApiRequest).toHaveBeenCalledWith(
-          '/apis/batch/v1/namespaces/default/cronjobs/my-deploy',
-          expect.anything()
-        );
-      });
-    });
-
-    it('uses apps API group for StatefulSet kind', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(
-        <ExemptionManager
-          {...defaultProps}
-          kind="StatefulSet"
-          workloadResult={resultWithPodFailures}
-        />
-      );
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(mockApiRequest).toHaveBeenCalledWith(
-          '/apis/apps/v1/namespaces/default/statefulsets/my-deploy',
-          expect.anything()
-        );
-      });
-    });
-  });
-
-  describe('feedback states', () => {
-    it('shows success feedback and closes dialog after successful apply', async () => {
-      mockApiRequest.mockResolvedValue({});
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
-        const label = screen.getByTestId('status-label');
-        expect(label).toHaveAttribute('data-status', 'success');
-        expect(label).toHaveTextContent('Exemptions applied successfully');
-      });
-    });
-
-    it('shows error feedback and keeps dialog closed after failed apply', async () => {
-      mockApiRequest.mockRejectedValue(new Error('403 Forbidden'));
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      await waitFor(() => {
-        const label = screen.getByTestId('status-label');
-        expect(label).toHaveAttribute('data-status', 'error');
-        expect(label).toHaveTextContent(/failed to apply exemptions/i);
-      });
-    });
-
-    it('shows "Applying..." text on Apply button while in-flight', async () => {
-      let resolveRequest!: () => void;
-      mockApiRequest.mockReturnValue(
-        new Promise<void>(res => {
-          resolveRequest = res;
-        })
-      );
-
-      render(<ExemptionManager {...defaultProps} workloadResult={resultWithPodFailures} />);
-      fireEvent.click(screen.getByRole('button', { name: /add exemption/i }));
-      fireEvent.click(screen.getByRole('checkbox', { name: /exempt from all checks/i }));
-      fireEvent.click(screen.getByRole('button', { name: /apply/i }));
-
-      expect(screen.getByRole('button', { name: /applying/i })).toBeInTheDocument();
-      resolveRequest();
-      await waitFor(() => {
-        expect(screen.queryByTestId('dialog')).not.toBeInTheDocument();
-      });
-    });
-  });
-});
@@ -9,16 +9,5 @@ export default defineConfig({
    environment: 'jsdom',
    setupFiles: ['./vitest.setup.ts'],
    exclude: ['e2e/**', 'node_modules/**'],
-    coverage: {
-      provider: 'v8',
-      include: ['src/**/*.{ts,tsx}'],
-      exclude: ['src/**/*.test.{ts,tsx}', 'src/test-utils.tsx', 'src/index.tsx'],
-      thresholds: {
-        lines: 80,
-        functions: 80,
-        branches: 80,
-        statements: 80,
-      },
-    },
  },
 });