release: v0.7.2

Co-authored-by: hugh-hackman[bot] <266376744+hugh-hackman[bot]@users.noreply.github.com>

.github/workflows/e2e.yaml

@@ -7,6 +7,10 @@ on:
     branches: [main]
   workflow_dispatch:
 
+env:
+  HEADLAMP_NAMESPACE: kube-system
+  HEADLAMP_DEPLOY: headlamp
+
 jobs:
   e2e:
     runs-on: local-ubuntu-latest
@@ -14,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -25,46 +29,104 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: Preflight — verify Headlamp and plugin version
+      - name: Build plugin
+        run: npm run build
+
+      - name: Setup kubectl
+        uses: azure/setup-kubectl@v4
+
+      - name: Ensure PVC exists
+        run: kubectl apply -f deployment/headlamp-plugins-pvc.yaml
+
+      - name: Patch Headlamp deployment with shared volume mount
+        run: |
+          NS="$HEADLAMP_NAMESPACE"
+          DEPLOY="$HEADLAMP_DEPLOY"
+
+          # Check if the plugins volume and mount already exist (by name or mountPath)
+          DEPLOY_JSON=$(kubectl get deploy "$DEPLOY" -n "$NS" -o json)
+          HAS_VOL=$(echo "$DEPLOY_JSON" | \
+            python3 -c "import sys,json; d=json.load(sys.stdin); vols=d['spec']['template']['spec'].get('volumes',[]); print('yes' if any(v.get('persistentVolumeClaim',{}).get('claimName')=='headlamp-plugins' or v.get('name')=='plugins' for v in vols) else '')")
+          HAS_MOUNT=$(echo "$DEPLOY_JSON" | \
+            python3 -c "import sys,json; d=json.load(sys.stdin); mounts=d['spec']['template']['spec']['containers'][0].get('volumeMounts',[]); print('yes' if any(m.get('mountPath')=='/headlamp/plugins' or m.get('name')=='plugins' for m in mounts) else '')")
+
+          NEEDS_PATCH=false
+
+          if [ -z "$HAS_VOL" ]; then
+            echo "Adding plugins PVC volume..."
+            kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
+              {"op":"add","path":"/spec/template/spec/volumes/-","value":{
+                "name":"plugins",
+                "persistentVolumeClaim":{"claimName":"headlamp-plugins"}
+              }}
+            ]'
+            NEEDS_PATCH=true
+          else
+            echo "Plugins volume already present, skipping."
+          fi
+
+          if [ -z "$HAS_MOUNT" ]; then
+            echo "Adding plugins volume mount..."
+            kubectl patch deploy "$DEPLOY" -n "$NS" --type=json -p '[
+              {"op":"add","path":"/spec/template/spec/containers/0/volumeMounts/-","value":{
+                "name":"plugins",
+                "mountPath":"/headlamp/plugins",
+                "readOnly":true
+              }}
+            ]'
+            NEEDS_PATCH=true
+          else
+            echo "Plugins volume mount already present, skipping."
+          fi
+
+          # Set the plugins directory via env var
+          kubectl set env deploy/"$DEPLOY" -n "$NS" \
+            HEADLAMP_CONFIG_PLUGIN_DIR=/headlamp/plugins
+
+          # Wait for rollout
+          kubectl rollout status deploy/"$DEPLOY" -n "$NS" --timeout=120s
+
+      - name: Deploy plugin via shared volume
+        run: scripts/deploy-plugin-via-volume.sh
+
+      - name: Preflight — verify Headlamp and plugin availability
         env:
           HEADLAMP_URL: ${{ secrets.HEADLAMP_URL || 'http://headlamp.kube-system.svc.cluster.local' }}
         run: |
+          PLUGIN_NAME=$(node -p "require('./package.json').name")
           EXPECTED=$(node -p "require('./package.json').version")
-          PLUGIN_NAME=$(node -p "require('./package.json').artifacthub?.name || require('./package.json').name")
+          echo "Expecting: $PLUGIN_NAME@$EXPECTED"
-          echo "Expected: $PLUGIN_NAME@$EXPECTED"
+
+          # Wait for Headlamp to be reachable
+          for i in $(seq 1 30); do
+            HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 "$HEADLAMP_URL" || true)
+            if [ "$HTTP_CODE" != "000" ]; then
+              echo "Headlamp responded HTTP $HTTP_CODE"
+              break
+            fi
+            echo "Waiting for Headlamp... ($i/30)"
+            sleep 2
+          done
 
-          # Check Headlamp connectivity
-          HTTP_CODE=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 10 "$HEADLAMP_URL" || true)
           if [ "$HTTP_CODE" = "000" ]; then
-            echo "::error::Cannot reach Headlamp at $HEADLAMP_URL"
+            echo "::error::Cannot reach Headlamp at $HEADLAMP_URL after 60s"
             exit 1
           fi
-          echo "Headlamp responded HTTP $HTTP_CODE"
 
-          # Check installed plugins and version match
+          # Verify plugin is visible
           PLUGIN_JSON=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins" 2>/dev/null || echo "[]")
           node -e "
-            const expected = '$EXPECTED';
-            const pluginName = '$PLUGIN_NAME';
             const plugins = JSON.parse(process.argv[1]);
             console.log('Installed plugins:');
             for (const p of plugins) console.log('  ' + p.name + '@' + (p.version||'unknown'));
-            const ours = plugins.find(p => p.name === pluginName || p.name === 'polaris' || p.name.includes('polaris'));
+            const ours = plugins.find(p => p.name === '$PLUGIN_NAME' || p.name === 'polaris' || p.name.includes('polaris'));
             if (!ours) {
-              console.log('::warning::Plugin ' + pluginName + ' not found in Headlamp — data-dependent tests will fail');
+              console.log('::warning::Plugin $PLUGIN_NAME not yet visible — Headlamp may need a restart');
             } else {
               console.log('Found plugin: ' + ours.name + ' at path ' + ours.path);
             }
           " "$PLUGIN_JSON"
 
-          # Fetch deployed plugin version from package.json
-          DEPLOYED_VERSION=$(curl -sf --connect-timeout 10 "$HEADLAMP_URL/plugins/$PLUGIN_NAME/package.json" 2>/dev/null \
-            | node -p "JSON.parse(require('fs').readFileSync(0,'utf8')).version" 2>/dev/null || echo "unknown")
-          echo "Deployed version: $DEPLOYED_VERSION"
-          if [ "$DEPLOYED_VERSION" != "$EXPECTED" ] && [ "$DEPLOYED_VERSION" != "unknown" ]; then
-            echo "::warning::Version mismatch — repo has $EXPECTED but Headlamp runs $DEPLOYED_VERSION. Tests may fail due to stale plugin."
-          fi
-
       - name: Install Playwright browsers
         run: npx playwright install --with-deps chromium
 

README.md

@@ -48,9 +48,14 @@ Polaris must be deployed in the `polaris` namespace with the dashboard component
 
 ## Installing
 
-### Option 1: Headlamp Plugin Manager (Recommended)
+The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris/headlamp-polaris-plugin). Install via the Headlamp UI:
 
-The plugin is published on [Artifact Hub](https://artifacthub.io/packages/headlamp/polaris/headlamp-polaris-plugin). Configure Headlamp via Helm:
+1. Go to **Settings → Plugins**
+2. Click **Catalog** tab
+3. Search for "Polaris"
+4. Click **Install**
+
+Or configure Headlamp via Helm:
 
 ```yaml
 config:
@@ -62,56 +67,6 @@ pluginsManager:
       url: https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
 ```
 
-Or install via the Headlamp UI:
-
-1. Go to **Settings → Plugins**
-2. Click **Catalog** tab
-3. Search for "Polaris"
-4. Click **Install**
-
-### Option 2: Sidecar Container (Alternative)
-
-For detailed sidecar installation instructions, see [docs/DEPLOYMENT.md#installation-method-2-sidecar-container](docs/DEPLOYMENT.md#installation-method-2-sidecar-container).
-
-```yaml
-sidecars:
-  - name: headlamp-plugin
-    image: node:lts-alpine
-    command: ['/bin/sh']
-    args:
-      - -c
-      - |
-        npm install -g @kinvolk/headlamp-plugin
-        headlamp-plugin install --config /config/plugin.yml
-        tail -f /dev/null
-    volumeMounts:
-      - name: plugins
-        mountPath: /headlamp/plugins
-      - name: plugin-config
-        mountPath: /config
-```
-
-### Option 3: Manual Tarball Install
-
-Download the `.tar.gz` from the [GitHub releases page](https://github.com/privilegedescalation/headlamp-polaris-plugin/releases), then extract into Headlamp's plugin directory:
-
-```bash
-wget https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.3.10/polaris-0.3.10.tar.gz
-tar xzf polaris-0.3.10.tar.gz -C /headlamp/plugins/
-```
-
-### Option 4: Build from Source
-
-```bash
-git clone https://github.com/privilegedescalation/headlamp-polaris-plugin.git
-cd headlamp-polaris-plugin
-npm install
-npm run build
-npx @kinvolk/headlamp-plugin extract . /headlamp/plugins
-```
-
-For complete installation instructions including Helm integration, FluxCD examples, and production deployment checklist, see **[docs/DEPLOYMENT.md](docs/DEPLOYMENT.md)**.
-
 ## RBAC / Security Setup
 
 The plugin fetches audit data through the Kubernetes API server's **service proxy** sub-resource. The identity making the request (Headlamp's service account, or the user's own token in token-auth mode) must be granted:

artifacthub-pkg.yml

@@ -1,4 +1,4 @@
-version: "0.7.0"
+version: "0.7.2"
 name: headlamp-polaris
 displayName: Polaris
 createdAt: "2026-02-05T19:00:00Z"
@@ -28,7 +28,7 @@ maintainers:
   - name: privilegedescalation
     email: "chris@farhood.org"
 annotations:
-  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.7.0/headlamp-polaris-0.7.0.tar.gz"
+  headlamp/plugin/archive-url: "https://github.com/privilegedescalation/headlamp-polaris-plugin/releases/download/v0.7.2/headlamp-polaris-0.7.2.tar.gz"
   headlamp/plugin/version-compat: ">=0.26"
-  headlamp/plugin/archive-checksum: sha256:69b7adf74416d72580981387b1861e2b5fcf7f96ae9f0620f85f623f8b6dab56
+  headlamp/plugin/archive-checksum: sha256:ce75449a05d3d3dd3c546db36a2257fae3e4601e466108182e64310a1a4f6d71
   headlamp/plugin/distro-compat: in-cluster

deployment/e2e-ci-runner-rbac.yaml

@@ -0,0 +1,59 @@
+---
+# RBAC for the GitHub Actions CI runner to perform E2E test setup.
+# CI-only test fixture — NOT for production use.
+#
+# Grants the ARC runner service account namespace-scoped permissions in
+# kube-system to patch the Headlamp deployment (add shared volume mount),
+# manage PVCs, run temporary pods, and restart deployments.
+#
+# No cluster-scoped permissions needed — the E2E workflow uses kubectl patch
+# instead of helm upgrade, avoiding the need to read ClusterRole/ClusterRoleBinding.
+#
+# Apply with: kubectl apply -f deployment/e2e-ci-runner-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: e2e-ci-runner
+  namespace: kube-system
+rules:
+  - apiGroups: [""]
+    resources: ["persistentvolumeclaims"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list", "create", "delete", "watch"]
+  - apiGroups: [""]
+    resources: ["pods/attach"]
+    verbs: ["create", "get"]
+  - apiGroups: ["apps"]
+    resources: ["deployments"]
+    verbs: ["get", "list", "patch", "watch"]
+  - apiGroups: ["apps"]
+    resources: ["deployments/scale"]
+    verbs: ["patch"]
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["services"]
+    verbs: ["get", "list", "create", "update", "patch", "delete"]
+  - apiGroups: [""]
+    resources: ["serviceaccounts"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: e2e-ci-runner-binding
+  namespace: kube-system
+subjects:
+  - kind: ServiceAccount
+    name: local-ubuntu-latest-gha-rs-no-permission
+    namespace: arc-runners
+roleRef:
+  kind: Role
+  name: e2e-ci-runner
+  apiGroup: rbac.authorization.k8s.io

deployment/headlamp-e2e-values.yaml

@@ -0,0 +1,22 @@
+---
+# Headlamp Helm values for E2E testing with shared volume plugin deployment.
+#
+# The CI runner and Headlamp pod share a PVC so that the runner can copy
+# built plugin artifacts directly into Headlamp's plugins directory.
+# This is a CI-only mechanism — production plugin distribution uses ArtifactHub.
+
+# Point Headlamp at the shared plugins mount
+config:
+  pluginsDir: /headlamp/plugins
+
+# PVC-backed volume shared with the CI runner
+volumes:
+  - name: plugins
+    persistentVolumeClaim:
+      claimName: headlamp-plugins
+
+# Mount into the Headlamp container
+volumeMounts:
+  - name: plugins
+    mountPath: /headlamp/plugins
+    readOnly: true

deployment/headlamp-plugins-pvc.yaml

@@ -0,0 +1,14 @@
+---
+# PVC for sharing built plugin artifacts between the CI runner and Headlamp.
+# Used only in E2E test environments — not for production.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: headlamp-plugins
+  namespace: kube-system
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 128Mi

deployment/headlamp-static-plugin-values.yaml

@@ -1,83 +0,0 @@
----
-# Custom Headlamp values for static plugin installation
-# This disables the plugin manager and uses an init container instead
-
-# Disable the plugin manager sidecar
-pluginsManager:
-  enabled: false
-
-# Use an init container to install plugins to /headlamp/static-plugins
-initContainers:
-  - name: install-plugins
-    image: node:lts-alpine
-    command:
-      - /bin/sh
-      - -c
-      - |
-        set -e
-        echo "Installing plugins to /headlamp/static-plugins..."
-
-        # Create plugins directory
-        mkdir -p /headlamp/static-plugins
-
-        # Set up npm cache
-        export NPM_CONFIG_CACHE=/tmp/npm-cache
-        export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
-        mkdir -p /tmp/npm-cache /tmp/npm-userconfig
-
-        # Install polaris plugin
-        echo "Installing polaris plugin..."
-        cd /headlamp/static-plugins
-        npm pack headlamp-polaris-plugin@0.3.0
-        tar -xzf headlamp-polaris-plugin-0.3.0.tgz
-        mv package headlamp-polaris-plugin
-        rm headlamp-polaris-plugin-0.3.0.tgz
-
-        # Install other plugins
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_flux \
-          --folderName /headlamp/static-plugins
-
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy \
-          --folderName /headlamp/static-plugins
-
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager \
-          --folderName /headlamp/static-plugins
-
-        npx --yes @headlamp-k8s/plugin@latest install \
-          --source https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_ai_assistant \
-          --folderName /headlamp/static-plugins
-
-        echo "All plugins installed successfully"
-        ls -la /headlamp/static-plugins
-    securityContext:
-      runAsUser: 100
-      runAsGroup: 101
-      runAsNonRoot: true
-      privileged: false
-    resources:
-      requests:
-        cpu: 100m
-        memory: 256Mi
-      limits:
-        memory: 512Mi
-    volumeMounts:
-      - name: static-plugins
-        mountPath: /headlamp/static-plugins
-
-# Configure headlamp to use static plugins
-config:
-  pluginsDir: /headlamp/static-plugins
-
-# Add volume for static plugins
-volumes:
-  - name: static-plugins
-    emptyDir: {}
-
-# Add volume mount to main container
-volumeMounts:
-  - name: static-plugins
-    mountPath: /headlamp/static-plugins
-    readOnly: true

docs/deployment/helm.md

@@ -19,7 +19,7 @@ Helm provides the easiest way to deploy and manage the plugin in production. Thi
 
 ```bash
 # Add Headlamp Helm repository
-helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
+helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
 helm repo update
 ```
 
@@ -210,7 +210,7 @@ metadata:
   namespace: flux-system
 spec:
   interval: 1h
-  url: https://headlamp-k8s.github.io/headlamp/
+  url: https://kubernetes-sigs.github.io/headlamp/
 ```
 
 ### HelmRelease

docs/getting-started/prerequisites.md

@@ -84,7 +84,7 @@ kubectl -n kube-system get deployment headlamp -o jsonpath='{.spec.template.spec
 
 ```bash
 # Add Headlamp Helm repository
-helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
+helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
 helm repo update
 
 # Install Headlamp

e2e/settings.spec.ts

@@ -2,11 +2,17 @@ import { test, expect, Page } from '@playwright/test';
 
 /** Navigate to the Polaris plugin settings page and wait for settings to render. */
 async function goToPolarisSettings(page: Page) {
-  await page.goto('/c/main/settings/plugins');
+  // Headlamp's plugin settings page is a HOME-context route at /settings/plugins,
+  // not an in-cluster route (/c/main/settings/plugins would 404). Headlamp loads
+  // plugin scripts asynchronously on SPA init. When registerPluginSettings() fires,
+  // it dispatches a Redux action — PluginSettings uses useTypedSelector so it
+  // re-renders automatically once the plugin registers. No preloading needed.
+  await page.goto('/settings/plugins');
 
-  // Find and click the Polaris plugin entry to open its settings
+  // Wait for the plugin to appear in the settings list. The timeout covers
-  const pluginEntry = page.locator('text=polaris').first();
+  // async plugin script loading + registration.
-  await expect(pluginEntry).toBeVisible({ timeout: 15_000 });
+  const pluginEntry = page.locator('text=headlamp-polaris').first();
+  await expect(pluginEntry).toBeVisible({ timeout: 30_000 });
   await pluginEntry.click();
 
   // Wait for the PolarisSettings component to render

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "headlamp-polaris",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "headlamp-polaris",
-      "version": "0.7.1",
+      "version": "0.7.2",
       "license": "Apache-2.0",
       "devDependencies": {
         "@kinvolk/headlamp-plugin": "^0.13.0",
@@ -21,6 +21,8 @@
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "react-router-dom": "^5.3.0",
+        "tar": "^7.5.11",
+        "undici": "^7.24.3",
         "vitest": "^3.0.5"
       },
       "peerDependencies": {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "headlamp-polaris",
-  "version": "0.7.1",
+  "version": "0.7.2",
   "description": "Headlamp plugin for Fairwinds Polaris audit results",
   "repository": {
     "type": "git",
@@ -30,6 +30,10 @@
     "react": "^18.0.0",
     "react-dom": "^18.0.0"
   },
+  "overrides": {
+    "tar": "^7.5.11",
+    "undici": "^7.24.3"
+  },
   "devDependencies": {
     "@kinvolk/headlamp-plugin": "^0.13.0",
     "@mui/material": "^5.15.14",
@@ -43,6 +47,8 @@
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-router-dom": "^5.3.0",
+    "tar": "^7.5.11",
+    "undici": "^7.24.3",
     "vitest": "^3.0.5"
   }
 }

scripts/deploy-plugin-via-volume.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+# deploy-plugin-via-volume.sh
+#
+# Copies the built plugin into the shared PVC so Headlamp picks it up.
+# Uses a temporary Kubernetes Job to write to the PVC — the CI runner
+# does NOT need the PVC mounted locally.
+#
+# Usage:
+#   scripts/deploy-plugin-via-volume.sh
+#
+# Environment:
+#   HEADLAMP_NAMESPACE  — namespace where Headlamp runs (default: kube-system)
+#   HEADLAMP_DEPLOY     — Headlamp deployment name (default: headlamp)
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+HEADLAMP_NAMESPACE="${HEADLAMP_NAMESPACE:-kube-system}"
+HEADLAMP_DEPLOY="${HEADLAMP_DEPLOY:-headlamp}"
+
+# The deployed directory name must match the package.json name and
+# the registerPluginSettings name. Headlamp identifies plugins by
+# reading package.json from each subdirectory of the plugins dir.
+PLUGIN_DIR_NAME="headlamp-polaris"
+DIST_DIR="$REPO_ROOT/dist"
+
+if [ ! -d "$DIST_DIR" ]; then
+  echo "ERROR: dist/ not found. Run 'npm run build' first." >&2
+  exit 1
+fi
+
+echo "Deploying plugin to shared volume via temporary job..."
+echo "  Source:    $DIST_DIR"
+echo "  PVC:       headlamp-plugins"
+echo "  Plugin:    $PLUGIN_DIR_NAME"
+
+# Create tarball of plugin dist + package.json
+TAR_FILE=$(mktemp /tmp/plugin-XXXXXX.tar.gz)
+tar -czf "$TAR_FILE" -C "$DIST_DIR" . -C "$REPO_ROOT" package.json
+echo "  Tarball:   $TAR_FILE ($(du -h "$TAR_FILE" | cut -f1))"
+
+# Find the node where Headlamp is running — the PVC is ReadWriteOnce so
+# the deploy job must land on the same node to mount it.
+HEADLAMP_NODE=$(kubectl get pods -n "$HEADLAMP_NAMESPACE" \
+  -l "app.kubernetes.io/name=headlamp" \
+  -o jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true)
+if [ -z "$HEADLAMP_NODE" ]; then
+  HEADLAMP_NODE=$(kubectl get pods -n "$HEADLAMP_NAMESPACE" \
+    -l "app.kubernetes.io/instance=headlamp" \
+    -o jsonpath='{.items[0].spec.nodeName}' 2>/dev/null || true)
+fi
+if [ -n "$HEADLAMP_NODE" ]; then
+  echo "  Headlamp node: $HEADLAMP_NODE (scheduling deploy job there)"
+fi
+
+# Clean up any previous deploy resources
+kubectl delete pod plugin-deploy -n "$HEADLAMP_NAMESPACE" --ignore-not-found --wait=true 2>/dev/null || true
+kubectl delete configmap plugin-tarball -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true
+sleep 2
+
+# Store the tarball in a ConfigMap (binary-safe via --from-file)
+echo "Creating ConfigMap with plugin tarball..."
+kubectl create configmap plugin-tarball \
+  -n "$HEADLAMP_NAMESPACE" \
+  --from-file=plugin.tar.gz="$TAR_FILE"
+
+# Build the Pod manifest as a temp file to avoid heredoc YAML escaping issues
+POD_FILE=$(mktemp /tmp/plugin-deploy-pod-XXXXXX.yaml)
+
+cat > "$POD_FILE" <<'YAMLDOC'
+apiVersion: v1
+kind: Pod
+metadata:
+  name: plugin-deploy
+spec:
+  restartPolicy: Never
+  containers:
+    - name: deploy
+      image: busybox:1.36
+      command: ["sh", "-c"]
+      args:
+        - |
+          echo "Cleaning up stale plugin directories..."
+          rm -rf /plugins/polaris /plugins/headlamp-polaris
+          echo "Extracting plugin to shared volume..."
+          mkdir -p /plugins/PLUGIN_DIR_PLACEHOLDER
+          tar -xzf /tarball/plugin.tar.gz -C /plugins/PLUGIN_DIR_PLACEHOLDER
+          echo "Files deployed:"
+          ls -la /plugins/PLUGIN_DIR_PLACEHOLDER/
+      volumeMounts:
+        - name: plugins
+          mountPath: /plugins
+        - name: tarball
+          mountPath: /tarball
+          readOnly: true
+  volumes:
+    - name: plugins
+      persistentVolumeClaim:
+        claimName: headlamp-plugins
+    - name: tarball
+      configMap:
+        name: plugin-tarball
+YAMLDOC
+
+# Substitute plugin dir name
+sed -i "s/PLUGIN_DIR_PLACEHOLDER/${PLUGIN_DIR_NAME}/g" "$POD_FILE"
+
+# Add nodeName if we know which node Headlamp is on
+if [ -n "$HEADLAMP_NODE" ]; then
+  sed -i "/restartPolicy: Never/i\\  nodeName: ${HEADLAMP_NODE}" "$POD_FILE"
+fi
+
+echo "Starting deploy pod..."
+kubectl apply -n "$HEADLAMP_NAMESPACE" -f "$POD_FILE"
+rm -f "$POD_FILE"
+
+# Wait for the pod to complete (Succeeded phase)
+echo "Waiting for deploy pod to complete..."
+kubectl wait --for=jsonpath='{.status.phase}'=Succeeded pod/plugin-deploy \
+  -n "$HEADLAMP_NAMESPACE" --timeout=120s
+
+# Show logs
+kubectl logs plugin-deploy -n "$HEADLAMP_NAMESPACE" 2>/dev/null || true
+
+# Clean up
+kubectl delete pod plugin-deploy -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true
+kubectl delete configmap plugin-tarball -n "$HEADLAMP_NAMESPACE" --ignore-not-found 2>/dev/null || true
+
+rm -f "$TAR_FILE"
+
+# Restart Headlamp to pick up the new plugin
+echo "Restarting Headlamp deployment to load plugin..."
+kubectl rollout restart "deployment/$HEADLAMP_DEPLOY" -n "$HEADLAMP_NAMESPACE"
+kubectl rollout status "deployment/$HEADLAMP_DEPLOY" -n "$HEADLAMP_NAMESPACE" --timeout=120s
+
+echo "Plugin deployed successfully."

src/components/AppBarScoreBadge.test.tsx

@@ -7,13 +7,7 @@ import { makeAuditData, makeResult } from '../test-utils';
 // Mock Headlamp lib
 vi.mock('@kinvolk/headlamp-plugin/lib', () => ({
   ApiProxy: { request: vi.fn() },
-  K8s: {
+  K8s: {},
-    useCluster: () => 'test-cluster',
-  },
-  Router: {
-    createRouteURL: (name: string, params?: { cluster?: string }) =>
-      `/c/${params?.cluster ?? 'default'}/${name}`,
-  },
 }));
 
 vi.mock('@mui/material/styles', () => ({
@@ -31,6 +25,15 @@ vi.mock('react-router-dom', () => ({
   useHistory: () => ({ push: mockPush }),
 }));
 
+// Set window.location.pathname for cluster extraction
+beforeEach(() => {
+  Object.defineProperty(window, 'location', {
+    value: { pathname: '/c/test-cluster/some-page' },
+    writable: true,
+  });
+  mockPush.mockClear();
+});
+
 const mockUsePolarisDataContext = vi.fn();
 vi.mock('../api/PolarisDataContext', () => ({
   usePolarisDataContext: () => mockUsePolarisDataContext(),
@@ -97,7 +100,7 @@ describe('AppBarScoreBadge', () => {
     expect(button.style.backgroundColor).toBe('rgb(244, 67, 54)');
   });
 
-  it('navigates to /polaris on click', async () => {
+  it('navigates to /c/<cluster>/polaris on click', async () => {
     const user = userEvent.setup();
     const data = makeAuditData([
       makeResult({
@@ -120,6 +123,33 @@ describe('AppBarScoreBadge', () => {
     expect(mockPush).toHaveBeenCalledWith('/c/test-cluster/polaris');
   });
 
+  it('navigates to /polaris when no cluster in URL', async () => {
+    Object.defineProperty(window, 'location', {
+      value: { pathname: '/settings' },
+      writable: true,
+    });
+    const user = userEvent.setup();
+    const data = makeAuditData([
+      makeResult({
+        Results: {
+          c1: {
+            ID: 'c1',
+            Message: '',
+            Details: [],
+            Success: true,
+            Severity: 'warning',
+            Category: 'X',
+          },
+        },
+      }),
+    ]);
+    mockUsePolarisDataContext.mockReturnValue({ data, loading: false });
+
+    render(<AppBarScoreBadge />);
+    await user.click(screen.getByRole('button'));
+    expect(mockPush).toHaveBeenCalledWith('/polaris');
+  });
+
   it('has correct aria-label', () => {
     const data = makeAuditData([
       makeResult({

src/components/AppBarScoreBadge.tsx

@@ -1,10 +1,21 @@
-import { K8s, Router } from '@kinvolk/headlamp-plugin/lib';
 import { useTheme } from '@mui/material/styles';
 import React from 'react';
 import { useHistory } from 'react-router-dom';
 import { computeScore, countResults } from '../api/polaris';
 import { usePolarisDataContext } from '../api/PolarisDataContext';
 
+/**
+ * Extract the cluster name from the current browser URL.
+ * Headlamp cluster routes follow the pattern /c/<cluster>/...
+ * We read window.location.pathname directly because the AppBar renders
+ * outside the cluster route context, so useCluster() returns null and
+ * React Router's useLocation() may not reflect the cluster prefix.
+ */
+function getClusterFromUrl(): string | null {
+  const match = window.location.pathname.match(/\/c\/([^/]+)/);
+  return match ? match[1] : null;
+}
+
 /**
  * App bar badge showing cluster Polaris score
  * Clicking navigates to the overview dashboard
@@ -13,7 +24,6 @@ export default function AppBarScoreBadge() {
   const theme = useTheme();
   const { data, loading } = usePolarisDataContext();
   const history = useHistory();
-  const cluster = K8s.useCluster();
 
   if (loading || !data) {
     return null; // Graceful degradation when Polaris unavailable
@@ -36,7 +46,9 @@ export default function AppBarScoreBadge() {
   };
 
   const handleClick = () => {
-    history.push(Router.createRouteURL('polaris', { cluster: cluster ?? '' }));
+    const cluster = getClusterFromUrl();
+    const prefix = cluster ? `/c/${cluster}` : '';
+    history.push(`${prefix}/polaris`);
   };
 
   return (