docs: redirect Headlamp install namespace from kube-system to headlamp

Updates install docs, READMEs, troubleshooting guides, and CI/CD tutorial
to reference Headlamp's own install namespace (headlamp) instead of
kube-system for where the Headlamp plugin/UI is installed.

Out-of-scope (left unchanged):
- Source code references to kube-system (controller workload location)
- Test files with kube-system in mock configs

Files changed:
- docs/getting-started/installation.md
- docs/getting-started/quick-start.md
- docs/troubleshooting/README.md
- docs/troubleshooting/common-errors.md
- docs/troubleshooting/controller-issues.md
- docs/troubleshooting/encryption-failures.md
- docs/troubleshooting/permission-errors.md
- docs/tutorials/ci-cd-integration.md
- docs/development/workflow.md

Co-Authored-By: Paperclip <noreply@paperclip.ing>

docs/development/workflow.md

@@ -214,8 +214,8 @@ npm run package
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
 
 # Verify installation
-kubectl get deployment -n kube-system sealed-secrets-controller
+kubectl get deployment -n headlamp sealed-secrets-controller
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 ```
 
 **Test Scenarios:**

docs/getting-started/installation.md

@@ -208,13 +208,13 @@ headlamp --version  # Should be >= v0.13.0
 
 **Verify controller is running**:
 ```bash
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 # Should show: Running pod
 ```
 
 **Check controller service**:
 ```bash
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 # Should exist with ClusterIP
 ```
 
@@ -231,7 +231,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa
 kubectl get sealedsecrets --all-namespaces
 
 # Can you get the service?
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 ```
 
 **Verify CRD exists**:

docs/getting-started/quick-start.md

@@ -162,7 +162,7 @@ For CI/CD or offline encryption:
 
 **Check controller status**:
 ```bash
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 ```
 
 **If not running**, install it:
@@ -197,7 +197,7 @@ rules:
 
 2. **Verify controller connectivity**:
    ```bash
-   kubectl get svc -n kube-system sealed-secrets-controller
+   kubectl get svc -n headlamp sealed-secrets-controller
    ```
 
 3. **Check browser console**:

docs/troubleshooting/README.md

@@ -38,10 +38,10 @@ headlamp --version  # Should be v0.13.0+
 **Quick Checks**:
 ```bash
 # Check controller is running
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 
 # Check service exists
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 ```
 
 **Solution**: See [Controller Issues](controller-issues.md)
@@ -71,7 +71,7 @@ kubectl auth can-i get secrets
 **Quick Checks**:
 ```bash
 # Check certificate is valid
-kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates
+kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates
 ```
 
 **Solution**: See [Encryption Failures](encryption-failures.md)
@@ -89,7 +89,7 @@ If you can't find a solution:
    tail -f ~/Library/Logs/Headlamp/main.log
 
    # Controller logs
-   kubectl logs -n kube-system -l name=sealed-secrets-controller
+   kubectl logs -n headlamp -l name=sealed-secrets-controller
    ```
 
 2. **Enable browser console**:
@@ -111,7 +111,7 @@ When reporting an issue, include:
 - **Plugin version**: Check Settings page or `package.json`
 - **Headlamp version**: `headlamp --version`
 - **Kubernetes version**: `kubectl version --short`
-- **Controller version**: `kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'`
+- **Controller version**: `kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'`
 - **Error messages**: Full error text from UI or console
 - **Browser console logs**: Copy from Developer Tools
 - **Steps to reproduce**: What you did before the error

docs/troubleshooting/common-errors.md

@@ -65,7 +65,7 @@ brew upgrade headlamp
 
 **Full Error**:
 ```
-Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'kube-system'
+Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'headlamp'
 ```
 
 **Cause**: Sealed Secrets controller not installed
@@ -76,10 +76,10 @@ Failed to fetch certificate: Service 'sealed-secrets-controller' not found in na
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
 
 # Wait for controller to be ready
-kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
 
 # Verify
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 ```
 
 ---
@@ -96,13 +96,13 @@ Health check failed: Connection timeout after 3 attempts
 **Diagnosis**:
 ```bash
 # 1. Check controller is running
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 
 # 2. Check logs
-kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50
+kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50
 
 # 3. Test direct connection
-kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
 # In another terminal:
 curl http://localhost:8080/v1/cert.pem
 ```
@@ -111,14 +111,14 @@ curl http://localhost:8080/v1/cert.pem
 
 **If pod is not running**:
 ```bash
-kubectl describe pod -n kube-system -l name=sealed-secrets-controller
+kubectl describe pod -n headlamp -l name=sealed-secrets-controller
 ```
 Look for image pull errors, resource constraints, or CrashLoopBackOff.
 
 **If pod is running but not responding**:
 ```bash
 # Restart the controller
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 ```
 
 ---
@@ -138,12 +138,12 @@ Warning: Controller version v0.18.0 detected. Plugin tested with v0.24.0+
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
 
 # Verify upgrade
-kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 ```
 
 **Warning**: Backup sealing keys before upgrading:
 ```bash
-kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
+kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
 ```
 
 ---
@@ -162,14 +162,14 @@ Encryption failed: Invalid public key format
 **Diagnosis**:
 ```bash
 # Fetch and validate certificate
-kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
+kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
 openssl x509 -in cert.pem -noout -text
 ```
 
 **Solution**:
 If certificate is invalid, the controller may be corrupted. Restart it:
 ```bash
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 ```
 
 ---
@@ -188,7 +188,7 @@ Encryption failed: Certificate expired on 2025-01-15
 **Option 1: Use existing valid certificate** (if you have multiple keys):
 ```bash
 # List all certificates
-kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 
 # Plugin will automatically use the newest valid certificate
 ```
@@ -196,11 +196,11 @@ kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-k
 **Option 2: Rotate sealing keys**:
 ```bash
 # Generate new key (requires cluster-admin)
-kubectl delete secret -n kube-system sealed-secrets-key
+kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 
 # Wait for new key generation
-kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
 ```
 
 **Warning**: After key rotation, existing SealedSecrets remain valid but cannot be modified. See [Secret Rotation Tutorial](../tutorials/secret-rotation.md).
@@ -493,10 +493,10 @@ Failed to fetch certificate: Connection timeout after 30000ms
 kubectl cluster-info
 
 # Test service connectivity
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 
 # Port-forward and test manually
-kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
 curl http://localhost:8080/v1/cert.pem
 ```
 
@@ -534,7 +534,7 @@ If your error isn't listed:
 
 2. **Check Controller Logs**:
    ```bash
-   kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100
+   kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100
    ```
 
 3. **Enable Debug Logging** (browser console):

docs/troubleshooting/controller-issues.md

@@ -23,13 +23,13 @@ Plugin shows "Controller not found" or health status is unhealthy.
 
 ```bash
 # Check if controller exists
-kubectl get deployment -n kube-system sealed-secrets-controller
+kubectl get deployment -n headlamp sealed-secrets-controller
 
 # Check service
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 
 # Check pods
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 ```
 
 ### Solutions
@@ -43,10 +43,10 @@ Install the controller:
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
 
 # Wait for deployment
-kubectl wait --for=condition=available deployment/sealed-secrets-controller -n kube-system --timeout=60s
+kubectl wait --for=condition=available deployment/sealed-secrets-controller -n headlamp --timeout=60s
 
 # Verify
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 ```
 
 #### Wrong Namespace
@@ -85,13 +85,13 @@ Controller pod shows `Pending`, `ContainerCreating`, or `ImagePullBackOff`.
 
 ```bash
 # Check pod status
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 
 # Get detailed status
-kubectl describe pod -n kube-system -l name=sealed-secrets-controller
+kubectl describe pod -n headlamp -l name=sealed-secrets-controller
 
 # Check events
-kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets
+kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
 ```
 
 ### Common Causes
@@ -102,7 +102,7 @@ kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secre
 
 **Check**:
 ```bash
-kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Events:"
+kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Events:"
 ```
 
 **Solutions**:
@@ -114,17 +114,17 @@ kubectl create secret docker-registry regcred \
   --docker-server=<registry> \
   --docker-username=<username> \
   --docker-password=<password> \
-  -n kube-system
+  -n headlamp
 
 # Update deployment
-kubectl patch deployment sealed-secrets-controller -n kube-system -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'
+kubectl patch deployment sealed-secrets-controller -n headlamp -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'
 ```
 
 **Network issues**: Check cluster can reach `quay.io` or your registry.
 
 **Wrong image tag**: Verify image exists:
 ```bash
-kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 ```
 
 #### Insufficient Resources
@@ -133,13 +133,13 @@ kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.s
 
 **Check**:
 ```bash
-kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling"
+kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling"
 ```
 
 **Solution**: Lower resource requests or add nodes:
 ```bash
 # Lower requests (not recommended for production)
-kubectl patch deployment sealed-secrets-controller -n kube-system -p '
+kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 {
   "spec": {
     "template": {
@@ -165,7 +165,7 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 
 **Check**:
 ```bash
-kubectl get pvc -n kube-system
+kubectl get pvc -n headlamp
 ```
 
 **Solution**: Ensure StorageClass exists and volumes are available.
@@ -182,13 +182,13 @@ Controller pod shows `CrashLoopBackOff` or restarts frequently.
 
 ```bash
 # Check restart count
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 
 # View recent logs
-kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100
+kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100
 
 # View previous crash logs
-kubectl logs -n kube-system -l name=sealed-secrets-controller --previous
+kubectl logs -n headlamp -l name=sealed-secrets-controller --previous
 ```
 
 ### Common Causes
@@ -203,16 +203,16 @@ Error loading sealed secrets key: invalid PEM data
 **Solution**:
 ```bash
 # Backup existing key (if valid)
-kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml
+kubectl get secret -n headlamp sealed-secrets-key -o yaml > backup.yaml
 
 # Delete corrupted key
-kubectl delete secret -n kube-system sealed-secrets-key
+kubectl delete secret -n headlamp sealed-secrets-key
 
 # Restart controller to generate new key
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 
 # Wait for new key
-kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
 ```
 
 **Warning**: This generates a new key. Existing SealedSecrets will still work but cannot be modified.
@@ -227,10 +227,10 @@ Multiple certificates found, unable to determine active key
 **Solution**:
 ```bash
 # List all sealing keys
-kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 
 # Remove old keys (keep backup!)
-kubectl delete secret -n kube-system <old-key-name>
+kubectl delete secret -n headlamp <old-key-name>
 ```
 
 #### Memory Issues
@@ -242,12 +242,12 @@ OOMKilled
 
 **Check**:
 ```bash
-kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Last State"
+kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Last State"
 ```
 
 **Solution**: Increase memory limits:
 ```bash
-kubectl patch deployment sealed-secrets-controller -n kube-system -p '
+kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 {
   "spec": {
     "template": {
@@ -298,7 +298,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa
 **Check**:
 ```bash
 # Get certificate expiry
-kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
+kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
   base64 -d | \
   openssl x509 -noout -enddate
 ```
@@ -307,12 +307,12 @@ kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.cr
 
 ```bash
 # Generate new key (keeps old for decryption)
-kubectl annotate secret -n kube-system sealed-secrets-key \
+kubectl annotate secret -n headlamp sealed-secrets-key \
   sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate
 
 # Or delete and recreate
-kubectl delete secret -n kube-system sealed-secrets-key
+kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 ```
 
 ### Multiple Certificates
@@ -322,10 +322,10 @@ kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 **Check**:
 ```bash
 # List all certificates
-kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 
 # View details
-kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
+kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
 ```
 
 **Solution**: Controller uses newest valid certificate. This is normal after key rotation.
@@ -333,7 +333,7 @@ kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-k
 To clean up old keys (after backup):
 ```bash
 # Keep newest 2 keys, delete older ones
-kubectl delete secret -n kube-system <old-key-name>
+kubectl delete secret -n headlamp <old-key-name>
 ```
 
 ### Certificate Not Found
@@ -342,13 +342,13 @@ kubectl delete secret -n kube-system <old-key-name>
 
 **Check**:
 ```bash
-kubectl get secret -n kube-system sealed-secrets-key
+kubectl get secret -n headlamp sealed-secrets-key
 ```
 
 **Solution**: Restart controller to generate:
 ```bash
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
-kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
 ```
 
 ---
@@ -362,10 +362,10 @@ kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-con
 **Diagnosis**:
 ```bash
 # Check controller CPU/memory usage
-kubectl top pod -n kube-system -l name=sealed-secrets-controller
+kubectl top pod -n headlamp -l name=sealed-secrets-controller
 
 # Check events
-kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets
+kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
 ```
 
 **Solutions**:
@@ -373,7 +373,7 @@ kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secre
 #### Increase Resources
 
 ```bash
-kubectl patch deployment sealed-secrets-controller -n kube-system -p '
+kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 {
   "spec": {
     "template": {
@@ -401,7 +401,7 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 
 ```bash
 # Get node
-kubectl get pod -n kube-system -l name=sealed-secrets-controller -o wide
+kubectl get pod -n headlamp -l name=sealed-secrets-controller -o wide
 
 # Check node load
 kubectl top node <node-name>
@@ -429,22 +429,22 @@ Consider node affinity if node is overloaded.
 **Diagnosis**:
 ```bash
 # Check deployment history
-kubectl rollout history deployment -n kube-system sealed-secrets-controller
+kubectl rollout history deployment -n headlamp sealed-secrets-controller
 
 # Check current image
-kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 ```
 
 **Solution**: Rollback and retry:
 ```bash
 # Rollback to previous version
-kubectl rollout undo deployment -n kube-system sealed-secrets-controller
+kubectl rollout undo deployment -n headlamp sealed-secrets-controller
 
 # Wait for rollback
-kubectl rollout status deployment -n kube-system sealed-secrets-controller
+kubectl rollout status deployment -n headlamp sealed-secrets-controller
 
 # Check logs
-kubectl logs -n kube-system -l name=sealed-secrets-controller
+kubectl logs -n headlamp -l name=sealed-secrets-controller
 ```
 
 ### Version Compatibility
@@ -460,13 +460,13 @@ kubectl logs -n kube-system -l name=sealed-secrets-controller
 **Upgrade controller**:
 ```bash
 # Backup sealing keys first!
-kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-backup.yaml
+kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-backup.yaml
 
 # Upgrade
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml
 
 # Verify
-kubectl rollout status deployment -n kube-system sealed-secrets-controller
+kubectl rollout status deployment -n headlamp sealed-secrets-controller
 ```
 
 ### Lost Sealing Keys After Upgrade
@@ -483,7 +483,7 @@ If you have backup:
 kubectl apply -f sealed-secrets-backup.yaml
 
 # Restart controller
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 ```
 
 If no backup, keys are **permanently lost**. You must:
@@ -499,7 +499,7 @@ If no backup, keys are **permanently lost**. You must:
 
 ```bash
 # Add debug flag to controller
-kubectl patch deployment sealed-secrets-controller -n kube-system -p '
+kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 {
   "spec": {
     "template": {
@@ -514,14 +514,14 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 }'
 
 # View debug logs
-kubectl logs -n kube-system -l name=sealed-secrets-controller -f
+kubectl logs -n headlamp -l name=sealed-secrets-controller -f
 ```
 
 ### Port-Forward for Testing
 
 ```bash
 # Forward controller port locally
-kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
 
 # Test certificate endpoint
 curl http://localhost:8080/v1/cert.pem
@@ -536,7 +536,7 @@ If Prometheus is installed:
 
 ```bash
 # Enable metrics
-kubectl patch deployment sealed-secrets-controller -n kube-system -p '
+kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 {
   "spec": {
     "template": {
@@ -551,7 +551,7 @@ kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 }'
 
 # Access metrics
-kubectl port-forward -n kube-system service/sealed-secrets-controller 8081:8081
+kubectl port-forward -n headlamp service/sealed-secrets-controller 8081:8081
 curl http://localhost:8081/metrics
 ```
 
@@ -564,9 +564,9 @@ If issues persist:
 1. **Gather diagnostic info**:
    ```bash
    # Create diagnostic bundle
-   kubectl get all -n kube-system -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml
+   kubectl get all -n headlamp -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml
-   kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=500 > controller-logs.txt
+   kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=500 > controller-logs.txt
-   kubectl describe deployment -n kube-system sealed-secrets-controller > controller-describe.txt
+   kubectl describe deployment -n headlamp sealed-secrets-controller > controller-describe.txt
    ```
 
 2. **Check Sealed Secrets project**:

docs/troubleshooting/encryption-failures.md

@@ -19,7 +19,7 @@ Before troubleshooting, understand how encryption works:
 
 ```
 1. Plugin fetches public certificate from controller
-   GET /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem
+   GET /api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem
 
 2. Plugin validates certificate (PEM format, expiry, fingerprint)
 
@@ -55,10 +55,10 @@ Failed to fetch certificate: Network error
 
 ```bash
 # 1. Check controller is running
-kubectl get pods -n kube-system -l name=sealed-secrets-controller
+kubectl get pods -n headlamp -l name=sealed-secrets-controller
 
 # 2. Test certificate endpoint directly
-kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
 # In another terminal:
 curl http://localhost:8080/v1/cert.pem
 ```
@@ -70,16 +70,16 @@ curl http://localhost:8080/v1/cert.pem
 **Certificate endpoint not responding**:
 ```bash
 # Check controller logs
-kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50
+kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50
 
 # Restart controller
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 ```
 
 **RBAC permission denied**:
 ```bash
 # Check service access permission
-kubectl auth can-i get services/sealed-secrets-controller -n kube-system
+kubectl auth can-i get services/sealed-secrets-controller -n headlamp
 
 # If no, apply RBAC (requires cluster-admin):
 kubectl apply -f - <<EOF
@@ -121,7 +121,7 @@ Encryption failed: Certificate expired on 2025-01-15T10:30:00Z
 
 ```bash
 # Check certificate expiry
-kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
+kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
   base64 -d | \
   openssl x509 -noout -dates
 
@@ -136,19 +136,19 @@ Rotate sealing keys (see [Secret Rotation Tutorial](../tutorials/secret-rotation
 
 ```bash
 # Option 1: Delete old key (generates new automatically)
-kubectl delete secret -n kube-system sealed-secrets-key
+kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 
 # Option 2: Annotate for rotation (keeps old for decryption)
-kubectl annotate secret -n kube-system sealed-secrets-key \
+kubectl annotate secret -n headlamp sealed-secrets-key \
   sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 
 # Wait for new key
-kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
 
 # Verify new certificate
-kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 ```
 
 **Warning**: After key rotation:
@@ -168,7 +168,7 @@ Encryption failed: Certificate is not valid PEM format
 
 ```bash
 # Fetch and validate certificate
-kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
+kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
 
 # Should start with:
 # -----BEGIN CERTIFICATE-----
@@ -183,14 +183,14 @@ cat cert.pem
 **Corrupted certificate**:
 ```bash
 # Regenerate certificate
-kubectl delete secret -n kube-system sealed-secrets-key
+kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 ```
 
 **Wrong secret**: Ensure you're using correct secret:
 ```bash
 # List all sealing keys
-kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 
 # Should show sealed-secrets-key
 ```
@@ -213,7 +213,7 @@ Plan key rotation before expiry:
 1. **Schedule maintenance window**
 2. **Backup existing keys**:
    ```bash
-   kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml
+   kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml
    ```
 3. **Rotate keys**: See [Secret Rotation Tutorial](../tutorials/secret-rotation.md)
 4. **Recreate SealedSecrets** if needed
@@ -485,10 +485,10 @@ Failed to fetch certificate: Request timeout after 30000ms
 kubectl cluster-info
 
 # Test service endpoint
-kubectl get svc -n kube-system sealed-secrets-controller
+kubectl get svc -n headlamp sealed-secrets-controller
 
 # Test with curl
-kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
 curl -m 5 http://localhost:8080/v1/cert.pem
 ```
 
@@ -550,7 +550,7 @@ Test encryption manually:
 
 ```javascript
 // In browser console
-const cert = await fetch('/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem')
+const cert = await fetch('/api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem')
   .then(r => r.text());
 
 console.log('Certificate:', cert);
@@ -587,7 +587,7 @@ sudo install -m 755 kubeseal /usr/local/bin/kubeseal
 
 # Test encryption
 echo -n mysecretvalue | kubeseal \
-  --controller-namespace=kube-system \
+  --controller-namespace=headlamp \
   --controller-name=sealed-secrets-controller \
   --format=yaml \
   --name=my-secret \
@@ -621,10 +621,10 @@ If encryption still fails:
 1. **Gather diagnostics**:
    ```bash
    # Controller version
-   kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+   kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 
    # Certificate validity
-   kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
+   kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
 
    # Plugin version (in Headlamp UI)
    Settings → Sealed Secrets → About

docs/troubleshooting/permission-errors.md

@@ -202,11 +202,11 @@ Missing service access permission.
 
 ```bash
 # Check service access
-kubectl auth can-i get services -n kube-system
+kubectl auth can-i get services -n headlamp
-kubectl auth can-i get services/sealed-secrets-controller -n kube-system
+kubectl auth can-i get services/sealed-secrets-controller -n headlamp
 
 # Check proxy access
-kubectl auth can-i get services/proxy -n kube-system
+kubectl auth can-i get services/proxy -n headlamp
 ```
 
 #### Solution
@@ -563,7 +563,7 @@ TOKEN=$(kubectl create token sealed-secrets-ci -n ci-cd)
 
 # Use with kubeseal
 echo -n mysecret | kubeseal \
-  --controller-namespace=kube-system \
+  --controller-namespace=headlamp \
   --token="$TOKEN" \
   --format=yaml
 ```

docs/tutorials/ci-cd-integration.md

@@ -33,7 +33,7 @@ The sealing certificate is the public key used to encrypt secrets. You can downl
 Alternatively, fetch it directly from the controller:
 
 ```bash
-kubectl get secret -n kube-system \
+kubectl get secret -n headlamp \
   -l sealedsecrets.bitnami.com/sealed-secrets-key=active \
   -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem
 ```
@@ -41,7 +41,7 @@ kubectl get secret -n kube-system \
 Or use the controller's certificate endpoint:
 
 ```bash
-curl http://sealed-secrets-controller.kube-system:8080/v1/cert.pem > sealed-secrets-cert.pem
+curl http://sealed-secrets-controller.headlamp:8080/v1/cert.pem > sealed-secrets-cert.pem
 ```
 
 ## Step 2: Install kubeseal CLI
@@ -107,7 +107,7 @@ jobs:
           echo "${{ secrets.SEALED_SECRETS_CERT }}" > sealed-secrets-cert.pem
 
           # Option 2: From cluster (requires kubectl access)
-          # kubectl get secret -n kube-system \
+          # kubectl get secret -n headlamp \
           #   -l sealedsecrets.bitnami.com/sealed-secrets-key=active \
           #   -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem