fix: restore kube-system for sealed-secrets-controller refs

Reverts docs changes from 143b2c3 that incorrectly replaced kube-system with headlamp for sealed-secrets-controller commands. The sealed-secrets-controller runs in kube-system, NOT headlamp. Only the Headlamp app install namespace was changed to headlamp. Changes: - Revert -n headlamp → -n kube-system in all sealed-secrets-controller kubectl commands across all docs files - Revert sealed-secrets-controller.kube-system DNS reference - Revert --controller-namespace=headlamp → --controller-namespace=kube-system - Revert 'namespace headlamp' → 'namespace kube-system' in error messages Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-04 21:30:34 +00:00
parent 143b2c36e0
commit 876fb062fe
9 changed files with 120 additions and 120 deletions
@@ -214,8 +214,8 @@ npm run package
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

 # Verify installation
-kubectl get deployment -n headlamp sealed-secrets-controller
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get deployment -n kube-system sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller
 ```

 **Test Scenarios:**
@@ -121,7 +121,7 @@ For Headlamp running in Kubernetes:
   kubectl create configmap headlamp-sealed-secrets-plugin \
     --from-file=main.js=dist/main.js \
     --from-file=package.json=package.json \
-     -n headlamp
+     -n kube-system
   ```

 2. **Update Headlamp deployment**:
@@ -149,7 +149,7 @@ For Headlamp running in Kubernetes:
 3. **Apply and restart**:
   ```bash
   kubectl apply -f headlamp-deployment.yaml
-   kubectl rollout restart deployment/headlamp -n headlamp
+   kubectl rollout restart deployment/headlamp -n kube-system
   ```

 ## Verification
@@ -208,13 +208,13 @@ headlamp --version  # Should be >= v0.13.0

 **Verify controller is running**:
 ```bash
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller
 # Should show: Running pod
 ```

 **Check controller service**:
 ```bash
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller
 # Should exist with ClusterIP
 ```

@@ -231,7 +231,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa
 kubectl get sealedsecrets --all-namespaces

 # Can you get the service?
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller
 ```

 **Verify CRD exists**:
@@ -162,7 +162,7 @@ For CI/CD or offline encryption:

 **Check controller status**:
 ```bash
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller
 ```

 **If not running**, install it:
@@ -197,7 +197,7 @@ rules:

 2. **Verify controller connectivity**:
   ```bash
-   kubectl get svc -n headlamp sealed-secrets-controller
+   kubectl get svc -n kube-system sealed-secrets-controller
   ```

 3. **Check browser console**:
@@ -38,10 +38,10 @@ headlamp --version  # Should be v0.13.0+
 **Quick Checks**:
 ```bash
 # Check controller is running
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller

 # Check service exists
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller
 ```

 **Solution**: See [Controller Issues](controller-issues.md)
@@ -71,7 +71,7 @@ kubectl auth can-i get secrets
 **Quick Checks**:
 ```bash
 # Check certificate is valid
-kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates
+kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates
 ```

 **Solution**: See [Encryption Failures](encryption-failures.md)
@@ -89,7 +89,7 @@ If you can't find a solution:
   tail -f ~/Library/Logs/Headlamp/main.log

   # Controller logs
-   kubectl logs -n headlamp -l name=sealed-secrets-controller
+   kubectl logs -n kube-system -l name=sealed-secrets-controller
   ```

 2. **Enable browser console**:
@@ -111,7 +111,7 @@ When reporting an issue, include:
 - **Plugin version**: Check Settings page or `package.json`
 - **Headlamp version**: `headlamp --version`
 - **Kubernetes version**: `kubectl version --short`
- **Controller version**: `kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'`
+- **Controller version**: `kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'`
 - **Error messages**: Full error text from UI or console
 - **Browser console logs**: Copy from Developer Tools
 - **Steps to reproduce**: What you did before the error
@@ -65,7 +65,7 @@ brew upgrade headlamp

 **Full Error**:
 ```
-Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'headlamp'
+Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'kube-system'
 ```

 **Cause**: Sealed Secrets controller not installed
@@ -76,10 +76,10 @@ Failed to fetch certificate: Service 'sealed-secrets-controller' not found in na
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

 # Wait for controller to be ready
-kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s

 # Verify
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller
 ```

 ---
@@ -96,13 +96,13 @@ Health check failed: Connection timeout after 3 attempts
 **Diagnosis**:
 ```bash
 # 1. Check controller is running
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller

 # 2. Check logs
-kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50
+kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50

 # 3. Test direct connection
-kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
 # In another terminal:
 curl http://localhost:8080/v1/cert.pem
 ```
@@ -111,14 +111,14 @@ curl http://localhost:8080/v1/cert.pem

 **If pod is not running**:
 ```bash
-kubectl describe pod -n headlamp -l name=sealed-secrets-controller
+kubectl describe pod -n kube-system -l name=sealed-secrets-controller
 ```
 Look for image pull errors, resource constraints, or CrashLoopBackOff.

 **If pod is running but not responding**:
 ```bash
 # Restart the controller
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 ```

 ---
@@ -138,12 +138,12 @@ Warning: Controller version v0.18.0 detected. Plugin tested with v0.24.0+
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

 # Verify upgrade
-kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 ```

 **Warning**: Backup sealing keys before upgrading:
 ```bash
-kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
+kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml
 ```

 ---
@@ -162,14 +162,14 @@ Encryption failed: Invalid public key format
 **Diagnosis**:
 ```bash
 # Fetch and validate certificate
-kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
+kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
 openssl x509 -in cert.pem -noout -text
 ```

 **Solution**:
 If certificate is invalid, the controller may be corrupted. Restart it:
 ```bash
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 ```

 ---
@@ -188,7 +188,7 @@ Encryption failed: Certificate expired on 2025-01-15
 **Option 1: Use existing valid certificate** (if you have multiple keys):
 ```bash
 # List all certificates
-kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key

 # Plugin will automatically use the newest valid certificate
 ```
@@ -196,11 +196,11 @@ kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 **Option 2: Rotate sealing keys**:
 ```bash
 # Generate new key (requires cluster-admin)
-kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl delete secret -n kube-system sealed-secrets-key
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller

 # Wait for new key generation
-kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
 ```

 **Warning**: After key rotation, existing SealedSecrets remain valid but cannot be modified. See [Secret Rotation Tutorial](../tutorials/secret-rotation.md).
@@ -493,10 +493,10 @@ Failed to fetch certificate: Connection timeout after 30000ms
 kubectl cluster-info

 # Test service connectivity
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller

 # Port-forward and test manually
-kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
 curl http://localhost:8080/v1/cert.pem
 ```

@@ -534,7 +534,7 @@ If your error isn't listed:

 2. **Check Controller Logs**:
   ```bash
-   kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100
+   kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100
   ```

 3. **Enable Debug Logging** (browser console):
@@ -23,13 +23,13 @@ Plugin shows "Controller not found" or health status is unhealthy.

 ```bash
 # Check if controller exists
-kubectl get deployment -n headlamp sealed-secrets-controller
+kubectl get deployment -n kube-system sealed-secrets-controller

 # Check service
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller

 # Check pods
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller
 ```

 ### Solutions
@@ -43,10 +43,10 @@ Install the controller:
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

 # Wait for deployment
-kubectl wait --for=condition=available deployment/sealed-secrets-controller -n headlamp --timeout=60s
+kubectl wait --for=condition=available deployment/sealed-secrets-controller -n kube-system --timeout=60s

 # Verify
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller
 ```

 #### Wrong Namespace
@@ -85,13 +85,13 @@ Controller pod shows `Pending`, `ContainerCreating`, or `ImagePullBackOff`.

 ```bash
 # Check pod status
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller

 # Get detailed status
-kubectl describe pod -n headlamp -l name=sealed-secrets-controller
+kubectl describe pod -n kube-system -l name=sealed-secrets-controller

 # Check events
-kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
+kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets
 ```

 ### Common Causes
@@ -102,7 +102,7 @@ kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets

 **Check**:
 ```bash
-kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Events:"
+kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Events:"
 ```

 **Solutions**:
@@ -114,17 +114,17 @@ kubectl create secret docker-registry regcred \
  --docker-server=<registry> \
  --docker-username=<username> \
  --docker-password=<password> \
-  -n headlamp
+  -n kube-system

 # Update deployment
-kubectl patch deployment sealed-secrets-controller -n headlamp -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'
+kubectl patch deployment sealed-secrets-controller -n kube-system -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}'
 ```

 **Network issues**: Check cluster can reach `quay.io` or your registry.

 **Wrong image tag**: Verify image exists:
 ```bash
-kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 ```

 #### Insufficient Resources
@@ -133,13 +133,13 @@ kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec

 **Check**:
 ```bash
-kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling"
+kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling"
 ```

 **Solution**: Lower resource requests or add nodes:
 ```bash
 # Lower requests (not recommended for production)
-kubectl patch deployment sealed-secrets-controller -n headlamp -p '
+kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 {
  "spec": {
    "template": {
@@ -165,7 +165,7 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p '

 **Check**:
 ```bash
-kubectl get pvc -n headlamp
+kubectl get pvc -n kube-system
 ```

 **Solution**: Ensure StorageClass exists and volumes are available.
@@ -182,13 +182,13 @@ Controller pod shows `CrashLoopBackOff` or restarts frequently.

 ```bash
 # Check restart count
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller

 # View recent logs
-kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100
+kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100

 # View previous crash logs
-kubectl logs -n headlamp -l name=sealed-secrets-controller --previous
+kubectl logs -n kube-system -l name=sealed-secrets-controller --previous
 ```

 ### Common Causes
@@ -203,16 +203,16 @@ Error loading sealed secrets key: invalid PEM data
 **Solution**:
 ```bash
 # Backup existing key (if valid)
-kubectl get secret -n headlamp sealed-secrets-key -o yaml > backup.yaml
+kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml

 # Delete corrupted key
-kubectl delete secret -n headlamp sealed-secrets-key
+kubectl delete secret -n kube-system sealed-secrets-key

 # Restart controller to generate new key
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller

 # Wait for new key
-kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
 ```

 **Warning**: This generates a new key. Existing SealedSecrets will still work but cannot be modified.
@@ -227,10 +227,10 @@ Multiple certificates found, unable to determine active key
 **Solution**:
 ```bash
 # List all sealing keys
-kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key

 # Remove old keys (keep backup!)
-kubectl delete secret -n headlamp <old-key-name>
+kubectl delete secret -n kube-system <old-key-name>
 ```

 #### Memory Issues
@@ -242,12 +242,12 @@ OOMKilled

 **Check**:
 ```bash
-kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Last State"
+kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Last State"
 ```

 **Solution**: Increase memory limits:
 ```bash
-kubectl patch deployment sealed-secrets-controller -n headlamp -p '
+kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 {
  "spec": {
    "template": {
@@ -298,7 +298,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa
 **Check**:
 ```bash
 # Get certificate expiry
-kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
+kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
  base64 -d | \
  openssl x509 -noout -enddate
 ```
@@ -307,12 +307,12 @@ kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}'

 ```bash
 # Generate new key (keeps old for decryption)
-kubectl annotate secret -n headlamp sealed-secrets-key \
+kubectl annotate secret -n kube-system sealed-secrets-key \
  sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate

 # Or delete and recreate
-kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl delete secret -n kube-system sealed-secrets-key
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 ```

 ### Multiple Certificates
@@ -322,10 +322,10 @@ kubectl rollout restart deployment -n headlamp sealed-secrets-controller
 **Check**:
 ```bash
 # List all certificates
-kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key

 # View details
-kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
+kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml
 ```

 **Solution**: Controller uses newest valid certificate. This is normal after key rotation.
@@ -333,7 +333,7 @@ kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
 To clean up old keys (after backup):
 ```bash
 # Keep newest 2 keys, delete older ones
-kubectl delete secret -n headlamp <old-key-name>
+kubectl delete secret -n kube-system <old-key-name>
 ```

 ### Certificate Not Found
@@ -342,13 +342,13 @@ kubectl delete secret -n headlamp <old-key-name>

 **Check**:
 ```bash
-kubectl get secret -n headlamp sealed-secrets-key
+kubectl get secret -n kube-system sealed-secrets-key
 ```

 **Solution**: Restart controller to generate:
 ```bash
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
-kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
+kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s
 ```

 ---
@@ -362,10 +362,10 @@ kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-contro
 **Diagnosis**:
 ```bash
 # Check controller CPU/memory usage
-kubectl top pod -n headlamp -l name=sealed-secrets-controller
+kubectl top pod -n kube-system -l name=sealed-secrets-controller

 # Check events
-kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
+kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets
 ```

 **Solutions**:
@@ -373,7 +373,7 @@ kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets
 #### Increase Resources

 ```bash
-kubectl patch deployment sealed-secrets-controller -n headlamp -p '
+kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 {
  "spec": {
    "template": {
@@ -401,7 +401,7 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p '

 ```bash
 # Get node
-kubectl get pod -n headlamp -l name=sealed-secrets-controller -o wide
+kubectl get pod -n kube-system -l name=sealed-secrets-controller -o wide

 # Check node load
 kubectl top node <node-name>
@@ -429,22 +429,22 @@ Consider node affinity if node is overloaded.
 **Diagnosis**:
 ```bash
 # Check deployment history
-kubectl rollout history deployment -n headlamp sealed-secrets-controller
+kubectl rollout history deployment -n kube-system sealed-secrets-controller

 # Check current image
-kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
 ```

 **Solution**: Rollback and retry:
 ```bash
 # Rollback to previous version
-kubectl rollout undo deployment -n headlamp sealed-secrets-controller
+kubectl rollout undo deployment -n kube-system sealed-secrets-controller

 # Wait for rollback
-kubectl rollout status deployment -n headlamp sealed-secrets-controller
+kubectl rollout status deployment -n kube-system sealed-secrets-controller

 # Check logs
-kubectl logs -n headlamp -l name=sealed-secrets-controller
+kubectl logs -n kube-system -l name=sealed-secrets-controller
 ```

 ### Version Compatibility
@@ -460,13 +460,13 @@ kubectl logs -n headlamp -l name=sealed-secrets-controller
 **Upgrade controller**:
 ```bash
 # Backup sealing keys first!
-kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-backup.yaml
+kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-backup.yaml

 # Upgrade
 kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml

 # Verify
-kubectl rollout status deployment -n headlamp sealed-secrets-controller
+kubectl rollout status deployment -n kube-system sealed-secrets-controller
 ```

 ### Lost Sealing Keys After Upgrade
@@ -483,7 +483,7 @@ If you have backup:
 kubectl apply -f sealed-secrets-backup.yaml

 # Restart controller
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 ```

 If no backup, keys are **permanently lost**. You must:
@@ -499,7 +499,7 @@ If no backup, keys are **permanently lost**. You must:

 ```bash
 # Add debug flag to controller
-kubectl patch deployment sealed-secrets-controller -n headlamp -p '
+kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 {
  "spec": {
    "template": {
@@ -514,14 +514,14 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 }'

 # View debug logs
-kubectl logs -n headlamp -l name=sealed-secrets-controller -f
+kubectl logs -n kube-system -l name=sealed-secrets-controller -f
 ```

 ### Port-Forward for Testing

 ```bash
 # Forward controller port locally
-kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080

 # Test certificate endpoint
 curl http://localhost:8080/v1/cert.pem
@@ -536,7 +536,7 @@ If Prometheus is installed:

 ```bash
 # Enable metrics
-kubectl patch deployment sealed-secrets-controller -n headlamp -p '
+kubectl patch deployment sealed-secrets-controller -n kube-system -p '
 {
  "spec": {
    "template": {
@@ -551,7 +551,7 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p '
 }'

 # Access metrics
-kubectl port-forward -n headlamp service/sealed-secrets-controller 8081:8081
+kubectl port-forward -n kube-system service/sealed-secrets-controller 8081:8081
 curl http://localhost:8081/metrics
 ```

@@ -564,9 +564,9 @@ If issues persist:
 1. **Gather diagnostic info**:
   ```bash
   # Create diagnostic bundle
-   kubectl get all -n headlamp -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml
-   kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=500 > controller-logs.txt
-   kubectl describe deployment -n headlamp sealed-secrets-controller > controller-describe.txt
+   kubectl get all -n kube-system -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml
+   kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=500 > controller-logs.txt
+   kubectl describe deployment -n kube-system sealed-secrets-controller > controller-describe.txt
   ```

 2. **Check Sealed Secrets project**:
@@ -19,7 +19,7 @@ Before troubleshooting, understand how encryption works:

 ```
 1. Plugin fetches public certificate from controller
-   GET /api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem
+   GET /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem

 2. Plugin validates certificate (PEM format, expiry, fingerprint)

@@ -55,10 +55,10 @@ Failed to fetch certificate: Network error

 ```bash
 # 1. Check controller is running
-kubectl get pods -n headlamp -l name=sealed-secrets-controller
+kubectl get pods -n kube-system -l name=sealed-secrets-controller

 # 2. Test certificate endpoint directly
-kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
 # In another terminal:
 curl http://localhost:8080/v1/cert.pem
 ```
@@ -70,16 +70,16 @@ curl http://localhost:8080/v1/cert.pem
 **Certificate endpoint not responding**:
 ```bash
 # Check controller logs
-kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50
+kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50

 # Restart controller
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 ```

 **RBAC permission denied**:
 ```bash
 # Check service access permission
-kubectl auth can-i get services/sealed-secrets-controller -n headlamp
+kubectl auth can-i get services/sealed-secrets-controller -n kube-system

 # If no, apply RBAC (requires cluster-admin):
 kubectl apply -f - <<EOF
@@ -121,7 +121,7 @@ Encryption failed: Certificate expired on 2025-01-15T10:30:00Z

 ```bash
 # Check certificate expiry
-kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
+kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \
  base64 -d | \
  openssl x509 -noout -dates

@@ -136,19 +136,19 @@ Rotate sealing keys (see [Secret Rotation Tutorial](../tutorials/secret-rotation

 ```bash
 # Option 1: Delete old key (generates new automatically)
-kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl delete secret -n kube-system sealed-secrets-key
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller

 # Option 2: Annotate for rotation (keeps old for decryption)
-kubectl annotate secret -n headlamp sealed-secrets-key \
+kubectl annotate secret -n kube-system sealed-secrets-key \
  sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller

 # Wait for new key
-kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s
+kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s

 # Verify new certificate
-kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key
 ```

 **Warning**: After key rotation:
@@ -168,7 +168,7 @@ Encryption failed: Certificate is not valid PEM format

 ```bash
 # Fetch and validate certificate
-kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem
+kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem

 # Should start with:
 # -----BEGIN CERTIFICATE-----
@@ -183,14 +183,14 @@ cat cert.pem
 **Corrupted certificate**:
 ```bash
 # Regenerate certificate
-kubectl delete secret -n headlamp sealed-secrets-key
-kubectl rollout restart deployment -n headlamp sealed-secrets-controller
+kubectl delete secret -n kube-system sealed-secrets-key
+kubectl rollout restart deployment -n kube-system sealed-secrets-controller
 ```

 **Wrong secret**: Ensure you're using correct secret:
 ```bash
 # List all sealing keys
-kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key
+kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key

 # Should show sealed-secrets-key
 ```
@@ -213,7 +213,7 @@ Plan key rotation before expiry:
 1. **Schedule maintenance window**
 2. **Backup existing keys**:
   ```bash
-   kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml
+   kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml
   ```
 3. **Rotate keys**: See [Secret Rotation Tutorial](../tutorials/secret-rotation.md)
 4. **Recreate SealedSecrets** if needed
@@ -485,10 +485,10 @@ Failed to fetch certificate: Request timeout after 30000ms
 kubectl cluster-info

 # Test service endpoint
-kubectl get svc -n headlamp sealed-secrets-controller
+kubectl get svc -n kube-system sealed-secrets-controller

 # Test with curl
-kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080
+kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080
 curl -m 5 http://localhost:8080/v1/cert.pem
 ```

@@ -550,7 +550,7 @@ Test encryption manually:

 ```javascript
 // In browser console
-const cert = await fetch('/api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem')
+const cert = await fetch('/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem')
  .then(r => r.text());

 console.log('Certificate:', cert);
@@ -587,7 +587,7 @@ sudo install -m 755 kubeseal /usr/local/bin/kubeseal

 # Test encryption
 echo -n mysecretvalue | kubeseal \
-  --controller-namespace=headlamp \
+  --controller-namespace=kube-system \
  --controller-name=sealed-secrets-controller \
  --format=yaml \
  --name=my-secret \
@@ -621,10 +621,10 @@ If encryption still fails:
 1. **Gather diagnostics**:
   ```bash
   # Controller version
-   kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'
+   kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'

   # Certificate validity
-   kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text
+   kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text

   # Plugin version (in Headlamp UI)
   Settings → Sealed Secrets → About
@@ -202,11 +202,11 @@ Missing service access permission.

 ```bash
 # Check service access
-kubectl auth can-i get services -n headlamp
-kubectl auth can-i get services/sealed-secrets-controller -n headlamp
+kubectl auth can-i get services -n kube-system
+kubectl auth can-i get services/sealed-secrets-controller -n kube-system

 # Check proxy access
-kubectl auth can-i get services/proxy -n headlamp
+kubectl auth can-i get services/proxy -n kube-system
 ```

 #### Solution
@@ -563,7 +563,7 @@ TOKEN=$(kubectl create token sealed-secrets-ci -n ci-cd)

 # Use with kubeseal
 echo -n mysecret | kubeseal \
-  --controller-namespace=headlamp \
+  --controller-namespace=kube-system \
  --token="$TOKEN" \
  --format=yaml
 ```
@@ -33,7 +33,7 @@ The sealing certificate is the public key used to encrypt secrets. You can downl
 Alternatively, fetch it directly from the controller:

 ```bash
-kubectl get secret -n headlamp \
+kubectl get secret -n kube-system \
  -l sealedsecrets.bitnami.com/sealed-secrets-key=active \
  -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem
 ```
@@ -41,7 +41,7 @@ kubectl get secret -n headlamp \
 Or use the controller's certificate endpoint:

 ```bash
-curl http://sealed-secrets-controller.headlamp:8080/v1/cert.pem > sealed-secrets-cert.pem
+curl http://sealed-secrets-controller.kube-system:8080/v1/cert.pem > sealed-secrets-cert.pem
 ```

 ## Step 2: Install kubeseal CLI
@@ -107,7 +107,7 @@ jobs:
          echo "${{ secrets.SEALED_SECRETS_CERT }}" > sealed-secrets-cert.pem

          # Option 2: From cluster (requires kubectl access)
-          # kubectl get secret -n headlamp \
+          # kubectl get secret -n kube-system \
          #   -l sealedsecrets.bitnami.com/sealed-secrets-key=active \
          #   -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem