From 876fb062fe9a4014c1ca121962f533c214e2153f Mon Sep 17 00:00:00 2001 From: Chris Farhood Date: Mon, 4 May 2026 21:30:34 +0000 Subject: [PATCH] fix: restore kube-system for sealed-secrets-controller refs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reverts docs changes from 143b2c3 that incorrectly replaced kube-system with headlamp for sealed-secrets-controller commands. The sealed-secrets-controller runs in kube-system, NOT headlamp. Only the Headlamp app install namespace was changed to headlamp. Changes: - Revert -n headlamp → -n kube-system in all sealed-secrets-controller kubectl commands across all docs files - Revert sealed-secrets-controller.kube-system DNS reference - Revert --controller-namespace=headlamp → --controller-namespace=kube-system - Revert 'namespace headlamp' → 'namespace kube-system' in error messages Co-Authored-By: Paperclip --- docs/development/workflow.md | 4 +- docs/getting-started/installation.md | 10 +- docs/getting-started/quick-start.md | 4 +- docs/troubleshooting/README.md | 10 +- docs/troubleshooting/common-errors.md | 38 +++---- docs/troubleshooting/controller-issues.md | 112 ++++++++++---------- docs/troubleshooting/encryption-failures.md | 48 ++++----- docs/troubleshooting/permission-errors.md | 8 +- docs/tutorials/ci-cd-integration.md | 6 +- 9 files changed, 120 insertions(+), 120 deletions(-) diff --git a/docs/development/workflow.md b/docs/development/workflow.md index d46275d..9abf7e1 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md 
@@ -214,8 +214,8 @@ npm run package kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml # Verify installation -kubectl get deployment -n headlamp sealed-secrets-controller -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get deployment -n kube-system sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller ``` **Test Scenarios:** diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md index 24202c3..5f071fb 100644 --- a/docs/getting-started/installation.md +++ b/docs/getting-started/installation.md @@ -121,7 +121,7 @@ For Headlamp running in Kubernetes: kubectl create configmap headlamp-sealed-secrets-plugin \ --from-file=main.js=dist/main.js \ --from-file=package.json=package.json \ - -n headlamp + -n kube-system ``` 2. **Update Headlamp deployment**: @@ -149,7 +149,7 @@ For Headlamp running in Kubernetes: 3. **Apply and restart**: ```bash kubectl apply -f headlamp-deployment.yaml - kubectl rollout restart deployment/headlamp -n headlamp + kubectl rollout restart deployment/headlamp -n kube-system ``` ## Verification @@ -208,13 +208,13 @@ headlamp --version # Should be >= v0.13.0 **Verify controller is running**: ```bash -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller # Should show: Running pod ``` **Check controller service**: ```bash -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller # Should exist with ClusterIP ``` @@ -231,7 +231,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa kubectl get sealedsecrets --all-namespaces # Can you get the service? -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller ``` **Verify CRD exists**: 
diff --git a/docs/getting-started/quick-start.md b/docs/getting-started/quick-start.md index bf4ced9..19c2fd1 100644 --- a/docs/getting-started/quick-start.md +++ b/docs/getting-started/quick-start.md @@ -162,7 +162,7 @@ For CI/CD or offline encryption: **Check controller status**: ```bash -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller ``` **If not running**, install it: @@ -197,7 +197,7 @@ rules: 2. **Verify controller connectivity**: ```bash - kubectl get svc -n headlamp sealed-secrets-controller + kubectl get svc -n kube-system sealed-secrets-controller ``` 3. **Check browser console**: diff --git a/docs/troubleshooting/README.md b/docs/troubleshooting/README.md index 82e2a0b..8994b14 100644 --- a/docs/troubleshooting/README.md +++ b/docs/troubleshooting/README.md @@ -38,10 +38,10 @@ headlamp --version # Should be v0.13.0+ **Quick Checks**: ```bash # Check controller is running -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller # Check service exists -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller ``` **Solution**: See [Controller Issues](controller-issues.md) @@ -71,7 +71,7 @@ kubectl auth can-i get secrets **Quick Checks**: ```bash # Check certificate is valid -kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates +kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -dates ``` **Solution**: See [Encryption Failures](encryption-failures.md) @@ -89,7 +89,7 @@ If you can't find a solution: tail -f ~/Library/Logs/Headlamp/main.log # Controller logs - kubectl logs -n headlamp -l name=sealed-secrets-controller + kubectl logs -n kube-system -l name=sealed-secrets-controller ``` 2. **Enable browser console**: 
@@ -111,7 +111,7 @@ When reporting an issue, include: - **Plugin version**: Check Settings page or `package.json` - **Headlamp version**: `headlamp --version` - **Kubernetes version**: `kubectl version --short` -- **Controller version**: `kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'` +- **Controller version**: `kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}'` - **Error messages**: Full error text from UI or console - **Browser console logs**: Copy from Developer Tools - **Steps to reproduce**: What you did before the error diff --git a/docs/troubleshooting/common-errors.md b/docs/troubleshooting/common-errors.md index 1bdef56..fdd002f 100644 --- a/docs/troubleshooting/common-errors.md +++ b/docs/troubleshooting/common-errors.md @@ -65,7 +65,7 @@ brew upgrade headlamp **Full Error**: ``` -Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'headlamp' +Failed to fetch certificate: Service 'sealed-secrets-controller' not found in namespace 'kube-system' ``` **Cause**: Sealed Secrets controller not installed @@ -76,10 +76,10 @@ Failed to fetch certificate: Service 'sealed-secrets-controller' not found in na kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml # Wait for controller to be ready -kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s +kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s # Verify -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller ``` --- 
@@ -96,13 +96,13 @@ Health check failed: Connection timeout after 3 attempts **Diagnosis**: ```bash # 1. Check controller is running -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller # 2. Check logs -kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50 +kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50 # 3. Test direct connection -kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080 +kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080 # In another terminal: curl http://localhost:8080/v1/cert.pem ``` @@ -111,14 +111,14 @@ curl http://localhost:8080/v1/cert.pem **If pod is not running**: ```bash -kubectl describe pod -n headlamp -l name=sealed-secrets-controller +kubectl describe pod -n kube-system -l name=sealed-secrets-controller ``` Look for image pull errors, resource constraints, or CrashLoopBackOff. **If pod is running but not responding**: ```bash # Restart the controller -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl rollout restart deployment -n kube-system sealed-secrets-controller ``` --- @@ -138,12 +138,12 @@ Warning: Controller version v0.18.0 detected. Plugin tested with v0.24.0+ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml # Verify upgrade -kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' +kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' ``` **Warning**: Backup sealing keys before upgrading: ```bash -kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml +kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml ``` --- 
@@ -162,14 +162,14 @@ Encryption failed: Invalid public key format **Diagnosis**: ```bash # Fetch and validate certificate -kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem +kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem openssl x509 -in cert.pem -noout -text ``` **Solution**: If certificate is invalid, the controller may be corrupted. Restart it: ```bash -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl rollout restart deployment -n kube-system sealed-secrets-controller ``` --- @@ -188,7 +188,7 @@ Encryption failed: Certificate expired on 2025-01-15 **Option 1: Use existing valid certificate** (if you have multiple keys): ```bash # List all certificates -kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key +kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key # Plugin will automatically use the newest valid certificate ``` @@ -196,11 +196,11 @@ kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key **Option 2: Rotate sealing keys**: ```bash # Generate new key (requires cluster-admin) -kubectl delete secret -n headlamp sealed-secrets-key -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl delete secret -n kube-system sealed-secrets-key +kubectl rollout restart deployment -n kube-system sealed-secrets-controller # Wait for new key generation -kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s +kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s ``` **Warning**: After key rotation, existing SealedSecrets remain valid but cannot be modified. See [Secret Rotation Tutorial](../tutorials/secret-rotation.md). 
@@ -493,10 +493,10 @@ Failed to fetch certificate: Connection timeout after 30000ms kubectl cluster-info # Test service connectivity -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller # Port-forward and test manually -kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080 +kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080 curl http://localhost:8080/v1/cert.pem ``` @@ -534,7 +534,7 @@ If your error isn't listed: 2. **Check Controller Logs**: ```bash - kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100 + kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100 ``` 3. **Enable Debug Logging** (browser console): diff --git a/docs/troubleshooting/controller-issues.md b/docs/troubleshooting/controller-issues.md index a903eed..45be189 100644 --- a/docs/troubleshooting/controller-issues.md +++ b/docs/troubleshooting/controller-issues.md @@ -23,13 +23,13 @@ Plugin shows "Controller not found" or health status is unhealthy. ```bash # Check if controller exists -kubectl get deployment -n headlamp sealed-secrets-controller +kubectl get deployment -n kube-system sealed-secrets-controller # Check service -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller # Check pods -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller ``` ### Solutions 
@@ -43,10 +43,10 @@ Install the controller: kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml # Wait for deployment -kubectl wait --for=condition=available deployment/sealed-secrets-controller -n headlamp --timeout=60s +kubectl wait --for=condition=available deployment/sealed-secrets-controller -n kube-system --timeout=60s # Verify -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller ``` #### Wrong Namespace @@ -85,13 +85,13 @@ Controller pod shows `Pending`, `ContainerCreating`, or `ImagePullBackOff`. ```bash # Check pod status -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller # Get detailed status -kubectl describe pod -n headlamp -l name=sealed-secrets-controller +kubectl describe pod -n kube-system -l name=sealed-secrets-controller # Check events -kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets +kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets ``` ### Common Causes @@ -102,7 +102,7 @@ kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets **Check**: ```bash -kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Events:" +kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Events:" ``` **Solutions**: 
@@ -114,17 +114,17 @@ kubectl create secret docker-registry regcred \ --docker-server= \ --docker-username= \ --docker-password= \ - -n headlamp + -n kube-system # Update deployment -kubectl patch deployment sealed-secrets-controller -n headlamp -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}' +kubectl patch deployment sealed-secrets-controller -n kube-system -p '{"spec":{"template":{"spec":{"imagePullSecrets":[{"name":"regcred"}]}}}}' ``` **Network issues**: Check cluster can reach `quay.io` or your registry. **Wrong image tag**: Verify image exists: ```bash -kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' +kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' ``` #### Insufficient Resources @@ -133,13 +133,13 @@ kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec **Check**: ```bash -kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling" +kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "FailedScheduling" ``` **Solution**: Lower resource requests or add nodes: ```bash # Lower requests (not recommended for production) -kubectl patch deployment sealed-secrets-controller -n headlamp -p ' +kubectl patch deployment sealed-secrets-controller -n kube-system -p ' { "spec": { "template": { @@ -165,7 +165,7 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p ' **Check**: ```bash -kubectl get pvc -n headlamp +kubectl get pvc -n kube-system ``` **Solution**: Ensure StorageClass exists and volumes are available. 
@@ -182,13 +182,13 @@ Controller pod shows `CrashLoopBackOff` or restarts frequently. ```bash # Check restart count -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller # View recent logs -kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=100 +kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=100 # View previous crash logs -kubectl logs -n headlamp -l name=sealed-secrets-controller --previous +kubectl logs -n kube-system -l name=sealed-secrets-controller --previous ``` ### Common Causes @@ -203,16 +203,16 @@ Error loading sealed secrets key: invalid PEM data **Solution**: ```bash # Backup existing key (if valid) -kubectl get secret -n headlamp sealed-secrets-key -o yaml > backup.yaml +kubectl get secret -n kube-system sealed-secrets-key -o yaml > backup.yaml # Delete corrupted key -kubectl delete secret -n headlamp sealed-secrets-key +kubectl delete secret -n kube-system sealed-secrets-key # Restart controller to generate new key -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl rollout restart deployment -n kube-system sealed-secrets-controller # Wait for new key -kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s +kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s ``` **Warning**: This generates a new key. Existing SealedSecrets will still work but cannot be modified. @@ -227,10 +227,10 @@ Multiple certificates found, unable to determine active key **Solution**: ```bash # List all sealing keys -kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key +kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key # Remove old keys (keep backup!) -kubectl delete secret -n headlamp +kubectl delete secret -n kube-system ``` #### Memory Issues 
@@ -242,12 +242,12 @@ OOMKilled **Check**: ```bash -kubectl describe pod -n headlamp -l name=sealed-secrets-controller | grep -A 5 "Last State" +kubectl describe pod -n kube-system -l name=sealed-secrets-controller | grep -A 5 "Last State" ``` **Solution**: Increase memory limits: ```bash -kubectl patch deployment sealed-secrets-controller -n headlamp -p ' +kubectl patch deployment sealed-secrets-controller -n kube-system -p ' { "spec": { "template": { @@ -298,7 +298,7 @@ kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/downloa **Check**: ```bash # Get certificate expiry -kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \ +kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | \ base64 -d | \ openssl x509 -noout -enddate ``` @@ -307,12 +307,12 @@ kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' ```bash # Generate new key (keeps old for decryption) -kubectl annotate secret -n headlamp sealed-secrets-key \ +kubectl annotate secret -n kube-system sealed-secrets-key \ sealedsecrets.bitnami.com/sealed-secrets-key-rotation=rotate # Or delete and recreate -kubectl delete secret -n headlamp sealed-secrets-key -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl delete secret -n kube-system sealed-secrets-key +kubectl rollout restart deployment -n kube-system sealed-secrets-controller ``` ### Multiple Certificates 
@@ -322,10 +322,10 @@ kubectl rollout restart deployment -n headlamp sealed-secrets-controller **Check**: ```bash # List all certificates -kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key +kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key # View details -kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml +kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml ``` **Solution**: Controller uses newest valid certificate. This is normal after key rotation. @@ -333,7 +333,7 @@ kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key To clean up old keys (after backup): ```bash # Keep newest 2 keys, delete older ones -kubectl delete secret -n headlamp +kubectl delete secret -n kube-system ``` ### Certificate Not Found @@ -342,13 +342,13 @@ kubectl delete secret -n headlamp **Check**: ```bash -kubectl get secret -n headlamp sealed-secrets-key +kubectl get secret -n kube-system sealed-secrets-key ``` **Solution**: Restart controller to generate: ```bash -kubectl rollout restart deployment -n headlamp sealed-secrets-controller -kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-controller --timeout=60s +kubectl rollout restart deployment -n kube-system sealed-secrets-controller +kubectl wait --for=condition=ready pod -n kube-system -l name=sealed-secrets-controller --timeout=60s ``` --- @@ -362,10 +362,10 @@ kubectl wait --for=condition=ready pod -n headlamp -l name=sealed-secrets-contro **Diagnosis**: ```bash # Check controller CPU/memory usage -kubectl top pod -n headlamp -l name=sealed-secrets-controller +kubectl top pod -n kube-system -l name=sealed-secrets-controller # Check events -kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets +kubectl get events -n kube-system --sort-by='.lastTimestamp' | grep sealed-secrets ``` **Solutions**: 
@@ -373,7 +373,7 @@ kubectl get events -n headlamp --sort-by='.lastTimestamp' | grep sealed-secrets #### Increase Resources ```bash -kubectl patch deployment sealed-secrets-controller -n headlamp -p ' +kubectl patch deployment sealed-secrets-controller -n kube-system -p ' { "spec": { "template": { @@ -401,7 +401,7 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p ' ```bash # Get node -kubectl get pod -n headlamp -l name=sealed-secrets-controller -o wide +kubectl get pod -n kube-system -l name=sealed-secrets-controller -o wide # Check node load kubectl top node @@ -429,22 +429,22 @@ Consider node affinity if node is overloaded. **Diagnosis**: ```bash # Check deployment history -kubectl rollout history deployment -n headlamp sealed-secrets-controller +kubectl rollout history deployment -n kube-system sealed-secrets-controller # Check current image -kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' +kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' ``` **Solution**: Rollback and retry: ```bash # Rollback to previous version -kubectl rollout undo deployment -n headlamp sealed-secrets-controller +kubectl rollout undo deployment -n kube-system sealed-secrets-controller # Wait for rollback -kubectl rollout status deployment -n headlamp sealed-secrets-controller +kubectl rollout status deployment -n kube-system sealed-secrets-controller # Check logs -kubectl logs -n headlamp -l name=sealed-secrets-controller +kubectl logs -n kube-system -l name=sealed-secrets-controller ``` ### Version Compatibility 
@@ -460,13 +460,13 @@ kubectl logs -n headlamp -l name=sealed-secrets-controller **Upgrade controller**: ```bash # Backup sealing keys first! -kubectl get secret -n headlamp sealed-secrets-key -o yaml > sealed-secrets-backup.yaml +kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-backup.yaml # Upgrade kubectl apply -f https://github.com/bitnami-labs/sealed-secrets/releases/download/v0.24.0/controller.yaml # Verify -kubectl rollout status deployment -n headlamp sealed-secrets-controller +kubectl rollout status deployment -n kube-system sealed-secrets-controller ``` ### Lost Sealing Keys After Upgrade @@ -483,7 +483,7 @@ If you have backup: kubectl apply -f sealed-secrets-backup.yaml # Restart controller -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl rollout restart deployment -n kube-system sealed-secrets-controller ``` If no backup, keys are **permanently lost**. You must: @@ -499,7 +499,7 @@ If no backup, keys are **permanently lost**. You must: ```bash # Add debug flag to controller -kubectl patch deployment sealed-secrets-controller -n headlamp -p ' +kubectl patch deployment sealed-secrets-controller -n kube-system -p ' { "spec": { "template": { @@ -514,14 +514,14 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p ' }' # View debug logs -kubectl logs -n headlamp -l name=sealed-secrets-controller -f +kubectl logs -n kube-system -l name=sealed-secrets-controller -f ``` ### Port-Forward for Testing ```bash # Forward controller port locally -kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080 +kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080 # Test certificate endpoint curl http://localhost:8080/v1/cert.pem 
@@ -536,7 +536,7 @@ If Prometheus is installed: ```bash # Enable metrics -kubectl patch deployment sealed-secrets-controller -n headlamp -p ' +kubectl patch deployment sealed-secrets-controller -n kube-system -p ' { "spec": { "template": { @@ -551,7 +551,7 @@ kubectl patch deployment sealed-secrets-controller -n headlamp -p ' }' # Access metrics -kubectl port-forward -n headlamp service/sealed-secrets-controller 8081:8081 +kubectl port-forward -n kube-system service/sealed-secrets-controller 8081:8081 curl http://localhost:8081/metrics ``` @@ -564,9 +564,9 @@ If issues persist: 1. **Gather diagnostic info**: ```bash # Create diagnostic bundle - kubectl get all -n headlamp -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml - kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=500 > controller-logs.txt - kubectl describe deployment -n headlamp sealed-secrets-controller > controller-describe.txt + kubectl get all -n kube-system -l name=sealed-secrets-controller -o yaml > controller-diagnostics.yaml + kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=500 > controller-logs.txt + kubectl describe deployment -n kube-system sealed-secrets-controller > controller-describe.txt ``` 2. **Check Sealed Secrets project**: diff --git a/docs/troubleshooting/encryption-failures.md b/docs/troubleshooting/encryption-failures.md index 76d9d77..6eca36e 100644 --- a/docs/troubleshooting/encryption-failures.md +++ b/docs/troubleshooting/encryption-failures.md @@ -19,7 +19,7 @@ Before troubleshooting, understand how encryption works: ``` 1. Plugin fetches public certificate from controller - GET /api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem + GET /api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem 2. Plugin validates certificate (PEM format, expiry, fingerprint) 
@@ -55,10 +55,10 @@ Failed to fetch certificate: Network error ```bash # 1. Check controller is running -kubectl get pods -n headlamp -l name=sealed-secrets-controller +kubectl get pods -n kube-system -l name=sealed-secrets-controller # 2. Test certificate endpoint directly -kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080 +kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080 # In another terminal: curl http://localhost:8080/v1/cert.pem ``` @@ -70,16 +70,16 @@ curl http://localhost:8080/v1/cert.pem **Certificate endpoint not responding**: ```bash # Check controller logs -kubectl logs -n headlamp -l name=sealed-secrets-controller --tail=50 +kubectl logs -n kube-system -l name=sealed-secrets-controller --tail=50 # Restart controller -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl rollout restart deployment -n kube-system sealed-secrets-controller ``` **RBAC permission denied**: ```bash # Check service access permission -kubectl auth can-i get services/sealed-secrets-controller -n headlamp +kubectl auth can-i get services/sealed-secrets-controller -n kube-system # If no, apply RBAC (requires cluster-admin): kubectl apply -f - < cert.pem +kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d > cert.pem # Should start with: # -----BEGIN CERTIFICATE----- 
@@ -183,14 +183,14 @@ cat cert.pem **Corrupted certificate**: ```bash # Regenerate certificate -kubectl delete secret -n headlamp sealed-secrets-key -kubectl rollout restart deployment -n headlamp sealed-secrets-controller +kubectl delete secret -n kube-system sealed-secrets-key +kubectl rollout restart deployment -n kube-system sealed-secrets-controller ``` **Wrong secret**: Ensure you're using correct secret: ```bash # List all sealing keys -kubectl get secrets -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key +kubectl get secrets -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key # Should show sealed-secrets-key ``` @@ -213,7 +213,7 @@ Plan key rotation before expiry: 1. **Schedule maintenance window** 2. **Backup existing keys**: ```bash - kubectl get secret -n headlamp -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml + kubectl get secret -n kube-system -l sealedsecrets.bitnami.com/sealed-secrets-key -o yaml > sealing-keys-backup.yaml ``` 3. **Rotate keys**: See [Secret Rotation Tutorial](../tutorials/secret-rotation.md) 4. **Recreate SealedSecrets** if needed @@ -485,10 +485,10 @@ Failed to fetch certificate: Request timeout after 30000ms kubectl cluster-info # Test service endpoint -kubectl get svc -n headlamp sealed-secrets-controller +kubectl get svc -n kube-system sealed-secrets-controller # Test with curl -kubectl port-forward -n headlamp service/sealed-secrets-controller 8080:8080 +kubectl port-forward -n kube-system service/sealed-secrets-controller 8080:8080 curl -m 5 http://localhost:8080/v1/cert.pem ``` @@ -550,7 +550,7 @@ Test encryption manually: ```javascript // In browser console -const cert = await fetch('/api/v1/namespaces/headlamp/services/sealed-secrets-controller:http/proxy/v1/cert.pem') +const cert = await fetch('/api/v1/namespaces/kube-system/services/sealed-secrets-controller:http/proxy/v1/cert.pem') .then(r => r.text()); console.log('Certificate:', cert); 
@@ -587,7 +587,7 @@ sudo install -m 755 kubeseal /usr/local/bin/kubeseal # Test encryption echo -n mysecretvalue | kubeseal \ - --controller-namespace=headlamp \ + --controller-namespace=kube-system \ --controller-name=sealed-secrets-controller \ --format=yaml \ --name=my-secret \ @@ -621,10 +621,10 @@ If encryption still fails: 1. **Gather diagnostics**: ```bash # Controller version - kubectl get deployment -n headlamp sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' + kubectl get deployment -n kube-system sealed-secrets-controller -o jsonpath='{.spec.template.spec.containers[0].image}' # Certificate validity - kubectl get secret -n headlamp sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text + kubectl get secret -n kube-system sealed-secrets-key -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -text # Plugin version (in Headlamp UI) Settings → Sealed Secrets → About diff --git a/docs/troubleshooting/permission-errors.md b/docs/troubleshooting/permission-errors.md index ced1d33..ed207d0 100644 --- a/docs/troubleshooting/permission-errors.md +++ b/docs/troubleshooting/permission-errors.md @@ -202,11 +202,11 @@ Missing service access permission. ```bash # Check service access -kubectl auth can-i get services -n headlamp -kubectl auth can-i get services/sealed-secrets-controller -n headlamp +kubectl auth can-i get services -n kube-system +kubectl auth can-i get services/sealed-secrets-controller -n kube-system # Check proxy access -kubectl auth can-i get services/proxy -n headlamp +kubectl auth can-i get services/proxy -n kube-system ``` #### Solution @@ -563,7 +563,7 @@ TOKEN=$(kubectl create token sealed-secrets-ci -n ci-cd) # Use with kubeseal echo -n mysecret | kubeseal \ - --controller-namespace=headlamp \ + --controller-namespace=kube-system \ --token="$TOKEN" \ --format=yaml ``` 
diff --git a/docs/tutorials/ci-cd-integration.md b/docs/tutorials/ci-cd-integration.md index af76dd4..4bcbf15 100644 --- a/docs/tutorials/ci-cd-integration.md +++ b/docs/tutorials/ci-cd-integration.md @@ -33,7 +33,7 @@ The sealing certificate is the public key used to encrypt secrets. You can downl Alternatively, fetch it directly from the controller: ```bash -kubectl get secret -n headlamp \ +kubectl get secret -n kube-system \ -l sealedsecrets.bitnami.com/sealed-secrets-key=active \ -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem ``` @@ -41,7 +41,7 @@ kubectl get secret -n headlamp \ Or use the controller's certificate endpoint: ```bash -curl http://sealed-secrets-controller.headlamp:8080/v1/cert.pem > sealed-secrets-cert.pem +curl http://sealed-secrets-controller.kube-system:8080/v1/cert.pem > sealed-secrets-cert.pem ``` ## Step 2: Install kubeseal CLI @@ -107,7 +107,7 @@ jobs: echo "${{ secrets.SEALED_SECRETS_CERT }}" > sealed-secrets-cert.pem # Option 2: From cluster (requires kubectl access) - # kubectl get secret -n headlamp \ + # kubectl get secret -n kube-system \ # -l sealedsecrets.bitnami.com/sealed-secrets-key=active \ # -o jsonpath='{.items[0].data.tls\.crt}' | base64 -d > sealed-secrets-cert.pem
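Review bot: in docs/getting-started/installation.md, the hunks at -121 and -149 also flip `kubectl create configmap headlamp-sealed-secrets-plugin ... -n headlamp` and `kubectl rollout restart deployment/headlamp -n headlamp` to `-n kube-system`, but neither is a sealed-secrets-controller command. The commit message says the Headlamp app namespace is meant to stay `headlamp`, so these two lines should keep `-n headlamp`. A ConfigMap can only be mounted by pods in its own namespace, so as written the plugin ConfigMap would be created where the Headlamp deployment cannot use it, and the restart would target a deployment in the wrong namespace.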
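Review bot: in docs/troubleshooting/common-errors.md, hunk -196 ("Option 2: Rotate sealing keys"), the block runs `kubectl delete secret -n kube-system sealed-secrets-key` with no backup step before it, while the equivalent block in controller-issues.md (hunk -203) backs the key up first. Since these lines are being touched anyway, add the backup line ahead of the delete here as well. The warning below it ("existing SealedSecrets remain valid but cannot be modified") should also be rechecked, because deleting the only private key removes the controller's ability to decrypt anything sealed with it.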
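Review bot: in docs/troubleshooting/common-errors.md hunk -138 and controller-issues.md hunk -460, the backup commands (`kubectl get secret -n kube-system sealed-secrets-key -o yaml > sealed-secrets-key-backup.yaml`) write the private sealing key in plaintext to the current directory, and the docs say nothing about how to handle that file. Suggest a sentence next to each backup command telling the reader to restrict the file's permissions, store it encrypted, and keep it out of version control, since anyone holding it can decrypt every SealedSecret for the cluster.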
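Review bot: in docs/tutorials/ci-cd-integration.md, hunk -41, `curl http://sealed-secrets-controller.kube-system:8080/v1/cert.pem > sealed-secrets-cert.pem` fetches the sealing certificate over plain HTTP and without `-f`, so an HTTP error body or a substituted response is written to the file and then used as the encryption key. Suggest `curl -fsS` plus a verification step, for example comparing `openssl x509 -noout -fingerprint` output against the certificate obtained through the `kubectl get secret` path shown in hunk -33, before the file is stored as `SEALED_SECRETS_CERT`.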
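Review bot: across the troubleshooting hunks (for example docs/troubleshooting/README.md -71 and encryption-failures.md -621) the key is addressed by fixed name, `kubectl get secret -n kube-system sealed-secrets-key`, while ci-cd-integration.md -33 selects it with `-l sealedsecrets.bitnami.com/sealed-secrets-key=active`. The two forms only agree if the secret is literally named `sealed-secrets-key`. Now that the namespace is corrected, it would be worth settling on the label selector throughout so the commands still work when more than one key exists after rotation.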