From 11cbe6d7e0f7157db3a9f0190a6dcd25d5e89dbc Mon Sep 17 00:00:00 2001
From: Chris Farhood <chris@farhood.org>
Date: Wed, 6 May 2026 14:09:48 +0000
Subject: [PATCH] docs: migrate Headlamp install namespace from kube-system to
 headlamp

Doc-only: redirect all references to Headlamp's own install
namespace from kube-system to headlamp, except:
- Driver namespace (CLAUDE.md) stays kube-system (upstream)
- CSI controller API paths (docs/architecture/overview.md) stay
  kube-system (upstream workload)

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 SECURITY.md                          |  6 +++---
 docs/architecture/overview.md        |  2 +-
 docs/deployment/helm.md              | 10 +++++-----
 docs/getting-started/installation.md |  2 +-
 docs/getting-started/quick-start.md  |  6 +++---
 docs/troubleshooting/README.md       |  4 ++--
 docs/troubleshooting/benchmark.md    |  4 ++--
 docs/troubleshooting/metrics.md      |  2 +-
 docs/troubleshooting/rbac.md         |  6 +++---
 docs/user-guide/rbac.md              |  4 ++--
 10 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index c2993ca..b244037 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -91,7 +91,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: headlamp
-    namespace: kube-system   # adjust to your Headlamp namespace
+    namespace: headlamp   # adjust to your Headlamp namespace
 roleRef:
   kind: ClusterRole
   name: headlamp-tns-csi-reader
@@ -143,7 +143,7 @@ The Kubernetes API server performs the pod proxy hop, so policies should permit
 
 ### Service Account (Default)
 
-Headlamp runs with a dedicated service account (`headlamp` in `kube-system`). All users share the same RBAC permissions.
+Headlamp runs with a dedicated service account (`headlamp` in `headlamp`). All users share the same RBAC permissions.
 
 **Security Considerations:**
 - All users have identical access to plugin functionality including Benchmark
@@ -223,7 +223,7 @@ All API requests are logged in Kubernetes API audit logs (if enabled). Pod proxy
   "verb": "get",
   "requestURI": "/api/v1/namespaces/kube-system/pods/<controller-pod>/proxy/metrics",
   "user": {
-    "username": "system:serviceaccount:kube-system:headlamp"
+    "username": "system:serviceaccount:headlamp:headlamp"
   }
 }
 ```
diff --git a/docs/architecture/overview.md b/docs/architecture/overview.md
index a97345e..5793fb7 100644
--- a/docs/architecture/overview.md
+++ b/docs/architecture/overview.md
@@ -28,7 +28,7 @@ The TNS-CSI plugin is a single-page React application bundled as a Headlamp plug
                         │ HTTPS
                         ▼
 ┌─────────────────────────────────────────────────────┐
-│              Headlamp Pod (kube-system)              │
+│              Headlamp Pod (headlamp)              │
 │                                                     │
 │  Headlamp UI server + API proxy                     │
 │  (forwards requests using service account token     │
diff --git a/docs/deployment/helm.md b/docs/deployment/helm.md
index a4a2e55..8175676 100644
--- a/docs/deployment/helm.md
+++ b/docs/deployment/helm.md
@@ -9,7 +9,7 @@ helm repo add headlamp https://headlamp-k8s.github.io/headlamp/
 helm repo update
 
 helm install headlamp headlamp/headlamp \
-  --namespace kube-system \
+  --namespace headlamp \
   --create-namespace \
   --set config.pluginsDir=/headlamp/plugins \
   --set pluginsManager.sources[0].name=tns-csi \
@@ -44,7 +44,7 @@ Apply:
 
 ```bash
 helm install headlamp headlamp/headlamp \
-  --namespace kube-system \
+  --namespace headlamp \
   -f headlamp-values.yaml
 ```
 
@@ -64,7 +64,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: headlamp
-  namespace: kube-system
+  namespace: headlamp
 spec:
   interval: 1h
   chart:
@@ -122,7 +122,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: headlamp
-    namespace: kube-system
+    namespace: headlamp
 roleRef:
   kind: ClusterRole
   name: headlamp-tns-csi-reader
@@ -136,7 +136,7 @@ To upgrade to a new plugin version, update the `url` in your values and apply:
 
 ```bash
 helm upgrade headlamp headlamp/headlamp \
-  --namespace kube-system \
+  --namespace headlamp \
   -f headlamp-values.yaml
 ```
 
diff --git a/docs/getting-started/installation.md b/docs/getting-started/installation.md
index 2888d44..656bf84 100644
--- a/docs/getting-started/installation.md
+++ b/docs/getting-started/installation.md
@@ -32,7 +32,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
   name: headlamp
-  namespace: kube-system
+  namespace: headlamp
 spec:
   chart:
     spec:
diff --git a/docs/getting-started/quick-start.md b/docs/getting-started/quick-start.md
index 71eba84..6504397 100644
--- a/docs/getting-started/quick-start.md
+++ b/docs/getting-started/quick-start.md
@@ -34,7 +34,7 @@ pluginsManager:
 Then upgrade your Headlamp release:
 
 ```bash
-helm upgrade headlamp headlamp/headlamp -f values.yaml -n kube-system
+helm upgrade headlamp headlamp/headlamp -f values.yaml -n headlamp
 ```
 
 ## Step 2: Configure RBAC
@@ -70,7 +70,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: headlamp
-    namespace: kube-system
+    namespace: headlamp
 roleRef:
   kind: ClusterRole
   name: headlamp-tns-csi-reader
@@ -78,7 +78,7 @@ roleRef:
 EOF
 ```
 
-Adjust `name: headlamp` and `namespace: kube-system` to match your Headlamp service account.
+Adjust `name: headlamp` and `namespace: headlamp` to match your Headlamp service account.
 
 ## Step 3: Verify
 
diff --git a/docs/troubleshooting/README.md b/docs/troubleshooting/README.md
index 0388650..372d599 100644
--- a/docs/troubleshooting/README.md
+++ b/docs/troubleshooting/README.md
@@ -77,7 +77,7 @@ If a page shows a loading spinner indefinitely:
 
 1. **Check browser console** for errors (F12 → Console)
 2. **Check network tab** for failed API requests (look for 403, 404, 500)
-3. **Check Headlamp pod logs**: `kubectl logs -n kube-system -l app.kubernetes.io/name=headlamp`
+3. **Check Headlamp pod logs**: `kubectl logs -n headlamp -l app.kubernetes.io/name=headlamp`
 4. **Try refreshing** — the watch connection may have been interrupted
 
 ## Common API Errors
@@ -102,7 +102,7 @@ Look for errors related to `tns-csi`, `headlamp-plugin`, or Kubernetes API paths
 **Headlamp pod logs:**
 
 ```bash
-kubectl logs -n kube-system -l app.kubernetes.io/name=headlamp --tail=100
+kubectl logs -n headlamp -l app.kubernetes.io/name=headlamp --tail=100
 ```
 
 **tns-csi controller logs:**
diff --git a/docs/troubleshooting/benchmark.md b/docs/troubleshooting/benchmark.md
index 6bae6d1..2fc1fb4 100644
--- a/docs/troubleshooting/benchmark.md
+++ b/docs/troubleshooting/benchmark.md
@@ -8,10 +8,10 @@ The Benchmark page requires permissions to create and delete Jobs and PVCs:
 
 ```bash
 kubectl auth can-i create jobs -n <benchmark-namespace> \
-  --as=system:serviceaccount:kube-system:headlamp
+  --as=system:serviceaccount:headlamp:headlamp
 
 kubectl auth can-i create persistentvolumeclaims -n <benchmark-namespace> \
-  --as=system:serviceaccount:kube-system:headlamp
+  --as=system:serviceaccount:headlamp:headlamp
 ```
 
 Apply the additional permissions if missing — see [RBAC Issues](rbac.md) or [SECURITY.md](../../SECURITY.md).
diff --git a/docs/troubleshooting/metrics.md b/docs/troubleshooting/metrics.md
index b66c813..0628aec 100644
--- a/docs/troubleshooting/metrics.md
+++ b/docs/troubleshooting/metrics.md
@@ -47,7 +47,7 @@ This requires `get` on `pods/proxy` in `kube-system`:
 ```bash
 kubectl auth can-i get pods/proxy \
   -n kube-system \
-  --as=system:serviceaccount:kube-system:headlamp
+  --as=system:serviceaccount:headlamp:headlamp
 ```
 
 ### 5. Network Policies
diff --git a/docs/troubleshooting/rbac.md b/docs/troubleshooting/rbac.md
index 1663e46..a7a204d 100644
--- a/docs/troubleshooting/rbac.md
+++ b/docs/troubleshooting/rbac.md
@@ -11,16 +11,16 @@ Use `kubectl auth can-i` to check specific permissions:
 ```bash
 # Check if the Headlamp service account can list StorageClasses
 kubectl auth can-i list storageclasses \
-  --as=system:serviceaccount:kube-system:headlamp
+  --as=system:serviceaccount:headlamp:headlamp
 
 # Check pod proxy access (for metrics)
 kubectl auth can-i get pods/proxy \
   -n kube-system \
-  --as=system:serviceaccount:kube-system:headlamp
+  --as=system:serviceaccount:headlamp:headlamp
 
 # Check snapshot access
 kubectl auth can-i list volumesnapshots \
-  --as=system:serviceaccount:kube-system:headlamp
+  --as=system:serviceaccount:headlamp:headlamp
 ```
 
 ### Applying the Required RBAC
diff --git a/docs/user-guide/rbac.md b/docs/user-guide/rbac.md
index d06fb48..7191a28 100644
--- a/docs/user-guide/rbac.md
+++ b/docs/user-guide/rbac.md
@@ -47,7 +47,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: headlamp          # adjust to your Headlamp service account name
-    namespace: kube-system  # adjust to your Headlamp namespace
+    namespace: headlamp  # adjust to your Headlamp namespace
 roleRef:
   kind: ClusterRole
   name: headlamp-tns-csi-reader
@@ -99,7 +99,7 @@ metadata:
 subjects:
   - kind: ServiceAccount
     name: headlamp
-    namespace: kube-system
+    namespace: headlamp
 roleRef:
   kind: Role
   name: headlamp-tns-csi-benchmark