Standardize on external-secrets-system namespace

[colek42]

Standardize on external-secrets-system namespace

Problem

There are inconsistencies in namespace references for External Secrets Operator (ESO) across documentation and Helm charts.

Current State

Inconsistent references:

• Documentation: Mixed between external-secrets and external-secrets-system
• Helm charts: ESO resources deployed to namespace from .Release.Namespace
• Standard practice: Official ESO Helm chart uses external-secrets-system

Examples of inconsistency:

- "external-secrets namespace"
- "external-secrets-system namespace"
- In deployment: "{{ .Release.Namespace }}"

Desired State

Standardize everywhere on external-secrets-system:

1. ESO installation command
2. All documentation references
3. Helm chart comments and examples
4. Troubleshooting commands
5. Secret architecture diagrams

Files to Update

Documentation

• platform-architecture.md - Update ESO namespace references
• CLAUDE.md (Helm charts) - Update ESO installation docs

Helm Charts

• charts/judge/README.md - Update installation instructions
• All template comments mentioning ESO
• Values.yaml example comments

Installation Instructions

Update to:

helm repo add external-secrets https://charts.external-secrets.io
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets-system \
  --create-namespace

Why This Change

1. Standard Convention: Official ESO Helm chart defaults to external-secrets-system
2. Consistency: Single source of truth for namespace name
3. Documentation: Users won't be confused by multiple namespace references
4. Best Practice: Dedicated namespace for external secrets improves security isolation

Impact

• Low Priority: Cosmetic/consistency fix
• No functional impact if namespace is used consistently
• Improves documentation clarity
• Aligns with community best practices

Verification

After fix, verify:

# ESO should be in external-secrets-system
kubectl get all -n external-secrets-system

# ESO SecretStore resources in judge namespace
kubectl get secretstore -n judge

# ESO ExternalSecret resources in judge namespace
kubectl get externalsecret -n judge

# ESO webhook validation in external-secrets-system
kubectl get validatingwebhookconfigurations | grep secrets

Testing

# Install ESO in correct namespace
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets-system \
  --create-namespace

# Deploy Judge platform
helm install judge ./charts/judge -n judge

# Verify SecretStores can connect to ESO webhook
kubectl describe secretstore vault-kratos -n judge

Files to Update

1. /Users/nkennedy/proj/judge/.grc/platform-architecture.md

   • Line search for "external-secrets" and update references
   • Update ESO installation instructions

2. /Users/nkennedy/proj/cust/conda/repos/cust-anaconda-helm-charts/CLAUDE.md

   • Update ESO installation command
   • Update namespace references in prerequisites

3. charts/judge/README.md

   • Update installation steps
   • Update troubleshooting commands

4. All template files with ESO references

   • Update example commands
   • Update comments

Labels

• documentation
• helm-charts
• consistency
• eso

Fix Location

Both Documentation and Helm Charts - Standardize namespace references throughout