Fix deployment guide (#404)

* Fix deployment guide
* Add missing namespace from deployment resources
* Add note about discovery limitation

---------

Signed-off-by: Dan Barr <6922515+danbarr@users.noreply.github.com>
Co-authored-by: Dan Barr <6922515+danbarr@users.noreply.github.com>

Author: danbarr

docs/toolhive/guides-registry/configuration.mdx

@@ -198,6 +198,13 @@ endpoint documentation and request/response examples.
 Discovers MCP servers from running Kubernetes deployments. Automatically creates
 registry entries for deployed MCP servers in your cluster.
 
+:::note
+
+Currently, only resources in the same namespace as the Registry Server are
+discovered.
+
+:::
+
 ```yaml title="config-kubernetes.yaml"
 registries:
   - name: k8s-cluster
@@ -220,14 +227,14 @@ of workloads. The types being watched are
 [`VirtualMCPServer`](../guides-vmcp/configuration.mdx).
 
 The Registry Server will receive events when a resource among those listed above
-is annotated with the following annotations
+is annotated with the following annotations:
 
-```yaml
+```yaml {7-10}
 apiVersion: toolhive.stacklok.dev/v1alpha1
 kind: MCPServer
 metadata:
   name: my-mcp-server
-  namespace: production
+  namespace: toolhive-system # Must match Registry Server namespace
   annotations:
     toolhive.stacklok.dev/registry-export: 'true'
     toolhive.stacklok.dev/registry-url: 'https://mcp.example.com/servers/my-mcp-server'

docs/toolhive/guides-registry/deployment.mdx

@@ -25,6 +25,9 @@ and the necessary users for migration and application execution are configured
 and able to connect to a `registry` database. It also assumes that you have a
 keycloak instance configured to act as identity provider.
 
+All resources are created in the `toolhive-system` namespace. This namespace
+must exist before applying the deployment.
+
 For further details about user grants read the
 [Migration user privileges](./database.mdx#migration-user-privileges) and
 [Application user privileges](./database.mdx#application-user-privileges)
@@ -36,6 +39,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: registry-api
+  namespace: toolhive-system
 spec:
   replicas: 1
   selector:
@@ -64,7 +68,7 @@ spec:
               subPath: pgpass
       containers:
         - name: registry-api
-          image: ghcr.io/stacklok/toolhive-registry-server/thv-registry-api:latest
+          image: ghcr.io/stacklok/thv-registry-api:latest
           args:
             - serve
             - --config=/thv/config.yaml
@@ -110,6 +114,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: registry-api-config
+  namespace: toolhive-system
 data:
   config.yaml: |
     registryName: my-registry
@@ -142,6 +147,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: registry-api-pgpass
+  namespace: toolhive-system
 type: Opaque
 stringData:
   pgpass: |
@@ -152,6 +158,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: registry-api
+  namespace: toolhive-system
 spec:
   selector:
     app: registry-api
@@ -176,24 +183,31 @@ of workloads. The types being watched are
 [`MCPRemoteProxy`](../guides-k8s/remote-mcp-proxy.mdx), and
 [`VirtualMCPServer`](../guides-vmcp/configuration.mdx).
 
+:::note
+
+Currently, only resources in the same namespace as the Registry Server are
+discovered.
+
+:::
+
 This feature requires the Registry Server to be granted access to those
-resources via a Service Account like the following
+resources.
 
 ```yaml title="registry-service-account.yaml"
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   labels:
-    toolhive.stacklok.io/registry-name: example-registry
-  name: example-registry-registry-api
+    toolhive.stacklok.io/registry-name: registry-api
+  name: registry-api
   namespace: toolhive-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   labels:
-    toolhive.stacklok.io/registry-name: example-registry
-  name: example-registry-registry-api
+    toolhive.stacklok.io/registry-name: registry-api
+  name: registry-api
   namespace: toolhive-system
 rules:
   - apiGroups:
@@ -250,15 +264,25 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   labels:
-    toolhive.stacklok.io/registry-name: example-registry
-  name: example-registry-registry-api
+    toolhive.stacklok.io/registry-name: registry-api
+  name: registry-api
   namespace: toolhive-system
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: example-registry-registry-api
+  name: registry-api
 subjects:
   - kind: ServiceAccount
-    name: example-registry-registry-api
+    name: registry-api
     namespace: toolhive-system
 ```
+
+Apply the service account to the registry server deployment in the
+`spec.template.spec` section:
+
+```yaml
+spec:
+  template:
+    spec:
+      serviceAccountName: registry-api
+```