Update Headlamp and Vault documentation; enhance RBAC configurations in Argo CD. Modify Headlamp README to clarify sessionTTL handling and ServiceAccount permissions. Add Cilium network policy instructions to Vault README. Update Argo CD values.yaml for default RBAC settings, ensuring local admin retains full access while new users start with read-only permissions. Reflect these changes in CLUSTER-BUILD.md.

2026-03-28 02:02:17 -04:00
parent 906c24b1d5
commit 445a1ac211
15 changed files with 188 additions and 13 deletions
--- a/clusters/noble/apps/headlamp/values.yaml
+++ b/clusters/noble/apps/headlamp/values.yaml
@@ -8,6 +8,18 @@
 #
 # DNS: headlamp.apps.noble.lab.pcenicni.dev → Traefik LB (see talos/CLUSTER-BUILD.md).
 # Default chart RBAC is broad — restrict for production (Phase G).
+# Bind Headlamp’s ServiceAccount to the built-in **edit** ClusterRole (not **cluster-admin**).
+# For break-glass cluster-admin, use kubectl with your admin kubeconfig — not Headlamp.
+# If changing **clusterRoleName** on an existing install, Kubernetes forbids mutating **roleRef**:
+#   kubectl delete clusterrolebinding headlamp-admin
+#   helm upgrade … (same command as in the header comments)
+clusterRoleBinding:
+  clusterRoleName: edit
+#
+# Chart 0.40.1 passes -session-ttl but the v0.40.1 binary does not define it — omit the flag:
+# https://github.com/kubernetes-sigs/headlamp/issues/4883
+config:
+  sessionTTL: null

 ingress:
  enabled: true