Enhance noble_landing_urls role by adding support for generating a Headlamp ServiceAccount token with a configurable duration. Update documentation to reflect changes in the markdown output for Headlamp sign-in. Modify fetch_credentials task to include token generation alongside existing credential fetching. These updates improve the usability and security of the Headlamp integration.

ansible/roles/noble_landing_urls/defaults/main.yml

@@ -2,9 +2,12 @@
 # Regenerated when **noble_landing_urls** runs (after platform stack). Paths match Traefik + cert-manager Ingresses.
 noble_landing_urls_dest: "{{ noble_repo_root }}/ansible/output/noble-lab-ui-urls.md"
 
-# When true, run kubectl against the cluster to fill Argo CD / Grafana passwords in the markdown (requires working kubeconfig).
+# When true, run kubectl to fill Argo CD / Grafana secrets and a bounded Headlamp SA token in the markdown (requires working kubeconfig).
 noble_landing_urls_fetch_credentials: true
 
+# Headlamp: bounded token for UI sign-in (`kubectl create token`); cluster may cap max duration.
+noble_landing_urls_headlamp_token_duration: 48h
+
 noble_lab_ui_entries:
   - name: Argo CD
     description: GitOps UI (sync, apps, repos)

ansible/roles/noble_landing_urls/tasks/fetch_credentials.yml

@@ -1,5 +1,5 @@
 ---
-# Populates template variables from Secrets (no_log on kubectl to avoid leaking into Ansible stdout).
+# Populates template variables from Secrets + Headlamp token (no_log on kubectl to avoid leaking into Ansible stdout).
 - name: Fetch Argo CD initial admin password (base64)
   ansible.builtin.command:
     argv:
@@ -53,3 +53,20 @@
   failed_when: false
   changed_when: false
   no_log: true
+
+- name: Create Headlamp ServiceAccount token (for UI sign-in)
+  ansible.builtin.command:
+    argv:
+      - kubectl
+      - -n
+      - headlamp
+      - create
+      - token
+      - headlamp
+      - "--duration={{ noble_landing_urls_headlamp_token_duration | default('48h') }}"
+  environment:
+    KUBECONFIG: "{{ noble_kubeconfig }}"
+  register: noble_fetch_headlamp_token
+  failed_when: false
+  changed_when: false
+  no_log: true

ansible/roles/noble_landing_urls/templates/noble-lab-ui-urls.md.j2

@@ -20,7 +20,7 @@ This file is **generated** by Ansible (`noble_landing_urls` role). Use it as a t
 |-----|---------------------|-------------------|
 | **Argo CD** | `admin` | {% if (noble_fetch_argocd_pw_b64 is defined) and (noble_fetch_argocd_pw_b64.rc | default(1) == 0) and (noble_fetch_argocd_pw_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_argocd_pw_b64.stdout | b64decode }}`{% else %}*(not fetched — use commands below)*{% endif %} |
 | **Grafana** | {% if (noble_fetch_grafana_user_b64 is defined) and (noble_fetch_grafana_user_b64.rc | default(1) == 0) and (noble_fetch_grafana_user_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_grafana_user_b64.stdout | b64decode }}`{% else %}*(from Secret — use commands below)*{% endif %} | {% if (noble_fetch_grafana_pw_b64 is defined) and (noble_fetch_grafana_pw_b64.rc | default(1) == 0) and (noble_fetch_grafana_pw_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_grafana_pw_b64.stdout | b64decode }}`{% else %}*(not fetched — use commands below)*{% endif %} |
-| **Headlamp** | ServiceAccount token | No fixed password. Sign in with a SA token, or configure OIDC — `clusters/noble/apps/headlamp/README.md`. |
+| **Headlamp** | ServiceAccount **`headlamp`** | {% if (noble_fetch_headlamp_token is defined) and (noble_fetch_headlamp_token.rc | default(1) == 0) and (noble_fetch_headlamp_token.stdout | default('') | trim | length > 0) %}Token ({{ noble_landing_urls_headlamp_token_duration | default('48h') }}): `{{ noble_fetch_headlamp_token.stdout | trim }}`{% else %}*(not generated — use command below)*{% endif %} |
 | **Prometheus** | — | No auth in default install (lab). |
 | **Alertmanager** | — | No auth in default install (lab). |
 | **Longhorn** | — | No default login unless you enable access control in the UI settings. |
@@ -48,3 +48,4 @@ To generate this file **without** calling kubectl, run Ansible with **`-e noble_
 - **Grafana** password is random unless you set `grafana.adminPassword` in chart values.
 - **Vault** UI needs **unsealed** Vault; tokens come from your chosen auth method.
 - **Prometheus / Alertmanager** UIs are unauthenticated by default — restrict when hardening (`talos/CLUSTER-BUILD.md` Phase G).
+- **Headlamp** token above expires after the configured duration; re-run Ansible or `kubectl create token` to refresh.