Enhance noble_landing_urls role by adding support for generating a Headlamp ServiceAccount token with a configurable duration. Update documentation to reflect changes in the markdown output for Headlamp sign-in. Modify fetch_credentials task to include token generation alongside existing credential fetching. These updates improve the usability and security of the Headlamp integration.

2026-03-28 16:38:47 -04:00
parent 0e8eaa2f0d
commit 7a62489ad6
4 changed files with 41 additions and 3 deletions
--- a/ansible/roles/noble_landing_urls/defaults/main.yml
+++ b/ansible/roles/noble_landing_urls/defaults/main.yml
@@ -2,9 +2,12 @@
 # Regenerated when **noble_landing_urls** runs (after platform stack). Paths match Traefik + cert-manager Ingresses.
 noble_landing_urls_dest: "{{ noble_repo_root }}/ansible/output/noble-lab-ui-urls.md"

-# When true, run kubectl against the cluster to fill Argo CD / Grafana passwords in the markdown (requires working kubeconfig).
+# When true, run kubectl to fill Argo CD / Grafana secrets and a bounded Headlamp SA token in the markdown (requires working kubeconfig).
 noble_landing_urls_fetch_credentials: true

+# Headlamp: bounded token for UI sign-in (`kubectl create token`); cluster may cap max duration.
+noble_landing_urls_headlamp_token_duration: 48h
+
 noble_lab_ui_entries:
  - name: Argo CD
    description: GitOps UI (sync, apps, repos)