Enhance noble_landing_urls role by adding support for generating a Headlamp ServiceAccount token with a configurable duration. Update documentation to reflect changes in the markdown output for Headlamp sign-in. Modify fetch_credentials task to include token generation alongside existing credential fetching. These updates improve the usability and security of the Headlamp integration.

clusters/noble/apps/headlamp/README.md

@@ -16,3 +16,20 @@ helm upgrade --install headlamp headlamp/headlamp -n headlamp \
 ```
 
 Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO.
+
+## Sign-in token (ServiceAccount `headlamp`)
+
+Use a short-lived token (Kubernetes **1.24+**; requires permission to create **TokenRequests**):
+
+```bash
+export KUBECONFIG=/path/to/talos/kubeconfig   # or your admin kubeconfig
+kubectl -n headlamp create token headlamp --duration=48h
+```
+
+Paste the printed JWT into Headlamp’s token field at **`https://headlamp.apps.noble.lab.pcenicni.dev`**.
+
+To use another duration (cluster `spec.serviceAccount` / admission limits may cap it):
+
+```bash
+kubectl -n headlamp create token headlamp --duration=8760h
+```