Enhance noble_landing_urls role by adding support for generating a Headlamp ServiceAccount token with a configurable duration. Update documentation to reflect changes in the markdown output for Headlamp sign-in. Modify fetch_credentials task to include token generation alongside existing credential fetching. These updates improve the usability and security of the Headlamp integration.

2026-03-28 16:38:47 -04:00
parent 0e8eaa2f0d
commit 7a62489ad6
4 changed files with 41 additions and 3 deletions
--- a/ansible/roles/noble_landing_urls/defaults/main.yml
+++ b/ansible/roles/noble_landing_urls/defaults/main.yml
@@ -2,9 +2,12 @@
 # Regenerated when **noble_landing_urls** runs (after platform stack). Paths match Traefik + cert-manager Ingresses.
 noble_landing_urls_dest: "{{ noble_repo_root }}/ansible/output/noble-lab-ui-urls.md"
-# When true, run kubectl against the cluster to fill Argo CD / Grafana passwords in the markdown (requires working kubeconfig).
+# When true, run kubectl to fill Argo CD / Grafana secrets and a bounded Headlamp SA token in the markdown (requires working kubeconfig).
 noble_landing_urls_fetch_credentials: true
 # Headlamp: bounded token for UI sign-in (`kubectl create token`); cluster may cap max duration.
 noble_landing_urls_headlamp_token_duration: 48h
 noble_lab_ui_entries:
  - name: Argo CD
    description: GitOps UI (sync, apps, repos)
--- a/ansible/roles/noble_landing_urls/tasks/fetch_credentials.yml
+++ b/ansible/roles/noble_landing_urls/tasks/fetch_credentials.yml
@@ -1,5 +1,5 @@
 ---
-# Populates template variables from Secrets (no_log on kubectl to avoid leaking into Ansible stdout).
+# Populates template variables from Secrets + Headlamp token (no_log on kubectl to avoid leaking into Ansible stdout).
 - name: Fetch Argo CD initial admin password (base64)
  ansible.builtin.command:
    argv:
@@ -53,3 +53,20 @@
  failed_when: false
  changed_when: false
  no_log: true
 - name: Create Headlamp ServiceAccount token (for UI sign-in)
  ansible.builtin.command:
    argv:
      - kubectl
      - -n
      - headlamp
      - create
      - token
      - headlamp
      - "--duration={{ noble_landing_urls_headlamp_token_duration | default('48h') }}"
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  register: noble_fetch_headlamp_token
  failed_when: false
  changed_when: false
  no_log: true
--- a/ansible/roles/noble_landing_urls/templates/noble-lab-ui-urls.md.j2
+++ b/ansible/roles/noble_landing_urls/templates/noble-lab-ui-urls.md.j2
@@ -20,7 +20,7 @@ This file is **generated** by Ansible (`noble_landing_urls` role). Use it as a t
 |-----|---------------------|-------------------|
 | **Argo CD** | `admin` | {% if (noble_fetch_argocd_pw_b64 is defined) and (noble_fetch_argocd_pw_b64.rc | default(1) == 0) and (noble_fetch_argocd_pw_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_argocd_pw_b64.stdout | b64decode }}`{% else %}*(not fetched — use commands below)*{% endif %} |
 | **Grafana** | {% if (noble_fetch_grafana_user_b64 is defined) and (noble_fetch_grafana_user_b64.rc | default(1) == 0) and (noble_fetch_grafana_user_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_grafana_user_b64.stdout | b64decode }}`{% else %}*(from Secret — use commands below)*{% endif %} | {% if (noble_fetch_grafana_pw_b64 is defined) and (noble_fetch_grafana_pw_b64.rc | default(1) == 0) and (noble_fetch_grafana_pw_b64.stdout | default('') | length > 0) %}`{{ noble_fetch_grafana_pw_b64.stdout | b64decode }}`{% else %}*(not fetched — use commands below)*{% endif %} |
-| **Headlamp** | ServiceAccount token | No fixed password. Sign in with a SA token, or configure OIDC — `clusters/noble/apps/headlamp/README.md`. |
+| **Headlamp** | ServiceAccount **`headlamp`** | {% if (noble_fetch_headlamp_token is defined) and (noble_fetch_headlamp_token.rc | default(1) == 0) and (noble_fetch_headlamp_token.stdout | default('') | trim | length > 0) %}Token ({{ noble_landing_urls_headlamp_token_duration | default('48h') }}): `{{ noble_fetch_headlamp_token.stdout | trim }}`{% else %}*(not generated — use command below)*{% endif %} |
 | **Prometheus** | — | No auth in default install (lab). |
 | **Alertmanager** | — | No auth in default install (lab). |
 | **Longhorn** | — | No default login unless you enable access control in the UI settings. |
@@ -48,3 +48,4 @@ To generate this file **without** calling kubectl, run Ansible with **`-e noble_
 - **Grafana** password is random unless you set `grafana.adminPassword` in chart values.
 - **Vault** UI needs **unsealed** Vault; tokens come from your chosen auth method.
 - **Prometheus / Alertmanager** UIs are unauthenticated by default — restrict when hardening (`talos/CLUSTER-BUILD.md` Phase G).
 - **Headlamp** token above expires after the configured duration; re-run Ansible or `kubectl create token` to refresh.
--- a/clusters/noble/apps/headlamp/README.md
+++ b/clusters/noble/apps/headlamp/README.md
@@ -16,3 +16,20 @@ helm upgrade --install headlamp headlamp/headlamp -n headlamp \
 ```
 Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO.
 ## Sign-in token (ServiceAccount `headlamp`)
 Use a short-lived token (Kubernetes **1.24+**; requires permission to create **TokenRequests**):
 ```bash
 export KUBECONFIG=/path/to/talos/kubeconfig   # or your admin kubeconfig
 kubectl -n headlamp create token headlamp --duration=48h
 ```
 Paste the printed JWT into Headlamp’s token field at **`https://headlamp.apps.noble.lab.pcenicni.dev`**.
 To use another duration (cluster `spec.serviceAccount` / admission limits may cap it):
 ```bash
 kubectl -n headlamp create token headlamp --duration=8760h
 ```