gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CA certificates bundle and update Headlamp configuration for OIDC

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 18:59:47 -04:00
parent 2321209626
commit 817849ee3c
4 changed files with 2979 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
clusters/noble/bootstrap/headlamp/README.md
View File

@@ -4,6 +4,7 @@
- **Chart:** `headlamp/headlamp` **0.42.0** (`config.sessionTTL: null` still omits **`-session-ttl`** if needed — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883)) - **Chart:** `headlamp/headlamp` **0.42.0** (`config.sessionTTL: null` still omits **`-session-ttl`** if needed — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883))
- **Namespace:** `headlamp` - **Namespace:** `headlamp`
- **OIDC TLS:** **`cacert.pem`** (Mozilla bundle from [curl CA extract](https://curl.se/ca/cacert.pem)) is baked into ConfigMap **`headlamp-oidc-ca-bundle`** via **`kustomization.yaml`** and mounted at **`/etc/ssl/headlamp/oidc-ca-bundle.pem`** for **`-oidc-ca-file`** (stops empty-PEM log noise; refresh the file occasionally). If Authentik used a **private** CA, append that PEM to **`cacert.pem`** (or replace) before sync.
## Install ## Install

2957
clusters/noble/bootstrap/headlamp/cacert.pem Normal file
View File

File diff suppressed because it is too large Load Diff

8
clusters/noble/bootstrap/headlamp/kustomization.yaml
View File

@@ -2,6 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
# namespace.yaml is owned by noble-bootstrap-root (clusters/noble/bootstrap/kustomization.yaml). # namespace.yaml is owned by noble-bootstrap-root (clusters/noble/bootstrap/kustomization.yaml).
# Do not include it here — two Applications owning the same Namespace causes SharedResourceWarning. # Do not include it here — two Applications owning the same Namespace causes SharedResourceWarning.
generatorOptions:
disableNameSuffixHash: true
configMapGenerator:
# Mozilla CA bundle (https://curl.se/ca/cacert.pem) — mounted for **-oidc-ca-file** so Headlamps OIDC
# client uses a non-empty PEM pool (avoids spurious “failed to append ca cert to pool” when IdP TLS is public PKI).
- name: headlamp-oidc-ca-bundle
files:
- oidc-ca-bundle.pem=cacert.pem
resources: resources:
- metrics-clusterrolebinding.yaml - metrics-clusterrolebinding.yaml
- oidc-noble-admins-clusterrolebinding.yaml - oidc-noble-admins-clusterrolebinding.yaml

13
clusters/noble/bootstrap/headlamp/values.yaml
View File

@@ -19,6 +19,19 @@ clusterRoleBinding:
# Optional: set **config.sessionTTL** (seconds) or **null** to omit **-session-ttl** (see headlamp#4883 for older chart/binary mismatches). # Optional: set **config.sessionTTL** (seconds) or **null** to omit **-session-ttl** (see headlamp#4883 for older chart/binary mismatches).
config: config:
sessionTTL: null sessionTTL: null
extraArgs:
# PEM pool from ConfigMap **headlamp-oidc-ca-bundle** (see **kustomization.yaml** + **cacert.pem**).
- "-oidc-ca-file=/etc/ssl/headlamp/oidc-ca-bundle.pem"
volumeMounts:
- name: oidc-ca-bundle
mountPath: /etc/ssl/headlamp
readOnly: true
volumes:
- name: oidc-ca-bundle
configMap:
name: headlamp-oidc-ca-bundle
ingress: ingress:
enabled: true enabled: true