Update README.md and CLUSTER-BUILD.md to enhance documentation for Vault Kubernetes auth and ClusterSecretStore integration. Add one-shot configuration instructions for Kubernetes auth in README.md, and update CLUSTER-BUILD.md to reflect the current state of the Talos cluster, including new components like Headlamp and Renovate, along with their deployment details and next steps.
18
clusters/noble/apps/headlamp/README.md
Normal file
@@ -0,0 +1,18 @@
# Headlamp (noble)
[Headlamp](https://headlamp.dev/) web UI for the cluster. Exposed on **`https://headlamp.apps.noble.lab.pcenicni.dev`** via **Traefik** + **cert-manager** (`letsencrypt-prod`), same pattern as Grafana.
- **Chart:** `headlamp/headlamp` **0.40.1**
- **Namespace:** `headlamp`
## Install
```bash
helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
helm repo update
kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
helm upgrade --install headlamp headlamp/headlamp -n headlamp \
--version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m
```
Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). The chart’s default **ClusterRole** is powerful — tighten RBAC and/or add **OIDC** in **`values.yaml`** under **`config.oidc`** when hardening (**Phase G**).
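Review bot: the closing paragraph tells the reader to sign in with a ServiceAccount token but never shows how to obtain one, while the `helm upgrade --install` command above deploys the chart with the ClusterRole that same paragraph calls powerful, on a hostname that receives a public `letsencrypt-prod` certificate. Put a minimal sign-in recipe in this README instead of deferring everything to Phase G: a dedicated ServiceAccount bound to a read-only ClusterRole such as the built-in `view`, with the login token issued via `kubectl -n headlamp create token <sa-name>` (short-lived by default), so nobody falls back to the chart's own SA token for day-to-day use. It is also worth stating plainly that `config.oidc` is not set in the `values.yaml` referenced by the install command, so the token prompt is the only gate in front of the UI until Phase G.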
10
clusters/noble/apps/headlamp/namespace.yaml
Normal file
@@ -0,0 +1,10 @@
# Headlamp — apply before Helm.
# Chart pods do not satisfy PSA "restricted" (see install warnings); align with other UIs.
apiVersion: v1
kind: Namespace
metadata:
name: headlamp
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/warn: privileged
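Review bot: `pod-security.kubernetes.io/enforce: privileged` together with `audit: privileged` and `warn: privileged` switches Pod Security Admission off entirely for this namespace, which is more than the comment justifies: it only says the chart's pods do not satisfy `restricted`. Unless the install warnings also named a `baseline` violation, set `enforce: baseline` and keep `audit` and `warn` at `restricted`, so the UI pods still cannot run privileged or host-namespaced containers and the remaining gaps stay visible in the audit log and in `kubectl` warnings instead of being silenced. If `privileged` really is required, record which warning forced it in the comment so the next reader can re-check after a chart bump.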
25
clusters/noble/apps/headlamp/values.yaml
Normal file
@@ -0,0 +1,25 @@
# Headlamp — noble (Kubernetes web UI)
#
# helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
# helm repo update
# kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
# helm upgrade --install headlamp headlamp/headlamp -n headlamp \
# --version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m
#
# DNS: headlamp.apps.noble.lab.pcenicni.dev → Traefik LB (see talos/CLUSTER-BUILD.md).
# Default chart RBAC is broad — restrict for production (Phase G).
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: headlamp.apps.noble.lab.pcenicni.dev
paths:
- path: /
type: Prefix
tls:
- secretName: headlamp-apps-noble-tls
hosts:
- headlamp.apps.noble.lab.pcenicni.dev
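Review bot: the Ingress publishes the UI on a public hostname with a Let's Encrypt certificate and nothing in front of it beyond Headlamp's own token prompt, while the header comment in this same file says the chart's default RBAC is broad and defers restriction to Phase G. Until OIDC is configured, add a Traefik middleware next to `cert-manager.io/cluster-issuer: letsencrypt-prod` in `annotations`, e.g. an IP allowlist middleware referenced through `traefik.ingress.kubernetes.io/router.middlewares`, or at least set `config.oidc` in this file now instead of only mentioning it in the README. Separately, the install commands in the comment block duplicate README.md; keep them in one place so a bump of `--version 0.40.1` does not get missed in the other copy.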