# Headlamp (noble)

[Headlamp](https://headlamp.dev/) web UI for the cluster. Exposed on **`https://headlamp.apps.noble.lab.pcenicni.dev`** via **Traefik** + **cert-manager** (`letsencrypt-prod`), same pattern as Grafana.

- **Chart:** `headlamp/headlamp` **0.40.1** (`config.sessionTTL: null` avoids chart/binary mismatch — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883))
- **Namespace:** `headlamp`

## Install

```bash
helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
helm repo update
kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
helm upgrade --install headlamp headlamp/headlamp -n headlamp \
  --version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m
```

Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO.

## Sign-in token (ServiceAccount `headlamp`)

Use a short-lived token (Kubernetes **1.24+**; requires permission to create **TokenRequests**):

```bash
export KUBECONFIG=/path/to/talos/kubeconfig  # or your admin kubeconfig
kubectl -n headlamp create token headlamp --duration=48h
```

Paste the printed JWT into Headlamp’s token field at **`https://headlamp.apps.noble.lab.pcenicni.dev`**.

To use another duration (cluster `spec.serviceAccount` / admission limits may cap it):

```bash
kubectl -n headlamp create token headlamp --duration=8760h
```
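
To confirm which identity a token carries and how long it is actually valid before pasting it into Headlamp, decode its payload and compare `exp` minus `iat` against the duration you asked for. The script below is an added example, not part of this repo: the function names and the sample token are constructed for illustration, and it assumes the compact JSON that Kubernetes emits.

```shell
#!/usr/bin/env bash
# Added example: inspect a ServiceAccount JWT before pasting it into Headlamp.
# Decodes the payload only; the signature is NOT verified here.

# Decode the base64url payload (second dot-separated field) to JSON.
jwt_payload() {
  local seg
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  # base64url omits '=' padding; restore it so base64 -d accepts the input.
  while [ $(( ${#seg} % 4 )) -ne 0 ]; do seg="${seg}="; done
  printf '%s' "$seg" | base64 -d
}

# Pull a numeric claim (exp, iat) or the "sub" string out of the compact JSON.
jwt_num() { jwt_payload "$1" | sed -n "s/.*\"$2\":\([0-9][0-9]*\).*/\1/p"; }
jwt_sub() { jwt_payload "$1" | sed -n 's/.*"sub":"\([^"]*\)".*/\1/p'; }

# Granted lifetime in whole hours (exp - iat).
token_hours() {
  local exp iat
  exp=$(jwt_num "$1" exp); iat=$(jwt_num "$1" iat)
  [ -n "$exp" ] && [ -n "$iat" ] || return 1
  echo $(( (exp - iat) / 3600 ))
}

# usage: check_token TOKEN MAX_HOURS
# Succeeds only for the headlamp/headlamp SA with lifetime <= MAX_HOURS.
check_token() {
  local sub hours
  sub=$(jwt_sub "$1")
  hours=$(token_hours "$1") || { echo "no exp/iat claims found" >&2; return 2; }
  echo "sub=$sub lifetime=${hours}h"
  [ "$sub" = "system:serviceaccount:headlamp:headlamp" ] || return 3
  [ "$hours" -le "$2" ]
}

# Constructed sample token (fake signature) so the check runs offline.
b64url() { base64 | tr -d '=\n' | tr '/+' '_-'; }
make_sample() {  # usage: make_sample LIFETIME_SECONDS
  local iat=1700000000
  printf '%s.%s.%s' "$(printf '{"alg":"RS256"}' | b64url)" \
    "$(printf '{"exp":%d,"iat":%d,"sub":"system:serviceaccount:headlamp:headlamp"}' \
       "$((iat + $1))" "$iat" | b64url)" "constructed-signature"
}

check_token "$(make_sample 172800)" 48   # constructed 48h token
# Real use: check_token "$(kubectl -n headlamp create token headlamp --duration=48h)" 48
```

The script prints only the subject and lifetime, never the token itself, so its output is safe to keep in shell history or logs.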