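---
# Headlamp — noble (Kubernetes web UI)
#
#   helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
#   helm repo update
#   kubectl apply -f clusters/noble/bootstrap/headlamp/namespace.yaml
#   helm upgrade --install headlamp headlamp/headlamp -n headlamp \
#     --version 0.42.0 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
#
# DNS: headlamp.apps.noble.lab.pcenicni.dev -> Traefik LB (see talos/CLUSTER-BUILD.md).

# Default chart RBAC is broad — restrict for production (Phase G).
# Bind Headlamp's ServiceAccount to the built-in `edit` ClusterRole (not `cluster-admin`).
# For break-glass cluster-admin, use kubectl with your admin kubeconfig — not Headlamp.
#
# NOTE(review): this is a ClusterRoleBinding, so `edit` applies in every namespace, and the
# built-in `edit` role includes read/write on Secrets. Anyone who can log in to Headlamp can
# therefore read every Secret in the cluster. If that is wider than intended, bind per
# namespace with RoleBindings or use a custom ClusterRole without `secrets`.
#
# If changing `clusterRoleName` on an existing install, Kubernetes forbids mutating `roleRef`:
#   kubectl delete clusterrolebinding headlamp-admin
#   helm upgrade … (same command as in the header comments)
clusterRoleBinding:
  clusterRoleName: edit

# Optional: set `config.sessionTTL` (seconds) or `null` to omit `-session-ttl`
# (see headlamp#4883 for older chart/binary mismatches).
config:
  sessionTTL: null
  extraArgs:
    # PEM pool from ConfigMap `headlamp-oidc-ca-bundle` (see `kustomization.yaml` + `cacert.pem`).
    # This pins which CAs Headlamp trusts for the OIDC issuer; keep the bundle minimal
    # (only the issuer's chain) rather than a full system trust store.
    - "-oidc-ca-file=/etc/ssl/headlamp/oidc-ca-bundle.pem"

# The CA bundle is mounted read-only; the mount path must match the -oidc-ca-file arg above.
volumeMounts:
  - name: oidc-ca-bundle
    mountPath: /etc/ssl/headlamp
    readOnly: true

volumes:
  - name: oidc-ca-bundle
    configMap:
      name: headlamp-oidc-ca-bundle

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Headlamp OIDC behind Traefik: ensure the external TLS scheme reaches the app
    # (see middleware-https-proto.yaml), otherwise the OIDC redirect URI is built as http://.
    # Traefik Ingress refs CRD middlewares as `namespace-name@kubernetescrd`
    # (here: namespace `headlamp`, Middleware `headlamp-https-proto`; see Traefik docs).
    traefik.ingress.kubernetes.io/router.middlewares: headlamp-headlamp-https-proto@kubernetescrd
    # NOTE(review): no entrypoint restriction is set here. If Traefik also exposes a
    # plain-HTTP entrypoint, confirm it redirects to HTTPS so the OIDC login flow and
    # session cookie are never served over cleartext.
  hosts:
    - host: headlamp.apps.noble.lab.pcenicni.dev
      paths:
        - path: /
          type: Prefix
  tls:
    - secretName: headlamp-apps-noble-tls
      hosts:
        - headlamp.apps.noble.lab.pcenicni.dev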