home-server/clusters/noble/bootstrap/headlamp/values.yaml

# Headlamp — noble (Kubernetes web UI)
#
# helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
# helm repo update
# kubectl apply -f clusters/noble/bootstrap/headlamp/namespace.yaml
# helm upgrade --install headlamp headlamp/headlamp -n headlamp \
#   --version 0.42.0 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
#
# DNS: headlamp.apps.noble.lab.pcenicni.dev → Traefik LB (see talos/CLUSTER-BUILD.md).
# Default chart RBAC is broad — restrict for production (Phase G).
# Bind Headlamp’s ServiceAccount to the built-in **edit** ClusterRole (not **cluster-admin**).
# For break-glass cluster-admin, use kubectl with your admin kubeconfig — not Headlamp.
# If changing **clusterRoleName** on an existing install, Kubernetes forbids mutating **roleRef**:
#   kubectl delete clusterrolebinding headlamp-admin
#   helm upgrade … (same command as in the header comments)
clusterRoleBinding:
  clusterRoleName: edit
#
# Optional: set **config.sessionTTL** (seconds) or **null** to omit **-session-ttl** (see headlamp#4883 for older chart/binary mismatches).
config:
  sessionTTL: null

ingress:
  enabled: true
  ingressClassName: traefik
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Headlamp OIDC behind Traefik: ensure external TLS scheme reaches the app (see middleware-https-proto.yaml).
    # Traefik Ingress refs CRD middlewares as <k8s-namespace>-<middleware-metadata.name>@kubernetescrd (see Traefik docs).
    traefik.ingress.kubernetes.io/router.middlewares: headlamp-headlamp-https-proto@kubernetescrd
  hosts:
    - host: headlamp.apps.noble.lab.pcenicni.dev
      paths:
        - path: /
          type: Prefix
  tls:
    - secretName: headlamp-apps-noble-tls
      hosts:
        - headlamp.apps.noble.lab.pcenicni.dev