gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7a62489ad6aab358500783e7c2f17d7dcf3d3bb8
home-server/clusters/noble/apps/headlamp
History
Nikholas Pcenicni 7a62489ad6 Enhance noble_landing_urls role by adding support for generating a Headlamp ServiceAccount token with a configurable duration. Update documentation to reflect changes in the markdown output for Headlamp sign-in. Modify fetch_credentials task to include token generation alongside existing credential fetching. These updates improve the usability and security of the Headlamp integration.
2026-03-28 16:38:47 -04:00
..
namespace.yaml
Update README.md and CLUSTER-BUILD.md to enhance documentation for Vault Kubernetes auth and ClusterSecretStore integration. Add one-shot configuration instructions for Kubernetes auth in README.md, and update CLUSTER-BUILD.md to reflect the current state of the Talos cluster, including new components like Headlamp and Renovate, along with their deployment details and next steps.
2026-03-28 01:41:52 -04:00
README.md
Enhance noble_landing_urls role by adding support for generating a Headlamp ServiceAccount token with a configurable duration. Update documentation to reflect changes in the markdown output for Headlamp sign-in. Modify fetch_credentials task to include token generation alongside existing credential fetching. These updates improve the usability and security of the Headlamp integration.
2026-03-28 16:38:47 -04:00
values.yaml
Update Headlamp and Vault documentation; enhance RBAC configurations in Argo CD. Modify Headlamp README to clarify sessionTTL handling and ServiceAccount permissions. Add Cilium network policy instructions to Vault README. Update Argo CD values.yaml for default RBAC settings, ensuring local admin retains full access while new users start with read-only permissions. Reflect these changes in CLUSTER-BUILD.md.
2026-03-28 02:02:17 -04:00

README.md

Headlamp (noble)

Headlamp web UI for the cluster. Exposed on https://headlamp.apps.noble.lab.pcenicni.dev via Traefik + cert-manager (letsencrypt-prod), same pattern as Grafana.

  • Chart: headlamp/headlamp 0.40.1 (config.sessionTTL: null avoids chart/binary mismatch — issue #4883)
  • Namespace: headlamp

Install

helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
helm repo update
kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
helm upgrade --install headlamp headlamp/headlamp -n headlamp \
  --version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m

Sign-in uses a ServiceAccount token (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in edit ClusterRole (clusterRoleBinding.clusterRoleName: edit in values.yaml) — not cluster-admin. For cluster-scoped admin work, use kubectl with your admin kubeconfig. Optional OIDC in config.oidc replaces token login for SSO.

Sign-in token (ServiceAccount headlamp)

Use a short-lived token (Kubernetes 1.24+; requires permission to create TokenRequests):

export KUBECONFIG=/path/to/talos/kubeconfig   # or your admin kubeconfig
kubectl -n headlamp create token headlamp --duration=48h

Paste the printed JWT into Headlamps token field at https://headlamp.apps.noble.lab.pcenicni.dev.

To use another duration (cluster spec.serviceAccount / admission limits may cap it):

kubectl -n headlamp create token headlamp --duration=8760h
Reference in New Issue View Git Blame Copy Permalink