36 lines
1.7 KiB
Markdown
36 lines
1.7 KiB
Markdown
# Headlamp (noble)
|
||
|
||
[Headlamp](https://headlamp.dev/) web UI for the cluster. Exposed on **`https://headlamp.apps.noble.lab.pcenicni.dev`** via **Traefik** + **cert-manager** (`letsencrypt-prod`), same pattern as Grafana.
|
||
|
||
- **Chart:** `headlamp/headlamp` **0.40.1** (`config.sessionTTL: null` avoids chart/binary mismatch — [issue #4883](https://github.com/kubernetes-sigs/headlamp/issues/4883))
|
||
- **Namespace:** `headlamp`
|
||
|
||
## Install
|
||
|
||
```bash
|
||
helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
|
||
helm repo update
|
||
kubectl apply -f clusters/noble/apps/headlamp/namespace.yaml
|
||
helm upgrade --install headlamp headlamp/headlamp -n headlamp \
|
||
--version 0.40.1 -f clusters/noble/apps/headlamp/values.yaml --wait --timeout 10m
|
||
```
|
||
|
||
Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO.
|
||
|
||
## Sign-in token (ServiceAccount `headlamp`)
|
||
|
||
Use a short-lived token (Kubernetes **1.24+**; requires permission to create **TokenRequests**):
|
||
|
||
```bash
|
||
export KUBECONFIG=/path/to/talos/kubeconfig # or your admin kubeconfig
|
||
kubectl -n headlamp create token headlamp --duration=48h
|
||
```
|
||
|
||
Paste the printed JWT into Headlamp’s token field at **`https://headlamp.apps.noble.lab.pcenicni.dev`**.
|
||
|
||
To use another duration (cluster `spec.serviceAccount` / admission limits may cap it):
|
||
|
||
```bash
|
||
kubectl -n headlamp create token headlamp --duration=8760h
|
||
```
|