home-server/clusters/noble/bootstrap/headlamp/README.md

# Headlamp (noble)

Headlamp web UI for the cluster. Exposed on https://headlamp.apps.noble.lab.pcenicni.dev via Traefik + cert-manager (letsencrypt-prod), same pattern as Grafana.

- Chart: `headlamp/headlamp` 0.42.0 (`config.sessionTTL: null` still omits `-session-ttl` if needed; see issue #4883)
- Namespace: `headlamp`
- OIDC TLS: `cacert.pem` (Mozilla bundle from curl's CA extract) is baked into the ConfigMap `headlamp-oidc-ca-bundle` via `kustomization.yaml` and mounted at `/etc/ssl/headlamp/oidc-ca-bundle.pem` for `-oidc-ca-file` (this stops the empty-PEM log noise; refresh the file occasionally). If Authentik uses a private CA, append that CA's PEM to `cacert.pem` (or replace it) before syncing.

## Install

```sh
helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
helm repo update
kubectl apply -f clusters/noble/bootstrap/headlamp/namespace.yaml
helm upgrade --install headlamp headlamp/headlamp -n headlamp \
  --version 0.42.0 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
```

Sign-in uses a ServiceAccount token (the Headlamp docs recommend creating a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in `edit` ClusterRole (`clusterRoleBinding.clusterRoleName: edit` in `values.yaml`), not to `cluster-admin`. For cluster-scoped admin work, use `kubectl` with your admin kubeconfig.

Optional OIDC in `config.oidc` replaces token login with SSO. In-cluster OIDC also requires kube-apiserver OIDC (same Authentik app issuer and `oidc-client-id: headlamp`); otherwise proxied Kubernetes calls return 401 while `/me` still returns 200. See `talos/talconfig.yaml`, `oidc-noble-admins-clusterrolebinding.yaml`, and the troubleshooting section of `ansible/roles/noble_authentik/README.md`.

## Sign-in token (ServiceAccount `headlamp`)

Use a short-lived token (Kubernetes 1.24+; requires permission to create TokenRequests):

```sh
export KUBECONFIG=/path/to/talos/kubeconfig   # or your admin kubeconfig
kubectl -n headlamp create token headlamp --duration=48h
```

Paste the printed JWT into Headlamp's token field at https://headlamp.apps.noble.lab.pcenicni.dev.

To use another duration (the cluster's `spec.serviceAccount` settings or admission limits may cap it):

```sh
kubectl -n headlamp create token headlamp --duration=8760h
```
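Before pasting a token into Headlamp it is worth checking that it really is the `headlamp` ServiceAccount token and that its lifetime is what you asked for, since admission limits can silently shorten the requested duration. The helper below is an added example, not part of this repo: it decodes the JWT payload with only `base64` and `sed`, and the embedded sample token is constructed inline (unsigned, with a placeholder signature) so it runs offline; pass the real output of `kubectl create token` as the first argument instead.

```sh
#!/usr/bin/env sh
# Inspect a ServiceAccount JWT before pasting it into Headlamp.
EXPECTED_SUB="system:serviceaccount:headlamp:headlamp"

# base64url (no padding) -> standard base64 with padding -> decoded bytes
b64url_decode() {
  s=$(printf '%s' "$1" | tr '_-' '/+')
  pad=$(( (4 - ${#s} % 4) % 4 ))
  i=0; while [ "$i" -lt "$pad" ]; do s="$s="; i=$((i + 1)); done
  printf '%s' "$s" | base64 -d
}
b64url_encode() { printf '%s' "$1" | base64 | tr -d '=\n' | tr '/+' '_-'; }

# Decoded payload: the second dot-separated segment of the JWT.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# One top-level claim ("sub", "exp", ...) as a bare value (quotes stripped).
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p" | tr -d '"'
}

# Seconds until expiry; the optional second argument fixes "now" for testing.
jwt_seconds_left() {
  exp=$(jwt_claim "$1" exp); now=${2:-$(date +%s)}
  echo $((exp - now))
}

# Exit 0 only if the subject is the Headlamp SA and the token is unexpired.
check_token() {
  tok=$1; now=${2:-$(date +%s)}
  sub=$(jwt_claim "$tok" sub); left=$(jwt_seconds_left "$tok" "$now")
  echo "subject: $sub"
  echo "expires in: $((left / 3600))h"
  [ "$sub" = "$EXPECTED_SUB" ] || { echo "unexpected subject" >&2; return 1; }
  [ "$left" -gt 0 ] || { echo "token already expired" >&2; return 1; }
}

# Constructed sample token: 48h lifetime (exp - iat = 172800), placeholder signature.
SAMPLE_HEADER='{"alg":"RS256","kid":"constructed"}'
SAMPLE_PAYLOAD='{"aud":["https://kubernetes.default.svc"],"exp":1700172800,"iat":1700000000,"iss":"https://kubernetes.default.svc","sub":"system:serviceaccount:headlamp:headlamp"}'
SAMPLE_TOKEN="$(b64url_encode "$SAMPLE_HEADER").$(b64url_encode "$SAMPLE_PAYLOAD").c2ln"

# Demo with a fixed clock; for a real token: check_token "$(kubectl -n headlamp create token headlamp --duration=48h)"
check_token "$SAMPLE_TOKEN" 1700000000
```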