gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
817849ee3cdcf09c7be992d29e17f7c503911516
home-server/clusters/noble/bootstrap/headlamp/values.yaml

53 lines
2.1 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Headlamp — noble (Kubernetes web UI)
#
# helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
# helm repo update
# kubectl apply -f clusters/noble/bootstrap/headlamp/namespace.yaml
# helm upgrade --install headlamp headlamp/headlamp -n headlamp \
# --version 0.42.0 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
#
# DNS: headlamp.apps.noble.lab.pcenicni.dev → Traefik LB (see talos/CLUSTER-BUILD.md).
# Default chart RBAC is broad — restrict for production (Phase G).
# Bind Headlamps ServiceAccount to the built-in **edit** ClusterRole (not **cluster-admin**).
# For break-glass cluster-admin, use kubectl with your admin kubeconfig — not Headlamp.
# If changing **clusterRoleName** on an existing install, Kubernetes forbids mutating **roleRef**:
# kubectl delete clusterrolebinding headlamp-admin
# helm upgrade … (same command as in the header comments)
clusterRoleBinding:
clusterRoleName: edit
#
# Optional: set **config.sessionTTL** (seconds) or **null** to omit **-session-ttl** (see headlamp#4883 for older chart/binary mismatches).
config:
sessionTTL: null
extraArgs:
# PEM pool from ConfigMap **headlamp-oidc-ca-bundle** (see **kustomization.yaml** + **cacert.pem**).
- "-oidc-ca-file=/etc/ssl/headlamp/oidc-ca-bundle.pem"
volumeMounts:
- name: oidc-ca-bundle
mountPath: /etc/ssl/headlamp
readOnly: true
volumes:
- name: oidc-ca-bundle
configMap:
name: headlamp-oidc-ca-bundle
ingress:
enabled: true
ingressClassName: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
# Headlamp OIDC behind Traefik: ensure external TLS scheme reaches the app (see middleware-https-proto.yaml).
# Traefik Ingress refs CRD middlewares as <k8s-namespace>-<middleware-metadata.name>@kubernetescrd (see Traefik docs).
traefik.ingress.kubernetes.io/router.middlewares: headlamp-headlamp-https-proto@kubernetescrd
hosts:
- host: headlamp.apps.noble.lab.pcenicni.dev
paths:
- path: /
type: Prefix
tls:
- secretName: headlamp-apps-noble-tls
hosts:
- headlamp.apps.noble.lab.pcenicni.dev
Reference in New Issue View Git Blame Copy Permalink