migrate

clusters/cl01tl/helm/headlamp/Chart.lock

@@ -0,0 +1,6 @@
+dependencies:
+- name: headlamp
+  repository: https://kubernetes-sigs.github.io/headlamp/
+  version: 0.38.0
+digest: sha256:3f4c6bb308a1e5e757368ea9eee902d5ade7d33881c0f6c8402d6ed41641e260
+generated: "2025-12-01T19:55:48.64361-06:00"

clusters/cl01tl/helm/headlamp/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: headlamp
+version: 1.0.0
+description: Headlamp
+keywords:
+  - headlamp
+  - dashboard
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/6cc43960-78df-459d-aab6-433844249243
+sources:
+  - https://github.com/headlamp-k8s/headlamp
+  - https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: headlamp
+    version: 0.38.0
+    repository: https://kubernetes-sigs.github.io/headlamp/
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/headlamp.png
+appVersion: 0.37.0

clusters/cl01tl/helm/headlamp/templates/cluster-role-binding.yaml

@@ -0,0 +1,20 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cluster-admin-oidc
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: cluster-admin-oidc
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+roleRef:
+  kind: ClusterRole
+  name: cluster-admin
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: User
+    name: alexanderlebens@gmail.com
+    apiGroup: rbac.authorization.k8s.io
+  - kind: ServiceAccount
+    name: headlamp-admin
+    namespace: headlamp

clusters/cl01tl/helm/headlamp/templates/external-secret.yaml

@@ -0,0 +1,56 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: headlamp-oidc-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: headlamp-oidc-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: OIDC_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: client
+    - secretKey: OIDC_CLIENT_SECRET
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: secret
+    - secretKey: OIDC_ISSUER_URL
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: issuer
+    - secretKey: OIDC_SCOPES
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: scopes
+    - secretKey: OIDC_VALIDATOR_ISSUER_URL
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: validator-issuer-url
+    - secretKey: OIDC_VALIDATOR_CLIENT_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /authentik/oidc/headlamp
+        metadataPolicy: None
+        property: validator-client-id

clusters/cl01tl/helm/headlamp/templates/http-route.yaml

@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-route-headlamp
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: https-route-headlamp
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - headlamp.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: headlamp
+          port: 80
+          weight: 100

clusters/cl01tl/helm/headlamp/templates/service-account.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: headlamp-admin
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: headlamp-admin
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}

clusters/cl01tl/helm/headlamp/values.yaml

@@ -0,0 +1,31 @@
+headlamp:
+  replicaCount: 2
+  config:
+    oidc:
+      secret:
+        create: false
+      externalSecret:
+        enabled: true
+        name: headlamp-oidc-secret
+    watchPlugins: true
+  resources:
+    requests:
+      cpu: 10m
+      memory: 128Mi
+  pluginsManager:
+    enabled: true
+    securityContext:
+      readOnlyRootFilesystem: false
+      runAsNonRoot: false
+      runAsUser: 0
+    configContent: |
+      plugins:
+        - name: cert-manager
+          source: https://artifacthub.io/packages/headlamp/headlamp-plugins/headlamp_cert-manager
+          version: 0.1.0
+        - name: trivy
+          source: https://artifacthub.io/packages/headlamp/headlamp-trivy/headlamp_trivy
+          version: 0.3.1
+      installOptions:
+        parallel: true
+        maxConcurrent: 2