Move ingress from headlamp.local (plain HTTP) to headlamp.roysland.net with a Let's Encrypt cert (cert-manager) and a Traefik HTTP->HTTPS redirect. Fixes the browser's HTTPS upgrade breaking the API calls against Traefik's self-signed default cert. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
apiVersion: v1
|
|
kind: ServiceAccount
|
|
metadata:
|
|
name: headlamp-admin
|
|
namespace: kube-system
|
|
---
|
|
apiVersion: rbac.authorization.k8s.io/v1
|
|
kind: ClusterRoleBinding
|
|
metadata:
|
|
name: headlamp-admin
|
|
roleRef:
|
|
apiGroup: rbac.authorization.k8s.io
|
|
kind: ClusterRole
|
|
name: cluster-admin
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
name: headlamp-admin
|
|
namespace: kube-system
|
|
---
|
|
# Long-lived token used to log in to the Headlamp UI.
|
|
# Retrieve with: kubectl -n kube-system get secret headlamp-admin -o jsonpath='{.data.token}' | base64 -d
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: headlamp-admin
|
|
namespace: kube-system
|
|
annotations:
|
|
kubernetes.io/service-account.name: headlamp-admin
|
|
type: kubernetes.io/service-account-token
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: headlamp
|
|
namespace: kube-system
|
|
labels:
|
|
k8s-app: headlamp
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
k8s-app: headlamp
|
|
template:
|
|
metadata:
|
|
labels:
|
|
k8s-app: headlamp
|
|
spec:
|
|
serviceAccountName: headlamp-admin
|
|
containers:
|
|
- name: headlamp
|
|
image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
|
|
args:
|
|
- "-in-cluster"
|
|
- "-plugins-dir=/headlamp/plugins"
|
|
ports:
|
|
- containerPort: 4466
|
|
name: http
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 4466
|
|
initialDelaySeconds: 30
|
|
timeoutSeconds: 30
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /
|
|
port: 4466
|
|
initialDelaySeconds: 30
|
|
timeoutSeconds: 30
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 100
|
|
privileged: false
|
|
allowPrivilegeEscalation: false
|
|
readOnlyRootFilesystem: false
|
|
capabilities:
|
|
drop:
|
|
- ALL
|
|
seccompProfile:
|
|
type: RuntimeDefault
|
|
---
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: headlamp
|
|
namespace: kube-system
|
|
spec:
|
|
selector:
|
|
k8s-app: headlamp
|
|
ports:
|
|
- port: 80
|
|
targetPort: 4466
|
|
---
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: Middleware
|
|
metadata:
|
|
name: https-redirect
|
|
namespace: kube-system
|
|
spec:
|
|
redirectScheme:
|
|
scheme: https
|
|
permanent: true
|
|
---
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: headlamp
|
|
namespace: kube-system
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt
|
|
# Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
|
|
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
|
|
spec:
|
|
ingressClassName: traefik
|
|
tls:
|
|
- hosts:
|
|
- headlamp.roysland.net
|
|
secretName: headlamp-tls
|
|
rules:
|
|
- host: headlamp.roysland.net
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: headlamp
|
|
port:
|
|
number: 80
|
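Review bot: The new redirect only moves a client that already made a plaintext request; nothing in the Ingress or the `https-redirect` Middleware sets Strict-Transport-Security, so every fresh visit to headlamp.roysland.net still starts on HTTP and the bearer token is one downgrade away from travelling in clear. Traefik can emit HSTS from a `headers` Middleware chained in the same `router.middlewares` annotation (comma-separated), sketched below; `stsSeconds` is the only required knob, and browsers ignore the header on the HTTP leg so it does not interfere with the redirect or with the cert-manager solver ingress. A second point, inferred from the page rather than shown on it: with a Let's Encrypt cluster-issuer the host is presumably internet-resolvable (and internet-reachable if the issuer uses HTTP-01), which puts a UI whose login token is bound to `cluster-admin` behind nothing but Headlamp's own token check — worth pairing with a Traefik IP allow-list middleware or front auth, and with a shorter-lived token than the `kubernetes.io/service-account-token` Secret provides. The file view shows the whole manifest, so the Middleware and Ingress are read as the changed parts per the commit message.
```yaml
# … unchanged: https-redirect Middleware …
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hsts
  namespace: kube-system
spec:
  headers:
    stsSeconds: 31536000
# … unchanged: Ingress metadata …
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd,kube-system-hsts@kubernetescrd
```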