diff --git a/headlamp/headlamp.env b/headlamp/headlamp.env
new file mode 100644
index 0000000..66bcd35
--- /dev/null
+++ b/headlamp/headlamp.env
@@ -0,0 +1,3 @@
+HEADLAMP_CONFIG_OIDC_CLIENT_ID=kubernetes
+HEADLAMP_CONFIG_OIDC_USE_PKCE=true
+HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL=https://auth.pyrocufflink.blue
diff --git a/headlamp/ingress.yaml b/headlamp/ingress.yaml
new file mode 100644
index 0000000..ce51e53
--- /dev/null
+++ b/headlamp/ingress.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: headlamp
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/component: headlamp
+    app.kubernetes.io/part-of: headlamp
+spec:
+  tls:
+  - hosts:
+    - headlamp.pyrocufflink.blue
+  rules:
+  - host: headlamp.pyrocufflink.blue
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: headlamp
+            port:
+              number: 80
diff --git a/headlamp/kustomization.yaml b/headlamp/kustomization.yaml
new file mode 100644
index 0000000..59c9a02
--- /dev/null
+++ b/headlamp/kustomization.yaml
@@ -0,0 +1,44 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headlamp
+
+labels:
+- pairs:
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/part-of: headlamp
+
+resources:
+- namespace.yaml
+- https://raw.githubusercontent.com/kubernetes-sigs/headlamp/refs/tags/v0.38.0/kubernetes-headlamp.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: headlamp-env
+  envs:
+  - headlamp.env
+  options:
+    labels:
+      app.kubernetes.io/name: headlamp-env
+      app.kubernetes.io/componet: headlamp
+
+patches:
+- patch: |-
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: headlamp
+      namespace: kube-system
+    spec:
+      template:
+        spec:
+          containers:
+          - name: headlamp
+            envFrom:
+            - configMapRef:
+                name: headlamp-env
+                optional: true
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 100
+            runAsGroup: 101
diff --git a/headlamp/namespace.yaml b/headlamp/namespace.yaml
new file mode 100644
index 0000000..ef5fedd
--- /dev/null
+++ b/headlamp/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: headlamp
+  labels:
+    app.kubernetes.io/name: headlamp