From 2cd55ee2ae7e693508aaef82abe83a228428e5c2 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Thu, 13 Nov 2025 18:35:51 -0600
Subject: [PATCH] headlamp: Deploy Headlamp Now that upstream has finally added support for PKCE with OIDC authentication, we can actually use Headlamp as a web application.
---
headlamp/headlamp.env | 3 +++
headlamp/ingress.yaml | 23 +++++++++++++++++++
headlamp/kustomization.yaml | 44 +++++++++++++++++++++++++++++++++++++
headlamp/namespace.yaml | 6 +++++
4 files changed, 76 insertions(+)
create mode 100644 headlamp/headlamp.env
create mode 100644 headlamp/ingress.yaml
create mode 100644 headlamp/kustomization.yaml
create mode 100644 headlamp/namespace.yaml
diff --git a/headlamp/headlamp.env b/headlamp/headlamp.env
new file mode 100644
index 0000000..66bcd35
--- /dev/null
+++ b/headlamp/headlamp.env
@@ -0,0 +1,3 @@
+HEADLAMP_CONFIG_OIDC_CLIENT_ID=kubernetes
+HEADLAMP_CONFIG_OIDC_USE_PKCE=true
+HEADLAMP_CONFIG_OIDC_IDP_ISSUER_URL=https://auth.pyrocufflink.blue
diff --git a/headlamp/ingress.yaml b/headlamp/ingress.yaml
new file mode 100644
index 0000000..ce51e53
--- /dev/null
+++ b/headlamp/ingress.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: headlamp
+ labels:
+ app.kubernetes.io/name: headlamp
+ app.kubernetes.io/component: headlamp
+ app.kubernetes.io/part-of: headlamp
+spec:
+ tls:
+ - hosts:
+ - headlamp.pyrocufflink.blue
+ rules:
+ - host: headlamp.pyrocufflink.blue
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: headlamp
+ port:
+ number: 80
diff --git a/headlamp/kustomization.yaml b/headlamp/kustomization.yaml
new file mode 100644
index 0000000..59c9a02
--- /dev/null
+++ b/headlamp/kustomization.yaml
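Review bot: In headlamp/ingress.yaml the `tls` entry lists `headlamp.pyrocufflink.blue` under `hosts` but has no `secretName`, so which certificate is served depends entirely on the ingress controller's default; if that default does not cover this host, the OIDC login and the Kubernetes tokens that follow are served under a certificate browsers will not trust. If a default or wildcard certificate is intended, a comment such as `# served with the controller's default wildcard certificate` above `tls:` would record that; otherwise add `secretName: <tls-secret-name>` (placeholder) to the entry. The Ingress also sets no `ingressClassName`, which is fine only when the cluster has a default IngressClass.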
@@ -0,0 +1,44 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: headlamp
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: headlamp
+ app.kubernetes.io/part-of: headlamp
+
+resources:
+- namespace.yaml
+- https://raw.githubusercontent.com/kubernetes-sigs/headlamp/refs/tags/v0.38.0/kubernetes-headlamp.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: headlamp-env
+ envs:
+ - headlamp.env
+ options:
+ labels:
+ app.kubernetes.io/name: headlamp-env
+ app.kubernetes.io/componet: headlamp
+
+patches:
+- patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: headlamp
+ namespace: kube-system
+ spec:
+ template:
+ spec:
+ containers:
+ - name: headlamp
+ envFrom:
+ - configMapRef:
+ name: headlamp-env
+ optional: true
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 100
+ runAsGroup: 101
diff --git a/headlamp/namespace.yaml b/headlamp/namespace.yaml
new file mode 100644
index 0000000..ef5fedd
--- /dev/null
+++ b/headlamp/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: headlamp
+ labels:
+ app.kubernetes.io/name: headlamp
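Review bot: In headlamp/kustomization.yaml the `resources` entry fetches `kubernetes-headlamp.yaml` from raw.githubusercontent.com by tag (`refs/tags/v0.38.0`) at build time, and a tag can be moved upstream, so whatever that URL serves, including any RBAC objects in it (not visible here), is applied without review. Pinning the URL to the full commit behind the tag (`.../kubernetes-sigs/headlamp/<commit-sha>/kubernetes-headlamp.yaml`, placeholder) or vendoring the file into this directory would make the deployed manifest reviewable and reproducible. Separately, `optional: true` on the `configMapRef` lets the pod start without any of the OIDC settings if `headlamp-env` is ever missing or misnamed; dropping it would turn that into a visible startup failure. The generator label `app.kubernetes.io/componet` is misspelled and should read `app.kubernetes.io/component`.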
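Review bot: In headlamp/namespace.yaml the new Namespace carries no Pod Security Admission labels, so the `runAsNonRoot`/`runAsUser` settings patched into the Deployment are not backed by any namespace-level enforcement. Consider adding `pod-security.kubernetes.io/enforce: baseline` under `labels` (or `restricted`, if the upstream pod spec, which is not visible here, satisfies it), assuming the cluster does not already apply such labels by other means.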