Skip to content

feat(headlamp): install dashboard with ArgoCD Dex OIDC#13

Merged
xnoto merged 1 commit intomainfrom
feat/headlamp-install
Apr 30, 2026
Merged

feat(headlamp): install dashboard with ArgoCD Dex OIDC#13
xnoto merged 1 commit intomainfrom
feat/headlamp-install

Conversation

@xnoto
Copy link
Copy Markdown
Contributor

@xnoto xnoto commented Apr 30, 2026
edited
Loading

Summary

Install Headlamp as a Helm-based ArgoCD Application, fronted by the cluster-apps Cloudflare Tunnel at `https://headlamp.makeitwork.cloud\`, with login flowing through ArgoCD's embedded Dex (which bridges to GitHub OAuth — same path Grafana will move to next).

`operators/headlamp/`

  • `namespace.yaml` — headlamp ns.
  • `oidc-secret.yaml` — Secret named `oidc` in headlamp ns, sops-encrypted. Consumed by the upstream chart with `config.oidc.secret.create=false, name=oidc`. `clientSecret` matches the value in `argocd-secret.dex.headlamp.clientSecret` from the merged Dex static-client PR.
  • `ksops-headlamp-secrets.yaml` — pulls the secret in via KSOps.
  • `application.yaml` — ArgoCD Helm Application installing chart v0.41.0 from `https://kubernetes-sigs.github.io/headlamp/\`. Cluster-admin RBAC (single-user home cluster), modest resource limits.
  • `kustomization.yaml` + add `headlamp` to `operators/kustomization.yaml`.

`workloads/headlamp/`

  • `tunnel-binding.yaml` — TunnelBinding fronts headlamp Service on `headlamp.makeitwork.cloud` via the existing cluster-apps tunnel.

`workloads/apps/`

  • `headlamp-app.yaml` + add to `workloads/apps/kustomization.yaml` — ArgoCD Application that syncs the workload manifests.

Pairs with

Test plan

  • After merge: `kube-prometheus-stack` operators app + `headlamp` operators app reach Synced + Healthy
  • After merge: headlamp-app workloads app reaches Synced + Healthy
  • After merge: `https://headlamp.makeitwork.cloud\` redirects to ArgoCD's Dex GitHub login, then back to a working dashboard with cluster-admin scope

🤖 Generated with Claude Code

@xnoto
feat(headlamp): install dashboard with ArgoCD Dex OIDC
f0bf2bc 
operators/headlamp/:
- namespace.yaml — headlamp ns
- oidc-secret.yaml — Secret named 'oidc' consumed by the upstream Helm
  chart (config.oidc.secret.create=false, name=oidc). clientSecret
  matches the dex.headlamp.clientSecret already in argocd-secret;
  encrypted via the existing AGE key.
- ksops-headlamp-secrets.yaml — KSOps generator pulling oidc-secret in
- application.yaml — Helm-based ArgoCD Application installing the
  upstream chart at v0.41.0. cluster-admin RoleBinding (single-user
  home cluster). Issuer points at https://argocd.makeitwork.cloud/api/dex.
- kustomization.yaml + add 'headlamp' to operators/kustomization.yaml

workloads/headlamp/tunnel-binding.yaml — TunnelBinding fronts the
headlamp Service on headlamp.makeitwork.cloud via the cluster-apps tunnel.

workloads/apps/headlamp-app.yaml + kustomization update — wire up the
ArgoCD Application that syncs the workload.
@xnoto xnoto merged commit 253743f into main Apr 30, 2026
2 checks passed
@xnoto xnoto deleted the feat/headlamp-install branch April 30, 2026 03:26
@xnoto xnoto self-assigned this Apr 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@xnoto xnoto

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@xnoto