Headlamp

Headlamp is a web-based interface for managing a cluster. It allows you to view cluster resources, manage them, and monitor application status without using kubectl.

Installation

Before installing the add-on, make sure that Nginx Ingress is installed in your cluster.

1. Go to the Kubernetes section and click on the cluster.
2. Navigate to the Addons tab and select Headlamp.
3. Enable Advanced setup and adjust the configuration for your needs. For example, you can set up:
   • the domain where the interface will be available;
   • ingress settings;
   • OIDC configuration.
4. Click Install.

To verify that the add-on is installed correctly, run:

kubectl get pod -n headlamp

If the installation was successful, you will see a pod with the Running status.

Authentication

After installation, the Headlamp icon will appear in the cluster control panel.

Click it to open the interface. If you are not authenticated, you will need to provide a token.

You can obtain the token from the Dashboard tab in the control panel by clicking Copy next to Dashboard token:

After authentication, the Headlamp interface will be displayed.

Headlamp interface

Main sections are:

• Cluster: cluster information and status
• Map: visualization of resources and their relationships
• Workloads: management of workloads (Pods, Deployments, StatefulSets)
• Storage: PVCs, PVs, and storage classes
• Network: services, ingress, and network policies
• Gateway: Gateway API resources
• Security: roles, service accounts, and access policies
• Configuration: ConfigMaps, Secrets, and other settings
• Custom Resources: custom resources (CRDs)
• Create: create resources via the interface

Configuring Authentication

If the Headlamp interface is exposed externally, it is recommended to configure additional basic authentication.

Headlamp does not support username and password authentication directly. Instead, basic authentication is configured at the ingress level.

Create a file with a username and password:

htpasswd -c auth admin

Here, admin is the username. You will be prompted to enter the desired password twice.

This command creates a file named auth.

If the htpasswd utility is not available, install the apache2-utils package.

Next, create a secret in the headlamp namespace using the generated file:

kubectl create secret generic headlamp-basic-auth \
  --from-file=auth \
  -n headlamp

Go to the Addons section in the cluster control panel and open the installed Headlamp add-on.

Enable advanced setup and locate the following block:

ingress:
 enabled: true
 annotations: {}

Remove {} next to annotations and add the required annotations:

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: headlamp-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"

Click Save and wait for the add-on to be updated.

After that, when accessing Headlamp, you will first be prompted for a username and password, and then for a token.

To change the password, create a new auth file and update the secret in the cluster.