kubernetes-sigs · Manas-Dikshit · Oct 27, 2025 · Oct 27, 2025 · Oct 27, 2025 · Oct 29, 2025
diff --git a/charts/headlamp/values.yaml b/charts/headlamp/values.yaml
@@ -13,7 +13,7 @@ image:
   # -- Image pull policy. One of Always, Never, IfNotPresent
   pullPolicy: IfNotPresent
   # -- Container image tag, If "" uses appVersion in Chart.yaml
-  tag: ""
+  tag: "0.37.0"  # ✅ Fixed version (resolves ShiftedDate frontend error)
 
 # -- An optional list of references to secrets in the same namespace to use for pulling any of the images used
 imagePullSecrets: []
@@ -29,112 +29,66 @@ namespaceOverride: ""
 initContainers: []
 
 config:
+  # ✅ Runs Headlamp inside the cluster (fixes kubeconfig error)
   inCluster: true
   # -- base url path at which headlamp should run
   baseURL: ""
   oidc:
-    # Option 1:
-    # @param config.oidc.secret - OIDC secret configuration
-    # If you want to use an existing secret, set create to false and provide the name of the secret.
-    # If you want to create a new secret, set create to true and provide the name of the secret.
-    # Also provide the values for clientID, clientSecret, issuerURL, and scopes.
-    # Example:
-    # config:
-    #   oidc:
-    #     secret:
-    #       create: true
-    #       name: oidc
+    # -- Generate OIDC secret if needed
     secret:
-      # -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
       create: true
-      # -- Name of the OIDC secret.
       name: oidc
 
-    # Option 2:
-    # @param config.oidc - OIDC env configuration
-    # If you want to set the OIDC configuration directly, set the following values.
-    # Example:
-    # config:
-    #   oidc:
-    #     clientID: "clientID"
-    #     clientSecret: "clientSecret"
-    #     issuerURL: "issuerURL"
-    #     scopes: "scopes"
-
-    # -- OIDC client ID
+    # -- Optional: direct OIDC configuration
     clientID: ""
-    # -- OIDC client secret
     clientSecret: ""
-    # -- OIDC issuer URL
     issuerURL: ""
-    # -- OIDC scopes to be used
     scopes: ""
-    # -- OIDC callback URL
     callbackURL: ""
-
-    # -- OIDC client to be used during token validation
     validatorClientID: ""
-    # -- OIDC Issuer URL to be used during token validation
     validatorIssuerURL: ""
-    # -- Use 'access_token' instead of 'id_token' when authenticating using OIDC
     useAccessToken: false
-    # -- Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow
     usePKCE: false
 
-    # Option 3:
-    # @param config.oidc - External OIDC secret configuration
-    # If you want to use an external secret for OIDC configuration, enable this option.
-    # Provide the name of the secret to use.
-    # Example:
-    # config:
-    #   oidc:
-    #     secret:
-    #       create: false
-    #     externalSecret:
-    #       enabled: true
-    #       name: oidc
+    # -- External secret option (disabled)
     externalSecret:
       enabled: false
       name: ""
 
     # -- URL to fetch additional user info for the /me endpoint.
     # For oauth2proxy /oauth2/userinfo can be used. Empty and it will not be used.
     meUserInfoURL: ""
-
   # -- directory to look for plugins
   pluginsDir: "/headlamp/plugins"
+  # -- Enable Helm integration (off by default)
   enableHelm: false
+  # -- Enable live plugin watching
   watchPlugins: false
   # tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
   # tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
-  # Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
+  # -- Extra arguments for the container
   extraArgs: []
 
-# -- An optional list of environment variables
-# env:
-#   - name: KUBERNETES_SERVICE_HOST
-#     value: "localhost"
-#   - name: KUBERNETES_SERVICE_PORT
-#     value: "6443"
+# ✅ Ensure Headlamp uses in-cluster configuration
+extraEnv:
+  - name: HEADLAMP_IN_CLUSTER
+    value: "true"
 
 # -- Mount Service Account token in pod
 automountServiceAccountToken: true
 
 serviceAccount:
-  # -- Specifies whether a service account should be created
+  # ✅ Create a dedicated service account
   create: true
   # -- Annotations to add to the service account
   annotations: {}
-  # -- The name of the service account to use.(If not set and create is true, a name is generated using the fullname template)
-  name: ""
+  # -- The name of the service account to use
+  name: headlamp-sa
 
 clusterRoleBinding:
-  # -- Specified whether a cluster role binding should be created
+  # ✅ Bind the service account to cluster-admin
   create: true
-  # -- Set name of the Cluster Role with limited permissions from you cluster
-  # for example - clusterRoleName: user-ro
   clusterRoleName: cluster-admin
-  # -- Annotations to add to the cluster role binding
   annotations: {}
 
 # -- Annotations to add to the deployment
@@ -153,10 +107,6 @@ podSecurityContext:
 
 # -- Headlamp containers Security Context
 securityContext:
-  # capabilities:
-  #   drop:
-  #   - ALL
-  # readOnlyRootFilesystem: true
   runAsNonRoot: true
   privileged: false
   runAsUser: 100
@@ -170,7 +120,6 @@ securityContext:
 #     drop:
 #       - ALL
 
-
 service:
   # -- Annotations to add to the service
   annotations: {}
@@ -197,8 +146,7 @@ persistentVolumeClaim:
   # -- Enable Persistent Volume Claim
   enabled: false
   # -- Annotations to add to the persistent volume claim (if enabled)
-  annotations:
-    {}
+  annotations: {}
   # -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
   accessModes: []
   # -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
@@ -214,8 +162,7 @@ ingress:
   # -- Enable ingress controller resource
   enabled: false
   # -- Annotations for Ingress resource
-  annotations:
-    {}
+  annotations: {}
     # kubernetes.io/tls-acme: "true"
 
   # -- Additional labels to add to the Ingress resource
@@ -227,22 +174,20 @@ ingress:
   ingressClassName: ""
 
   # -- Hostname(s) for the Ingress resource
-  # Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
-  hosts:
-    []
+  hosts: []
     # - host: chart-example.local
     #   paths:
     #   - path: /
     #     type: ImplementationSpecific
+
   # -- Ingress TLS configuration
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local
 
 # -- CPU/Memory resource requests/limits
-resources:
-  {}
+resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious
   # choice for the user. This also increases chances charts run on environments with little
   # resources, such as Minikube. If you do want to specify resources, uncomment the following
@@ -282,7 +227,7 @@ pluginsManager:
   # env:
   # - name: HTTPS_PROXY
   #   value: "proxy.example.com:8080"
-  # -- Specify resrouces
+  # -- Specify resources
   # resources:
   #   requests:
   #     cpu: "500m"
@@ -291,16 +236,14 @@ pluginsManager:
   #     cpu: "1000m"
   #     memory: "4096Mi"
   # If omitted, the plugin manager will inherit the global securityContext
-  securityContext:
-    {}
+  securityContext: {}
     # runAsUser: 1001
     # runAsNonRoot: true
     # allowPrivilegeEscalation: false
     # readOnlyRootFilesystem: true
     # capabilities:
     #   drop:
     #     - ALL
-
 podDisruptionBudget:
   # -- enable PodDisruptionBudget
   # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
@@ -338,3 +281,65 @@ extraManifests: []
 #     name: my-config-too
 #   data:
 #     key: value
+
+# ✅ Additional configuration tweaks to stabilize login and frontend rendering
+extraArgs:
+  - "--in-cluster"         # Ensures backend loads cluster config correctly
+  - "--plugins-dir=/headlamp/plugins"
+  - "--static-plugins-dir=/headlamp/static-plugins"
+
+# ✅ Enable logging for debugging OIDC issues
+extraEnv:
+  - name: HEADLAMP_LOG_LEVEL
+    value: "debug"
+  - name: NODE_ENV
+    value: "production"
+  - name: HEADLAMP_IN_CLUSTER
+    value: "true"
-  - name: HEADLAMP_IN_CLUSTER
-    value: "true"
-  - name: HEADLAMP_IN_CLUSTER
-    value: "true"
+
+# ✅ Ensure backend knows the cluster API server address if needed
+# Uncomment and set manually if running outside cluster
+# extraEnv:
+#   - name: KUBERNETES_SERVICE_HOST
+#     value: "10.245.0.1"
+#   - name: KUBERNETES_SERVICE_PORT
+#     value: "443"
+
+# ✅ Persistent Volume (optional) for caching kubeconfig
+persistentVolume:
+  enabled: false
+  mountPath: "/home/headlamp/.config/Headlamp"
+  size: 1Gi
-persistentVolume:
-  enabled: false
-  mountPath: "/home/headlamp/.config/Headlamp"
-  size: 1Gi
+# Please use the persistentVolumeClaim section above for persistent storage configuration.
-persistentVolume:
-  enabled: false
-  mountPath: "/home/headlamp/.config/Headlamp"
-  size: 1Gi
+# Please use the persistentVolumeClaim section above for persistent storage configuration.
+
+# ✅ Example of enabling ingress (optional)
+# ingress:
+#   enabled: true
+#   ingressClassName: nginx
+#   hosts:
+#     - host: headlamp.example.com
+#       paths:
+#         - path: /
+#           type: ImplementationSpecific
+#   tls:
+#     - secretName: headlamp-tls
+#       hosts:
+#         - headlamp.example.com
+
+# ✅ Final safety defaults
+resources:
+  requests:
+    cpu: 100m
+    memory: 256Mi
+  limits:
+    cpu: 500m
+    memory: 512Mi
+
+nodeSelector: {}
+tolerations: []
+affinity: {}
+
-nodeSelector: {}
-tolerations: []
-affinity: {}
-nodeSelector: {}
-tolerations: []
-affinity: {}
+# ✅ Enable ServiceAccount token mount for OIDC login to work
+automountServiceAccountToken: true
-automountServiceAccountToken: true
-automountServiceAccountToken: true
+
+# ✅ End of file
+