
headlamp

Helm chart
# Default values for headlamp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# A single replica is the default.
# -- Number of desired pods
replicaCount: 1
# Image reference for the main Headlamp container.
image:
  # -- Container image registry
  registry: cgr.dev
  # -- Container image name
  repository: chainguard-private/headlamp
  # -- Image pull policy. One of Always, Never, IfNotPresent
  pullPolicy: IfNotPresent
  # The value below carries an sha256 digest after the tag. When an image
  # reference includes a digest, the digest selects the image content and the
  # mutable `latest` tag is only a label, so an upgrade means changing the
  # digest deliberately.
  # NOTE(review): assumes the templates join registry/repository/tag into a
  # single image reference - confirm against the chart templates.
  # -- Container image tag, If "" uses appVersion in Chart.yaml
  tag: latest@sha256:58e144342d4fa6155b6c1437c92cde142fce9cad0f79dbbc6bba7d2c2d907acb
# NOTE(review): image.repository points at cgr.dev/chainguard-private, which
# presumably requires authentication; with this list empty the pull depends on
# credentials configured elsewhere (e.g. on the nodes) - confirm.
# -- An optional list of references to secrets in the same namespace to use for pulling any of the images used
imagePullSecrets: []
# -- Overrides the name of the chart
nameOverride: ""
# -- Overrides the full name of the chart
fullnameOverride: ""
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
# Images referenced by init/extra containers are not covered by the digest
# pinned under image.tag; pin them separately when adding entries here.
# -- An optional list of init containers to be run before the main containers.
initContainers: []
# -- An optional list of extra containers to be run along side the main containers.
extraContainers: []
# Headlamp server configuration: in-cluster mode, session lifetime,
# authentication (service-account or OIDC), plugins and Cluster Inventory.
# NOTE(review): the listing this was taken from had lost its indentation. The
# nesting below (notably meUserInfoURL under oidc, and clusterInventory and
# extraArgs under config) is reconstructed - confirm against the chart's
# values.yaml.
config:
  inCluster: true
  inClusterContextName: "main"
  # -- base url path at which headlamp should run
  baseURL: ""
  # -- session token TTL in seconds (default is 24 hours)
  sessionTTL: 86400
  # NOTE(review): clusterRoleBinding.clusterRoleName defaults to cluster-admin
  # in this file. If that binding targets the pod's service account
  # (presumably - confirm in the templates), turning the flag below on gives
  # every user who can reach the UI cluster-admin rights. Bind a narrower
  # ClusterRole before enabling it, and keep the UI behind the auth proxy.
  # -- UNSAFE: authenticate every Headlamp user as the pod's service account when running in-cluster.
  # This disables per-user authentication and is only safe behind an auth proxy (e.g. OIDC proxy).
  unsafeUseServiceAccountToken: false
  # -- path to the service account token file.
  # Only used when unsafeUseServiceAccountToken is true.
  # Defaults to /var/run/secrets/kubernetes.io/serviceaccount/token when empty.
  serviceAccountTokenPath: ""
  oidc:
    # Option 1:
    # @param config.oidc.secret - OIDC secret configuration
    # If you want to use an existing secret, set create to false and provide the name of the secret.
    # If you want to create a new secret, set create to true and provide the name of the secret.
    # Also provide the values for clientID, clientSecret, issuerURL, and scopes.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: true
    #       name: oidc
    secret:
      # -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
      create: true
      # -- Name of the OIDC secret.
      name: oidc
    # Option 2:
    # @param config.oidc - OIDC env configuration
    # If you want to set the OIDC configuration directly, set the following values.
    # Example:
    # config:
    #   oidc:
    #     clientID: "clientID"
    #     clientSecret: "clientSecret"
    #     issuerURL: "issuerURL"
    #     scopes: "scopes"

    # -- OIDC client ID
    clientID: ""
    # A client secret written here lives in the values file and in the stored
    # Helm release. Prefer an existing secret (Option 1 with create: false) or
    # externalSecret (Option 3) so the credential stays out of version control.
    # -- OIDC client secret
    clientSecret: ""
    # -- OIDC issuer URL
    issuerURL: ""
    # -- OIDC scopes to be used
    scopes: ""
    # -- OIDC callback URL
    callbackURL: ""
    # -- OIDC client to be used during token validation
    validatorClientID: ""
    # -- OIDC Issuer URL to be used during token validation
    validatorIssuerURL: ""
    # -- Use 'access_token' instead of 'id_token' when authenticating using OIDC
    useAccessToken: false
    # PKCE is off by default; enable it when the identity provider supports it.
    # -- Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow
    usePKCE: false
    # -- Enable using OIDC cookie for authentication outside of cluster
    useCookie: false
    # Option 3:
    # @param config.oidc - External OIDC secret configuration
    # If you want to use an external secret for OIDC configuration, enable this option.
    # Provide the name of the secret to use.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: false
    #     externalSecret:
    #       enabled: true
    #       name: oidc
    externalSecret:
      enabled: false
      name: ""
      # -- Set to true if your external secret contains an OIDC_SCOPES key.
      # When false (default), the -oidc-scopes argument is omitted so that
      # a missing key does not produce an empty or unresolved argument.
      hasScopes: false
    # -- URL to fetch additional user info for the /me endpoint.
    # For oauth2proxy /oauth2/userinfo can be used. Empty and it will not be used.
    meUserInfoURL: ""
  # -- directory to look for plugins
  pluginsDir: "/headlamp/plugins"
  # NOTE(review): enableHelm is undocumented here; presumably it toggles
  # Headlamp's Helm release management - confirm before enabling.
  enableHelm: false
  watchPlugins: false
  # If either image below is overridden, reference it by digest from a
  # registry you control, as image.tag and pluginsManager.baseImage do.
  # -- Default image to use when creating pod debug containers. If empty, Headlamp uses its built-in default.
  podDebugImage: ""
  # -- Default image to use when creating node shell pods. If empty, Headlamp uses its built-in default.
  nodeShellImage: ""
  # tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
  # tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
  clusterInventory:
    # -- Enable experimental/alpha Cluster Inventory discovery.
    enabled: false
    # -- Experimental/alpha Cluster Inventory access providers config. Required when enabled.
    accessProvidersConfig: {}
    # accessProvidersConfig:
    #   providers:
    #     - name: secretreader
    #       execConfig:
    #         apiVersion: client.authentication.k8s.io/v1
    #         command: /access-plugins/secretreader/bin/secretreader-plugin
    #         interactiveMode: Never
    #         provideClusterInfo: true
    #     - name: kubeconfig-secretreader
    #       execConfig:
    #         apiVersion: client.authentication.k8s.io/v1
    #         command: /access-plugins/kubeconfig-secretreader/bin/kubeconfig-secretreader-plugin
    #         interactiveMode: Never
    #         provideClusterInfo: true
    # The provider binaries mounted here are the commands named in execConfig
    # above, so they are executed as credential plugins. Keep plugin images
    # pinned by digest, as the commented examples below are.
    # plugins[] uses the Kubernetes "image" volume type to mount experimental/alpha access provider binaries.
    plugins: []
    # plugins:
    #   - name: secretreader
    #     image: registry.k8s.io/cluster-inventory-api/secretreader:v0.1.3@sha256:ec3090dc166aa2b42fb35d714d161c417d8b27bbc463404c8f615f5f4c610a1d
    #     mountPath: /access-plugins/secretreader
    #   - name: kubeconfig-secretreader
    #     image: registry.k8s.io/cluster-inventory-api/kubeconfig-secretreader:v0.1.3@sha256:b92966cc6e4ac78002a63862921022a71d54956826f6e4febcb7247495eb98c0
    #     mountPath: /access-plugins/kubeconfig-secretreader
    # -- Kubernetes label selector used to filter experimental/alpha ClusterProfile resources.
    labelSelector: "!headlamp.dev/ignore"
    # -- Override the experimental/alpha Cluster Inventory root reconcile interval. Empty uses the Headlamp default.
    rootReconcileInterval: ""
    # -- Override the experimental/alpha Cluster Inventory no-CRD cache TTL. Empty uses the Headlamp default.
    noCRDCacheTTL: ""
  # Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
  extraArgs: []
# -- An optional list of environment variables
# env:
#   - name: KUBERNETES_SERVICE_HOST
#     value: "localhost"
#   - name: KUBERNETES_SERVICE_PORT
#     value: "6443"

# With the token mounted, anything that can read the container filesystem can
# act with the service account's permissions. clusterRoleBinding.clusterRoleName
# defaults to cluster-admin in this file, so review that binding together with
# this setting.
# NOTE(review): assumes the binding's subject is this service account - confirm.
# -- Mount Service Account token in pod
automountServiceAccountToken: true
serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.(If not set and create is true, a name is generated using the fullname template)
  name: ""
# ClusterRoleBinding created by the chart. The default role is cluster-admin,
# i.e. unrestricted access to every resource in the cluster. For least
# privilege, point clusterRoleName at a narrower ClusterRole (the comment below
# gives user-ro as an example), or set create: false and grant access through
# your own RBAC objects.
# NOTE(review): the binding's subject is not visible in this file; presumably
# it is the chart's service account - confirm in the templates.
clusterRoleBinding:
  # -- Specifies whether a cluster role binding should be created
  create: true
  # -- Set name of the Cluster Role with limited permissions from your cluster
  # for example - clusterRoleName: user-ro
  clusterRoleName: cluster-admin
  # -- Annotations to add to the cluster role binding
  annotations: {}
# Deployment/pod metadata and pod-level isolation settings.
# -- Annotations to add to the deployment
deploymentAnnotations: {}
# -- Annotations to add to the pod
podAnnotations: {}
# -- Labels to add to the pod
podLabels: {}
# -- Controls user namespace isolation for the Headlamp pod.
# When true (default), the pod shares the host user namespace (user namespaces are DISABLED).
# When false, the pod uses a separate user namespace (user namespaces are ENABLED) for stronger isolation,
# if supported by the cluster. Set this to false if your cluster supports user namespaces and you want
# additional isolation; leave as true if user namespaces are not available.
# See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
hostUsers: true
# No pod-level security context is set by default; the container-level
# securityContext key is a separate setting.
# -- Headlamp pod's Security Context
podSecurityContext: {}
  # fsGroup: 2000

# -- Headlamp containers Security Context
# When readOnlyRootFilesystem: true is set, the chart automatically adds a
# writable emptyDir volume named "headlamp-tmp" mounted at /tmp so the
# application can write temporary files.
# You can override this behavior in two ways:
#   1. Supply your own volumeMount with mountPath: /tmp — the chart will skip
#      adding both the automatic mount and the automatic volume.
#   2. Supply your own volume named "headlamp-tmp" (e.g. to set sizeLimit) —
#      the chart will skip creating the volume but will still add the /tmp mount
#      pointing to your volume.
securityContext:
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  privileged: false
  runAsUser: 100
  runAsGroup: 101
  # NOTE(review): four keys are set above, so this mapping is not empty. Going
  # by the comment below, the fallback defaults (allowPrivilegeEscalation:
  # false, seccompProfile RuntimeDefault, capabilities drop ALL) would then
  # presumably not be applied - confirm in the templates, and if so set them
  # explicitly here together with readOnlyRootFilesystem: true.
  # Uses these defaults if this is empty.
  # allowPrivilegeEscalation: false
  # runAsNonRoot: true
  # seccompProfile:
  #   type: RuntimeDefault
  # capabilities:
  #   drop:
  #     - ALL

# Kubernetes Service in front of Headlamp. The default is a ClusterIP Service
# on port 80, and probes.scheme defaults to HTTP, so traffic to the pod is
# unencrypted unless TLS is configured (see the commented tlsCertPath /
# tlsKeyPath under config) or terminated in front of it. If type is changed to
# LoadBalancer, restrict loadBalancerSourceRanges rather than leaving it empty.
service:
  # -- Annotations to add to the service
  annotations: {}
  # -- Kubernetes Service type
  type: ClusterIP
  # -- Kubernetes Service port
  port: 80
  # -- Kubernetes Service clusterIP
  clusterIP: ""
  # -- Kubernetes Service loadBalancerIP
  loadBalancerIP: ""
  # -- Kubernetes Service loadBalancerSourceRanges
  loadBalancerSourceRanges: []
  # -- Kubernetes Service Nodeport
  nodePort: null
  # -- Additional ports to expose on the Service in addition to the default
  # http port. Each entry must have a unique `name` and a `port`. `targetPort`
  # defaults to `port` when omitted. `nodePort` is only honored when
  # `service.type` is `NodePort` or `LoadBalancer`. A matching containerPort
  # must be provided by the user (e.g. via a sidecar) for traffic to actually
  # be routed.
  extraServicePorts: []
  # - name: extra
  #   port: 9090
  #   targetPort: extra
  #   protocol: TCP
  #   nodePort: null
# Extra volumes and mounts for the Headlamp pod; both lists are empty by default.
# -- Headlamp containers volume mounts
volumeMounts: []
# -- Headlamp pod's volumes
volumes: []
# Optional PersistentVolumeClaim; disabled by default.
persistentVolumeClaim:
  # -- Enable Persistent Volume Claim
  enabled: false
  # -- Annotations to add to the persistent volume claim (if enabled)
  annotations: {}
  # -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
  accessModes: []
  # -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
  size: ""
  # -- storageClassName for the persistent volume claim.
  storageClassName: ""
  # -- selector for the persistent volume claim.
  selector: {}
  # -- volumeMode for the persistent volume claim, eg: Filesystem, Block.
  volumeMode: ""
# Optional Ingress; disabled by default. hosts and tls are both empty, so when
# enabling it, fill in tls as well: login tokens and Kubernetes API data pass
# through this route.
ingress:
  # -- Enable ingress controller resource
  enabled: false
  # -- Annotations for Ingress resource
  annotations: {}
    # kubernetes.io/tls-acme: "true"

  # -- Additional labels to add to the Ingress resource
  labels: {}
    # app.kubernetes.io/part-of: traefik
    # environment: prod

  # -- Ingress class name. replacement for the deprecated "kubernetes.io/ingress.class" annotation
  ingressClassName: ""
  # -- Hostname(s) for the Ingress resource
  # Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
  # Each path may optionally specify `backend.service.{name,port}` to override
  # the default Headlamp Service / `service.port`. `name` supports `tpl` so
  # values like `{{ .Release.Name }}-extra` can be used. `port` accepts either
  # `number` or `name` (matching `service.extraServicePorts[].name`).
  hosts: []
  # - host: chart-example.local
  #   paths:
  #     - path: /
  #       type: ImplementationSpecific
  #     - path: /extra
  #       type: ImplementationSpecific
  #       backend:
  #         service:
  #           port:
  #             name: extra
  # -- Ingress TLS configuration
  tls: []
  # - secretName: chart-example-tls
  #   hosts:
  #     - chart-example.local
# HTTPRoute configuration for Gateway API
# Please refer to https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
# Disabled by default. This file has no TLS setting for the route, so
# TLS termination has to be configured on the Gateway named in parentRefs.
httpRoute:
  # -- Enable HTTPRoute resource for Gateway API
  enabled: false
  # -- Annotations for HTTPRoute resource
  annotations: {}
  # -- Additional labels for HTTPRoute resource
  labels: {}
  # -- Parent references (REQUIRED when enabled - HTTPRoute will not work without this)
  # Example:
  # parentRefs:
  #   - name: my-gateway
  #     namespace: gateway-namespace
  parentRefs: []
  # -- Hostnames for the HTTPRoute
  # Example:
  # hostnames:
  #   - headlamp.example.com
  hostnames: []
  # -- Custom routing rules (optional, defaults to path prefix /)
  # If not specified, a default rule routing all traffic to the service is used
  rules: []
  # Example custom rules:
  # rules:
  #   - matches:
  #       - path:
  #           type: PathPrefix
  #           value: /headlamp
  #     backendRefs:
  #       - name: "{{ .Release.Name }}-headlamp"
  #         port: 80
# Scheduling and resource settings for the Headlamp pod. No requests or limits
# are set by default, so the container's CPU and memory use is unbounded
# unless the namespace applies a LimitRange.
# -- CPU/Memory resource requests/limits
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# -- Node labels for pod assignment
nodeSelector: {}
# -- Toleration labels for pod assignment
tolerations: []
# -- Affinity settings for pod assignment
affinity: {}
# -- Host aliases to add to the pod's /etc/hosts file
hostAliases: []
# -- Topology Spread Constraints for pod assignment
topologySpreadConstraints: []
# - maxSkew: 1
#   topologyKey: topology.kubernetes.io/zone
#   whenUnsatisfiable: ScheduleAnyway
#   matchLabelKeys:
#     - pod-template-hash
# - maxSkew: 1
#   topologyKey: kubernetes.io/hostname
#   whenUnsatisfiable: DoNotSchedule
#   matchLabelKeys:
#     - pod-template-hash

# -- Pod priority class
priorityClassName: ""
# Probe configuration for liveness and readiness checks
probes:
  # -- Scheme to use for liveness and readiness probes (HTTP or HTTPS).
  # Set to HTTPS when TLS is enabled at the backend server.
  scheme: HTTP
  livenessProbe:
    # -- Initial delay in seconds before starting liveness probe
    initialDelaySeconds: 0
    # -- Period in seconds between liveness probe checks
    periodSeconds: 10
    # -- Timeout in seconds for liveness probe
    timeoutSeconds: 1
    # -- Minimum consecutive successes for the probe to be considered successful (must be 1 for liveness probes per Kubernetes API)
    successThreshold: 1
    # -- Minimum consecutive failures for the probe to be considered failed
    failureThreshold: 3
  readinessProbe:
    # -- Initial delay in seconds before starting readiness probe
    initialDelaySeconds: 0
    # -- Period in seconds between readiness probe checks
    periodSeconds: 10
    # -- Timeout in seconds for readiness probe
    timeoutSeconds: 1
    # -- Minimum consecutive successes for the probe to be considered successful
    successThreshold: 1
    # -- Minimum consecutive failures for the probe to be considered failed
    failureThreshold: 3
# Plugin Manager Sidecar Container Configuration
# Disabled by default. When enabled, the plugins listed in configContent are
# code that ends up in the Headlamp UI, so treat that list as a dependency
# manifest: review sources and pin versions.
pluginsManager:
  # -- Enable plugin manager
  enabled: false
  # -- Plugin configuration file name
  configFile: "plugin.yml"
  # -- Plugin configuration content in YAML format. This is required if plugins.enabled is true.
  configContent: ""
  # The digest after the tag fixes the image content; the `latest` tag is only
  # a label once a digest is present.
  # -- Base node image to use
  baseImage: cgr.dev/chainguard-private/node:latest@sha256:e18f9c9c1fc1784e6eb14c0af919eb891f2ee069c02db3f5f4294c42e0671cf7
  # Unlike baseImage, this value is not pinned: `latest` can resolve to a
  # different package over time. Set an explicit version for reproducible,
  # reviewable installs.
  # NOTE(review): when the package is resolved (install vs. each container
  # start) is not visible in this file - confirm in the templates.
  # -- Headlamp plugin package version to install
  version: latest
  # -- Plugin manager containers volume mounts
  volumeMounts: []
  # -- Plugin manager env variable configuration
  # env:
  #   - name: HTTPS_PROXY
  #     value: "proxy.example.com:8080"
  # -- Specify resources
  # resources:
  #   requests:
  #     cpu: "500m"
  #     memory: "2048Mi"
  #   limits:
  #     cpu: "1000m"
  #     memory: "4096Mi"
  # If omitted, the plugin manager will inherit the global securityContext.
  # When readOnlyRootFilesystem: true is active (set here or inherited), the
  # chart automatically adds a writable emptyDir volume named
  # "headlamp-plugins-tmp" mounted at /tmp in the plugin manager container.
  # Override behavior mirrors the main container: supply your own /tmp
  # volumeMount to skip both, or supply your own "headlamp-plugins-tmp" volume
  # (e.g. to set sizeLimit) to have the chart only add the mount.
  securityContext: {}
  # runAsUser: 1001
  # runAsNonRoot: true
  # allowPrivilegeEscalation: false
  # readOnlyRootFilesystem: true
  # capabilities:
  #   drop:
  #     - ALL
# Optional PodDisruptionBudget; disabled by default. The `@schema` comment
# pairs annotate the allowed value types of the key that follows them.
podDisruptionBudget:
  # -- enable PodDisruptionBudget
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  enabled: false
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Minimum number/percentage of pods that should remain scheduled.
  # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
  minAvailable: 0
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null
  # @schema
  # type: [null, string]
  # @schema
  # -- How are unhealthy, but running, pods counted for eviction
  unhealthyPodEvictionPolicy: null
# Manifests listed here are deployed with the release, with whatever
# permissions the installing identity has. Review this list in any values file
# that comes from outside your team before installing.
# -- Additional Kubernetes manifests to be deployed. Include the manifest as nested YAML.
extraManifests: []
# - |
#   apiVersion: v1
#   kind: ConfigMap
#   metadata:
#     name: my-config
#   data:
#     key: value
# - |
#   apiVersion: v1
#   kind: ConfigMap
#   metadata:
#     name: my-config-too
#   data:
#     key: value
