headlamp

Helm chart
# Default values for the headlamp chart.
# The file is plain YAML.
# Every key declared here is a variable passed into the chart templates.

# -- How many pods the deployment should run
replicaCount: 1
image:
  # -- Registry that hosts the container image
  registry: "cgr.dev"
  # -- Name of the container image inside the registry
  repository: "chainguard-private/headlamp"
  # -- Pull policy for the image: one of Always, Never, IfNotPresent
  pullPolicy: "IfNotPresent"
  # -- Tag of the container image; when "" the appVersion from Chart.yaml is used.
  # The value carries a sha256 digest after the tag. Assuming the template renders
  # registry/repository:tag, the digest decides which image content is pulled, so a
  # retagged `latest` cannot silently change what runs. Change the digest
  # deliberately when upgrading.
  tag: "latest@sha256:8eb827559a7072d2f8015de1e8fc9cfbdc5cad91282ae5a74220b317679850e6"
# -- Optional list of references to secrets, in the same namespace, used to pull
# any of the images this chart runs.
# NOTE(review): image.repository points at a `chainguard-private` path, which
# presumably needs pull credentials; confirm and reference the secret here.
imagePullSecrets: []
# -- Replaces the chart name
nameOverride: ""
# -- Replaces the full name of the chart
fullnameOverride: ""
# -- Replaces the deployment namespace; .Release.Namespace is used when empty
namespaceOverride: ""
# -- Optional list of init containers that run before the main containers.
initContainers: []
# -- Optional list of extra containers that run alongside the main containers.
extraContainers: []
config:
  inCluster: true
  inClusterContextName: "main"
  # -- Base URL path under which headlamp is served
  baseURL: ""
  # -- Lifetime of a session token in seconds (default is 24 hours).
  # NOTE(review): a day-long token for a cluster dashboard is a long window if the
  # token leaks; use a shorter value where re-authentication is acceptable.
  sessionTTL: 86400
  oidc:
    # Option 1:
    # @param config.oidc.secret - OIDC secret configuration
    # To use an existing secret, set create to false and give the name of the secret.
    # To have a new secret created, set create to true and give the name of the secret,
    # and also provide the values for clientID, clientSecret, issuerURL, and scopes.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: true
    #       name: oidc
    secret:
      # -- Generate the OIDC secret. If true, a secret is generated from .config.oidc.
      create: true
      # -- Name of the OIDC secret.
      name: "oidc"
    # Option 2:
    # @param config.oidc - OIDC env configuration
    # To set the OIDC configuration directly, fill in the values below.
    # Example:
    # config:
    #   oidc:
    #     clientID: "clientID"
    #     clientSecret: "clientSecret"
    #     issuerURL: "issuerURL"
    #     scopes: "scopes"

    # -- OIDC client ID
    clientID: ""
    # -- OIDC client secret.
    # NOTE(review): a secret typed here lives wherever the values file lives
    # (version control, CI variables, Helm release data). Prefer a pre-created
    # secret (secret.create: false) or externalSecret so it stays out of values.
    clientSecret: ""
    # -- OIDC issuer URL
    issuerURL: ""
    # -- OIDC scopes to request
    scopes: ""
    # -- OIDC callback URL
    callbackURL: ""
    # -- OIDC client to be used during token validation
    validatorClientID: ""
    # -- OIDC issuer URL to be used during token validation
    validatorIssuerURL: ""
    # -- Authenticate with 'access_token' instead of 'id_token' when using OIDC
    useAccessToken: false
    # -- Use PKCE (Proof Key for Code Exchange) for enhanced security in the OIDC flow.
    # NOTE(review): off by default; PKCE binds the authorization code to the client
    # that started the flow, so enable it when the identity provider supports it.
    usePKCE: false
    # -- Enable using the OIDC cookie for authentication outside of the cluster
    useCookie: false
    # Option 3:
    # @param config.oidc - External OIDC secret configuration
    # To take the OIDC configuration from an external secret, enable this option
    # and provide the name of the secret to use.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: false
    #     externalSecret:
    #       enabled: true
    #       name: oidc
    externalSecret:
      enabled: false
      name: ""
    # -- URL to fetch additional user info for the /me endpoint.
    # For oauth2proxy /oauth2/userinfo can be used. When empty it is not used.
    # NOTE(review): shown under oidc here; the page's listing lost its indentation,
    # so confirm the nesting of this key against the chart.
    meUserInfoURL: ""
  # -- Directory that is searched for plugins
  pluginsDir: "/headlamp/plugins"
  # NOTE(review): undocumented on this page; presumably switches on Helm operations
  # from the dashboard. Confirm in the chart README before enabling, since what it
  # can do depends on the role bound through clusterRoleBinding.
  enableHelm: false
  watchPlugins: false
  # tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
  # tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
  # Extra arguments passed to the container. See charts/headlamp/README.md for details.
  extraArgs: []
# -- Optional list of environment variables
# env:
#   - name: KUBERNETES_SERVICE_HOST
#     value: "localhost"
#   - name: KUBERNETES_SERVICE_PORT
#     value: "6443"

# -- Mount the Service Account token in the pod.
# NOTE(review): clusterRoleBinding.clusterRoleName defaults to cluster-admin. If
# that binding names this chart's service account (presumably it does), the
# mounted token carries cluster-admin rights and any process that can read
# files in the pod can use it. Bind a narrower role before exposing the dashboard.
automountServiceAccountToken: true
serviceAccount:
  # -- Whether a service account should be created
  create: true
  # -- Annotations added to the service account
  annotations: {}
  # -- Name of the service account to use. (When unset and create is true, the
  # name is generated from the fullname template.)
  name: ""
clusterRoleBinding:
  # -- Specifies whether a cluster role binding should be created
  create: true
  # -- Name of the Cluster Role to bind. Set it to a role with limited permissions
  # from your cluster, for example - clusterRoleName: user-ro
  # NOTE(review): the default grants cluster-admin, i.e. full control of the
  # cluster, to whatever subject this binding names (presumably the chart's
  # service account). Prefer a read-only or namespace-scoped role and widen it
  # only as far as the dashboard's users need.
  clusterRoleName: "cluster-admin"
  # -- Annotations added to the cluster role binding
  annotations: {}
# -- Annotations added to the deployment
deploymentAnnotations: {}
# -- Annotations added to the pod
podAnnotations: {}
# -- Labels added to the pod
podLabels: {}
# -- Controls user namespace isolation for the Headlamp pod.
# true (default): the pod shares the host user namespace (user namespaces are DISABLED).
# false: the pod gets a separate user namespace (user namespaces are ENABLED) for
# stronger isolation, if the cluster supports it. Set false when the cluster supports
# user namespaces and the extra isolation is wanted; leave true when it does not.
# See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
hostUsers: true
# -- Security context of the Headlamp pod
podSecurityContext: {}
  # fsGroup: 2000

# -- Security context of the Headlamp containers
securityContext:
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  privileged: false
  runAsUser: 100
  runAsGroup: 101
  # Uses these defaults if this is empty.
  # allowPrivilegeEscalation: false
  # runAsNonRoot: true
  # seccompProfile:
  #   type: RuntimeDefault
  # capabilities:
  #   drop:
  #     - ALL
  # NOTE(review): four keys are set above, so this map is not empty and the
  # fallback listed here presumably does not apply. Check the rendered pod spec;
  # if allowPrivilegeEscalation, seccompProfile and the capability drop are
  # missing there, set them explicitly next to the keys above.

service:
  # -- Annotations added to the service
  annotations: {}
  # -- Kubernetes Service type
  type: "ClusterIP"
  # -- Kubernetes Service port
  port: 80
  # -- Kubernetes Service clusterIP
  clusterIP: ""
  # -- Kubernetes Service loadBalancerIP
  loadBalancerIP: ""
  # -- Kubernetes Service loadBalancerSourceRanges.
  # NOTE(review): an empty list places no source restriction on a LoadBalancer
  # service; list the allowed CIDRs here if type is changed to LoadBalancer.
  loadBalancerSourceRanges: []
  # -- Kubernetes Service NodePort
  nodePort: null
# -- Volume mounts of the Headlamp containers
volumeMounts: []
# -- Volumes of the Headlamp pod
volumes: []
persistentVolumeClaim:
  # -- Enable the Persistent Volume Claim
  enabled: false
  # -- Annotations added to the persistent volume claim (if enabled)
  annotations: {}
  # -- accessModes of the persistent volume claim, e.g. ReadWriteOnce, ReadOnlyMany,
  # ReadWriteMany etc.
  accessModes: []
  # -- Size of the persistent volume claim, e.g. 10Gi. Required if enabled is true.
  size: ""
  # -- storageClassName of the persistent volume claim.
  storageClassName: ""
  # -- Selector of the persistent volume claim.
  selector: {}
  # -- volumeMode of the persistent volume claim, e.g. Filesystem, Block.
  volumeMode: ""
ingress:
  # -- Enable the ingress controller resource.
  # NOTE(review): with tls left empty below, the dashboard and the tokens users
  # submit to it travel without TLS at this hop unless TLS is terminated
  # elsewhere; fill in tls when turning this on.
  enabled: false
  # -- Annotations for the Ingress resource
  annotations: {}
    # kubernetes.io/tls-acme: "true"

  # -- Additional labels added to the Ingress resource
  labels: {}
    # app.kubernetes.io/part-of: traefik
    # environment: prod

  # -- Ingress class name; replaces the deprecated "kubernetes.io/ingress.class" annotation
  ingressClassName: ""
  # -- Hostname(s) for the Ingress resource
  # See https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
  hosts: []
    # - host: chart-example.local
    #   paths:
    #     - path: /
    #       type: ImplementationSpecific
  # -- Ingress TLS configuration
  tls: []
    # - secretName: chart-example-tls
    #   hosts:
    #     - chart-example.local
# HTTPRoute configuration for Gateway API
# See https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
httpRoute:
  # -- Enable the HTTPRoute resource for Gateway API
  enabled: false
  # -- Annotations for the HTTPRoute resource
  annotations: {}
  # -- Additional labels for the HTTPRoute resource
  labels: {}
  # -- Parent references (REQUIRED when enabled - HTTPRoute will not work without this)
  # Example:
  # parentRefs:
  #   - name: my-gateway
  #     namespace: gateway-namespace
  parentRefs: []
  # -- Hostnames for the HTTPRoute
  # Example:
  # hostnames:
  #   - headlamp.example.com
  hostnames: []
  # -- Custom routing rules (optional, defaults to path prefix /)
  # When none are given, a default rule routes all traffic to the service
  rules: []
  # Example custom rules:
  # rules:
  #   - matches:
  #       - path:
  #           type: PathPrefix
  #           value: /headlamp
  #     backendRefs:
  #       - name: "{{ .Release.Name }}-headlamp"
  #         port: 80
# -- CPU/Memory resource requests/limits
resources: {}
  # Default resources are deliberately left unset so that choosing them is a
  # conscious decision by the user. It also makes the chart more likely to run on
  # environments with few resources, such as Minikube. To set resources, uncomment
  # the lines below, adjust them, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# -- Node labels used for pod assignment
nodeSelector: {}
# -- Toleration labels used for pod assignment
tolerations: []
# -- Affinity settings used for pod assignment
affinity: {}
# -- Topology Spread Constraints used for pod assignment
topologySpreadConstraints: []
# - maxSkew: 1
#   topologyKey: topology.kubernetes.io/zone
#   whenUnsatisfiable: ScheduleAnyway
#   matchLabelKeys:
#     - pod-template-hash
# - maxSkew: 1
#   topologyKey: kubernetes.io/hostname
#   whenUnsatisfiable: DoNotSchedule
#   matchLabelKeys:
#     - pod-template-hash

# -- Priority class of the pod
priorityClassName: ""
# Plugin Manager Sidecar Container Configuration
pluginsManager:
  # -- Enable the plugin manager
  enabled: false
  # -- File name of the plugin configuration
  configFile: "plugin.yml"
  # -- Plugin configuration content in YAML format. Required if pluginsManager.enabled is true.
  # NOTE(review): this content decides which plugins get installed, and plugins
  # are code that runs with the dashboard; list only sources you trust.
  configContent: ""
  # -- Base node image to use (pinned by sha256 digest)
  baseImage: "cgr.dev/chainguard-private/node:latest@sha256:92f74407d67cbd01b10d7b1df1b77f76dbb0e1c74f9eff63d7f5ec0188b48a3e"
  # -- Version of the Headlamp plugin package to install.
  # NOTE(review): `latest` floats, so a rebuilt pod may install a different
  # package than the one that was reviewed; pin an exact version when the
  # plugin manager is enabled.
  version: "latest"
  # -- Volume mounts of the plugin manager containers
  volumeMounts: []
  # -- Plugin manager env variable configuration
  # env:
  #   - name: HTTPS_PROXY
  #     value: "proxy.example.com:8080"
  # -- Specify resources
  # resources:
  #   requests:
  #     cpu: "500m"
  #     memory: "2048Mi"
  #   limits:
  #     cpu: "1000m"
  #     memory: "4096Mi"
  # If omitted, the plugin manager will inherit the global securityContext
  securityContext: {}
  # runAsUser: 1001
  # runAsNonRoot: true
  # allowPrivilegeEscalation: false
  # readOnlyRootFilesystem: true
  # capabilities:
  #   drop:
  #     - ALL
podDisruptionBudget:
  # -- Enable the PodDisruptionBudget
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  enabled: false
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Minimum number/percentage of pods that should remain scheduled.
  # When this is set, maxUnavailable must be disabled with `maxUnavailable: null`
  minAvailable: 0
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null
  # @schema
  # type: [null, string]
  # @schema
  # -- How unhealthy, but running, pods are counted for eviction
  unhealthyPodEvictionPolicy: null
# -- Additional Kubernetes manifests to deploy. Give each manifest as nested YAML.
# NOTE(review): entries here are deployed with the release, so review them like
# any other manifest applied to the cluster.
extraManifests: []
# - |
#   apiVersion: v1
#   kind: ConfigMap
#   metadata:
#     name: my-config
#   data:
#     key: value
# - |
#   apiVersion: v1
#   kind: ConfigMap
#   metadata:
#     name: my-config-too
#   data:
#     key: value
