
headlamp

Helm chart
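# Default values for headlamp.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# -- Number of desired pods
replicaCount: 1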
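# NOTE(review): the rendered listing lost its indentation; the keys below are
# nested under `image` as their descriptions imply. Confirm against the
# chart's own values.yaml.
image:
  # -- Container image registry
  registry: cgr.dev
  # -- Container image name
  repository: chainguard-private/headlamp-fips
  # -- Image pull policy. One of Always, Never, IfNotPresent
  pullPolicy: IfNotPresent
  # NOTE(review): the sha256 digest is what pins the image content. When a
  # reference carries both a tag and a digest, the digest is used to resolve
  # the image and "latest" is only a label. Keep a digest when overriding this
  # value so that image changes are deliberate and verifiable.
  # -- Container image tag, If "" uses appVersion in Chart.yaml
  tag: latest@sha256:7447fdb2634a6e2f890968bb0527113237fc454e3a42cc53f949cf3c3d51b205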
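# NOTE(review): the default image repository in this file is a private one, so
# presumably a pull secret has to be listed here (or attached to the service
# account) for the pod to start. Reference an existing Secret by name; do not
# place registry credentials in values.
# -- An optional list of references to secrets in the same namespace to use for pulling any of the images used
imagePullSecrets: []
# -- Overrides the name of the chart
nameOverride: ""
# -- Overrides the full name of the chart
fullnameOverride: ""
# -- Override the deployment namespace; defaults to .Release.Namespace
namespaceOverride: ""
# NOTE(review): init and extra containers run in the same pod as Headlamp and
# presumably share its service account token; give them their own restrictive
# securityContext and pin their images by digest.
# -- An optional list of init containers to be run before the main containers.
initContainers: []
# -- An optional list of extra containers to be run along side the main containers.
extraContainers: []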
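# NOTE(review): the rendered listing lost its indentation. The nesting below is
# reconstructed from the key paths named in the comments (config.oidc,
# config.oidc.secret); confirm it against the chart's own values.yaml,
# in particular the position of meUserInfoURL.
config:
  inCluster: true
  inClusterContextName: "main"
  # -- base url path at which headlamp should run
  baseURL: ""
  # NOTE(review): a stolen session token stays usable for the whole TTL;
  # lower this if your policy calls for a shorter window than 24 hours.
  # -- session token TTL in seconds (default is 24 hours)
  sessionTTL: 86400
  oidc:
    # Option 1:
    # @param config.oidc.secret - OIDC secret configuration
    # If you want to use an existing secret, set create to false and provide the name of the secret.
    # If you want to create a new secret, set create to true and provide the name of the secret.
    # Also provide the values for clientID, clientSecret, issuerURL, and scopes.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: true
    #       name: oidc
    secret:
      # -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
      create: true
      # -- Name of the OIDC secret.
      name: oidc
    # Option 2:
    # @param config.oidc - OIDC env configuration
    # If you want to set the OIDC configuration directly, set the following values.
    # Example:
    # config:
    #   oidc:
    #     clientID: "clientID"
    #     clientSecret: "clientSecret"
    #     issuerURL: "issuerURL"
    #     scopes: "scopes"

    # -- OIDC client ID
    clientID: ""
    # NOTE(review): a client secret set here travels with the values file and
    # is kept by Helm in the release record. Prefer an existing Secret
    # (secret.create: false) or the externalSecret option below, so that the
    # secret never appears in values or version control.
    # -- OIDC client secret
    clientSecret: ""
    # -- OIDC issuer URL
    issuerURL: ""
    # -- OIDC scopes to be used
    scopes: ""
    # -- OIDC callback URL
    callbackURL: ""
    # -- OIDC client to be used during token validation
    validatorClientID: ""
    # -- OIDC Issuer URL to be used during token validation
    validatorIssuerURL: ""
    # -- Use 'access_token' instead of 'id_token' when authenticating using OIDC
    useAccessToken: false
    # NOTE(review): PKCE is off by default. It binds the authorization code to
    # the client that requested it; enable it when the identity provider
    # supports it.
    # -- Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow
    usePKCE: false
    # -- Enable using OIDC cookie for authentication outside of cluster
    useCookie: false
    # Option 3:
    # @param config.oidc - External OIDC secret configuration
    # If you want to use an external secret for OIDC configuration, enable this option.
    # Provide the name of the secret to use.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: false
    #     externalSecret:
    #       enabled: true
    #       name: oidc
    externalSecret:
      enabled: false
      name: ""
    # -- URL to fetch additional user info for the /me endpoint.
    # For oauth2proxy /oauth2/userinfo can be used. Empty and it will not be used.
    meUserInfoURL: ""
  # -- directory to look for plugins
  pluginsDir: "/headlamp/plugins"
  enableHelm: false
  watchPlugins: false
  # NOTE(review): with the two TLS paths below left commented out, no
  # certificate is configured for Headlamp in this file; presumably TLS is
  # expected to terminate at the ingress or gateway in front of the Service.
  # tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
  # tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
  # Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
  extraArgs: []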
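# -- An optional list of environment variables
# env:
#   - name: KUBERNETES_SERVICE_HOST
#     value: "localhost"
#   - name: KUBERNETES_SERVICE_PORT
#     value: "6443"

# NOTE(review): with the token mounted, any process in the pod can call the
# Kubernetes API with the RBAC held by the pod's service account. Review this
# together with clusterRoleBinding.clusterRoleName in this file, which
# defaults to cluster-admin.
# -- Mount Service Account token in pod
automountServiceAccountToken: true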
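# NOTE(review): the rendered listing lost its indentation; the keys below are
# nested under `serviceAccount` as their descriptions imply. Confirm against
# the chart's own values.yaml.
serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.(If not set and create is true, a name is generated using the fullname template)
  name: ""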
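# NOTE(review): the rendered listing lost its indentation; the keys below are
# nested under `clusterRoleBinding` as their descriptions imply. Confirm
# against the chart's own values.yaml.
clusterRoleBinding:
  # -- Specifies whether a cluster role binding should be created
  create: true
  # NOTE(review): cluster-admin grants unrestricted access to every resource
  # in the cluster. Presumably this binding targets the chart's service
  # account (verify in the templates); together with
  # automountServiceAccountToken: true, a compromise of the Headlamp pod would
  # then expose cluster-admin credentials. Prefer a narrowly scoped
  # ClusterRole, such as the read-only one in the example below, or set
  # create: false and rely on each user's own identity.
  # -- Set name of the Cluster Role with limited permissions from your cluster
  # for example - clusterRoleName: user-ro
  clusterRoleName: cluster-admin
  # -- Annotations to add to the cluster role binding
  annotations: {}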
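# -- Annotations to add to the deployment
deploymentAnnotations: {}
# -- Annotations to add to the pod
podAnnotations: {}
# -- Labels to add to the pod
podLabels: {}
# -- Controls user namespace isolation for the Headlamp pod.
# When true (default), the pod shares the host user namespace (user namespaces are DISABLED).
# When false, the pod uses a separate user namespace (user namespaces are ENABLED) for stronger isolation,
# if supported by the cluster. Set this to false if your cluster supports user namespaces and you want
# additional isolation; leave as true if user namespaces are not available.
# See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
hostUsers: true
# -- Headlamp pod's Security Context
podSecurityContext: {}
  # fsGroup: 2000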
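# NOTE(review): the rendered listing lost its indentation; the nesting below is
# reconstructed. This map is not empty, so the fallback defaults listed at the
# bottom are presumably not applied (verify in the templates). If your policy
# requires them, set allowPrivilegeEscalation: false, capabilities.drop: [ALL],
# seccompProfile.type: RuntimeDefault and readOnlyRootFilesystem: true
# explicitly.
# -- Headlamp containers Security Context
# When readOnlyRootFilesystem: true is set, the chart automatically adds a
# writable emptyDir volume named "headlamp-tmp" mounted at /tmp so the
# application can write temporary files.
# You can override this behavior in two ways:
#   1. Supply your own volumeMount with mountPath: /tmp — the chart will skip
#      adding both the automatic mount and the automatic volume.
#   2. Supply your own volume named "headlamp-tmp" (e.g. to set sizeLimit) —
#      the chart will skip creating the volume but will still add the /tmp mount
#      pointing to your volume.
securityContext:
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  privileged: false
  runAsUser: 100
  runAsGroup: 101
  # Uses these defaults if this is empty.
  # allowPrivilegeEscalation: false
  # runAsNonRoot: true
  # seccompProfile:
  #   type: RuntimeDefault
  # capabilities:
  #   drop:
  #     - ALL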
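# NOTE(review): the rendered listing lost its indentation; the keys below are
# nested under `service` (the comments refer to `service.type` and
# `service.extraServicePorts[]`). Confirm against the chart's own values.yaml.
service:
  # -- Annotations to add to the service
  annotations: {}
  # -- Kubernetes Service type
  type: ClusterIP
  # -- Kubernetes Service port
  port: 80
  # -- Kubernetes Service clusterIP
  clusterIP: ""
  # -- Kubernetes Service loadBalancerIP
  loadBalancerIP: ""
  # NOTE(review): if `type` is changed to LoadBalancer, list the permitted
  # client CIDRs here; an empty list leaves the load balancer without a
  # source-range restriction.
  # -- Kubernetes Service loadBalancerSourceRanges
  loadBalancerSourceRanges: []
  # -- Kubernetes Service Nodeport
  nodePort: null
  # -- Additional ports to expose on the Service in addition to the default
  # http port. Each entry must have a unique `name` and a `port`. `targetPort`
  # defaults to `port` when omitted. `nodePort` is only honored when
  # `service.type` is `NodePort` or `LoadBalancer`. A matching containerPort
  # must be provided by the user (e.g. via a sidecar) for traffic to actually
  # be routed.
  extraServicePorts: []
  # - name: extra
  #   port: 9090
  #   targetPort: extra
  #   protocol: TCP
  #   nodePort: null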
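# -- Headlamp containers volume mounts
volumeMounts: []
# -- Headlamp pod's volumes
volumes: []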
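# NOTE(review): the rendered listing lost its indentation; the keys below are
# nested under `persistentVolumeClaim` as their descriptions imply. Confirm
# against the chart's own values.yaml.
persistentVolumeClaim:
  # -- Enable Persistent Volume Claim
  enabled: false
  # -- Annotations to add to the persistent volume claim (if enabled)
  annotations: {}
  # -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
  accessModes: []
  # -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
  size: ""
  # -- storageClassName for the persistent volume claim.
  storageClassName: ""
  # -- selector for the persistent volume claim.
  selector: {}
  # -- volumeMode for the persistent volume claim, eg: Filesystem, Block.
  volumeMode: ""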
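# NOTE(review): the rendered listing lost its indentation; the nesting below is
# reconstructed. Confirm against the chart's own values.yaml. When enabling
# the ingress, also fill in `tls`: the Service in this file listens on port 80,
# so without TLS at the ingress, session and OIDC tokens would cross the
# network in clear text.
ingress:
  # -- Enable ingress controller resource
  enabled: false
  # -- Annotations for Ingress resource
  annotations: {}
    # kubernetes.io/tls-acme: "true"

  # -- Additional labels to add to the Ingress resource
  labels: {}
    # app.kubernetes.io/part-of: traefik
    # environment: prod

  # -- Ingress class name. replacement for the deprecated "kubernetes.io/ingress.class" annotation
  ingressClassName: ""
  # -- Hostname(s) for the Ingress resource
  # Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
  # Each path may optionally specify `backend.service.{name,port}` to override
  # the default Headlamp Service / `service.port`. `name` supports `tpl` so
  # values like `{{ .Release.Name }}-extra` can be used. `port` accepts either
  # `number` or `name` (matching `service.extraServicePorts[].name`).
  hosts: []
  # - host: chart-example.local
  #   paths:
  #   - path: /
  #     type: ImplementationSpecific
  #   - path: /extra
  #     type: ImplementationSpecific
  #     backend:
  #       service:
  #         port:
  #           name: extra
  # -- Ingress TLS configuration
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local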
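# NOTE(review): the rendered listing lost its indentation; the nesting below is
# reconstructed. Confirm against the chart's own values.yaml. TLS for an
# HTTPRoute is configured on the parent Gateway's listener, not in this block;
# check that the referenced Gateway serves HTTPS before exposing Headlamp.
# HTTPRoute configuration for Gateway API
# Please refer to https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
httpRoute:
  # -- Enable HTTPRoute resource for Gateway API
  enabled: false
  # -- Annotations for HTTPRoute resource
  annotations: {}
  # -- Additional labels for HTTPRoute resource
  labels: {}
  # -- Parent references (REQUIRED when enabled - HTTPRoute will not work without this)
  # Example:
  # parentRefs:
  #   - name: my-gateway
  #     namespace: gateway-namespace
  parentRefs: []
  # -- Hostnames for the HTTPRoute
  # Example:
  # hostnames:
  #   - headlamp.example.com
  hostnames: []
  # -- Custom routing rules (optional, defaults to path prefix /)
  # If not specified, a default rule routing all traffic to the service is used
  rules: []
  # Example custom rules:
  # rules:
  #   - matches:
  #       - path:
  #           type: PathPrefix
  #           value: /headlamp
  #     backendRefs:
  #       - name: "{{ .Release.Name }}-headlamp"
  #         port: 80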
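# NOTE(review): with no requests or limits set, the pod runs without a
# resource ceiling; set limits in shared clusters so that a misbehaving or
# abused instance cannot starve its neighbours.
# -- CPU/Memory resource requests/limits
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# -- Node labels for pod assignment
nodeSelector: {}
# -- Toleration labels for pod assignment
tolerations: []
# -- Affinity settings for pod assignment
affinity: {}
# -- Topology Spread Constraints for pod assignment
topologySpreadConstraints: []
# - maxSkew: 1
#   topologyKey: topology.kubernetes.io/zone
#   whenUnsatisfiable: ScheduleAnyway
#   matchLabelKeys:
#     - pod-template-hash
# - maxSkew: 1
#   topologyKey: kubernetes.io/hostname
#   whenUnsatisfiable: DoNotSchedule
#   matchLabelKeys:
#     - pod-template-hash

# -- Pod priority class
priorityClassName: ""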
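# NOTE(review): the rendered listing lost its indentation; the nesting below is
# reconstructed. Confirm against the chart's own values.yaml.
# Plugin Manager Sidecar Container Configuration
pluginsManager:
  # -- Enable plugin manager
  enabled: false
  # -- Plugin configuration file name
  configFile: "plugin.yml"
  # NOTE(review): plugins are third-party code loaded into Headlamp. List only
  # sources you trust here and pin each plugin to an explicit version.
  # -- Plugin configuration content in YAML format. This is required if pluginsManager.enabled is true.
  configContent: ""
  # -- Base node image to use
  baseImage: cgr.dev/chainguard-private/node-fips:latest@sha256:d80f83293b9453286ec3397fbad015d7b9ecaf229f2391d220c99865ac05456a
  # NOTE(review): unlike baseImage, which is pinned by digest, "latest" here is
  # resolved when the sidecar runs, so the installed package can change
  # between pod restarts. Pin an explicit version for reproducible and
  # reviewable deployments.
  # -- Headlamp plugin package version to install
  version: latest
  # -- Plugin manager containers volume mounts
  volumeMounts: []
  # -- Plugin manager env variable configuration
  # env:
  #   - name: HTTPS_PROXY
  #     value: "proxy.example.com:8080"
  # -- Specify resources
  # resources:
  #   requests:
  #     cpu: "500m"
  #     memory: "2048Mi"
  #   limits:
  #     cpu: "1000m"
  #     memory: "4096Mi"
  # If omitted, the plugin manager will inherit the global securityContext.
  # When readOnlyRootFilesystem: true is active (set here or inherited), the
  # chart automatically adds a writable emptyDir volume named
  # "headlamp-plugins-tmp" mounted at /tmp in the plugin manager container.
  # Override behavior mirrors the main container: supply your own /tmp
  # volumeMount to skip both, or supply your own "headlamp-plugins-tmp" volume
  # (e.g. to set sizeLimit) to have the chart only add the mount.
  securityContext: {}
  # runAsUser: 1001
  # runAsNonRoot: true
  # allowPrivilegeEscalation: false
  # readOnlyRootFilesystem: true
  # capabilities:
  #   drop:
  #     - ALL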
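# NOTE(review): the rendered listing lost its indentation; the keys below are
# nested under `podDisruptionBudget` as their descriptions imply. Confirm
# against the chart's own values.yaml.
podDisruptionBudget:
  # -- enable PodDisruptionBudget
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  enabled: false
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Minimum number/percentage of pods that should remain scheduled.
  # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
  minAvailable: 0
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null
  # @schema
  # type: [null, string]
  # @schema
  # -- How are unhealthy, but running, pods counted for eviction
  unhealthyPodEvictionPolicy: null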
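# NOTE(review): manifests listed here are presumably applied with the same
# privileges as the rest of the release, and no visible schema restricts their
# kind. Review additions to this list as you would any other cluster change.
# -- Additional Kubernetes manifests to be deployed. Include the manifest as nested YAML.
extraManifests: []
# - |
#   apiVersion: v1
#   kind: ConfigMap
#   metadata:
#     name: my-config
#   data:
#     key: value
# - |
#   apiVersion: v1
#   kind: ConfigMap
#   metadata:
#     name: my-config-too
#   data:
#     key: value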
