apiVersion: v1 kind: ConfigMap metadata: name: headplane-config data: config.yaml: | # Configuration for the Headplane server and web application server: host: "0.0.0.0" port: 3000 # The secret used to encode and decode web sessions # Ensure that this is exactly 32 characters long cookie_secret: "" # Should the cookies only work over HTTPS? # Set to false if running via HTTP without a proxy # (I recommend this is true in production) cookie_secure: true # Headscale specific settings to allow Headplane to talk # to Headscale and access deep integration features headscale: # The URL to your Headscale instance # (All API requests are routed through this URL) # (THIS IS NOT the gRPC endpoint, but the HTTP endpoint) # # IMPORTANT: If you are using TLS this MUST be set to `https://` url: "http://0.0.0.0:8080" # If you use the TLS configuration in Headscale, and you are not using # Let's Encrypt for your certificate, pass in the path to the certificate. # (This has no effect `url` does not start with `https://`) # tls_cert_path: "/var/lib/headplane/tls.crt" # Optional, public URL if they differ # This affects certain parts of the web UI # public_url: "https://headscale.example.com" # Path to the Headscale configuration file # This is optional, but HIGHLY recommended for the best experience # If this is read only, Headplane will show your configuration settings # in the Web UI, but they cannot be changed. config_path: "/etc/headscale/config.yaml" # Headplane internally validates the Headscale configuration # to ensure that it changes the configuration in a safe way. # If you want to disable this validation, set this to false. config_strict: true # Integration configurations for Headplane to interact with Headscale # Only one of these should be enabled at a time or you will get errors integration: kubernetes: enabled: true # Validates the manifest for the Pod to ensure all of the criteria # are set correctly. Turn this off if you are having issues with # shareProcessNamespace not being validated correctly. validate_manifest: true # This should be the name of the Pod running Headscale and Headplane. # If this isn't static you should be using the Kubernetes Downward API # to set this value (refer to docs/Integrated-Mode.md for more info). pod_name: "headscale" # # OIDC Configuration for simpler authentication # # (This is optional, but recommended for the best experience) # oidc: # issuer: "https://accounts.google.com" # client_id: "your-client-id" # # The client secret for the OIDC client # # Either this or `client_secret_path` must be set for OIDC to work # client_secret: "" # # You can alternatively set `client_secret_path` to read the secret from disk. # # The path specified can resolve environment variables, making integration # # with systemd's `LoadCredential` straightforward: # # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret" # disable_api_key_login: false # token_endpoint_auth_method: "client_secret_post" # # If you are using OIDC, you need to generate an API key # # that can be used to authenticate other sessions when signing in. # # # # This can be done with `headscale apikeys create --expiration 999d` # headscale_api_key: "" # # Optional, but highly recommended otherwise Headplane # # will attempt to automatically guess this from the issuer # # # # This should point to your publicly accessibly URL # # for your Headplane instance with /admin/oidc/callback # redirect_uri: "http://localhost:3000/admin/oidc/callback" # # Stores the users and their permissions for Headplane # # This is a path to a JSON file, default is specified below. # user_storage_file: "/var/lib/headplane/users.json"