Add headlamp app

2026-03-15 11:33:22 +02:00 · 2026-03-15 11:33:22 +02:00 · eecf97aefc
commit eecf97aefc
parent 59a08a9131
68 changed files with 6190 additions and 0 deletions
--- a/argocd-apps/headlamp.yaml
+++ b/argocd-apps/headlamp.yaml
@ -0,0 +1,17 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: headlamp
  namespace: argocd
 spec:
  project: infra
  source:
    repoURL: 'ssh://git@gitea-ssh.dev-tools.svc.cluster.local.:2222/dvirlabs/infra.git'
    targetRevision: HEAD
    path: charts/headlamp
    helm:
      valueFiles:
        - ../../manifests/headlamp/values.yaml
  destination:
    server: https://kubernetes.default.svc
    namespace: infra
--- a/headlamp/.helmignore
+++ b/headlamp/.helmignore
@ -0,0 +1,23 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/headlamp/Chart.yaml
+++ b/headlamp/Chart.yaml
@ -0,0 +1,43 @@
 annotations:
  artifacthub.io/category: monitoring-logging
  artifacthub.io/license: Apache-2.0
  artifacthub.io/screenshots: |
    - title: Cluster Overview
      url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/cluster_overview.png
    - title: Cluster Chooser
      url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/cluster_chooser.png
    - title: Nodes
      url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/nodes.png
    - title: Resource edition
      url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/resource_edition.png
    - title: Editor Documentation
      url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/editor_documentation.png
    - title: Terminal
      url: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/screenshots/screenshots/terminal.png
  artifacthub.io/signKey: |
    fingerprint: 2956B7F7167769370C93730C7264DA7B85D08A37
    url: https://keys.openpgp.org/vks/v1/by-fingerprint/2956B7F7167769370C93730C7264DA7B85D08A37
 apiVersion: v2
 appVersion: 0.40.1
 description: Headlamp is an easy-to-use and extensible Kubernetes web UI.
 home: https://headlamp.dev/
 icon: https://raw.githubusercontent.com/kubernetes-sigs/headlamp/main/docs/headlamp_light.svg
 keywords:
 - kubernetes
 - plugins
 - kinvolk
 - headlamp
 - dashboard
 - ui
 - web
 - monitoring
 - logging
 maintainers:
 - name: kinvolk
  url: https://kinvolk.io/
 name: headlamp
 sources:
 - https://github.com/kubernetes-sigs/headlamp/tree/main/charts/headlamp
 - https://github.com/kubernetes-sigs/headlamp
 type: application
 version: 0.40.1
--- a/headlamp/README.md
+++ b/headlamp/README.md
@ -0,0 +1,411 @@
 # Headlamp Helm Chart
 Headlamp is an easy-to-use and extensible Kubernetes web UI that provides:
 - 🚀 Modern, fast, and responsive interface
 - 🔒 OIDC authentication support
 - 🔌 Plugin system for extensibility
 - 🎯 Real-time cluster state updates
 ## Prerequisites
 - Kubernetes 1.21+
 - Helm 3.x
 - Cluster admin access for initial setup
 ## Quick Start
 Add the Headlamp repository and install the chart:
 ```console
 $ helm repo add headlamp https://kubernetes-sigs.github.io/headlamp/
 $ helm repo update
 $ helm install my-headlamp headlamp/headlamp --namespace kube-system
 ```
 Access Headlamp:
 ```console
 $ kubectl port-forward -n kube-system svc/my-headlamp 8080:80
 ```
 Then open http://localhost:8080 in your browser.
 ## Installation
 ### Basic Installation
 ```console
 $ helm install my-headlamp headlamp/headlamp --namespace kube-system
 ```
 ### Installation with OIDC
 ```console
 $ helm install my-headlamp headlamp/headlamp \
  --namespace kube-system \
  --set config.oidc.clientID=your-client-id \
  --set config.oidc.clientSecret=your-client-secret \
  --set config.oidc.issuerURL=https://your-issuer-url
 ```
 ### Installation with Ingress
 ```console
 $ helm install my-headlamp headlamp/headlamp \
  --namespace kube-system \
  --set ingress.enabled=true \
  --set ingress.hosts[0].host=headlamp.example.com \
  --set ingress.hosts[0].paths[0].path=/
 ```
 ## Configuration
 ### Core Parameters
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | replicaCount | int | `1` | Number of desired pods |
 | image.registry | string | `"ghcr.io"` | Container image registry |
 | image.repository | string | `"headlamp-k8s/headlamp"` | Container image name |
 | image.tag | string | `""` | Container image tag (defaults to Chart appVersion) |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 ### Application Configuration
 | Key                | Type   | Default               | Description                                                               |
 |--------------------|--------|-----------------------|---------------------------------------------------------------------------|
 | config.inCluster   | bool   | `true`                | Run Headlamp in-cluster                                                   |
 | config.baseURL     | string | `""`                  | Base URL path for Headlamp UI                                             |
 | config.sessionTTL  | int    | `86400`               | The time in seconds for the internal session to remain valid (Default: 86400/24h, Min: 1 , Max: 31536000/1yr) |
 | config.pluginsDir  | string | `"/headlamp/plugins"` | Directory to load Headlamp plugins from                                   |
 | config.enableHelm  | bool   | `false`               | Enable Helm operations like install, upgrade and uninstall of Helm charts |
 | config.extraArgs   | array  | `[]`                  | Additional arguments for Headlamp server                                  |
 | config.tlsCertPath | string | `""`                  | Certificate for serving TLS                                               |
 | config.tlsKeyPath  | string | `""`                  | Key for serving TLS                                                       |
 ### OIDC Configuration
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | config.oidc.clientID | string | `""` | OIDC client ID |
 | config.oidc.clientSecret | string | `""` | OIDC client secret |
 | config.oidc.issuerURL | string | `""` | OIDC issuer URL |
 | config.oidc.scopes | string | `""` | OIDC scopes to be used |
 | config.oidc.usePKCE | bool | `false` | Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow |
 | config.oidc.secret.create | bool | `true` | Create OIDC secret using provided values |
 | config.oidc.secret.name | string | `"oidc"` | Name of the OIDC secret |
 | config.oidc.externalSecret.enabled | bool | `false` | Enable using external secret for OIDC |
 | config.oidc.externalSecret.name | string | `""` | Name of external OIDC secret |
 | config.oidc.meUserInfoURL | string | `""` | URL to fetch additional user info for the /me endpoint. Useful for providers like oauth2-proxy. |
 There are three ways to configure OIDC:
 1. Using direct configuration:
 ```yaml
 config:
  oidc:
    clientID: "your-client-id"
    clientSecret: "your-client-secret"
    issuerURL: "https://your-issuer"
    scopes: "openid profile email"
    meUserInfoURL: "https://headlamp.example.com/oauth2/userinfo"
 ```
 2. Using automatic secret creation:
 ```yaml
 config:
  oidc:
    secret:
      create: true
      name: oidc
 ```
 3. Using external secret:
 ```yaml
 config:
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: your-oidc-secret
 ```
 ### Deployment Configuration
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | replicaCount | int | `1` | Number of desired pods |
 | image.registry | string | `"ghcr.io"` | Container image registry |
 | image.repository | string | `"headlamp-k8s/headlamp"` | Container image name |
 | image.tag | string | `""` | Container image tag (defaults to Chart appVersion) |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
 | imagePullSecrets | list | `[]` | Image pull secrets references |
 | nameOverride | string | `""` | Override the name of the chart |
 | fullnameOverride | string | `""` | Override the full name of the chart |
 | namespaceOverride | string | `""` | Override the deployment namespace; defaults to .Release.Namespace |
 | initContainers | list | `[]` | Init containers to run before main container |
 ### Security Configuration
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | automountServiceAccountToken | bool | `true` | Mount Service Account token in pod |
 | serviceAccount.create | bool | `true` | Create service account |
 | serviceAccount.name | string | `""` | Service account name |
 | serviceAccount.annotations | object | `{}` | Service account annotations |
 | clusterRoleBinding.create | bool | `true` | Create cluster role binding |
 | clusterRoleBinding.clusterRoleName | string | `"cluster-admin"` | Kubernetes ClusterRole name |
 | clusterRoleBinding.annotations | object | `{}` | Cluster role binding annotations |
 | hostUsers | bool | `true` | Run in host uid namespace |
 | podSecurityContext | object | `{}` | Pod security context (e.g., fsGroup: 2000) |
 | securityContext.runAsNonRoot | bool | `true` | Run container as non-root |
 | securityContext.privileged | bool | `false` | Run container in privileged mode |
 | securityContext.runAsUser | int | `100` | User ID to run container |
 | securityContext.runAsGroup | int | `101` | Group ID to run container |
 | securityContext.capabilities | object | `{}` | Container capabilities (e.g., drop: [ALL]) |
 | securityContext.readOnlyRootFilesystem | bool | `false` | Mount root filesystem as read-only |
 NOTE: for `hostUsers=false` user namespaces must be supported. See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
 ### Storage Configuration
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | persistentVolumeClaim.enabled | bool | `false` | Enable PVC |
 | persistentVolumeClaim.annotations | object | `{}` | PVC annotations |
 | persistentVolumeClaim.size | string | `""` | PVC size (required if enabled) |
 | persistentVolumeClaim.storageClassName | string | `""` | Storage class name |
 | persistentVolumeClaim.accessModes | list | `[]` | PVC access modes |
 | persistentVolumeClaim.selector | object | `{}` | PVC selector |
 | persistentVolumeClaim.volumeMode | string | `""` | PVC volume mode |
 | volumeMounts | list | `[]` | Container volume mounts |
 | volumes | list | `[]` | Pod volumes |
 ### Network Configuration
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | service.type | string | `"ClusterIP"` | Kubernetes service type |
 | service.port | int | `80` | Kubernetes service port |
 | ingress.enabled | bool | `false` | Enable ingress |
 | ingress.ingressClassName | string | `""` | Ingress class name |
 | ingress.annotations | object | `{}` | Ingress annotations (e.g., kubernetes.io/tls-acme: "true") |
 | ingress.labels | object | `{}` | Additional labels for the Ingress resource |
 | ingress.hosts | list | `[]` | Ingress hosts configuration |
 | ingress.tls | list | `[]` | Ingress TLS configuration |
 Example ingress configuration:
 ```yaml
 ingress:
  enabled: true
  annotations:
    kubernetes.io/tls-acme: "true"
  labels:
    app.kubernetes.io/part-of: traefik
    environment: prod
  hosts:
    - host: headlamp.example.com
      paths:
        - path: /
          type: ImplementationSpecific
  tls:
    - secretName: headlamp-tls
      hosts:
        - headlamp.example.com
 ```
 ### HTTPRoute Configuration (Gateway API)
 For users who prefer Gateway API over classic Ingress resources, Headlamp supports HTTPRoute configuration.
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | httpRoute.enabled | bool | `false` | Enable HTTPRoute resource for Gateway API |
 | httpRoute.annotations | object | `{}` | Annotations for HTTPRoute resource |
 | httpRoute.labels | object | `{}` | Additional labels for HTTPRoute resource |
 | httpRoute.parentRefs | list | `[]` | Parent gateway references (REQUIRED when enabled) |
 | httpRoute.hostnames | list | `[]` | Hostnames for the HTTPRoute |
 | httpRoute.rules | list | `[]` | Custom routing rules (optional, defaults to path prefix /) |
 Example HTTPRoute configuration:
 ```yaml
 httpRoute:
  enabled: true
  annotations:
    gateway.example.com/custom-annotation: "value"
  labels:
    app.kubernetes.io/component: ingress
  parentRefs:
    - name: my-gateway
      namespace: gateway-namespace
  hostnames:
    - headlamp.example.com
  # Optional custom rules (defaults to path prefix / if not specified)
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /headlamp
      backendRefs:
        - name: my-headlamp
          port: 80
 ```
 ### Resource Management
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | resources | object | `{}` | Container resource requests/limits |
 | nodeSelector | object | `{}` | Node labels for pod assignment |
 | tolerations | list | `[]` | Pod tolerations |
 | affinity | object | `{}` | Pod affinity settings |
 | topologySpreadConstraints | list | `[]` | Topology spread constraints for pod assignment |
 | podAnnotations | object | `{}` | Pod annotations |
 | podLabels | object | `{}` | Pod labels |
 | env | list | `[]` | Additional environment variables |
 Example resource configuration:
 ```yaml
 resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
 ```
 Example environment variables:
 ```yaml
 env:
  - name: KUBERNETES_SERVICE_HOST
    value: "localhost"
  - name: KUBERNETES_SERVICE_PORT
    value: "6443"
 ```
 Example topology spread constraints:
 ```yaml
 # Spread pods across availability zones with best-effort scheduling
 topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway  # Prefer spreading but allow scheduling even if it violates the constraint
    matchLabelKeys:
      - pod-template-hash
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule  # Hard requirement - don't schedule if it violates the constraint
    matchLabelKeys:
      - pod-template-hash
 ```
 The `labelSelector` is automatically populated with the pod's selector labels if not specified. You can also provide a custom `labelSelector`:
 ```yaml
 topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        app.kubernetes.io/name: headlamp
        custom-label: value
 ```
 ### Pod Disruption Budget (PDB)
 | Key | Type | Default | Description |
 |-----|------|---------|-------------|
 | podDisruptionBudget.enabled | bool | `false` | Create a PodDisruptionBudget resource |
 | podDisruptionBudget.minAvailable | integer \| string \| null | `0` | Minimum pods that must be available. Rendered only when set to a positive integer or a percentage string (e.g. `"1"` or `"50%"`). Schema default is 0, but the chart skips rendering `0`. |
 | podDisruptionBudget.maxUnavailable | integer \| string \| null | `null` | Maximum pods allowed to be unavailable. Accepts integer >= 0 or percentage string. Mutually exclusive with `minAvailable`; the template renders this field when set. |
 | podDisruptionBudget.unhealthyPodEvictionPolicy | string \| null | `null` | Eviction policy: `"IfHealthyBudget"` or `"AlwaysAllow"`. Emitted only on clusters running Kubernetes >= 1.27 and when explicitly set in values. |
 Note: Ensure `minAvailable` and `maxUnavailable` are not both set (use `null` to disable one). To include `minAvailable` in the rendered PDB, set a positive integer or percentage; the template omits a `0` value.
 Example, Require at least 1 pod available (ensure maxUnavailable is disabled):
 ```yaml
 podDisruptionBudget:
  enabled: true
  minAvailable: 1
  maxUnavailable: null
 ```
 Example, Allow up to 50% of pods to be unavailable:
 ```yaml
 podDisruptionBudget:
  enabled: true
  maxUnavailable: "50%"
  minAvailable: null
 ```
 Example, Set unhealthyPodEvictionPolicy (requires Kubernetes >= 1.27):
 ```yaml
 podDisruptionBudget:
  enabled: true
  maxUnavailable: 1
  minAvailable: null
  unhealthyPodEvictionPolicy: "IfHealthyBudget"
 ```
 Ensure your replicaCount and maintenance procedures respect the configured PDB to avoid blocking intended operations.
 ### pluginsManager Configuration
 | Key           | Type    | Default           | Description                                                                               |
 | ------------- | ------- | ----------------- | ----------------------------------------------------------------------------------------- |
 | enabled       | boolean | `false`           | Enable plugin manager                                                                     |
 | configFile    | string  | `plugin.yml`      | Plugin configuration file name                                                            |
 | configContent | string  | `""`              | Plugin configuration content in YAML format. This is required if plugins.enabled is true. |
 | baseImage     | string  | `node:lts-alpine` | Base node image to use                                                                    |
 | version       | string  | `latest`          | Headlamp plugin package version to install                                                |
 | env           | list    | `[]`              | Plugin manager env variable configuration                                                 |
 | resources     | object  | `{}`              | Plugin manager resource requests/limits                                                   |
 | volumeMounts  | list    | `[]`              | Plugin manager volume mounts                                                              |
 Example resource configuration:
 ```yaml
 pluginsManager:
  enabled: true
  baseImage: node:lts-alpine
  version: latest
  env:
    - name: HTTPS_PROXY
      value: "proxy.example.com:8080"
  resources:
    requests:
      cpu: "500m"
      memory: "2048Mi"
    limits:
      cpu: "1"
      memory: "4Gi"
 ```
 ## Contributing
 We welcome contributions to the Headlamp Helm chart! To contribute:
 1. Fork the repository and create your branch from `main`.
 2. Make your changes and test them thoroughly.
 3. Run Helm chart template tests to ensure your changes don't break existing functionality:
   ```console
   $ make helm-template-test
   ```
   This command executes the script at `charts/headlamp/tests/test.sh` to validate Helm chart templates against expected templates.
 4. If you've made changes that intentionally affect the rendered templates (like version updates or new features):
   ```console
   $ make helm-update-template-version
   ```
   This updates the expected templates with the current versions from Chart.yaml and only shows files where versions changed.
 5. Review the updated templates carefully to ensure they contain only your intended changes.
 6. Submit a pull request with a clear description of your changes.
 For more details, refer to our [contributing guidelines](https://github.com/kubernetes-sigs/headlamp/blob/main/CONTRIBUTING.md).
 ## Links
 - [GitHub Repository](https://github.com/kubernetes-sigs/headlamp)
 - [Documentation](https://headlamp.dev/)
 - [Maintainers](https://github.com/kubernetes-sigs/headlamp/blob/main/OWNERS_ALIASES)
--- a/headlamp/templates/NOTES.txt
+++ b/headlamp/templates/NOTES.txt
@ -0,0 +1,32 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
  {{- range .paths }}
  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ include "headlamp.namespace" . }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "headlamp.fullname" . }})
  export NODE_IP=$(kubectl get nodes --namespace {{ include "headlamp.namespace" . }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch the status of by running 'kubectl get --namespace {{ include "headlamp.namespace" . }} svc -w {{ include "headlamp.fullname" . }}'
  export SERVICE_IP=$(kubectl get svc --namespace {{ include "headlamp.namespace" . }} {{ include "headlamp.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
  export POD_NAME=$(kubectl get pods --namespace {{ include "headlamp.namespace" . }} -l "app.kubernetes.io/name={{ include "headlamp.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace {{ include "headlamp.namespace" . }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace {{ include "headlamp.namespace" . }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
 {{- if .Values.clusterRoleBinding.create }}
  {{- if and ( ge .Capabilities.KubeVersion.Major "1" ) ( ge .Capabilities.KubeVersion.Minor "24" ) }}
 2. Get the token using
  kubectl create token {{ include "headlamp.serviceAccountName" . }} --namespace {{ include "headlamp.namespace" . }}
  {{- else }}
 2. Get the clusterrolebinding token using
  export SECRET=$(kubectl get secrets --namespace {{ include "headlamp.namespace" . }} -o custom-columns=":metadata.name" | grep "{{ include "headlamp.fullname" . }}-token")
  kubectl get secret $SECRET --namespace {{ include "headlamp.namespace" . }} --template=\{\{.data.token\}\} | base64 --decode
  {{- end }}
 {{- end }}
--- a/headlamp/templates/_helpers.tpl
+++ b/headlamp/templates/_helpers.tpl
@ -0,0 +1,76 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "headlamp.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "headlamp.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Expand the namespace of the release.
 Allows overriding it for multi-namespace deployments in combined charts.
 */}}
 {{- define "headlamp.namespace" -}}
  {{- if .Values.namespaceOverride }}
    {{- .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
  {{- else if .Release.Namespace }}
    {{- .Release.Namespace | trunc 63 | trimSuffix "-" -}}
  {{- else -}}
    default
  {{- end -}}
 {{- end -}}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "headlamp.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "headlamp.labels" -}}
 helm.sh/chart: {{ include "headlamp.chart" . }}
 {{ include "headlamp.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "headlamp.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "headlamp.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "headlamp.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- default (include "headlamp.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
--- a/headlamp/templates/clusterrolebinding.yaml
+++ b/headlamp/templates/clusterrolebinding.yaml
@ -0,0 +1,20 @@
 {{- if .Values.clusterRoleBinding.create -}}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: {{ include "headlamp.fullname" . }}-admin
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
  {{- with .Values.clusterRoleBinding.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: {{ .Values.clusterRoleBinding.clusterRoleName }}
 subjects:
 - kind: ServiceAccount
  name: {{ include "headlamp.serviceAccountName" . }}
  namespace: {{ include "headlamp.namespace" . }}
 {{- end }}
--- a/headlamp/templates/deployment.yaml
+++ b/headlamp/templates/deployment.yaml
@ -0,0 +1,436 @@
 {{- $oidc := .Values.config.oidc }}
 {{- $env := .Values.env }}
 {{- $clientID := "" }}
 {{- $clientSecret := "" }}
 {{- $issuerURL := "" }}
 {{- $scopes := "" }}
 {{- $callbackURL := "" }}
 {{- $validatorClientID := "" }}
 {{- $validatorIssuerURL := "" }}
 {{- $usePKCE := "" }}
 {{- $useAccessToken := "" }}
 {{- $meUserInfoURL := "" }}
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 {{- range $env }}
  {{- if eq .name "OIDC_CLIENT_ID" }}
    {{- $clientID = .value }}
  {{- end }}
  {{- if eq .name "OIDC_CLIENT_SECRET" }}
    {{- $clientSecret = .value }}
  {{- end }}
  {{- if eq .name "OIDC_ISSUER_URL" }}
    {{- $issuerURL = .value }}
  {{- end }}
  {{- if eq .name "OIDC_SCOPES" }}
    {{- $scopes = .value }}
  {{- end }}
  {{- if eq .name "OIDC_CALLBACK_URL" }}
    {{- $callbackURL = .value }}
  {{- end }}
  {{- if eq .name "OIDC_VALIDATOR_CLIENT_ID" }}
    {{- $validatorClientID = .value }}
  {{- end }}
  {{- if eq .name "OIDC_VALIDATOR_ISSUER_URL" }}
    {{- $validatorIssuerURL = .value }}
  {{- end }}
  {{- if eq .name "OIDC_USE_ACCESS_TOKEN" }}
    {{- $useAccessToken = .value | toString }}
  {{- end }}
  {{- if eq .name "OIDC_USE_PKCE" }}
    {{- $usePKCE = .value | toString }}
  {{- end }}
  {{- if eq .name "ME_USER_INFO_URL" }}
    {{- $meUserInfoURL = .value | toString }}
  {{- end }}
 {{- end }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "headlamp.fullname" . }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
  {{- with .Values.deploymentAnnotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  replicas: {{ .Values.replicaCount }}
  selector:
    matchLabels:
      {{- include "headlamp.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "headlamp.selectorLabels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- tpl (toYaml .) $ | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "headlamp.serviceAccountName" . }}
      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
      hostUsers: {{ .Values.hostUsers }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      {{- with .Values.initContainers }}
      initContainers:
        {{ toYaml . | nindent 8 }}
      {{- end }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- if .Values.securityContext }}
              {{- toYaml .Values.securityContext | nindent 12 }}
            {{- else }}
              {{- $defaultSC := dict "allowPrivilegeEscalation" false "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault") "capabilities" (dict "drop" (list "ALL")) }}
              {{- toYaml $defaultSC | nindent 12 }}
            {{- end }}
          image: "{{ .Values.image.registry}}/{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          {{ if or $oidc .Values.env }}
          {{- if $oidc.externalSecret.enabled }}
          # Check if externalSecret is enabled
          envFrom:
          - secretRef:
              name: {{ $oidc.externalSecret.name }}
          {{- if .Values.env }}
          env:
            {{- toYaml .Values.env | nindent 12 }}
          {{- end }}
          {{- else }}
          env:
            {{- if $oidc.secret.create }}
            {{- if $oidc.clientID }}
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: clientID
            {{- end }}
            {{- if $oidc.clientSecret }}
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: clientSecret
            {{- end }}
            {{- if $oidc.issuerURL }}
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: issuerURL
            {{- end }}
            {{- if $oidc.scopes }}
            - name: OIDC_SCOPES
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: scopes
            {{- end }}
            {{- if $oidc.callbackURL }}
            - name: OIDC_CALLBACK_URL
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: callbackURL
            {{- end }}
            {{- if $oidc.validatorClientID }}
            - name: OIDC_VALIDATOR_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: validatorClientID
            {{- end }}
            {{- if $oidc.validatorIssuerURL }}
            - name: OIDC_VALIDATOR_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: validatorIssuerURL
            {{- end }}
            {{- if $oidc.useAccessToken }}
            - name: OIDC_USE_ACCESS_TOKEN
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: useAccessToken
            {{- end }}
            {{- if $oidc.usePKCE }}
            - name: OIDC_USE_PKCE
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: usePKCE
            {{- end }}
            {{- if $oidc.meUserInfoURL }}
            - name: ME_USER_INFO_URL
              valueFrom:
                secretKeyRef:
                  name: {{ $oidc.secret.name }}
                  key: meUserInfoURL
            {{- end }}
            {{- else }}
            {{- if $oidc.clientID }}
            - name: OIDC_CLIENT_ID
              value: {{ $oidc.clientID }}
            {{- end }}
            {{- if $oidc.clientSecret }}
            - name: OIDC_CLIENT_SECRET
              value: {{ $oidc.clientSecret }}
            {{- end }}
            {{- if $oidc.issuerURL }}
            - name: OIDC_ISSUER_URL
              value: {{ $oidc.issuerURL }}
            {{- end }}
            {{- if $oidc.scopes }}
            - name: OIDC_SCOPES
              value: {{ $oidc.scopes }}
            {{- end }}
            {{- if $oidc.callbackURL }}
            - name: OIDC_CALLBACK_URL
              value: {{ $oidc.callbackURL }}
            {{- end }}
            {{- if $oidc.validatorClientID }}
            - name: OIDC_VALIDATOR_CLIENT_ID
              value: {{ $oidc.validatorClientID }}
            {{- end }}
            {{- if $oidc.validatorIssuerURL }}
            - name: OIDC_VALIDATOR_ISSUER_URL
              value: {{ $oidc.validatorIssuerURL }}
            {{- end }}
            {{- if $oidc.useAccessToken }}
            - name: OIDC_USE_ACCESS_TOKEN
              value: {{ $oidc.useAccessToken | quote }}
            {{- end }}
            {{- if $oidc.usePKCE }}
            - name: OIDC_USE_PKCE
              value: {{ $oidc.usePKCE | quote }}
            {{- end }}
            {{- if $oidc.meUserInfoURL }}
            - name: ME_USER_INFO_URL
              value: {{ $oidc.meUserInfoURL }}
            {{- end }}
            {{- end }}
            {{- if .Values.env }}
            {{- toYaml .Values.env | nindent 12 }}
            {{- end }}
          {{- end }}
          {{- end }}
          args:
            {{- if .Values.config.inCluster }}
            - "-in-cluster"
            {{- if .Values.config.inClusterContextName }}
            - "-in-cluster-context-name={{ .Values.config.inClusterContextName }}"
            {{- end }}
            {{- end }}
            {{- with .Values.config.enableHelm }}
            - "-enable-helm"
            {{- end }}
            {{- if .Values.config.watchPlugins }}
            - "-watch-plugins-changes"
            {{- end }}
            {{- with .Values.config.pluginsDir}}
            - "-plugins-dir={{ . }}"
            {{- end }}
            {{- if hasKey .Values.config "sessionTTL" }}
            - "-session-ttl={{ .Values.config.sessionTTL }}"
            {{- end }}
            {{- if not $oidc.externalSecret.enabled}}
            # Check if externalSecret is disabled
            {{- if or (ne $oidc.clientID "") (ne $clientID "") }}
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            {{- end }}
            {{- if or (ne $oidc.clientSecret "") (ne $clientSecret "") }}
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            {{- end }}
            {{- if or (ne $oidc.issuerURL "") (ne $issuerURL "") }}
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            {{- end }}
            {{- if or (ne $oidc.scopes "") (ne $scopes "") }}
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
            {{- end }}
            {{- if or (ne $oidc.callbackURL "") (ne $callbackURL "") }}
            # Check if callbackURL is non empty either from env or oidc.config
            - "-oidc-callback-url=$(OIDC_CALLBACK_URL)"
            {{- end }}
            {{- if or (ne $oidc.validatorClientID "") (ne $validatorClientID "") }}
            # Check if validatorClientID is non empty either from env or oidc.config
            - "-oidc-validator-client-id=$(OIDC_VALIDATOR_CLIENT_ID)"
            {{- end }}
            {{- if or (ne $oidc.validatorIssuerURL "") (ne $validatorIssuerURL "") }}
            # Check if validatorIssuerURL is non empty either from env or oidc.config
            - "-oidc-validator-idp-issuer-url=$(OIDC_VALIDATOR_ISSUER_URL)"
            {{- end }}
            {{- if or (ne ($oidc.useAccessToken | toString) "false") (ne $useAccessToken "") }}
            # Check if useAccessToken is non false either from env or oidc.config
            - "-oidc-use-access-token=$(OIDC_USE_ACCESS_TOKEN)"
            {{- end }}
            {{- if or (eq ($oidc.usePKCE | toString) "true") (eq $usePKCE "true") }}
            - "-oidc-use-pkce=$(OIDC_USE_PKCE)"
            {{- end }}
            {{- if or (ne $oidc.meUserInfoURL "") (ne $meUserInfoURL "") }}
            - "-me-user-info-url=$(ME_USER_INFO_URL)"
            {{- end }}
            {{- else }}
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            - "-oidc-scopes=$(OIDC_SCOPES)"
            {{- if or (ne $oidc.callbackURL "") (ne $callbackURL "") }}
            # Check if callbackURL is non empty either from env or oidc.config
            - "-oidc-callback-url=$(OIDC_CALLBACK_URL)"
            {{- end }}
            {{- if or (eq ($oidc.usePKCE | toString) "true") (eq $usePKCE "true") }}
            - "-oidc-use-pkce=$(OIDC_USE_PKCE)"
            {{- end }}
            {{- if or (ne $oidc.validatorClientID "") (ne $validatorClientID "") }}
            # Check if validatorClientID is non empty either from env or oidc.config
            - "-oidc-validator-client-id=$(OIDC_VALIDATOR_CLIENT_ID)"
            {{- end }}
            {{- if or (ne $oidc.validatorIssuerURL "") (ne $validatorIssuerURL "") }}
            # Check if validatorIssuerURL is non empty either from env or oidc.config
            - "-oidc-validator-idp-issuer-url=$(OIDC_VALIDATOR_ISSUER_URL)"
            {{- end }}
            {{- if or (eq ($oidc.useAccessToken | toString) "true") (eq $useAccessToken "true") }}
            # Check if useAccessToken is non false either from env or oidc.config
            - "-oidc-use-access-token=$(OIDC_USE_ACCESS_TOKEN)"
            {{- end }}
            {{- if or (ne $oidc.meUserInfoURL "") (ne $meUserInfoURL "") }}
            - "-me-user-info-url=$(ME_USER_INFO_URL)"
            {{- end }}
            {{- end }}
            {{- with .Values.config.baseURL }}
            - "-base-url={{ . }}"
            {{- end }}
            {{- with .Values.config.tlsCertPath }}
            - "-tls-cert-path={{ . }}"
            {{- end }}
            {{- with .Values.config.tlsKeyPath }}
            - "-tls-key-path={{ . }}"
            {{- end }}
            {{- with .Values.config.extraArgs }}
              {{- toYaml . | nindent 12 }}
            {{- end }}
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "{{ .Values.config.baseURL }}/"
              port: http
          readinessProbe:
            httpGet:
              path: "{{ .Values.config.baseURL }}/"
              port: http
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- if or .Values.pluginsManager.enabled .Values.volumeMounts }}
          volumeMounts:
            {{- if .Values.pluginsManager.enabled }}
            - name: plugins-dir
              mountPath: {{ .Values.config.pluginsDir }}
            {{- end }}
            {{- with .Values.volumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          {{- end }}
        {{- if .Values.pluginsManager.enabled }}
        - name: headlamp-plugin
          image: {{ .Values.pluginsManager.baseImage }}
          command: ["/bin/sh", "-c"]
          {{- if .Values.pluginsManager.env }}
          env:
            {{- toYaml .Values.pluginsManager.env | nindent 12 }}
          {{- end }}
          args:
            - |
              if [ -f "/config/plugin.yml" ]; then
                echo "Installing plugins from config..."
                cat /config/plugin.yml
                # Use a writable cache directory
                export NPM_CONFIG_CACHE=/tmp/npm-cache
                # Use a writable config directory
                export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
                mkdir -p /tmp/npm-cache /tmp/npm-userconfig
                npx --yes @headlamp-k8s/pluginctl@{{ .Values.pluginsManager.version }} install --config /config/plugin.yml --folderName {{ .Values.config.pluginsDir }} --watch
              fi
          volumeMounts:
            - name: plugins-dir
              mountPath: {{ .Values.config.pluginsDir }}
            - name: plugin-config
              mountPath: /config
            {{- with .Values.pluginsManager.volumeMounts }}
            {{- toYaml . | nindent 12 }}
            {{- end }}
          resources:
            {{- toYaml .Values.pluginsManager.resources | nindent 12 }}
          securityContext:
            {{- if .Values.pluginsManager.securityContext }}
              {{- toYaml .Values.pluginsManager.securityContext | nindent 12 }}
            {{- else if $.Values.securityContext }}
              {{- toYaml $.Values.securityContext | nindent 12 }}
            {{- else }}
              {{- $defaultSC := dict "allowPrivilegeEscalation" false "runAsNonRoot" true "seccompProfile" (dict "type" "RuntimeDefault") "capabilities" (dict "drop" (list "ALL")) }}
              {{- toYaml $defaultSC | nindent 12 }}
            {{- end }}
        {{- end }}
        {{- with .Values.extraContainers }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.topologySpreadConstraints }}
      topologySpreadConstraints:
        {{- range $constraint := . }}
        - {{ toYaml $constraint | nindent 10 }}
          {{- if not $constraint.labelSelector }}
          labelSelector:
            matchLabels:
              {{- include "headlamp.selectorLabels" $ | nindent 14 }}
          {{- end }}
        {{- end }}
      {{- end }}
      {{- with .Values.priorityClassName }}
      priorityClassName: {{ . | quote }}
      {{- end }}
      {{- if or .Values.pluginsManager.enabled .Values.volumes }}
      volumes:
        {{- if .Values.pluginsManager.enabled }}
        - name: plugins-dir
          emptyDir: {}
        - name: plugin-config
          configMap:
            name: {{ include "headlamp.fullname" . }}-plugin-config
        {{- end }}
        {{- with .Values.volumes}}
        {{- toYaml . | nindent 8 }}
        {{- end }}
      {{- end }}
--- a/headlamp/templates/extra-manifests.yaml
+++ b/headlamp/templates/extra-manifests.yaml
@ -0,0 +1,6 @@
 {{- if .Values.extraManifests }}
 {{- range $manifest := .Values.extraManifests }}
 ---
 {{- tpl $manifest $ | nindent 0 }}
 {{- end }}
 {{- end }}
--- a/headlamp/templates/httproute.yaml
+++ b/headlamp/templates/httproute.yaml
@ -0,0 +1,37 @@
 {{- if .Values.httpRoute.enabled -}}
 {{- $fullName := include "headlamp.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: {{ $fullName }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
    {{- with .Values.httpRoute.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.httpRoute.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  parentRefs:
    {{- required "A valid .Values.httpRoute.parentRefs entry is required when httpRoute.enabled is true" .Values.httpRoute.parentRefs | toYaml | nindent 4 }}
  {{- with .Values.httpRoute.hostnames }}
  hostnames:
    {{- toYaml . | nindent 4 }}
  {{- end }}
  rules:
    {{- if .Values.httpRoute.rules }}
    {{- toYaml .Values.httpRoute.rules | nindent 4 }}
    {{- else }}
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: {{ $fullName }}
          port: {{ $svcPort }}
    {{- end }}
 {{- end }}
--- a/headlamp/templates/ingress.yaml
+++ b/headlamp/templates/ingress.yaml
@ -0,0 +1,51 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "headlamp.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
 {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
 {{- else -}}
 apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
    {{- with .Values.ingress.labels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{- if .Values.ingress.ingressClassName }}
  ingressClassName: {{ .Values.ingress.ingressClassName }} 
  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            pathType: {{ .type }}
            backend:
              service:
                name: {{ $fullName }}
                port: 
                  number: {{ $svcPort }}
          {{- end }}
    {{- end }}
 {{- end }}
--- a/headlamp/templates/pdb.yaml
+++ b/headlamp/templates/pdb.yaml
@ -0,0 +1,26 @@
 {{- if .Values.podDisruptionBudget.enabled }}
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: {{ include "headlamp.fullname" . }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
 spec:
  {{- with .Values.podDisruptionBudget.maxUnavailable }}
  maxUnavailable: {{ . }}
  {{- end }}
  {{- with .Values.podDisruptionBudget.minAvailable }}
  minAvailable: {{ . }}
  {{- end }}
  {{- if (semverCompare ">= 1.27-0" .Capabilities.KubeVersion.Version) }}
  {{- if hasKey .Values.podDisruptionBudget "unhealthyPodEvictionPolicy" }}
  {{- with .Values.podDisruptionBudget.unhealthyPodEvictionPolicy }}
  unhealthyPodEvictionPolicy: {{ . }}
  {{- end }}
  {{- end }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "headlamp.selectorLabels" . | nindent 6 }}
 {{- end }}
--- a/headlamp/templates/plugin-configmap.yaml
+++ b/headlamp/templates/plugin-configmap.yaml
@ -0,0 +1,11 @@
 {{- if .Values.pluginsManager.enabled -}}
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "headlamp.fullname" . }}-plugin-config
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
 data:
  plugin.yml: |{{ .Values.pluginsManager.configContent | nindent 4 }}
 {{- end }}
--- a/headlamp/templates/pvc.yaml
+++ b/headlamp/templates/pvc.yaml
@ -0,0 +1,32 @@
 {{- if .Values.persistentVolumeClaim.enabled -}}
 {{- $fullName := include "headlamp.fullname" . -}}
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: {{ $fullName }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
  {{- with .Values.persistentVolumeClaim.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{- range .Values.persistentVolumeClaim.accessModes}}
  accessModes:
    - {{ . }}
  {{- end}}
  resources:
    requests:
      storage: {{ required "A valid .Values.persistentVolumeClaim.size entry required!" .Values.persistentVolumeClaim.size }}
  {{- with .Values.persistentVolumeClaim.volumeMode }}
  volumeMode: {{ . }}
  {{- end }}
  {{- with .Values.persistentVolumeClaim.storageClassName }}
  storageClassName: {{ . }}
  {{- end }}
  {{- with .Values.persistentVolumeClaim.selector }}
  selector:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end}}
--- a/headlamp/templates/secret.yaml
+++ b/headlamp/templates/secret.yaml
@ -0,0 +1,41 @@
 {{- with .Values.config.oidc }}
 {{- if .secret.create -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ .secret.name }}
  namespace: {{ include "headlamp.namespace" $ }}
 type: Opaque
 data:
 {{- with .clientID }}
  clientID: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .clientSecret }}
  clientSecret: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .issuerURL }}
  issuerURL: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .scopes }}
  scopes: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .callbackURL }}
  callbackURL: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .validatorClientID }}
  validatorClientID: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .validatorIssuerURL }}
  validatorIssuerURL: {{ . | b64enc | quote }}
 {{- end }}
 {{- with .useAccessToken }}
  useAccessToken: {{ . | toString | b64enc | quote }}
 {{- end }}
 {{- with .usePKCE }}
  usePKCE: {{ . | toString | b64enc | quote }}
 {{- end }}
 {{- with .meUserInfoURL }}
  meUserInfoURL: {{ . | b64enc | quote }}
 {{- end }}
 {{- end }}
 {{- end }}
--- a/headlamp/templates/service.yaml
+++ b/headlamp/templates/service.yaml
@ -0,0 +1,35 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "headlamp.fullname" . }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
  {{- with .Values.service.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  type: {{ .Values.service.type }}
  {{- if and .Values.service.clusterIP (eq .Values.service.type "ClusterIP") }}
  clusterIP: {{ .Values.service.clusterIP }}
  {{- end }}
  {{- if (or (eq .Values.service.type "LoadBalancer") (eq .Values.service.type "NodePort")) }}
  externalTrafficPolicy: {{ .Values.service.externalTrafficPolicy | quote }}
  {{- end }}
  {{ if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerSourceRanges))) }}
  loadBalancerSourceRanges: {{ .Values.service.loadBalancerSourceRanges | toYaml | nindent 2 }}
  {{ end }}
  {{- if (and (eq .Values.service.type "LoadBalancer") (not (empty .Values.service.loadBalancerIP))) }}
  loadBalancerIP: {{ .Values.service.loadBalancerIP }}
  {{- end }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
      {{- if and (or (eq .Values.service.type "NodePort") (eq .Values.service.type "LoadBalancer")) (not (empty .Values.service.nodePort)) }}
      nodePort: {{ .Values.service.nodePort }}
      {{- end }}
  selector:
    {{- include "headlamp.selectorLabels" . | nindent 4 }}
--- a/headlamp/templates/serviceaccount.yaml
+++ b/headlamp/templates/serviceaccount.yaml
@ -0,0 +1,13 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "headlamp.serviceAccountName" . }}
  namespace: {{ include "headlamp.namespace" . }}
  labels:
    {{- include "headlamp.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 {{- end }}
--- a/headlamp/tests/expected_templates/azure-oidc-with-validators.yaml
+++ b/headlamp/tests/expected_templates/azure-oidc-with-validators.yaml
@ -0,0 +1,145 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              value: azure-client-id
            - name: OIDC_CLIENT_SECRET
              value: azure-client-secret
            - name: OIDC_ISSUER_URL
              value: https://login.microsoftonline.com/tenant-id/v2.0
            - name: OIDC_SCOPES
              value: openid email profile
            - name: OIDC_VALIDATOR_CLIENT_ID
              value: azure-validator-client-id
            - name: OIDC_VALIDATOR_ISSUER_URL
              value: https://login.microsoftonline.com/tenant-id/v2.0
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
            # Check if validatorClientID is non empty either from env or oidc.config
            - "-oidc-validator-client-id=$(OIDC_VALIDATOR_CLIENT_ID)"
            # Check if validatorIssuerURL is non empty either from env or oidc.config
            - "-oidc-validator-idp-issuer-url=$(OIDC_VALIDATOR_ISSUER_URL)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/default.yaml
+++ b/headlamp/tests/expected_templates/default.yaml
@ -0,0 +1,130 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/extra-args.yaml
+++ b/headlamp/tests/expected_templates/extra-args.yaml
@ -0,0 +1,131 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            - -insecure-ssl
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/extra-manifests.yaml
+++ b/headlamp/tests/expected_templates/extra-manifests.yaml
@ -0,0 +1,147 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/extra-manifests.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: dummy-configmap
 data:
  key1: value1
  key2: value2
 ---
 # Source: headlamp/templates/extra-manifests.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: configmap-with-templated-data
 data:
  injectedKey: headlamp
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/host-users-override.yaml
+++ b/headlamp/tests/expected_templates/host-users-override.yaml
@ -0,0 +1,130 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: false
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/httproute-enabled.yaml
+++ b/headlamp/tests/expected_templates/httproute-enabled.yaml
@ -0,0 +1,160 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
 ---
 # Source: headlamp/templates/httproute.yaml
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/component: ingress
  annotations:
    gateway.example.com/annotation: test
 spec:
  parentRefs:
    - name: my-gateway
      namespace: gateway-namespace
  hostnames:
    - headlamp.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: headlamp
          port: 80
--- a/headlamp/tests/expected_templates/me-user-info-url-directly.yaml
+++ b/headlamp/tests/expected_templates/me-user-info-url-directly.yaml
@ -0,0 +1,133 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: ME_USER_INFO_URL
              value: /oauth2/userinfocustom1
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            - "-me-user-info-url=$(ME_USER_INFO_URL)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/me-user-info-url.yaml
+++ b/headlamp/tests/expected_templates/me-user-info-url.yaml
@ -0,0 +1,137 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
  meUserInfoURL: "L29hdXRoMi91c2VyaW5mb2N1c3RvbTI="
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: ME_USER_INFO_URL
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: meUserInfoURL
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            - "-me-user-info-url=$(ME_USER_INFO_URL)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/namespace-override-oidc-create-secret.yaml
+++ b/headlamp/tests/expected_templates/namespace-override-oidc-create-secret.yaml
@ -0,0 +1,162 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: mynamespace2
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: mynamespace2
 type: Opaque
 data:
  clientID: "dGVzdENsaWVudElk"
  clientSecret: "dGVzdENsaWVudFNlY3JldA=="
  issuerURL: "dGVzdElzc3VlclVSTA=="
  scopes: "dGVzdFNjb3Bl"
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: mynamespace2
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: mynamespace2
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: mynamespace2
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: clientID
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: clientSecret
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: issuerURL
            - name: OIDC_SCOPES
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: scopes
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/namespace-override.yaml
+++ b/headlamp/tests/expected_templates/namespace-override.yaml
@ -0,0 +1,130 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: mynamespace
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: mynamespace
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: mynamespace
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: mynamespace
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: mynamespace
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/non-azure-oidc.yaml
+++ b/headlamp/tests/expected_templates/non-azure-oidc.yaml
@ -0,0 +1,137 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              value: generic-oidc-client
            - name: OIDC_CLIENT_SECRET
              value: generic-oidc-secret
            - name: OIDC_ISSUER_URL
              value: https://auth.example.com
            - name: OIDC_SCOPES
              value: openid email profile
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/oidc-create-secret.yaml
+++ b/headlamp/tests/expected_templates/oidc-create-secret.yaml
@ -0,0 +1,162 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
  clientID: "dGVzdENsaWVudElk"
  clientSecret: "dGVzdENsaWVudFNlY3JldA=="
  issuerURL: "dGVzdElzc3VlclVSTA=="
  scopes: "dGVzdFNjb3Bl"
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: clientID
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: clientSecret
            - name: OIDC_ISSUER_URL
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: issuerURL
            - name: OIDC_SCOPES
              valueFrom:
                secretKeyRef:
                  name: oidc
                  key: scopes
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/oidc-directly-env.yaml
+++ b/headlamp/tests/expected_templates/oidc-directly-env.yaml
@ -0,0 +1,146 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              value: testClientId
            - name: OIDC_CLIENT_SECRET
              value: testClientSecret
            - name: OIDC_ISSUER_URL
              value: testIssuerURL
            - name: OIDC_SCOPES
              value: testScope
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/oidc-directly.yaml
+++ b/headlamp/tests/expected_templates/oidc-directly.yaml
@ -0,0 +1,137 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              value: testClientId
            - name: OIDC_CLIENT_SECRET
              value: testClientSecret
            - name: OIDC_ISSUER_URL
              value: testIssuerURL
            - name: OIDC_SCOPES
              value: testScope
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/oidc-external-secret.yaml
+++ b/headlamp/tests/expected_templates/oidc-external-secret.yaml
@ -0,0 +1,127 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          # Check if externalSecret is enabled
          envFrom:
          - secretRef:
              name: oidc
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            - "-oidc-scopes=$(OIDC_SCOPES)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/oidc-pkce.yaml
+++ b/headlamp/tests/expected_templates/oidc-pkce.yaml
@ -0,0 +1,140 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              value: testClientId
            - name: OIDC_CLIENT_SECRET
              value: testClientSecret
            - name: OIDC_ISSUER_URL
              value: testIssuerURL
            - name: OIDC_SCOPES
              value: testScope
            - name: OIDC_USE_PKCE
              value: "true"
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
            - "-oidc-use-pkce=$(OIDC_USE_PKCE)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/oidc-validator-overrides.yaml
+++ b/headlamp/tests/expected_templates/oidc-validator-overrides.yaml
@ -0,0 +1,149 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
            - name: OIDC_CLIENT_ID
              value: testClientId
            - name: OIDC_CLIENT_SECRET
              value: testClientSecret
            - name: OIDC_ISSUER_URL
              value: testIssuerURL
            - name: OIDC_SCOPES
              value: testScope
            - name: OIDC_VALIDATOR_CLIENT_ID
              value: overriddenClientID
            - name: OIDC_VALIDATOR_ISSUER_URL
              value: overriddenIssuerURL
            - name: OIDC_USE_ACCESS_TOKEN
              value: "true"
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            # Check if clientID is non empty either from env or oidc.config
            - "-oidc-client-id=$(OIDC_CLIENT_ID)"
            # Check if clientSecret is non empty either from env or oidc.config
            - "-oidc-client-secret=$(OIDC_CLIENT_SECRET)"
            # Check if issuerURL is non empty either from env or oidc.config
            - "-oidc-idp-issuer-url=$(OIDC_ISSUER_URL)"
            # Check if scopes are non empty either from env or oidc.config
            - "-oidc-scopes=$(OIDC_SCOPES)"
            # Check if validatorClientID is non empty either from env or oidc.config
            - "-oidc-validator-client-id=$(OIDC_VALIDATOR_CLIENT_ID)"
            # Check if validatorIssuerURL is non empty either from env or oidc.config
            - "-oidc-validator-idp-issuer-url=$(OIDC_VALIDATOR_ISSUER_URL)"
            # Check if useAccessToken is non false either from env or oidc.config
            - "-oidc-use-access-token=$(OIDC_USE_ACCESS_TOKEN)"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/pod-disruption.yaml
+++ b/headlamp/tests/expected_templates/pod-disruption.yaml
@ -0,0 +1,150 @@
 ---
 # Source: headlamp/templates/pdb.yaml
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  maxUnavailable: 1
  unhealthyPodEvictionPolicy: IfHealthyBudget
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
--- a/headlamp/tests/expected_templates/security-context.yaml
+++ b/headlamp/tests/expected_templates/security-context.yaml
@ -0,0 +1,195 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/plugin-configmap.yaml
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: headlamp-plugin-config
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 data:
  plugin.yml: |
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        fsGroup: 2000
        runAsGroup: 3000
        runAsUser: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: headlamp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
            seccompProfile:
              type: RuntimeDefault
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
          volumeMounts:
            - name: plugins-dir
              mountPath: /headlamp/plugins
        - name: headlamp-plugin
          image: node:18-alpine
          command: ["/bin/sh", "-c"]
          args:
            - |
              if [ -f "/config/plugin.yml" ]; then
                echo "Installing plugins from config..."
                cat /config/plugin.yml
                # Use a writable cache directory
                export NPM_CONFIG_CACHE=/tmp/npm-cache
                # Use a writable config directory
                export NPM_CONFIG_USERCONFIG=/tmp/npm-userconfig
                mkdir -p /tmp/npm-cache /tmp/npm-userconfig
                npx --yes @headlamp-k8s/pluginctl@1.0.0 install --config /config/plugin.yml --folderName /headlamp/plugins --watch
              fi
          volumeMounts:
            - name: plugins-dir
              mountPath: /headlamp/plugins
            - name: plugin-config
              mountPath: /config
          resources:
            null
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1001
      volumes:
        - name: plugins-dir
          emptyDir: {}
        - name: plugin-config
          configMap:
            name: headlamp-plugin-config
--- a/headlamp/tests/expected_templates/tls-added.yaml
+++ b/headlamp/tests/expected_templates/tls-added.yaml
@ -0,0 +1,144 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
            - "-tls-cert-path=/headlamp-cert/headlamp-ca.crt"
            - "-tls-key-path=/headlamp-cert/headlamp-tls.key"
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
          volumeMounts:
            - mountPath: /headlamp-cert
              name: headlamp-cert
      volumes:
        - name: headlamp-cert
          secret:
            items:
            - key: tls.crt
              path: headlamp-ca.crt
            - key: tls.key
              path: headlamp-tls.key
            secretName: headlamp-tls
--- a/headlamp/tests/expected_templates/topology-spread-constraints-custom-selector.yaml
+++ b/headlamp/tests/expected_templates/topology-spread-constraints-custom-selector.yaml
@ -0,0 +1,141 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
      topologySpreadConstraints:
        - 
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: headlamp
              custom-label: custom-value
          matchLabelKeys:
          - pod-template-hash
          maxSkew: 2
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
--- a/headlamp/tests/expected_templates/topology-spread-constraints.yaml
+++ b/headlamp/tests/expected_templates/topology-spread-constraints.yaml
@ -0,0 +1,151 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
      topologySpreadConstraints:
        - 
          matchLabelKeys:
          - pod-template-hash
          maxSkew: 1
          topologyKey: topology.kubernetes.io/zone
          whenUnsatisfiable: ScheduleAnyway
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: headlamp
              app.kubernetes.io/instance: headlamp
        - 
          matchLabelKeys:
          - pod-template-hash
          maxSkew: 1
          topologyKey: kubernetes.io/hostname
          whenUnsatisfiable: DoNotSchedule
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: headlamp
              app.kubernetes.io/instance: headlamp
--- a/headlamp/tests/expected_templates/volumes-added.yaml
+++ b/headlamp/tests/expected_templates/volumes-added.yaml
@ -0,0 +1,133 @@
 ---
 # Source: headlamp/templates/serviceaccount.yaml
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 ---
 # Source: headlamp/templates/secret.yaml
 apiVersion: v1
 kind: Secret
 metadata:
  name: oidc
  namespace: default
 type: Opaque
 data:
 ---
 # Source: headlamp/templates/clusterrolebinding.yaml
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: headlamp-admin
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: headlamp
  namespace: default
 ---
 # Source: headlamp/templates/service.yaml
 apiVersion: v1
 kind: Service
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
 ---
 # Source: headlamp/templates/deployment.yaml
 # This block of code is used to extract the values from the env.
 # This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: headlamp
  namespace: default
  labels:
    helm.sh/chart: headlamp-0.40.1
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/instance: headlamp
    app.kubernetes.io/version: "0.40.1"
    app.kubernetes.io/managed-by: Helm
 spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: headlamp
      app.kubernetes.io/instance: headlamp
  template:
    metadata:
      labels:
        app.kubernetes.io/name: headlamp
        app.kubernetes.io/instance: headlamp
    spec:
      serviceAccountName: headlamp
      automountServiceAccountToken: true
      hostUsers: true
      securityContext:
        {}
      containers:
        - name: headlamp
          securityContext:
            privileged: false
            runAsGroup: 101
            runAsNonRoot: true
            runAsUser: 100
          image: "ghcr.io/headlamp-k8s/headlamp:v0.40.1"
          imagePullPolicy: IfNotPresent
          env:
          args:
            - "-in-cluster"
            - "-in-cluster-context-name=main"
            - "-plugins-dir=/headlamp/plugins"
            - "-session-ttl=86400"
            # Check if externalSecret is disabled
          ports:
            - name: http
              containerPort: 4466
              protocol: TCP
          livenessProbe:
            httpGet:
              path: "/"
              port: http
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          resources:
            {}
      volumes:
        - emptyDir: {}
          name: plugins
--- a/headlamp/tests/readme.md
+++ b/headlamp/tests/readme.md
@ -0,0 +1,96 @@
 ## Helm Template Testing
 The Helm template testing for the Headlamp chart ensures that the Helm templates generate the expected Kubernetes manifest files under different scenarios. This testing is crucial for validating changes to the Helm chart and ensuring its correctness before deployment.
 ### Expected Templates (`charts/headlamp/tests/expected_templates`)
 The `expected_templates` directory contains YAML files representing the expected Kubernetes manifest files generated by the Helm templates. Each YAML file corresponds to a specific Helm template in the `charts/headlamp/templates` directory. These files serve as reference points for comparing the actual rendered templates during testing.
 Example:
 - `deployment.yaml`: Represents the expected Kubernetes Deployment manifest.
 - `service.yaml`: Represents the expected Kubernetes Service manifest.
 ### Test Cases (`charts/headlamp/tests/test_cases`)
 The `test_cases` directory contains YAML files representing different test scenarios or configurations for the Helm chart. Each test case specifies a set of values for Helm chart configuration parameters (defined in `values.yaml`) to test various aspects of the chart under different conditions.
 Example:
 - `volumes-added.yaml`: Tests the behavior of the Helm chart when additional volumes are specified.
 - `ingress-enabled.yaml`: Tests the behavior of the Helm chart when Ingress is enabled.
 The Helm template testing script (`charts/headlamp/tests/test.sh`) dynamically renders Helm templates for each test case using the specified configuration values and compares them against the corresponding expected templates. This ensures that the Helm chart behaves as expected under different configurations.
 ## Adding Test Cases and Expected Templates
 To enhance the coverage of the Helm template testing for the Headlamp chart, you can add more test cases and corresponding expected templates. Follow these guidelines to add new test cases and expected templates effectively:
 ### Test Cases
 1. **Create a New Test Case Directory**: Inside the `charts/headlamp/tests/test_cases` directory, create a new directory representing the new test case. Choose a descriptive name for the directory that reflects the purpose or scenario of the test case.
 2. **Define Test Case Configuration**: Within the new test case directory, create a `values.yaml` file with custom name to define the configuration parameters for the Helm chart under the specific test scenario. Customize the values in this file to match the desired configuration for the test case.
 ## Expected Templates
 1. **Create Expected Templates**: Inside the `charts/headlamp/tests/expected_templates` directory, create YAML files representing the expected Kubernetes manifest files for the Helm templates under the new test scenarios. Each expected template file should correspond to a Helm template in the templates directory.
 2. **Match Test Cases with Expected Templates**: Ensure that each test case directory in `test_cases` has a corresponding expected template file in `expected_templates`. The expected template file should have the same name as the test case directory to establish the association.
 ## Running Helm Template Testing
 To run the Helm template testing for the Headlamp chart, follow these steps:
 ### Prerequisites
 - [Helm](https://helm.sh/) must be installed on your system.
 ### Running the Tests
 1. Run the Helm template testing using the provided Make directive from your root headlamp folder:
    ```bash
    make helm-template-test
    ```
 This will execute the `charts/headlamp/tests/test.sh` script, which dynamically renders and compares Helm templates for different test cases against their expected templates.
 ## Updating Template Versions
 When changes are made to the Helm chart that intentionally modify the rendered templates (such as version updates, new features, or bug fixes), you'll need to update the expected templates to match the new output. The `helm-update-template-version` command simplifies this process.
 ### How Template Version Updates Work
 The template version update process:
 1. Reads the current chart version and app version from `Chart.yaml`
 2. Checks each expected template file for version references
 3. Only updates files where versions are outdated
 4. Provides concise output showing only which files required updates
 ### When to Use Template Version Updates
 You should run the template version update when:
 - You've updated the Helm chart version in `Chart.yaml`
 - You've updated the app version in `Chart.yaml`
 - You've made intentional changes to templates that affect their rendered output
 - The `helm-template-test` command fails with template differences that are expected
 ### Running Template Version Updates
 To update the expected templates with the current versions:
 ```bash
 make helm-update-template-version
 ```
 This executes the `charts/headlamp/tests/update-version.sh` script, which renders templates with current versions and updates the expected templates accordingly.
 ### After Updating Template Versions
 After running the template version update:
 1. Review the changes to ensure they're as expected
 2. Run `helm-template-test` again to verify that tests now pass
 3. Commit the updated expected templates along with your chart changes
--- a/headlamp/tests/test.sh
+++ b/headlamp/tests/test.sh
@ -0,0 +1,122 @@
 #!/bin/bash
 # Enable strict mode
 set -euo pipefail
 # This script only tests templates - it does not update them
 # To update templates, use update-version.sh
 # Set up variables
 CHART_DIR="./charts/headlamp"
 TEST_CASES_DIR="${CHART_DIR}/tests/test_cases"
 EXPECTED_TEMPLATES_DIR="${CHART_DIR}/tests/expected_templates"
 # Print header information
 echo "Testing Helm chart templates against expected output..."
 # Function to render templates for a specific values file
 render_templates() {
    values_file="$1"
    output_dir="$2"
    # Render templates
    helm template headlamp ${CHART_DIR} --values ${values_file} > "${output_dir}/rendered_templates.yaml"
    # Verify the file was created successfully
    if [ ! -s "${output_dir}/rendered_templates.yaml" ]; then
        echo "ERROR: Failed to render templates for ${values_file}"
        exit 1
    fi
 }
 # Clean up function to handle errors and cleanup
 cleanup() {
    # Get exit code
    exit_code=$?
    # Clean up any temporary files/directories
    if [ -d "${CHART_DIR}/tests/defaultvaluetest" ]; then
        rm -rf "${CHART_DIR}/tests/defaultvaluetest"
    fi
    # Clean up test case output directories
    if [ "$(ls -A ${TEST_CASES_DIR} 2>/dev/null)" ]; then
        for values_file in ${TEST_CASES_DIR}/*; do
            case_name=$(basename "${values_file}")
            if [ -d "${CHART_DIR}/tests/${case_name}_output" ]; then
                rm -rf "${CHART_DIR}/tests/${case_name}_output"
            fi
        done
    fi
    # If exiting with error, help user understand what to do
    if [ $exit_code -ne 0 ]; then
        echo ""
        echo "============================================="
        echo "Test failed! To update expected templates to match current output:"
        echo "  1. Review the differences above carefully"
        echo "  2. If the changes are related to version, run:"
        echo "     make helm-update-template-version"
        echo "     This will update ALL expected templates with current Helm version"
        echo "  3. Verify the changes and commit them"
        echo "============================================="
    fi
    exit $exit_code
 }
 # Register cleanup function
 trap cleanup EXIT
 # Function to compare rendered templates with expected templates
 compare_templates() {
    values_file="$1"
    output_dir="$2"
    expected_file="$3"
    # Compare rendered template with expected template
    if ! diff_output=$(diff -u "${output_dir}/rendered_templates.yaml" "${expected_file}" 2>&1); then
        echo "Template test FAILED for ${values_file} against ${expected_file}:"
        echo "${diff_output}"
        echo "============================================="
        echo "The rendered template does not match the expected template!"
        echo "This could be due to changes in the chart or an outdated expected template."
        echo "If this is an intentional change, update the expected template."
        echo "============================================="
        exit 1
    else
        echo "Template test PASSED for ${values_file} against ${expected_file}"
    fi
 }
 # Check for default values.yaml test case
 mkdir -p "${CHART_DIR}/tests/defaultvaluetest"
 render_templates "${CHART_DIR}/values.yaml" ${CHART_DIR}/tests/defaultvaluetest
 compare_templates "${CHART_DIR}/values.yaml" ${CHART_DIR}/tests/defaultvaluetest "${EXPECTED_TEMPLATES_DIR}/default.yaml"
 # Cleanup is handled by the cleanup function
 # Check if TEST_CASES_DIR is not empty
 if [ "$(ls -A ${TEST_CASES_DIR})" ]; then
    # Iterate over each test case
    for values_file in ${TEST_CASES_DIR}/*; do
        case_name=$(basename "${values_file}")
        output_dir="${CHART_DIR}/tests/${case_name}_output"
        expected_file="${EXPECTED_TEMPLATES_DIR}/${case_name}"
        # Check if expected template exists for the current test case
        if [ -f "${expected_file}" ]; then
            # Create output directory for the current test case
            mkdir -p "${output_dir}"
            # Render templates for the current test case
            render_templates "${values_file}" "${output_dir}"
            # Compare rendered templates with expected templates for the current test case
            compare_templates "${values_file}" "${output_dir}" "${expected_file}"
            # Cleanup is handled by the cleanup function
        else
            echo "No expected template found for ${values_file}. Skipping template testing."
        fi
    done
 else
    echo "No test cases found in ${TEST_CASES_DIR}. Skipping template testing."
 fi
 echo "Template testing completed."
--- a/headlamp/tests/test_cases/azure-oidc-with-validators.yaml
+++ b/headlamp/tests/test_cases/azure-oidc-with-validators.yaml
@ -0,0 +1,12 @@
 # Test case: Azure OIDC provider WITH validator variables
 # Should include validator arguments in the deployment
 config:
  oidc:
    secret:
      create: false
    clientID: "azure-client-id"
    clientSecret: "azure-client-secret"
    issuerURL: "https://login.microsoftonline.com/tenant-id/v2.0"
    scopes: "openid email profile"
    validatorClientID: "azure-validator-client-id"
    validatorIssuerURL: "https://login.microsoftonline.com/tenant-id/v2.0"
--- a/headlamp/tests/test_cases/extra-args.yaml
+++ b/headlamp/tests/test_cases/extra-args.yaml
@ -0,0 +1,5 @@
 # This is a test case for extraArgs in the Headlamp deployment.
 # Each test case is a dictionary with the following keys:
 config:
  extraArgs:
  - -insecure-ssl
--- a/headlamp/tests/test_cases/extra-manifests.yaml
+++ b/headlamp/tests/test_cases/extra-manifests.yaml
@ -0,0 +1,16 @@
 extraManifests:
  - |
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: dummy-configmap
    data:
      key1: value1
      key2: value2
  - |
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: configmap-with-templated-data
    data:
      injectedKey: {{ .Release.Name }}
--- a/headlamp/tests/test_cases/host-users-override.yaml
+++ b/headlamp/tests/test_cases/host-users-override.yaml
@ -0,0 +1 @@
 hostUsers: false
--- a/headlamp/tests/test_cases/httproute-enabled.yaml
+++ b/headlamp/tests/test_cases/httproute-enabled.yaml
@ -0,0 +1,12 @@
 # Test case for HTTPRoute Gateway API configuration
 httpRoute:
  enabled: true
  annotations:
    gateway.example.com/annotation: "test"
  labels:
    app.kubernetes.io/component: ingress
  parentRefs:
    - name: my-gateway
      namespace: gateway-namespace
  hostnames:
    - headlamp.example.com
--- a/headlamp/tests/test_cases/me-user-info-url-directly.yaml
+++ b/headlamp/tests/test_cases/me-user-info-url-directly.yaml
@ -0,0 +1,3 @@
 env:
  - name: ME_USER_INFO_URL
    value: /oauth2/userinfocustom1
--- a/headlamp/tests/test_cases/me-user-info-url.yaml
+++ b/headlamp/tests/test_cases/me-user-info-url.yaml
@ -0,0 +1,4 @@
 # -- Headlamp OIDC me user info URL test case
 config:
  oidc:
    meUserInfoURL: /oauth2/userinfocustom2
--- a/headlamp/tests/test_cases/namespace-override-oidc-create-secret.yaml
+++ b/headlamp/tests/test_cases/namespace-override-oidc-create-secret.yaml
@ -0,0 +1,18 @@
 namespaceOverride: "mynamespace2"
 # This is a test case for the oidc.secret.create field in the Headlamp deployment.
 # The oidc.secret.create field is a boolean that determines whether to create a secret for OIDC.
 # The oidc.secret.name field is a string that specifies the name of the OIDC secret.
 # The oidc.clientID field is a string that specifies the client ID for OIDC.
 # The oidc.clientSecret field is a string that specifies the client secret for OIDC.
 # The oidc.issuerURL field is a string that specifies the issuer URL for OIDC.
 # The oidc.scopes field is a string that specifies the scopes for OIDC.
 config:
  oidc:
    secret:
      create: true
      name: oidc
    clientID: "testClientId"
    clientSecret: "testClientSecret"
    issuerURL: "testIssuerURL"
    scopes: "testScope"
--- a/headlamp/tests/test_cases/namespace-override.yaml
+++ b/headlamp/tests/test_cases/namespace-override.yaml
@ -0,0 +1 @@
 namespaceOverride: "mynamespace"
--- a/headlamp/tests/test_cases/non-azure-oidc.yaml
+++ b/headlamp/tests/test_cases/non-azure-oidc.yaml
@ -0,0 +1,10 @@
 # Test case: Non-Azure OIDC provider without validator variables
 # This should NOT include validator arguments in the deployment
 config:
  oidc:
    secret:
      create: false
    clientID: "generic-oidc-client"
    clientSecret: "generic-oidc-secret"
    issuerURL: "https://auth.example.com"
    scopes: "openid email profile"
--- a/headlamp/tests/test_cases/oidc-create-secret.yaml
+++ b/headlamp/tests/test_cases/oidc-create-secret.yaml
@ -0,0 +1,16 @@
 # This is a test case for the oidc.secret.create field in the Headlamp deployment.
 # The oidc.secret.create field is a boolean that determines whether to create a secret for OIDC.
 # The oidc.secret.name field is a string that specifies the name of the OIDC secret.
 # The oidc.clientID field is a string that specifies the client ID for OIDC.
 # The oidc.clientSecret field is a string that specifies the client secret for OIDC.
 # The oidc.issuerURL field is a string that specifies the issuer URL for OIDC.
 # The oidc.scopes field is a string that specifies the scopes for OIDC.
 config:
  oidc:
    secret:
      create: true
      name: oidc
    clientID: "testClientId"
    clientSecret: "testClientSecret"
    issuerURL: "testIssuerURL"
    scopes: "testScope"
--- a/headlamp/tests/test_cases/oidc-directly-env.yaml
+++ b/headlamp/tests/test_cases/oidc-directly-env.yaml
@ -0,0 +1,10 @@
 # This is a test case where user can set env values directly for OIDC configuration.
 env:
  - name: OIDC_CLIENT_ID
    value: testClientId
  - name: OIDC_CLIENT_SECRET
    value: testClientSecret
  - name: OIDC_ISSUER_URL
    value: testIssuerURL
  - name: OIDC_SCOPES
    value: testScope
--- a/headlamp/tests/test_cases/oidc-directly.yaml
+++ b/headlamp/tests/test_cases/oidc-directly.yaml
@ -0,0 +1,14 @@
 # This is a test case for the direct OIDC configuration in the Headlamp deployment.
 # The oidc.secret.create field is false to avoid creating a secret for OIDC.
 # The oidc.clientID field is a string that specifies the client ID for OIDC.
 # The oidc.clientSecret field is a string that specifies the client secret for OIDC.
 # The oidc.issuerURL field is a string that specifies the issuer URL for OIDC.
 # The oidc.scopes field is a string that specifies the scopes for OIDC.
 config:
  oidc:
    secret:
      create: false
    clientID: "testClientId"
    clientSecret: "testClientSecret"
    issuerURL: "testIssuerURL"
    scopes: "testScope"
--- a/headlamp/tests/test_cases/oidc-external-secret.yaml
+++ b/headlamp/tests/test_cases/oidc-external-secret.yaml
@ -0,0 +1,10 @@
 # This is a test case for OIDC external secret.
 # The oidc.externalSecret.enabled field is a boolean that determines whether to use an external secret for OIDC.
 # The oidc.externalSecret.name field is a string that specifies the name of the external OIDC secret.
 config:
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: oidc
--- a/headlamp/tests/test_cases/oidc-pkce.yaml
+++ b/headlamp/tests/test_cases/oidc-pkce.yaml
@ -0,0 +1,15 @@
 # This is a test case for the direct OIDC configuration in the Headlamp deployment.
 # The oidc.secret.create field is false to avoid creating a secret for OIDC.
 # The oidc.clientID field is a string that specifies the client ID for OIDC.
 # The oidc.clientSecret field is a string that specifies the client secret for OIDC.
 # The oidc.issuerURL field is a string that specifies the issuer URL for OIDC.
 # The oidc.scopes field is a string that specifies the scopes for OIDC.
 config:
  oidc:
    secret:
      create: false
    clientID: "testClientId"
    clientSecret: "testClientSecret"
    issuerURL: "testIssuerURL"
    scopes: "testScope"
    usePKCE: true
--- a/headlamp/tests/test_cases/oidc-validator-overrides.yaml
+++ b/headlamp/tests/test_cases/oidc-validator-overrides.yaml
@ -0,0 +1,20 @@
 # This is a test case for OIDC using the validator overrides and access_token.
 # The oidc.secret.create field is false to avoid creating a secret for OIDC.
 # The oidc.clientID field is a string that specifies the client ID for OIDC.
 # The oidc.clientSecret field is a string that specifies the client secret for OIDC.
 # The oidc.issuerURL field is a string that specifies the issuer URL for OIDC.
 # The oidc.scopes field is a string that specifies the scopes for OIDC.
 # The oidc.validatorClientID field is a string that specifies the ClientID used in validation for OIDC.
 # The oidc.validatorIssuerURL field is a string that specifies the IssuerURL used in validation for OIDC.
 # The oidc.useAccessToken field is a bool that determines if 'access_token' or 'id_token' is used for OIDC.
 config:
  oidc:
    secret:
      create: false
    clientID: "testClientId"
    clientSecret: "testClientSecret"
    issuerURL: "testIssuerURL"
    scopes: "testScope"
    validatorClientID: "overriddenClientID"
    validatorIssuerURL: "overriddenIssuerURL"
    useAccessToken: true
--- a/headlamp/tests/test_cases/pod-disruption.yaml
+++ b/headlamp/tests/test_cases/pod-disruption.yaml
@ -0,0 +1,5 @@
 podDisruptionBudget:
  enabled: true
  maxUnavailable: 1
  unhealthyPodEvictionPolicy: IfHealthyBudget
  minAvailable: null
--- a/headlamp/tests/test_cases/security-context.yaml
+++ b/headlamp/tests/test_cases/security-context.yaml
@ -0,0 +1,31 @@
 podSecurityContext:
  runAsUser: 1000
  runAsGroup: 3000
  fsGroup: 2000
  seccompProfile:
    type: RuntimeDefault
 # This config will be rendered into the container's securityContext.
 securityContext:
  runAsNonRoot: true
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault
 # Example override for the optional pluginsManager container securityContext
 pluginsManager:
  enabled: true
  baseImage: "node:18-alpine"
  version: "1.0.0"
  securityContext:
    runAsUser: 1001
    runAsNonRoot: true
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop:
        - ALL
--- a/headlamp/tests/test_cases/tls-added.yaml
+++ b/headlamp/tests/test_cases/tls-added.yaml
@ -0,0 +1,17 @@
 config:
  tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
  tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
 volumes:
  - name: "headlamp-cert"
    secret:
      secretName: "headlamp-tls"
      items:
        - key: "tls.crt"
          path: "headlamp-ca.crt"
        - key: "tls.key"
          path: "headlamp-tls.key"
 volumeMounts:
  - name: "headlamp-cert"
    mountPath: "/headlamp-cert"
--- a/headlamp/tests/test_cases/topology-spread-constraints-custom-selector.yaml
+++ b/headlamp/tests/test_cases/topology-spread-constraints-custom-selector.yaml
@ -0,0 +1,11 @@
 # Test case for topologySpreadConstraints with custom labelSelector
 topologySpreadConstraints:
  - maxSkew: 2
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        app.kubernetes.io/name: headlamp
        custom-label: custom-value
    matchLabelKeys:
      - pod-template-hash
--- a/headlamp/tests/test_cases/topology-spread-constraints.yaml
+++ b/headlamp/tests/test_cases/topology-spread-constraints.yaml
@ -0,0 +1,12 @@
 # Test case for topologySpreadConstraints with automatic labelSelector population
 topologySpreadConstraints:
  - maxSkew: 1
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    matchLabelKeys:
      - pod-template-hash
  - maxSkew: 1
    topologyKey: kubernetes.io/hostname
    whenUnsatisfiable: DoNotSchedule
    matchLabelKeys:
      - pod-template-hash
--- a/headlamp/tests/test_cases/volumes-added.yaml
+++ b/headlamp/tests/test_cases/volumes-added.yaml
@ -0,0 +1,5 @@
 # This is a test case for volumes in the Headlamp deployment.
 # The volumes field is a list of dictionaries that specify the volumes to add to the Headlamp deployment.
 volumes:
  - name: plugins
    emptyDir: {}
--- a/headlamp/tests/update-version.sh
+++ b/headlamp/tests/update-version.sh
@ -0,0 +1,93 @@
 #!/bin/bash
 # Enable strict mode
 set -euo pipefail
 # Set up variables
 CHART_DIR="./charts/headlamp"
 TEST_CASES_DIR="${CHART_DIR}/tests/test_cases"
 EXPECTED_TEMPLATES_DIR="${CHART_DIR}/tests/expected_templates"
 # Get the current chart, app and image version
 CURRENT_CHART_VERSION=$(grep '^version:' ${CHART_DIR}/Chart.yaml | awk '{print $2}')
 CURRENT_APP_VERSION=$(grep '^appVersion:' ${CHART_DIR}/Chart.yaml | awk '{print $2}')
 CURRENT_IMAGE_VERSION=$(grep '^appVersion:' ${CHART_DIR}/Chart.yaml | awk '{print $2}')
 echo "Checking and updating template versions..."
 echo "Using chart version: ${CURRENT_CHART_VERSION}, app version: ${CURRENT_APP_VERSION}, image version: ${CURRENT_IMAGE_VERSION}"
 # Function to render templates for a specific values file
 render_templates() {
    values_file="$1"
    output_dir="$2"
    # Render templates
    helm template headlamp ${CHART_DIR} --values ${values_file} > "${output_dir}/rendered_templates.yaml"
    if [ ! -s "${output_dir}/rendered_templates.yaml" ]; then
        echo "ERROR: Failed to render templates for ${values_file}"
        exit 1
    fi
 }
 # Check if versions need updating and update the expected template if needed
 check_and_update_template() {
    case_name="$1"
    values_file="$2"
    expected_file="${EXPECTED_TEMPLATES_DIR}/${case_name}"
    needs_update=false
    # Check if versions need updating
    if [ -f "${expected_file}" ]; then
        # Check chart version
        if ! grep -q "helm.sh/chart: headlamp-${CURRENT_CHART_VERSION}" "${expected_file}"; then
            needs_update=true
        fi
        # Check app version
        if ! grep -q "app.kubernetes.io/version: \"${CURRENT_APP_VERSION}\"" "${expected_file}"; then
            needs_update=true
        fi
        # Check image version
        if ! grep -q "ghcr.io/headlamp-k8s/headlamp:v${CURRENT_IMAGE_VERSION}" "${expected_file}"; then
            needs_update=true
        fi
    else
        # File doesn't exist, so it needs to be created
        needs_update=true
    fi
    if [ "$needs_update" = true ]; then
        echo "${case_name}: Updating to version ${CURRENT_CHART_VERSION}..."
        # Create temporary output directory
        output_dir="${CHART_DIR}/tests/update_${case_name}"
        mkdir -p "${output_dir}"
        # Render the template
        render_templates "${values_file}" "${output_dir}"
        # Update the expected template
        cp "${output_dir}/rendered_templates.yaml" "${expected_file}"
        # Clean up
        rm -rf "${output_dir}"
    else
        echo "${case_name}: Version ${CURRENT_CHART_VERSION} already up to date"  
    fi
 }
 # Check and update default template
 check_and_update_template "default.yaml" "${CHART_DIR}/values.yaml"
 # Check and update templates for each test case
 if [ "$(ls -A ${TEST_CASES_DIR})" ]; then
    for values_file in ${TEST_CASES_DIR}/*; do
        case_name=$(basename "${values_file}")
        check_and_update_template "${case_name}" "${values_file}"
    done
 else
    echo "No test cases found in ${TEST_CASES_DIR}."
 fi
 echo "Version check complete. Please review any changes before committing."
--- a/headlamp/values.schema.json
+++ b/headlamp/values.schema.json
@ -0,0 +1,577 @@
 {
  "$schema": "http://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "replicaCount": {
      "type": "integer",
      "description": "Number of replicas to deploy",
      "minimum": 1
    },
    "image": {
      "type": "object",
      "title": "Image",
      "description": "Image to deploy",
      "properties": {
        "registry": {
          "type": "string",
          "description": "Registry of the image"
        },
        "repository": {
          "type": "string",
          "description": "Repository of the image"
        },
        "pullPolicy": {
          "type": "string",
          "description": "Pull policy of the image",
          "enum": ["Always", "IfNotPresent", "Never"]
        },
        "tag": {
          "type": "string",
          "description": "Tag of the image"
        }
      }
    },
    "imagePullSecrets": {
      "type": "array",
      "description": "ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. If specified, these secrets will be passed to individual puller implementations for them to use.",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the image pull secret"
          }
        }
      }
    },
    "nameOverride": {
      "type": "string",
      "description": "Override the name of the chart"
    },
    "fullnameOverride": {
      "type": "string",
      "description": "Override the full name of the chart"
    },
    "namespaceOverride": {
      "type": "string",
      "description": "Override the deployment namespace; defaults to .Release.Namespace"
    },
    "initContainers": {
      "type": "array",
      "description": "Init containers",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the init container"
          },
          "image": {
            "type": "string",
            "description": "Image of the init container"
          },
          "imagePullPolicy": {
            "type": "string",
            "description": "Pull policy of the init container",
            "enum": ["Always", "IfNotPresent", "Never"]
          },
          "command": {
            "type": "array",
            "description": "Command of the init container",
            "items": {
              "type": "string"
            }
          },
          "args": {
            "type": "array",
            "description": "Arguments of the init container",
            "items": {
              "type": "string"
            }
          },
          "resources": {
            "type": "object",
            "description": "Resources of the init container",
            "properties": {
              "limits": {
                "type": "object",
                "description": "Limits of the init container",
                "properties": {
                  "cpu": {
                    "type": "string",
                    "description": "CPU limit"
                  },
                  "memory": {
                    "type": "string",
                    "description": "Memory limit"
                  }
                }
              },
              "requests": {
                "type": "object",
                "description": "Requests of the init container",
                "properties": {
                  "cpu": {
                    "type": "string",
                    "description": "CPU request"
                  },
                  "memory": {
                    "type": "string",
                    "description": "Memory request"
                  }
                }
              }
            }
          },
          "env": {
            "type": "array",
            "description": "Environment variables of the init container",
            "items": {
              "type": "object",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Name of the environment variable"
                },
                "value": {
                  "type": "string",
                  "description": "Value of the environment variable"
                }
              }
            }
          },
          "volumeMounts": {
            "type": "array",
            "description": "Volume mounts of the init container",
            "items":
              {
                "type": "object",
                "properties": {
                  "name": {
                    "type": "string",
                    "description": "Name of the volume mount"
                  },
                  "mountPath": {
                    "type": "string",
                    "description": "Mount path of the volume mount"
                  },
                  "readOnly": {
                    "type": "boolean",
                    "description": "Read only of the volume mount"
                  }
                }
              }
          }
        }
      }
    },
    "config": {
      "type": "object",
      "description": "Headlamp deployment configuration",
      "properties": {
        "baseURL": {
          "type": "string",
          "description": "Base URL of the application"
        },
        "sessionTTL": {
          "type": "integer",
          "description": "The time in seconds for the session to be valid",
          "default": 86400,
          "minimum": 1,
          "maximum": 31536000
        },
        "oidc": {
          "type": "object",
          "description": "OIDC configuration",
          "properties": {
            "secret": {
              "type": "object",
              "description": "Secret created by Headlamp to authenticate with the OIDC provider",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Name of the secret"
                },
                "create": {
                  "type": "boolean",
                  "description": "Create the secret"
                }
              }
            },
            "clientID": {
              "type": "string",
              "description": "Issuer of the OIDC provider"
            },
            "clientSecret": {
              "type": "string",
              "description": "Client ID of the OIDC provider"
            },
            "issuerURL": {
              "type": "string",
              "description": "Client secret of the OIDC provider"
            },
            "scopes": {
              "type": "string",
              "description": "Scopes of the OIDC provider"
            },
            "usePKCE": {
              "type": "boolean",
              "description": "Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow"
            },
            "externalSecret": {
              "type": "object",
              "description": "External secret to use for OIDC configuration",
              "properties": {
                "name": {
                  "type": "string",
                  "description": "Name of the external secret"
                },
                "enabled": {
                  "type": "boolean",
                  "description": "Enable the external secret"
                }
              }
            }
          }
        },
        "pluginsDir": {
          "type": "string",
          "description": "Directory to load plugins from"
        },
         "tlsCertPath": {
          "type": "string",
          "description": "Path of certificate file for TLS"
        },
        "tlsKeyPath": {
          "type": "string",
          "description": "Path of private key file for TLS"
        },
        "extraArgs": {
          "type": "array",
          "description": "Extra arguments to pass to the application",
          "items": {
            "type": "string"
          }
        }
      }
    },
    "env": {
      "type": "array",
      "description": "Environment variables to pass to the deployment",
      "items": {
        "type": "object",
        "properties": {
          "name": {
            "type": "string",
            "description": "Name of the environment variable"
          },
          "value": {
            "type": "string",
            "description": "Value of the environment variable"
          }
        },
        "required": ["name", "value"],
        "additionalProperties": false
      }
    },
    "automountServiceAccountToken": {
      "type": "boolean",
      "description": "Mount Service Account token in pod"
    },
    "serviceAccount": {
      "type": "object",
      "properties": {
        "create": {
          "type": "boolean",
          "description": "Specifies whether a service account should be created"
        },
        "annotations": {
          "type": "object",
          "description": "Annotations to add to the service account"
        },
        "name": {
          "type": "string",
          "description": "The name of the service account to use"
        }
      }
    },
    "clusterRoleBinding": {
      "type": "object",
      "properties": {
        "create": {
          "type": "boolean",
          "description": "Specifies whether a cluster role binding should be created"
        },
        "clusterRoleName": {
          "type": "string",
          "description": "The name of the ClusterRole to create in the cluster"
        },
        "annotations": {
          "type": "object",
          "description": "Annotations to add to the cluster role binding"
        }
      }
    },
    "service": {
      "type": "object",
      "properties": {
        "type": {
          "type": "string",
          "description": "Kubernetes Service type",
          "enum": ["ClusterIP", "NodePort", "LoadBalancer", "ExternalName"]
        },
        "port": {
          "type": "integer",
          "description": "Kubernetes Service port"
        },
        "clusterIP": {
          "type": "string",
          "description": "Kubernetes Service clusterIP"
        },
        "loadBalancerIP": {
          "type": "string",
          "description": "Kubernetes Service loadBalancerIP"
        },
        "loadBalancerSourceRanges": {
          "type": "array",
          "items": {
            "type": "string"
          },
          "description": "Kubernetes Service loadBalancerSourceRanges"
        },
        "nodePort": {
          "type": ["integer", "null"],
          "description": "Kubernetes Service Nodeport"
        }
      }
    },
    "persistentVolumeClaim": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Enable Persistent Volume Claim"
        },
        "annotations": {
          "type": "object",
          "description": "Annotations to add to the persistent volume claim (if enabled)"
        },
        "accessModes": {
          "type": "array",
          "items": {
            "type": "string"
          }
        },
        "size": {
          "type": "string"
        },
        "storageClassName": {
          "type": "string"
        },
        "selector": {
          "type": "object",
          "properties": {
            "matchLabels": {
              "type": "object"
            },
            "matchExpressions": {
              "type": "array",
              "items": {
                "type": "object",
                "properties": {
                  "key": {
                    "type": "string"
                  },
                  "operator": {
                    "type": "string"
                  },
                  "values": {
                    "type": "array",
                    "items": {
                      "type": "string"
                    }
                  }
                }
              }
            }
          }
        },
        "volumeMode": {
          "type": "string"
        }
      }
    },
    "ingress": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Enable ingress controller resource"
        },
        "annotations": {
          "type": "object",
          "description": "Annotations for Ingress resource"
        },
        "ingressClassName": {
          "type": "string",
          "description": "Ingress class name"
        },
        "hosts": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "host": {
                "type": "string"
              },
              "paths": {
                "type": "array",
                "items": {
                  "type": "object"
                }
              }
            }
          }
        },
        "tls": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "secretName": {
                "type": "string"
              },
              "hosts": {
                "type": "array",
                "items": {
                  "type": "string"
                }
              }
            }
          }
        }
      }
    },
    "httpRoute": {
      "type": "object",
      "description": "HTTPRoute configuration for Gateway API",
      "properties": {
        "enabled": {
          "type": "boolean",
          "description": "Enable HTTPRoute resource for Gateway API"
        },
        "annotations": {
          "type": "object",
          "description": "Annotations for HTTPRoute resource"
        },
        "labels": {
          "type": "object",
          "description": "Additional labels for HTTPRoute resource"
        },
        "parentRefs": {
          "type": "array",
          "description": "Parent references (REQUIRED when enabled - HTTPRoute will not work without this)",
          "items": {
            "type": "object",
            "properties": {
              "name": {
                "type": "string",
                "description": "Name of the parent gateway"
              },
              "namespace": {
                "type": "string",
                "description": "Namespace of the parent gateway"
              },
              "sectionName": {
                "type": "string",
                "description": "Section name of the parent gateway listener"
              }
            },
            "required": ["name"]
          }
        },
        "hostnames": {
          "type": "array",
          "description": "Hostnames for the HTTPRoute",
          "items": {
            "type": "string"
          }
        },
        "rules": {
          "type": "array",
          "description": "Custom routing rules (optional, defaults to path prefix /)",
          "items": {
            "type": "object"
          }
        }
      }
    },
    "podDisruptionBudget": {
      "type": "object",
      "properties": {
        "enabled": {
          "type": "boolean",
          "default": false,
          "description": "Enable PodDisruptionBudget. See: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/"
        },
        "minAvailable": {
          "oneOf": [
            {
              "type": "null"
            },
            {
              "type": "integer",
              "minimum": 0
            },
            {
              "type": "string",
              "pattern": "^([0-9]+%?|[0-9]*\\.[0-9]+%)$"
            }
          ],
          "default": 0,
          "description": "Minimum number/percentage of pods that should remain scheduled. When it's set, maxUnavailable must be disabled by `maxUnavailable: null`"
        },
        "maxUnavailable": {
          "oneOf": [
            {
              "type": "null"
            },
            {
              "type": "integer",
              "minimum": 0
            },
            {
              "type": "string",
              "pattern": "^([0-9]+%?|[0-9]*\\.[0-9]+%)$"
            }
          ],
          "default": null,
          "description": "Maximum number/percentage of pods that may be made unavailable"
        },
        "unhealthyPodEvictionPolicy": {
          "oneOf": [
            {
              "type": "null"
            },
            {
              "type": "string",
              "enum": [
                "IfHealthyBudget",
                "AlwaysAllow"
              ]
            }
          ],
          "default": null,
          "description": "How are unhealthy, but running, pods counted for eviction"
        }
      }
    },
    "extraManifests": {
      "type": "array",
      "description": "Extra manifests to apply to the deployment",
      "items": {
        "type": "string"
      }
    }
  }
 }
--- a/headlamp/values.yaml
+++ b/headlamp/values.yaml
@ -0,0 +1,402 @@
 # Default values for headlamp.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 # -- Number of desired pods
 replicaCount: 1
 image:
  # -- Container image registry
  registry: ghcr.io
  # -- Container image name
  repository: headlamp-k8s/headlamp
  # -- Image pull policy. One of Always, Never, IfNotPresent
  pullPolicy: IfNotPresent
  # -- Container image tag, If "" uses appVersion in Chart.yaml
  tag: ""
 # -- An optional list of references to secrets in the same namespace to use for pulling any of the images used
 imagePullSecrets: []
 # -- Overrides the name of the chart
 nameOverride: ""
 # -- Overrides the full name of the chart
 fullnameOverride: ""
 # -- Override the deployment namespace; defaults to .Release.Namespace
 namespaceOverride: ""
 # -- An optional list of init containers to be run before the main containers.
 initContainers: []
 # -- An optional list of extra containers to be run along side the main containers.
 extraContainers: []
 config:
  inCluster: true
  inClusterContextName: "main"
  # -- base url path at which headlamp should run
  baseURL: ""
  # -- session token TTL in seconds (default is 24 hours)
  sessionTTL: 86400
  oidc:
    # Option 1:
    # @param config.oidc.secret - OIDC secret configuration
    # If you want to use an existing secret, set create to false and provide the name of the secret.
    # If you want to create a new secret, set create to true and provide the name of the secret.
    # Also provide the values for clientID, clientSecret, issuerURL, and scopes.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: true
    #       name: oidc
    secret:
      # -- Generate OIDC secret. If true, will generate a secret using .config.oidc.
      create: true
      # -- Name of the OIDC secret.
      name: oidc
    # Option 2:
    # @param config.oidc - OIDC env configuration
    # If you want to set the OIDC configuration directly, set the following values.
    # Example:
    # config:
    #   oidc:
    #     clientID: "clientID"
    #     clientSecret: "clientSecret"
    #     issuerURL: "issuerURL"
    #     scopes: "scopes"
    # -- OIDC client ID
    clientID: ""
    # -- OIDC client secret
    clientSecret: ""
    # -- OIDC issuer URL
    issuerURL: ""
    # -- OIDC scopes to be used
    scopes: ""
    # -- OIDC callback URL
    callbackURL: ""
    # -- OIDC client to be used during token validation
    validatorClientID: ""
    # -- OIDC Issuer URL to be used during token validation
    validatorIssuerURL: ""
    # -- Use 'access_token' instead of 'id_token' when authenticating using OIDC
    useAccessToken: false
    # -- Use PKCE (Proof Key for Code Exchange) for enhanced security in OIDC flow
    usePKCE: false
    # Option 3:
    # @param config.oidc - External OIDC secret configuration
    # If you want to use an external secret for OIDC configuration, enable this option.
    # Provide the name of the secret to use.
    # Example:
    # config:
    #   oidc:
    #     secret:
    #       create: false
    #     externalSecret:
    #       enabled: true
    #       name: oidc
    externalSecret:
      enabled: false
      name: ""
    # -- URL to fetch additional user info for the /me endpoint.
    # For oauth2proxy /oauth2/userinfo can be used. Empty and it will not be used.
    meUserInfoURL: ""
  # -- directory to look for plugins
  pluginsDir: "/headlamp/plugins"
  enableHelm: false
  watchPlugins: false
  # tlsCertPath: "/headlamp-cert/headlamp-ca.crt"
  # tlsKeyPath: "/headlamp-cert/headlamp-tls.key"
  # Extra arguments that can be given to the container. See charts/headlamp/README.md for more information.
  extraArgs: []
 # -- An optional list of environment variables
 # env:
 #   - name: KUBERNETES_SERVICE_HOST
 #     value: "localhost"
 #   - name: KUBERNETES_SERVICE_PORT
 #     value: "6443"
 # -- Mount Service Account token in pod
 automountServiceAccountToken: true
 serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.(If not set and create is true, a name is generated using the fullname template)
  name: ""
 clusterRoleBinding:
  # -- Specified whether a cluster role binding should be created
  create: true
  # -- Set name of the Cluster Role with limited permissions from you cluster
  # for example - clusterRoleName: user-ro
  clusterRoleName: cluster-admin
  # -- Annotations to add to the cluster role binding
  annotations: {}
 # -- Annotations to add to the deployment
 deploymentAnnotations: {}
 # -- Annotations to add to the pod
 podAnnotations: {}
 # -- Labels to add to the pod
 podLabels: {}
 # -- Controls user namespace isolation for the Headlamp pod.
 # When true (default), the pod shares the host user namespace (user namespaces are DISABLED).
 # When false, the pod uses a separate user namespace (user namespaces are ENABLED) for stronger isolation,
 # if supported by the cluster. Set this to false if your cluster supports user namespaces and you want
 # additional isolation; leave as true if user namespaces are not available.
 # See: https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/
 hostUsers: true
 # -- Headlamp pod's Security Context
 podSecurityContext:
  {}
  # fsGroup: 2000
 # -- Headlamp containers Security Context
 securityContext:
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  runAsNonRoot: true
  privileged: false
  runAsUser: 100
  runAsGroup: 101
 # Uses these defaults if this is empty.
 #   allowPrivilegeEscalation: false
 #   runAsNonRoot: true
 #   seccompProfile:
 #     type: RuntimeDefault
 #   capabilities:
 #     drop:
 #       - ALL
 service:
  # -- Annotations to add to the service
  annotations: {}
  # -- Kubernetes Service type
  type: ClusterIP
  # -- Kubernetes Service port
  port: 80
  # -- Kubernetes Service clusterIP
  clusterIP: ""
  # -- Kubernetes Service loadBalancerIP
  loadBalancerIP: ""
  # -- Kubernetes Service loadBalancerSourceRanges
  loadBalancerSourceRanges: []
  # -- Kubernetes Service Nodeport
  nodePort: null
 # -- Headlamp containers volume mounts
 volumeMounts: []
 # -- Headlamp pod's volumes
 volumes: []
 persistentVolumeClaim:
  # -- Enable Persistent Volume Claim
  enabled: false
  # -- Annotations to add to the persistent volume claim (if enabled)
  annotations:
    {}
  # -- accessModes for the persistent volume claim, eg: ReadWriteOnce, ReadOnlyMany, ReadWriteMany etc.
  accessModes: []
  # -- size of the persistent volume claim, eg: 10Gi. Required if enabled is true.
  size: ""
  # -- storageClassName for the persistent volume claim.
  storageClassName: ""
  # -- selector for the persistent volume claim.
  selector: {}
  # -- volumeMode for the persistent volume claim, eg: Filesystem, Block.
  volumeMode: ""
 ingress:
  # -- Enable ingress controller resource
  enabled: false
  # -- Annotations for Ingress resource
  annotations:
    {}
    # kubernetes.io/tls-acme: "true"
  # -- Additional labels to add to the Ingress resource
  labels: {}
    # app.kubernetes.io/part-of: traefik
    # environment: prod
  # -- Ingress class name. replacement for the deprecated "kubernetes.io/ingress.class" annotation
  ingressClassName: ""
  # -- Hostname(s) for the Ingress resource
  # Please refer to https://kubernetes.io/docs/reference/kubernetes-api/service-resources/ingress-v1/#IngressSpec for more information.
  hosts:
    []
    # - host: chart-example.local
    #   paths:
    #   - path: /
    #     type: ImplementationSpecific
  # -- Ingress TLS configuration
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
 # HTTPRoute configuration for Gateway API
 # Please refer to https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRoute
 httpRoute:
  # -- Enable HTTPRoute resource for Gateway API
  enabled: false
  # -- Annotations for HTTPRoute resource
  annotations: {}
  # -- Additional labels for HTTPRoute resource
  labels: {}
  # -- Parent references (REQUIRED when enabled - HTTPRoute will not work without this)
  # Example:
  # parentRefs:
  #   - name: my-gateway
  #     namespace: gateway-namespace
  parentRefs: []
  # -- Hostnames for the HTTPRoute
  # Example:
  # hostnames:
  #   - headlamp.example.com
  hostnames: []
  # -- Custom routing rules (optional, defaults to path prefix /)
  # If not specified, a default rule routing all traffic to the service is used
  rules: []
  # Example custom rules:
  # rules:
  #   - matches:
  #       - path:
  #           type: PathPrefix
  #           value: /headlamp
  #     backendRefs:
  #       - name: "{{ .Release.Name }}-headlamp"
  #         port: 80
 # -- CPU/Memory resource requests/limits
 resources:
  {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
 # -- Node labels for pod assignment
 nodeSelector: {}
 # -- Toleration labels for pod assignment
 tolerations: []
 # -- Affinity settings for pod assignment
 affinity: {}
 # -- Topology Spread Constraints for pod assignment
 topologySpreadConstraints: []
 #  - maxSkew: 1
 #    topologyKey: topology.kubernetes.io/zone
 #    whenUnsatisfiable: ScheduleAnyway
 #    matchLabelKeys:
 #      - pod-template-hash
 #  - maxSkew: 1
 #    topologyKey: kubernetes.io/hostname
 #    whenUnsatisfiable: DoNotSchedule
 #    matchLabelKeys:
 #      - pod-template-hash
 # -- Pod priority class
 priorityClassName: ""
 # Plugin Manager Sidecar Container Configuration
 pluginsManager:
  # -- Enable plugin manager
  enabled: false
  # -- Plugin configuration file name
  configFile: "plugin.yml"
  # -- Plugin configuration content in YAML format. This is required if plugins.enabled is true.
  configContent: ""
  # -- Base node image to use
  baseImage: node:lts-alpine
  # -- Headlamp plugin package version to install
  version: latest
  # -- Plugin manager containers volume mounts
  volumeMounts: []
  # -- Plugin manager env variable configuration
  # env:
  # - name: HTTPS_PROXY
  #   value: "proxy.example.com:8080"
  # -- Specify resrouces
  # resources:
  #   requests:
  #     cpu: "500m"
  #     memory: "2048Mi"
  #   limits:
  #     cpu: "1000m"
  #     memory: "4096Mi"
  # If omitted, the plugin manager will inherit the global securityContext
  securityContext:
    {}
    # runAsUser: 1001
    # runAsNonRoot: true
    # allowPrivilegeEscalation: false
    # readOnlyRootFilesystem: true
    # capabilities:
    #   drop:
    #     - ALL
 podDisruptionBudget:
  # -- enable PodDisruptionBudget
  # ref: https://kubernetes.io/docs/concepts/workloads/pods/disruptions/
  enabled: false
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Minimum number/percentage of pods that should remain scheduled.
  # When it's set, maxUnavailable must be disabled by `maxUnavailable: null`
  minAvailable: 0
  # @schema
  # type: [null, integer, string]
  # @schema
  # -- Maximum number/percentage of pods that may be made unavailable
  maxUnavailable: null
  # @schema
  # type: [null, string]
  # @schema
  # -- How are unhealthy, but running, pods counted for eviction
  unhealthyPodEvictionPolicy: null
 # -- Additional Kubernetes manifests to be deployed. Include the manifest as nested YAML.
 extraManifests: []
 # - |
 #   apiVersion: v1
 #   kind: ConfigMap
 #   metadata:
 #     name: my-config
 #   data:
 #     key: value
 # - |
 #   apiVersion: v1
 #   kind: ConfigMap
 #   metadata:
 #     name: my-config-too
 #   data:
 #     key: value
--- a/manifests/headlamp/values.yaml
+++ b/manifests/headlamp/values.yaml
@ -0,0 +1,25 @@
 replicaCount: 1
 service:
  type: ClusterIP
  port: 80
 ingress:
  enabled: true
  className: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  hosts:
    - host: headlamp.dvirlabs.com
      paths:
        - path: /
          pathType: Prefix
  tls: true
 resources:
  requests:
    cpu: 50m
    memory: 64Mi
  limits:
    memory: 128Mi