Description
Is your feature request related to a problem? Please describe the impact that the lack of the feature requested is creating.
Currently, when deploying Headlamp in-cluster, users have to create a service account token and paste it into the frontend. But when users want to use an OIDC proxy in front of Headlamp for authentication, this extra step of pasting the service account token is redundant. At the same time, making in-cluster authenticated by default can lead to security issues where users have Headlamp open to the internet without proper authentication.
Describe the solution you'd like
Add a configuration option that allows users to explicitly opt-in to using Kubernetes service account tokens for authentication when running Headlamp in-cluster. This provides:
- New configuration flags:
  - --use-service-account-token: Enable service account token authentication (opt-in)
  - --service-account-token-path: Customize the path to the service account token (defaults to /var/run/secrets/kubernetes.io/serviceaccount/token)
- Security-first approach:
  - Users must explicitly opt-in to use service account authentication
  - This prevents accidental exposure of Headlamp without proper authentication
This enables users to deploy OAuth2Proxy in front of Headlamp for OIDC-based authentication.
What users will benefit from this feature?
In-cluster users who want to use OIDC-based authentication when the Kubernetes cluster itself doesn't have OIDC authentication.
Are you able to implement this feature?
Yes
Do you want to help implement this feature? Please see our contribution docs. For any non-trivial contributions, we advise you to join our Slack channel to discuss the implementation with Headlamp's core developers.
Additional context
Related to #2614
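
The opt-in gate requested above, sketched as an added example (not part of the issue and not Headlamp's own code). The two flag names and the default path come from the issue; `parseFlags`, `resolveToken` and `errNotOptedIn` are hypothetical names. The point is that the token is never read unless the operator asked for it, and that a missing or empty token file stops startup instead of leaving the UI unauthenticated.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
	"strings"
)

// Default path quoted in the issue.
const defaultTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// errNotOptedIn means the backend keeps requiring a user-supplied token.
var errNotOptedIn = errors.New("service account token auth not enabled")

// parseFlags (hypothetical) reads the two proposed flags; the opt-in defaults to false.
func parseFlags(args []string) (optIn bool, path string, err error) {
	fs := flag.NewFlagSet("headlamp-example", flag.ContinueOnError)
	fs.BoolVar(&optIn, "use-service-account-token", false, "opt in to service account token auth")
	fs.StringVar(&path, "service-account-token-path", defaultTokenPath, "token file path")
	err = fs.Parse(args)
	return
}

// resolveToken (hypothetical) returns the token only after opt-in and fails closed otherwise.
func resolveToken(optIn bool, path string) (string, error) {
	if !optIn {
		return "", errNotOptedIn
	}
	raw, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read service account token: %w", err)
	}
	token := strings.TrimSpace(string(raw)) // mounted token files may end in a newline
	if token == "" {
		return "", errors.New("service account token file is empty")
	}
	return token, nil
}

func main() {
	optIn, path, err := parseFlags(os.Args[1:])
	if err == nil {
		_, err = resolveToken(optIn, path) // the token value is never logged
	}
	if err != nil && !errors.Is(err, errNotOptedIn) {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
}
```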