backend: Add optional TLS termination support

Add optional backend TLS termination by introducing tls-cert-path and
tls-key-path configuration fields (flags, config, HeadlampCFG). When both
paths are provided the server will call http.ListenAndServeTLS, otherwise it
falls back to plain HTTP. Log the configured TLS certificate and key paths
at startup.

Also:
- Update Helm chart to allow passing tls cert/key as args and add chart test
	case + expected template to mount TLS secret.
- Add documentation describing in-cluster TLS/backend termination and usage.
- Add a unit test TestStartHeadlampServerTLS and accompanying test cert/key
	fixtures.

No breaking changes; behavior is opt-in when TLS paths are set.

Co-authored-by: René Dudfield <renedudfield@microsoft.com>
Co-authored-by: vijayant7 <vijayantprakash@gmail.com>

Author: 3 people

backend/cmd/headlamp.go

@@ -377,6 +377,8 @@ func createHeadlampHandler(config *HeadlampConfig) http.Handler {
 	logger.Log(logger.LevelInfo, nil, nil, "Dynamic clusters support: "+fmt.Sprint(config.EnableDynamicClusters))
 	logger.Log(logger.LevelInfo, nil, nil, "Helm support: "+fmt.Sprint(config.EnableHelm))
 	logger.Log(logger.LevelInfo, nil, nil, "Proxy URLs: "+fmt.Sprint(config.ProxyURLs))
+	logger.Log(logger.LevelInfo, nil, nil, "TLS certificate path: "+config.TLSCertPath)
+	logger.Log(logger.LevelInfo, nil, nil, "TLS key path: "+config.TLSKeyPath)
 
 	plugins.PopulatePluginsCache(config.StaticPluginDir, config.PluginDir, config.cache)
 
@@ -1095,15 +1097,18 @@ func StartHeadlampServer(config *HeadlampConfig) {
 	}
 
 	handler := createHeadlampHandler(config)
-
 	handler = config.OIDCTokenRefreshMiddleware(handler)
 
 	addr := fmt.Sprintf("%s:%d", config.ListenAddr, config.Port)
 
-	// Start server
-	if err := http.ListenAndServe(addr, handler); err != nil { //nolint:gosec
-		logger.Log(logger.LevelError, nil, err, "Failed to start server")
+	if config.TLSCertPath != "" && config.TLSKeyPath != "" {
+		err = http.ListenAndServeTLS(addr, config.TLSCertPath, config.TLSKeyPath, handler) //nolint:gosec
+	} else {
+		err = http.ListenAndServe(addr, handler) //nolint:gosec
+	}
 
+	if err != nil {
+		logger.Log(logger.LevelError, nil, err, "Failed to start server")
 		HandleServerStartError(&err)
 	}
 }

backend/cmd/headlamp_test.go

@@ -1018,6 +1018,51 @@ func TestStartHeadlampServer(t *testing.T) {
 	}
 }
 
+func TestStartHeadlampServerTLS(t *testing.T) {
+	tempDir, err := os.MkdirTemp("", "headlamp-test")
+	require.NoError(t, err)
+	defer os.RemoveAll(tempDir)
+
+	cfg := &HeadlampConfig{
+		HeadlampCFG: &headlampconfig.HeadlampCFG{
+			Port:            8185,
+			PluginDir:       tempDir,
+			KubeConfigStore: kubeconfig.NewContextStore(),
+			TLSCertPath:     "headlamp_testdata/headlamp.crt",
+			TLSKeyPath:      "headlamp_testdata/headlamp.key",
+		},
+		cache:           cache.New[interface{}](),
+		telemetryConfig: GetDefaultTestTelemetryConfig(),
+	}
+
+	go StartHeadlampServer(cfg)
+	time.Sleep(200 * time.Millisecond)
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	pool, err := x509.SystemCertPool()
+	if pool == nil {
+		pool = x509.NewCertPool()
+	}
+
+	require.NoError(t, err)
+	crt, err := os.ReadFile("headlamp_testdata/headlamp.crt")
+	require.NoError(t, err)
+	pool.AppendCertsFromPEM(crt)
+
+	req, err := http.NewRequestWithContext(ctx, "GET", "https://localhost:8185/config", nil)
+	require.NoError(t, err)
+
+	resp, err := (&http.Client{
+		Transport: &http.Transport{TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: pool}},
+	}).Do(req)
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	assert.Equal(t, http.StatusOK, resp.StatusCode)
+}
+
 //nolint:funlen
 func TestHandleClusterHelm(t *testing.T) {
 	// Set up test environment

backend/cmd/headlamp_testdata/headlamp.crt

@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFIzCCAwugAwIBAgIUR/w8+wnm5l79eym3uorgYBd75K0wDQYJKoZIhvcNAQEL
+BQAwEzERMA8GA1UEAwwIaGVhZGxhbXAwHhcNMjUwMzI2MDkzMzMyWhcNMzUwMzI0
+MDkzMzMyWjATMREwDwYDVQQDDAhoZWFkbGFtcDCCAiIwDQYJKoZIhvcNAQEBBQAD
+ggIPADCCAgoCggIBAMgmg41Bh/3uBBNuIiJH9A3aGV4/BcNFdzTH+LBQh0XV06kv
+3lfazvIfcayHhRxzIKiakf/8pCgp4vexK7QNzE+x4C1P2CoD8Bnn3pH6NP6ruQ9i
+ygFtZT4npcf2JRjZGGIXMnZQdrxckW77iWIquYaK604YLjTv4mylIXOLz/CqA675
+fJZb+NR0IhtPzMxKq2g+PryvFrZowwqsu+takyhRsOuPjsS3Netdcsz4/MnjQAxc
+hHnSc9hHJ2UWKbH/akx4+MIgzDWFuC+HVXPjPZfP0GwEJ6DKcmLEA06v/sWizs/E
+G43aHOLsz1oxn8qs7bdfIQGvO+zhQlZFO+k01q4VBzisk1P6LMvdmag7OkR+FjxE
+J3LpWn0un/iQ07fF/mU7ne9s7KSdBHm8i9ZjmQvmyg9Z/T5wZdmMFDJ7zOc4U7dv
+sSeQKapo7dbiUogXf9y99jJDtKjV2mrQ0k3o9zzH0LUztmf6GDHWb0r8HDcverOE
+wjl80zsh58IDR60ij7q1Ri1NVx27lbUkN/6uLO6K/D7weMwLHtWRebCB175Fghzd
+YHU5G4VolfvjhHcC815Ta1qToxjtSZ7gox0FO8Pk0zfyhanXn2yQqsf7vEbpE/OH
+XQGBbKxMgnCUrWrHxsNqggB2SbVdX4K9/tvU3DEf4M3npApNMbVVhZgT1BMTAgMB
+AAGjbzBtMB0GA1UdDgQWBBSjm04cqdUTx9EQ7NMA32j5lEVn9zAfBgNVHSMEGDAW
+gBSjm04cqdUTx9EQ7NMA32j5lEVn9zAPBgNVHRMBAf8EBTADAQH/MBoGA1UdEQQT
+MBGCCWxvY2FsaG9zdIcEfwAAATANBgkqhkiG9w0BAQsFAAOCAgEAkhSkyfvD2jnf
+L7eFARu9u2T1eWNBOsX1fLfaKp69EnDNxrH3hDl07aHlN2pSgiKa5BH6Qjs0oRO2
+e/w4Pr+DqwF6MoypLu1QmKz3FD9qezD9F6i5glFAex+pI+3jYHLyaGV+JjbxDl7D
+Ou8qcUlIApe5RekTZqXbGWzrMvl3Ty3rK2pFIScg+CstibErLPT+cnBLlO7K+8YX
+1PeqHB0d7luQlIpSWH+hY6/Qv3hzjewU0Rb5wmEwlg98QnaiegXSirNIdGeRvVvI
+wDqeU1WDaVuCtY71MQreF9x+xi8ly+04EKxVSPRUFfph38CUrxgSWk6o80PCXIjV
+T7EkNHI47kbagiIYsTS6PhWMPvhEA+JLCU784zRKtWIWX5dTn5/nuFnoCotAh2nf
+XkDGAQT8Pi8EGsEX8rCP1L0quPSDoyZcC3VlH8C3Q2f3AnL988q/s+gimAntk6oY
+qXvfR7TwX12PYBeLj8+u6I9HvU5TA261BCycwGOoDgl8Bg25S3U2x6hSQwy88PFR
+co//bJl17Z8P1uLOyO6oLqqtPU1qpjfUQUqGI3ULvkGFVINNLRHCSCI3SKV+pZ/5
+Si8RolSDHuURXDzEf3V4J7mAwtcz7bAxLzJitq4Y+n1YMQB756iXQlFO1R/rLube
+AQ5EE7bu3GMww0Tm1HFOxvESIzCFkJo=
+-----END CERTIFICATE-----

backend/cmd/headlamp_testdata/headlamp.key

@@ -0,0 +1,52 @@
+-----BEGIN PRIVATE KEY-----
+MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQDIJoONQYf97gQT
+biIiR/QN2hlePwXDRXc0x/iwUIdF1dOpL95X2s7yH3Gsh4UccyCompH//KQoKeL3
+sSu0DcxPseAtT9gqA/AZ596R+jT+q7kPYsoBbWU+J6XH9iUY2RhiFzJ2UHa8XJFu
++4liKrmGiutOGC407+JspSFzi8/wqgOu+XyWW/jUdCIbT8zMSqtoPj68rxa2aMMK
+rLvrWpMoUbDrj47EtzXrXXLM+PzJ40AMXIR50nPYRydlFimx/2pMePjCIMw1hbgv
+h1Vz4z2Xz9BsBCegynJixANOr/7Fos7PxBuN2hzi7M9aMZ/KrO23XyEBrzvs4UJW
+RTvpNNauFQc4rJNT+izL3ZmoOzpEfhY8RCdy6Vp9Lp/4kNO3xf5lO53vbOyknQR5
+vIvWY5kL5soPWf0+cGXZjBQye8znOFO3b7EnkCmqaO3W4lKIF3/cvfYyQ7So1dpq
+0NJN6Pc8x9C1M7Zn+hgx1m9K/Bw3L3qzhMI5fNM7IefCA0etIo+6tUYtTVcdu5W1
+JDf+rizuivw+8HjMCx7VkXmwgde+RYIc3WB1ORuFaJX744R3AvNeU2tak6MY7Ume
+4KMdBTvD5NM38oWp159skKrH+7xG6RPzh10BgWysTIJwlK1qx8bDaoIAdkm1XV+C
+vf7b1NwxH+DN56QKTTG1VYWYE9QTEwIDAQABAoICAAzcqLyFlwsi5gEnpSrly9Gu
+D85GJ4UmbCQoq5sM+bxrosfvCw9DQOQ/UAtBxDSRU2pyUGqOXjA0jODU8lWGQ3hl
+ml3fESmWCjJn+54O4aPx/hj2hLu1v3lQi+8/KqAfp1j6W6RNxGuTWUc0A96al0SF
+ndxtYl7FgZvwuqcVt32kN0thvfddnq5sbhqqNKN2MvCme1qdt8xuDAaeFg9oSSeg
+pElm9so+ackfvrZcU8ZXg7Cnq122v/oIjIgK9g/5tWeHqJi1Cdpwpubq//tMAZPF
+Z4PhenhzOgmNxhai6bDipv6kAA9MEmokxKhrovSfy0Dq7JCSpbuxuBUaKuDwI9F7
+4NKDqV1aeeJLObgCjrWQFqSjSENuDhrGa5tkPkLioPr26jgqeFVDIaQaMvoQGqx4
+gBjVnPhWelsYZ+/xyv/n3+Dyotn/kXZkWbeuQtMhk1sSFmtaI+yVKiMofSnv4401
+CvVgJE/hsQd4e5HUnueWzdYGcww99iHPfqp1ui5zs+1BPE9Yw+Sb14UBnRaEnAGB
+gEMmHLRhOcluPa61QXPhCRkMiolamBs6M+wwZn2OGcWBBhiSP/ppPQnw6TKEmdqe
+ZR/jGTEyLekw+wgxTtFf9PU6KEt8VWxfsaXjQkW6l5heODpVgUe9ANQbcsVNkGhu
+Pea4qQwns/ftvmNmmLZFAoIBAQDTn2N1KZW72AeipBvHDm3fEchU5sf5/H88SIcA
+EWnqTdDvhxRgWKeIakVl1ipzIpy+Dbrcyj1MmCf+vV+jOc9SuZuEraNPM8zfaXHB
+eBV29+JYj/FCwaL0TXb7xEfp9ewtIatoAhF70piPf5WqcdBIFBwZsoq71+X89XjD
+WdxpWiB8Ia/aVvAR0QGQ65iqaV3Z/4vcR2s7m2be4yL2Hdurfqk2LgTfR3JvFMj/
+rP9galvjt7pj2jSVe+b4GSOvOahdG+U+N2v6TuniIhNzSvPd54x+b2Hk+xf6w3Kz
+tP0SGIGLAFIAzKF29zLz6nw0xIadGUqtlzcYR2xXyiF3z5BnAoIBAQDyH0LQgoMz
+Ggfop3w1CB6LESx8OKGN/GkUkjwskxDOLE2rmmwDGHUav2QoFP+bMirDrMdkYUvB
+/LUAQMR0xHhH2F1aaopl4+fSRXME6/22HGiS9YexsrKo4n0zZ8dDBnnPtZutBsrl
+6tXhRPjPat4vAtok0ZQB6KefhdD9wT+S3F8JyU5drj8f9XYFgm3f3k3TjtmnurGw
+xqb0DDULlF8+cNyAG0FixDB/b/j4xYH+TVd9AfkYcJ75GiVTe8EfCP5OryFVI/J3
+pLy9K3q8O04SqQhqH6RA4AuS/5oqRL79HWgmKhXuz3VSmjXRI19U22WpY33X7Nzj
+B2yJu8Iq08x1AoIBAQDJopi1TcYpkRDVWuBMrebqIJtsqefovTjOS5y15+GvKi3l
+zCMSGeanB/rPqVwRD+2g+JwPO3Nkw6V4ByBU+gQcolUX+gocsRKH3IRS/wQUsuOr
+1preLHoDpLu177NFrNg3uFkFZNMb0/Eg6UPFf2QhCWgs4/1kNbYhbBKAr+JfT0yc
+ecyAkU107Fw9pP11gae2ytKMNFBsHwnJXUo2jwR7Rtgbk4V46S6TwI4zbrZ1O2IK
+e0jRU1u/AqtzwSBLGPjennGy8kOj4AThPe6ib8wkpzcqUR5JeyXB/PARYmWvFEJ6
+GvgHYvKF08tstQNbk9VfYnXRKL+KFqOYkjOJYPAJAoIBAEW2xpAu5AP0vM46W0MR
+wWmdWkeyLqIpSUBJEtZqye3zR7HfVrZVdnJrJTV9RlOzUCjjOM4oTZ3fW2ZlP6u3
+XkKhg8+i2ZKY2ojqwkFqibTD3UBjPdzmbRa/j/kbKn6cALrTua1KRWWKBmdEaree
+N7clhRYQ2iLqkEkYSKKn39wzY5H3yn6iyz4yePcBJQ3Ofm4ptXXcBYm2yR9/3E4n
+PH1IFdU1A9CiWKx42yEWDWXhcw1lYgmtc7iZ1KGDAoojFsYlGt3e6dOVNVrqh/5m
+vQYWcXvM/IhJekurGQKOpMdQjkpe183ZIhjUmiZLnwlZ2p25LeTcKIWd/5xw2Wln
+bnkCggEASBZJ5pjzMxBbzQgIgxjV7ZXjI/Hpe3fL3sCcjyGTy4kgFJYuWWHYsEWq
+ymNe9Z3DTUqfExAlmidgssP+RPeeckARaE1XrPNP+zPYuudkDWeVpDZUrtBaYIsY
+5jpBsuiZKMxPm1NRcC08m0aCs01HG5TVbHWp6IGORCXKGsRAg7YrfYqyNuHHEhaU
+iqkZOL3H2G6dU6FJM0ekp04bhtuXK8K1ECPLH7QRl6K4D6F7M8pY5Qk4IXDE+Gsq
+n/gk7OI5VCMzihpiEcdGcyw4p33leN6HNoHLHczzs8mvfI1TxP5UXa3JFC7tVT0P
+XgrdPr+sPnhXC+ydU3uPmvJS4irwFg==
+-----END PRIVATE KEY-----

backend/cmd/server.go

@@ -77,6 +77,8 @@ func createHeadlampConfig(conf *config.Config) *HeadlampConfig {
 			KubeConfigStore:       kubeConfigStore,
 			BaseURL:               conf.BaseURL,
 			ProxyURLs:             strings.Split(conf.ProxyURLs, ","),
+			TLSCertPath:           conf.TLSCertPath,
+			TLSKeyPath:            conf.TLSKeyPath,
 		},
 		oidcClientID:              conf.OidcClientID,
 		oidcValidatorClientID:     conf.OidcValidatorClientID,

backend/pkg/config/config.go

@@ -56,6 +56,9 @@ type Config struct {
 	UseOTLPHTTP        *bool    `koanf:"use-otlp-http"`
 	StdoutTraceEnabled *bool    `koanf:"stdout-trace-enabled"`
 	SamplingRate       *float64 `koanf:"sampling-rate"`
+	// TLS config
+	TLSCertPath string `koanf:"tls-cert-path"`
+	TLSKeyPath  string `koanf:"tls-key-path"`
 }
 
 func (c *Config) Validate() error {
@@ -353,6 +356,9 @@ func flagset() *flag.FlagSet {
 	f.Bool("use-otlp-http", false, "Use HTTP instead of gRPC for OTLP export")
 	f.Bool("stdout-trace-enabled", false, "Enable tracing output to stdout")
 	f.Float64("sampling-rate", 1.0, "Sampling rate for traces")
+	// TLS flags
+	f.String("tls-cert-path", "", "Certificate for serving TLS")
+	f.String("tls-key-path", "", "Key for serving TLS")
 
 	return f
 }

backend/pkg/headlampconfig/headlampConfig.go

@@ -25,4 +25,6 @@ type HeadlampCFG struct {
 	Metrics               *telemetry.Metrics
 	BaseURL               string
 	ProxyURLs             []string
+	TLSCertPath           string
+	TLSKeyPath            string
 }

charts/headlamp/README.md

@@ -73,6 +73,8 @@ $ helm install my-headlamp headlamp/headlamp \
 | config.baseURL | string | `""` | Base URL path for Headlamp UI |
 | config.pluginsDir | string | `"/headlamp/plugins"` | Directory to load Headlamp plugins from |
 | config.extraArgs | array | `[]` | Additional arguments for Headlamp server |
+| config.tlsCertPath | string | `""` | Certificate for serving TLS |
+| config.tlsKeyPath | string | `""` | Key for serving TLS |
 
 ### OIDC Configuration
 

charts/headlamp/templates/deployment.yaml

@@ -263,6 +263,12 @@ spec:
             {{- with .Values.config.baseURL }}
             - "-base-url={{ . }}"
             {{- end }}
+            {{- with .Values.config.tlsCertPath }}
+            - "-tls-cert-path={{ . }}"
+            {{- end }}
+            {{- with .Values.config.tlsKeyPath }}
+            - "-tls-key-path={{ . }}"
+            {{- end }}
             {{- with .Values.config.extraArgs }}
               {{- toYaml . | nindent 12 }}
             {{- end }}

charts/headlamp/tests/expected_templates/tls-added.yaml

@@ -0,0 +1,141 @@
+---
+# Source: headlamp/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: headlamp
+  namespace: default
+  labels:
+    helm.sh/chart: headlamp-0.35.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.35.0"
+    app.kubernetes.io/managed-by: Helm
+---
+# Source: headlamp/templates/secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: oidc
+  namespace: default
+type: Opaque
+data:
+---
+# Source: headlamp/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: headlamp-admin
+  labels:
+    helm.sh/chart: headlamp-0.35.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.35.0"
+    app.kubernetes.io/managed-by: Helm
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: headlamp
+  namespace: default
+---
+# Source: headlamp/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: headlamp
+  namespace: default
+  labels:
+    helm.sh/chart: headlamp-0.35.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.35.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  type: ClusterIP
+  
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+---
+# Source: headlamp/templates/deployment.yaml
+# This block of code is used to extract the values from the env.
+# This is done to check if the values are non-empty and if they are, they are used in the deployment.yaml.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: headlamp
+  namespace: default
+  labels:
+    helm.sh/chart: headlamp-0.35.0
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/instance: headlamp
+    app.kubernetes.io/version: "0.35.0"
+    app.kubernetes.io/managed-by: Helm
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: headlamp
+      app.kubernetes.io/instance: headlamp
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: headlamp
+        app.kubernetes.io/instance: headlamp
+    spec:
+      serviceAccountName: headlamp
+      automountServiceAccountToken: true
+      securityContext:
+        {}
+      containers:
+        - name: headlamp
+          securityContext:
+            privileged: false
+            runAsGroup: 101
+            runAsNonRoot: true
+            runAsUser: 100
+          image: "ghcr.io/headlamp-k8s/headlamp:v0.35.0"
+          imagePullPolicy: IfNotPresent
+          
+          env:
+          args:
+            - "-in-cluster"
+            - "-plugins-dir=/headlamp/plugins"
+            # Check if externalSecret is disabled
+            - "-tls-cert-path=/headlamp-cert/headlamp-ca.crt"
+            - "-tls-key-path=/headlamp-cert/headlamp-tls.key"
+          ports:
+            - name: http
+              containerPort: 4466
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: "/"
+              port: http
+          readinessProbe:
+            httpGet:
+              path: "/"
+              port: http
+          resources:
+            {}
+          volumeMounts:
+            - mountPath: /headlamp-cert
+              name: headlamp-cert
+      volumes:
+        - name: headlamp-cert
+          secret:
+            items:
+            - key: tls.crt
+              path: headlamp-ca.crt
+            - key: tls.key
+              path: headlamp-tls.key
+            secretName: headlamp-tls