Data Flow: Headlamp UI
Purpose: For platform engineers, explains how operators access the cluster through Headlamp UI, authenticated via Keycloak OIDC and scoped by RBAC.
Flow Summary
Components
| Component | Namespace | Role |
|---|---|---|
| MetalLB | metallb-system | Exposes Headlamp via external IP |
| Gateway API | gateway-system | Routes HTTPS traffic to Headlamp service |
| Headlamp | headlamp | Kubernetes web dashboard with plugin support |
| Keycloak | keycloak | Issues OIDC tokens for Headlamp authentication |
| RBAC Manager | rbac-manager | Maps group claims to RoleBindings |
| Kubernetes API | kube-system | Serves resource requests scoped by user's RBAC |
Sequence
- Operator opens Headlamp URL in browser.
- Request hits MetalLB external IP, forwarded to Gateway API.
- Gateway API terminates TLS and routes to the Headlamp service in the headlamp namespace.
- Headlamp redirects to Keycloak for OIDC authentication.
- Operator authenticates against the upstream IdP (via Keycloak federation).
- Keycloak issues a JWT with group claims; browser stores the token.
- Headlamp forwards the operator's requests to the Kubernetes API server, presenting the JWT as a bearer token.
- API server validates the JWT (signature against the issuer's published keys, issuer, audience and expiry), reads the groups claim named in its OIDC configuration (with the configured groups prefix applied), and enforces RBAC against those group names.
- Operator sees only the resources their RoleBindings permit.
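The last three steps, token validation followed by group extraction and an RBAC decision, as an added example in Python. This is not Headlamp, Keycloak or kube-apiserver code: it models what the API server's OIDC authenticator and RBAC authorizer do so the failure modes are visible. The issuer URL, client ID, group names and RoleBindings are constructed for the example, and the signature is HS256 over a shared secret purely to keep the block self-contained (the real API server verifies RS256 signatures against the issuer's JWKS).

```python
"""Model of the API-server side of the Headlamp flow: validate an OIDC JWT,
extract the groups claim, and decide a request against RoleBindings.
Added example for this page, not project code. HS256 with a shared secret is a
stand-in for the RS256/JWKS verification kube-apiserver actually performs."""
import base64
import hashlib
import hmac
import json
import time

# Constructed settings standing in for the kube-apiserver OIDC flags.
OIDC_ISSUER = "https://keycloak.example.internal/realms/opencenter"  # --oidc-issuer-url (assumed)
OIDC_CLIENT_ID = "headlamp"                                          # --oidc-client-id (assumed)
OIDC_GROUPS_CLAIM = "groups"                                         # --oidc-groups-claim
OIDC_GROUPS_PREFIX = "oidc:"                                         # --oidc-groups-prefix
SIGNING_SECRET = b"constructed-example-secret"                       # stand-in for the issuer's key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict) -> str:
    """Constructed Keycloak stand-in: sign a claim set as a compact JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def authenticate(token: str, now=None) -> dict:
    """Check signature, issuer, audience and expiry, then build the user info
    (username plus prefixed groups). Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SIGNING_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")          # claims were altered after issuance
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != OIDC_ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if OIDC_CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")      # token minted for another client
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    groups = claims.get(OIDC_GROUPS_CLAIM, [])
    if not isinstance(groups, list):
        raise ValueError("groups claim is not a list")
    return {"username": claims.get("preferred_username") or claims["sub"],
            "groups": [OIDC_GROUPS_PREFIX + g for g in groups]}


# Constructed RoleBindings of the kind RBAC Manager creates from group claims:
# each grants the listed verbs on pods in one namespace to one Group subject.
ROLE_BINDINGS = [
    {"namespace": "team-a", "kind": "Group", "name": "oidc:team-a-devs", "verbs": {"get", "list", "watch"}},
    {"namespace": "team-a", "kind": "Group", "name": "oidc:platform-admins", "verbs": {"*"}},
    {"namespace": "team-b", "kind": "Group", "name": "oidc:team-b-devs", "verbs": {"get", "list", "watch"}},
]


def authorize(user: dict, namespace: str, verb: str) -> bool:
    """RBAC decision: allow if any binding in the namespace names one of the user's groups."""
    for rb in ROLE_BINDINGS:
        if rb["namespace"] == namespace and rb["kind"] == "Group" and rb["name"] in user["groups"]:
            if "*" in rb["verbs"] or verb in rb["verbs"]:
                return True
    return False


def visible_namespaces(user: dict) -> list:
    """Namespaces where the user can list pods, i.e. what Headlamp would show."""
    return sorted({rb["namespace"] for rb in ROLE_BINDINGS if authorize(user, rb["namespace"], "list")})


def demo() -> dict:
    now = 1_700_000_000
    base = {"iss": OIDC_ISSUER, "aud": OIDC_CLIENT_ID, "sub": "u1",
            "preferred_username": "alice", "exp": now + 300, "groups": ["team-a-devs"]}
    user = authenticate(mint_token(base), now=now)

    def rejected(token):
        try:
            authenticate(token, now=now)
            return False
        except ValueError:
            return True

    # Tampered body: claim platform-admins without re-signing.
    h, _, s = mint_token(base).split(".")
    forged = f"{h}.{_b64url(json.dumps({**base, 'groups': ['platform-admins']}).encode())}.{s}"
    return {"user": user,
            "visible": visible_namespaces(user),
            "can_delete_team_a": authorize(user, "team-a", "delete"),
            "expired_rejected": rejected(mint_token({**base, "exp": now - 1})),
            "wrong_aud_rejected": rejected(mint_token({**base, "aud": "other-client"})),
            "forged_groups_rejected": rejected(forged)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The groups prefix matters operationally: the RoleBinding subject must be the prefixed name (here `oidc:team-a-devs`), otherwise a correctly issued token yields an authenticated user with no permissions and the dashboard shows nothing.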
Deployment
Headlamp is deployed via FluxCD from openCenter-gitops-base. The branding plugin (@opencenter/headlamp-plugin-branding) is injected as an init container or ConfigMap mount. Plugins run entirely client-side — no server component beyond the Headlamp container itself. Because a plugin executes in the operator's browser alongside the Headlamp UI, it has the same access to the session token as Headlamp does, so plugin sources need the same review and provenance controls as the Headlamp image.
Related
- Logical Diagram — full cluster architecture
- Auth Flow — Keycloak OIDC and RBAC details