feat: migrate cluster dashboard from legacy k8s-dashboard to Headlamp

[BetoFandino]

Description

This PR replaces the deprecated kubernetes-dashboard with Headlamp, a modern, extensible, and open-source Kubernetes UI from Kubernetes SIGs.

Since the original dashboard has been moved to a "retired" status, this migration ensures the Harmony project remains up-to-date with current Kubernetes ecosystem standards.

Key Changes

1. Chart Dependency Update

• Removed: kubernetes-dashboard (v7.14.0) from the kubernetes-retired repository.
• Added: headlamp (v0.40.0) from the kubernetes-sigs official repository.

2. Values Configuration

• Refactored values.yaml to replace the k8sdashboard key with headlamp.
• Updated comments and internal references to reflect Headlamp as the default cluster UI.
• Cleaned up templates/NOTES.txt to prevent nil pointer evaluation errors when legacy dashboard values are absent.

Recommended Configuration

Ingress Values

The following configuration is recommended for production-like environments using Nginx Ingress and Cert-Manager.

Note: Headlamp's internal service operates on port 80 (HTTP). The Ingress is configured for SSL Termination (HTTPS externally, HTTP internally) to avoid 502/503 errors.

headlamp:
  enabled: true
  ingress:
    enabled: true
    ingressClassName: nginx
    annotations:
      cert-manager.io/cluster-issuer: "letsencrypt-global"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      # Required to match Headlamp's default service protocol
      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    tls:
      - hosts:
          - url.dashboard.example.net
        secretName: headlamp-tls
    hosts:
      - host: url.dashboard.example.net
        paths:
          - path: /
            type: Prefix

Security & RBAC

Unlike the previous panel, Headlamp requires explicit authentication. This example provides a GitOps-compatible RBAC configuration that automates token generation for Kubernetes 1.24+ via Secret annotations.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: admin-user
  namespace: {namespace}
---
apiVersion: v1
kind: Secret
metadata:
  name: admin-user-token
  namespace: {namespace}
  annotations:
    # Triggers automatic token generation
    kubernetes.io/service-account.name: admin-user
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: admin-user-binding
subjects:
- kind: ServiceAccount
  name: admin-user
  namespace: {namespace}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin

Migration Guide

For existing installations:

1. Cleanup: The old dashboard will be automatically disabled as the k8sdashboard key is no longer supported.

2. Activation: Set headlamp.enabled: true in your implementation values and add the configurations in the ingress value shown in the examples.

3. Authentication: After implementation and if I configure RBAC as shown in the previous steps, retrieve the login token by running:

kubectl -n {namespace} get secret admin-user-token -o jsonpath={.data.token} | base64 -d