follow similar steps to legacy k8s dashboard and update access notes

Pearl1594 · Pearl1594 · commit 887317eb1b78 · 2026-03-10T13:21:21.000-04:00
diff --git a/scripts/util/create-kubernetes-binaries-iso.sh b/scripts/util/create-kubernetes-binaries-iso.sh
@@ -102,55 +102,6 @@ echo "Downloading Headlamp manifest from ${HEADLAMP_DASHBOARD_URL}"
 headlamp_conf_file="${working_dir}/headlamp.yaml"
 curl -sSL ${HEADLAMP_DASHBOARD_URL} -o ${headlamp_conf_file}
 
-# Patch the Headlamp manifest to add missing components
-echo "Patching Headlamp manifest with missing ServiceAccount and ClusterRoleBinding..."
-
-if ! grep -q "kind: ServiceAccount" ${headlamp_conf_file}; then
-  echo "Adding missing ServiceAccount to Headlamp manifest"
-  cat > ${headlamp_conf_file}.tmp << 'EOF'
----
-# ServiceAccount for Headlamp (added by CloudStack)
-kind: ServiceAccount
-apiVersion: v1
-metadata:
-  name: headlamp-admin
-  namespace: kube-system
----
-# ClusterRoleBinding to grant cluster-admin permissions to Headlamp (added by CloudStack)
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: headlamp-admin
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-  - kind: ServiceAccount
-    name: headlamp-admin
-    namespace: kube-system
----
-EOF
-  cat ${headlamp_conf_file} >> ${headlamp_conf_file}.tmp
-  mv ${headlamp_conf_file}.tmp ${headlamp_conf_file}
-fi
-
-if grep -q "kind: Deployment" ${headlamp_conf_file} && ! grep -q "serviceAccountName:" ${headlamp_conf_file}; then
-  echo "Adding serviceAccountName to Headlamp Deployment"
-  awk '/kind: Deployment/,0 {
-    if (/^    spec:$/ && !found) {
-      print
-      print "      serviceAccountName: headlamp-admin"
-      found=1
-      next
-    }
-  }
-  {print}' ${headlamp_conf_file} > ${headlamp_conf_file}.tmp
-  mv ${headlamp_conf_file}.tmp ${headlamp_conf_file}
-fi
-
-echo "Headlamp manifest patched successfully"
-
 # TODO : Change the url once merged
 AUTOSCALER_URL="https://raw.githubusercontent.com/kubernetes/autoscaler/master/cluster-autoscaler/cloudprovider/cloudstack/examples/cluster-autoscaler-standard.yaml"
 echo "Downloading kubernetes cluster autoscaler ${AUTOSCALER_URL}"
diff --git a/ui/src/views/compute/KubernetesServiceTab.vue b/ui/src/views/compute/KubernetesServiceTab.vue
@@ -66,32 +66,62 @@
           </a-timeline>
         </a-card>
         <a-card :title="$t('label.kubernetes.dashboard')">
+          <p><strong>Note:</strong> CloudStack Kubernetes clusters use <strong>Headlamp</strong> dashboard (deployed in <code>kube-system</code> namespace). For backward compatibility with older clusters using Kubernetes Dashboard, please check your cluster configuration.</p>
           <a-timeline>
             <a-timeline-item>
               <p>
-                {{ $t('label.run.proxy.locally') }}<br><br>
-                <code><b>kubectl --kubeconfig /custom/path/kube.conf proxy</b></code>
+                <strong>Access Headlamp Dashboard (new clusters)</strong><br><br>
+                <strong>Step 1:</strong> Run port-forward command:<br>
+                <code><b>kubectl --kubeconfig /custom/path/kube.conf port-forward -n kube-system service/headlamp 8080:80</b></code><br><br>
+                <strong>Step 2:</strong> Open in your browser:<br>
+                <a href="http://localhost:8080"><code>http://localhost:8080</code></a>
               </p>
             </a-timeline-item>
             <a-timeline-item>
               <p>
-                {{ $t('label.open.url') }}<br><br>
+                <strong>Access Kubernetes Dashboard (legacy clusters)</strong><br><br>
+                <strong>Step 1:</strong> {{ $t('label.run.proxy.locally') }}<br>
+                <code><b>kubectl --kubeconfig /custom/path/kube.conf proxy</b></code><br><br>
+                <strong>Step 2:</strong> {{ $t('label.open.url') }}<br>
                 <a href="http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/"><code>http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/</code></a>
               </p>
             </a-timeline-item>
             <a-timeline-item>
+              <p>
+                <strong>Create Access Token for Headlamp (new clusters)</strong>
+              </p>
               <p v-html="$t('label.kubernetes.dashboard.create.token')"></p>
               <p v-html="$t('label.kubernetes.dashboard.create.token.desc')"></p>
-              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubernetes-dashboard-admin-user\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: kubernetes-dashboard-token\n  namespace: kubernetes-dashboard\n  annotations:\n    kubernetes.io/service-account.name: kubernetes-dashboard-admin-user\nEOF'" :rows="10" readonly />
+              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: headlamp-admin\n  namespace: kube-system\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: headlamp-admin\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: headlamp-admin\n  namespace: kube-system\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: headlamp-admin-token\n  namespace: kube-system\n  annotations:\n    kubernetes.io/service-account.name: headlamp-admin\nEOF'" :rows="12" readonly />
+              <br><br>
+              <p>{{ $t('label.token.for.dashboard.login') }}:</p>
+              <code><b>kubectl --kubeconfig /custom/path/kube.conf describe secret headlamp-admin-token -n kube-system</b></code>
+            </a-timeline-item>
+            <a-timeline-item>
+              <p>
+                <strong>Create Access Token for Kubernetes Dashboard (legacy clusters)</strong>
+              </p>
+              <p v-html="$t('label.kubernetes.dashboard.create.token.desc')"></p>
+              <a-textarea :value="'kubectl --kubeconfig /custom/path/kube.conf apply -f - <<EOF\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: rbac.authorization.k8s.io/v1\nkind: ClusterRoleBinding\nmetadata:\n  name: kubernetes-dashboard-admin-user\nroleRef:\n  apiGroup: rbac.authorization.k8s.io\n  kind: ClusterRole\n  name: cluster-admin\nsubjects:\n- kind: ServiceAccount\n  name: kubernetes-dashboard-admin-user\n  namespace: kubernetes-dashboard\n---\napiVersion: v1\nkind: Secret\ntype: kubernetes.io/service-account-token\nmetadata:\n  name: kubernetes-dashboard-token\n  namespace: kubernetes-dashboard\n  annotations:\n    kubernetes.io/service-account.name: kubernetes-dashboard-admin-user\nEOF'" :rows="12" readonly />
+              <br><br>
+              <p>{{ $t('label.token.for.dashboard.login') }}:</p>
+              <code><b>kubectl --kubeconfig /custom/path/kube.conf describe secret kubernetes-dashboard-token -n kubernetes-dashboard</b></code>
             </a-timeline-item>
             <a-timeline-item>
               <p>
-                {{ $t('label.token.for.dashboard.login') }}<br><br>
-                <code><b>kubectl --kubeconfig /custom/path/kube.conf describe secret $(kubectl --kubeconfig /custom/path/kube.conf get secrets -n kube-system | grep headlamp-admin | awk '{print $1}') -n kube-system</b></code>
+                <strong>Important Notes:</strong><br>
+                • <strong>Port-forwarding is recommended for Headlamp</strong> - simpler and more reliable than kubectl proxy<br>
+                • Token is only needed if accessing Headlamp via NodePort or LoadBalancer with external access<br>
+                • For Kubernetes 1.24+, service account tokens are no longer auto-generated - use the Secret resource shown above or <code>kubectl create token</code> command<br>
+                • <strong>Cluster-admin role grants full control</strong> - use with caution and only for trusted administrators<br>
+                • Keep the port-forward command running while using the dashboard (press Ctrl+C to stop)
               </p>
             </a-timeline-item>
           </a-timeline>
-          <p>{{ $t('label.more.access.dashboard.ui') }}, <a href="https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui">https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui</a></p>
+          <p>{{ $t('label.more.access.dashboard.ui') }}:
+            <a href="https://headlamp.dev/docs/latest/">Headlamp Documentation</a> |
+            <a href="https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/#accessing-the-dashboard-ui">Kubernetes Dashboard (Legacy)</a>
+          </p>
         </a-card>
         <a-card :title="$t('label.access.kubernetes.nodes')">
           <p v-html="$t('label.kubernetes.access.details')"></p>
