A walkthrough of configuring Headlamp (a Kubernetes dashboard) to authenticate via Tailscale's tsidp OIDC server, with the Kubernetes API server configured to trust the same issuer. The core problem was that Headlamp accepted the OIDC token but the kube-apiserver did not, because it lacked the oidc-issuer-url, oidc-client-id, and claim mappings. The fix involved adding those flags to kube-apiserver and creating a ClusterRoleBinding so the OIDC-derived identity maps to Kubernetes permissions. The result is a single Tailscale identity flowing through network access, DNS, HTTPS, authentication, and RBAC without kubeconfigs or static tokens.
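The two configuration pieces the summary describes, shown together as an added illustration (not the article's own manifests): the kube-apiserver OIDC flags and the ClusterRoleBinding that gives the resulting identity permissions. The issuer URL, client ID and user address are placeholders, and the claim names assume tsidp issues standard `email` and `groups` claims, which should be checked against a decoded token before relying on them.

```yaml
# Added illustration, not the article's own manifests. Issuer, client ID and
# user address are placeholders; the claim names are an assumption to verify
# against the token tsidp actually issues.

# 1) kube-apiserver flags, as a fragment of the static pod manifest
#    (typically /etc/kubernetes/manifests/kube-apiserver.yaml)
spec:
  containers:
  - name: kube-apiserver
    command:
    - kube-apiserver
    # ... existing flags ...
    - --oidc-issuer-url=https://idp.example.ts.net   # placeholder; must be https and match the token's "iss"
    - --oidc-client-id=headlamp                       # placeholder; must match the token's "aud"
    - --oidc-username-claim=email                     # which claim becomes the Kubernetes username
    - --oidc-username-prefix=oidc:                    # keeps OIDC users from colliding with built-in users
    - --oidc-groups-claim=groups                      # only useful if the issuer puts groups in the token
    - --oidc-groups-prefix=oidc:
---
# 2) Map the resulting identity to permissions. Because of the prefix above,
#    the subject name is "oidc:<email>". Bound to the built-in read-only
#    "view" ClusterRole here; choose the narrowest role that fits the user.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-alice-view
subjects:
- kind: User
  name: oidc:alice@example.com   # placeholder user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
```

After the apiserver restarts, `kubectl auth can-i list pods --as=oidc:alice@example.com` confirms the binding resolves before anyone logs in through Headlamp, and a mismatch between the prefix and the subject name is the usual reason an accepted token still yields "forbidden".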

From tailscale.com
Table of contents: Why login was broken; Trust me, bro; Configuring kube-apiserver; Cluster level identity mapping; This is so nice
