
Fixing Headlamp OIDC login with Tailscale and tsidp

Blog post from Tailscale

Post Details
Author: Alex Kretzschmar
Word Count: 1,356
Summary

Alex Kretzschmar describes configuring the Headlamp Kubernetes dashboard to use Tailscale's tsidp as its OIDC provider, so that a single identity flows through the whole system. Although Tailscale had already been set up as the identity provider, logging into Headlamp initially failed because Headlamp and the Kubernetes API server were not configured to trust the same issuer: the API server did not recognize the OIDC issuer, so authentication failed. By configuring the Kubernetes API server to trust the same OIDC issuer as Headlamp and mapping the OIDC claims to Kubernetes identities, he aligned the components so that the Tailscale identity carries through to Kubernetes RBAC. The resulting setup eliminates the need for kubeconfigs and static tokens and makes Tailscale the network path, DNS, HTTPS layer, and identity provider for cluster access, giving a simpler and more consistent authentication flow.