From 95b18661444e47dcc525c5e5e412c2b05106cf52 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 18:35:49 -0400
Subject: [PATCH] Update .gitignore to exclude all .tmp files and enhance clarity in middleware-https-proto.yaml by adding X-Forwarded-Host and X-Forwarded-Port headers for improved redirect handling in Headlamp.

---
 .gitignore | 2 +-
 .../noble/bootstrap/headlamp/middleware-https-proto.yaml | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.gitignore b/.gitignore
index 6c3b096..67b5f7d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -6,7 +6,7 @@ talos/kubeconfig
 # Local secrets
 age-key.txt
 .env
-.tmp
+.tmp*
 # Generated by ansible
 noble_landing_urls
 ansible/output/noble-lab-ui-urls.md
\ No newline at end of file
diff --git a/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml b/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml
index 5be7357..b4fdc24 100644
--- a/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml
+++ b/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml
@@ -1,7 +1,10 @@
 # Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
 # X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
 # the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
-# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
+# Also set host/port so post-callback redirects and cookie/session logic match the browser URL
+# (see Headlamp in-cluster OIDC docs: X-Forwarded-Proto; missing Forwarded-* can strand users
+# after IdP login).
+# Ingress ref: -headlamp-https-proto@kubernetescrd (e.g. headlamp-headlamp-https-proto@kubernetescrd).
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
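Review bot: The added `# Ingress ref:` line reads `-headlamp-https-proto@kubernetescrd` with a dangling leading dash — the namespace placeholder appears to have been dropped, and the sentence the removed line carried (that the prefix is the Middleware's own namespace) is gone with it, so a reader now has to guess what the dash stands for. Suggest `# Ingress ref: <namespace>-headlamp-https-proto@kubernetescrd, where <namespace> is the namespace this Middleware lives in (e.g. headlamp-headlamp-https-proto@kubernetescrd).` The same comment block claims "missing Forwarded-* can strand users after IdP login"; if that is taken from the Headlamp docs it would be worth a link or section name so the claim can be checked when Headlamp is upgraded. The Middleware's spec continues past this hunk.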
@@ -14,3 +17,5 @@ spec: headers: customRequestHeaders: X-Forwarded-Proto: "https" + X-Forwarded-Host: "headlamp.apps.noble.lab.pcenicni.dev" + X-Forwarded-Port: "443"
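Review bot: The pinned `X-Forwarded-Host` value on the added line must match the Ingress host rule and the redirect URI registered in Authentik exactly, otherwise the callback is rejected for the same class of reason the http-scheme case was; a comment stating that coupling would prevent a future hostname change from silently breaking login, e.g. `# Must equal the Ingress host and the Authentik redirect URI — change all three together.` Setting the host statically rather than passing through the request's Host has a defensive upside — a client-supplied Host can no longer influence the redirect URL Headlamp builds — but it also means any other hostname routed to this service will be redirected to this one, so the middleware should be attached only to the Ingress for this host. As I read Traefik's headers middleware, `customRequestHeaders` overwrites whatever forwarded values Traefik itself set from the request, which is presumably the intended effect. Both values are correctly quoted strings, so `"443"` will not be coerced to an integer.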