Update .gitignore to exclude all .tmp files and enhance clarity in middleware-https-proto.yaml by adding X-Forwarded-Host and X-Forwarded-Port headers for improved redirect handling in Headlamp.

.gitignore

@@ -6,7 +6,7 @@ talos/kubeconfig
 # Local secrets
 age-key.txt
 .env
-.tmp
+.tmp*
 
 # Generated by ansible noble_landing_urls
 ansible/output/noble-lab-ui-urls.md

clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml

@@ -1,7 +1,10 @@
 # Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
 # X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
 # the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
-# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
+# Also set host/port so post-callback redirects and cookie/session logic match the browser URL
+# (see Headlamp in-cluster OIDC docs: X-Forwarded-Proto; missing Forwarded-* can strand users
+# after IdP login).
+# Ingress ref: <namespace>-headlamp-https-proto@kubernetescrd (e.g. headlamp-headlamp-https-proto@kubernetescrd).
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -14,3 +17,5 @@ spec:
   headers:
     customRequestHeaders:
       X-Forwarded-Proto: "https"
+      X-Forwarded-Host: "headlamp.apps.noble.lab.pcenicni.dev"
+      X-Forwarded-Port: "443"