From af3ab32de8d62714b037a75886cb3d5eacfbd0b8 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 18:27:42 -0400
Subject: [PATCH] Add middleware-https-proto.yaml to enforce HTTPS scheme for Headlamp and update kustomization.yaml and values.yaml accordingly

---
.../noble/bootstrap/headlamp/kustomization.yaml | 1 +
.../headlamp/middleware-https-proto.yaml | 16 ++++++++++++++++
clusters/noble/bootstrap/headlamp/values.yaml | 2 ++
3 files changed, 19 insertions(+)
create mode 100644 clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml

diff --git a/clusters/noble/bootstrap/headlamp/kustomization.yaml b/clusters/noble/bootstrap/headlamp/kustomization.yaml
index 07019bf..37d0543 100644
--- a/clusters/noble/bootstrap/headlamp/kustomization.yaml
+++ b/clusters/noble/bootstrap/headlamp/kustomization.yaml
@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
 - metrics-clusterrolebinding.yaml
 - oidc-noble-admins-clusterrolebinding.yaml
+ - middleware-https-proto.yaml
diff --git a/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml b/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml
new file mode 100644
index 0000000..5be7357
--- /dev/null
+++ b/clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml
@@ -0,0 +1,16 @@
+# Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
+# X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
+# the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
+# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: headlamp-https-proto
+ namespace: headlamp
+ labels:
+ app.kubernetes.io/name: headlamp
+ app.kubernetes.io/component: ingress-middleware
+spec:
+ headers:
+ customRequestHeaders:
+ X-Forwarded-Proto: "https"
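Review bot: The reference format given in the new file's header comment, `headlamp-https-proto@kubernetescrd`, does not match how Traefik's Kubernetes CRD provider exposes a Middleware to Ingress annotations: the name is `<namespace>-<name>@kubernetescrd`, which for `namespace: headlamp` and `name: headlamp-https-proto` is `headlamp-headlamp-https-proto@kubernetescrd`. As written Traefik would most likely resolve the string to a Middleware `https-proto` in namespace `headlamp`, not find it, and disable the router, so the Ingress stops routing altogether rather than merely losing the header; the same string is used in the `router.middlewares` annotation in the values.yaml hunk below. Suggest changing the comment to `# Reference from Ingress: headlamp-headlamp-https-proto@kubernetescrd (<namespace>-<name>, provider-qualified).`, fixing the annotation to match, and confirming in the Traefik dashboard or logs that the router lists the middleware as attached before relying on it for the OIDC flow.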
diff --git a/clusters/noble/bootstrap/headlamp/values.yaml b/clusters/noble/bootstrap/headlamp/values.yaml
index b9cc69f..e653fc8 100644
--- a/clusters/noble/bootstrap/headlamp/values.yaml
+++ b/clusters/noble/bootstrap/headlamp/values.yaml
@@ -26,6 +26,8 @@ ingress:
 ingressClassName: traefik
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
+ # Headlamp OIDC behind Traefik: ensure external TLS scheme reaches the app (see middleware-https-proto.yaml).
+ traefik.ingress.kubernetes.io/router.middlewares: headlamp-https-proto@kubernetescrd
 hosts:
 - host: headlamp.apps.noble.lab.pcenicni.dev
 paths:
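Review bot: The attached middleware rewrites `X-Forwarded-Proto` to `https` for every request on this router regardless of the entrypoint it arrived on, and this hunk pins the router to a cert-manager issuer but not to a TLS-only entrypoint. Overwriting the header is good in itself (it discards any client-supplied value), but if the chart's Ingress also answers on the plain HTTP entrypoint, a plaintext request would be presented to Headlamp as HTTPS and the OIDC redirect and session cookie would be built on an unencrypted hop. Consider adding `traefik.ingress.kubernetes.io/router.entrypoints: websecure` next to the new annotation (with an HTTP-to-HTTPS redirect on the web entrypoint if that is still needed) and a comment such as `# Only valid on the TLS entrypoint: the middleware asserts https unconditionally.`. The enclosing `ingress:` block begins before and continues after the hunk.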