Add middleware-https-proto.yaml to enforce HTTPS scheme for Headlamp and update kustomization.yaml and values.yaml accordingly

clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml

@@ -0,0 +1,16 @@
+# Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
+# X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
+# the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
+# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: headlamp-https-proto
+  namespace: headlamp
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/component: ingress-middleware
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"