Add middleware-https-proto.yaml to enforce HTTPS scheme for Headlamp and update kustomization.yaml and values.yaml accordingly

clusters/noble/bootstrap/headlamp/kustomization.yaml

@@ -5,3 +5,4 @@ kind: Kustomization
 resources:
   - metrics-clusterrolebinding.yaml
   - oidc-noble-admins-clusterrolebinding.yaml
+  - middleware-https-proto.yaml

clusters/noble/bootstrap/headlamp/middleware-https-proto.yaml

@@ -0,0 +1,16 @@
+# Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
+# X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
+# the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
+# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: headlamp-https-proto
+  namespace: headlamp
+  labels:
+    app.kubernetes.io/name: headlamp
+    app.kubernetes.io/component: ingress-middleware
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"

clusters/noble/bootstrap/headlamp/values.yaml

@@ -26,6 +26,8 @@ ingress:
   ingressClassName: traefik
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
+    # Headlamp OIDC behind Traefik: ensure external TLS scheme reaches the app (see middleware-https-proto.yaml).
+    traefik.ingress.kubernetes.io/router.middlewares: headlamp-https-proto@kubernetescrd
   hosts:
     - host: headlamp.apps.noble.lab.pcenicni.dev
       paths: