


3 changed files with 9 additions and 3 deletions

.gitignore vendored

@@ -6,7 +6,7 @@ talos/kubeconfig
# Local secrets
age-key.txt
.env
.tmp
.tmp*
# Generated by ansible noble_landing_urls
ansible/output/noble-lab-ui-urls.md


@@ -1,7 +1,10 @@
# Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
# X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
# the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
# Also set host/port so post-callback redirects and cookie/session logic match the browser URL
# (see Headlamp in-cluster OIDC docs: X-Forwarded-Proto; missing Forwarded-* can strand users
# after IdP login).
# Ingress ref: <namespace>-headlamp-https-proto@kubernetescrd (e.g. headlamp-headlamp-https-proto@kubernetescrd).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
@@ -14,3 +17,5 @@ spec:
headers:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Host: "headlamp.apps.noble.lab.pcenicni.dev"
X-Forwarded-Port: "443"
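Review bot: The X-Forwarded-Host value on the last line of this hunk repeats the Ingress host from values.yaml (headlamp.apps.noble.lab.pcenicni.dev) with nothing tying the two together, so a host change in one file silently breaks the OIDC redirect until both are edited; a comment on that line, `# must match ingress.hosts[].host in values.yaml`, would at least make the coupling visible. Forcing all three headers at the edge is the right shape, since Headlamp then never relies on a client-supplied Forwarded-* value, but any second host served through the same Ingress would now be rewritten to this one. In the first hunk the two comment lines giving the Ingress reference (headlamp-https-proto@kubernetescrd and headlamp-headlamp-https-proto@kubernetescrd) disagree; if the older one survives on the new side it should be dropped so the file documents a single reference. The spec: mapping enclosing these headers starts outside the hunk.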


@@ -27,7 +27,8 @@ ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
# Headlamp OIDC behind Traefik: ensure external TLS scheme reaches the app (see middleware-https-proto.yaml).
traefik.ingress.kubernetes.io/router.middlewares: headlamp-https-proto@kubernetescrd
# Traefik Ingress refs CRD middlewares as <k8s-namespace>-<middleware-metadata.name>@kubernetescrd (see Traefik docs).
traefik.ingress.kubernetes.io/router.middlewares: headlamp-headlamp-https-proto@kubernetescrd
hosts:
- host: headlamp.apps.noble.lab.pcenicni.dev
paths:
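Review bot: The annotation value headlamp-headlamp-https-proto@kubernetescrd hardcodes the release namespace as the leading `headlamp-` prefix, so installing the chart into any other namespace points Traefik at a Middleware that does not exist and the scheme fix silently stops applying; the comment should name that dependency, e.g. `# leading "headlamp-" is the Middleware's namespace — update if the release namespace differs`. If both traefik.ingress.kubernetes.io/router.middlewares lines are present on the new side, that is a duplicate mapping key, which most YAML loaders resolve last-wins without an error — verify only the new value remains. The enclosing ingress: block starts before the hunk and the hosts list continues past it.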