# Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
# X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
# the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
# Also set host/port so post-callback redirects and cookie/session logic match the browser URL
# (see Headlamp in-cluster OIDC docs: X-Forwarded-Proto; missing Forwarded-* can strand users
# after IdP login).
# Ingress ref: -headlamp-https-proto@kubernetescrd (e.g. headlamp-headlamp-https-proto@kubernetescrd).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: headlamp-https-proto
  namespace: headlamp
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/component: ingress-middleware
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
      X-Forwarded-Host: "headlamp.apps.noble.lab.pcenicni.dev"
      X-Forwarded-Port: "443"