# Traefik terminates TLS; the hop Traefik → Headlamp is often HTTP, so Headlamp may see
# X-Forwarded-Proto=http and build OAuth redirect/callback as http — Authentik then rejects
# the flow (redirect URI / PKCE / cookie issues). Force the external scheme for Headlamp.
# Reference from Ingress: headlamp-https-proto@kubernetescrd (same namespace as the Ingress).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: headlamp-https-proto
  namespace: headlamp
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/component: ingress-middleware
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"