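---
# Traefik Middleware: pin the forwarded scheme, host and port that Headlamp sees.
#
# Why: Traefik terminates TLS and the hop Traefik -> Headlamp is often plain
# HTTP, so Headlamp may see X-Forwarded-Proto=http and build its OAuth
# redirect/callback URLs as http. Authentik then rejects the flow
# (redirect URI / PKCE / cookie issues). Forcing the external scheme fixes that.
# Host and port are set as well so post-callback redirects and cookie/session
# logic match the browser URL (see the Headlamp in-cluster OIDC docs on
# X-Forwarded-Proto; missing Forwarded-* headers can strand users after IdP
# login).
#
# Security notes:
# - customRequestHeaders sets these values on every request routed through the
#   middleware, replacing any value already present, so the URLs Headlamp
#   derives from them do not depend on forwarded headers sent by the client.
# - Attach this middleware only to routers served on the TLS entrypoint. On a
#   plain-HTTP router it would tell Headlamp the browser connection is HTTPS
#   when it is not.
# - X-Forwarded-Host is hard-coded: keep it identical to the Ingress host and to
#   the redirect URI registered in Authentik, and change all three together.
#
# Ingress ref (traefik.ingress.kubernetes.io/router.middlewares annotation):
#   <namespace>-headlamp-https-proto@kubernetescrd
#   (e.g. headlamp-headlamp-https-proto@kubernetescrd).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: headlamp-https-proto
  namespace: headlamp
  labels:
    app.kubernetes.io/name: headlamp
    app.kubernetes.io/component: ingress-middleware
spec:
  headers:
    customRequestHeaders:
      # Values are quoted so they stay strings ("443" must not become an int).
      X-Forwarded-Proto: "https"
      X-Forwarded-Host: "headlamp.apps.noble.lab.pcenicni.dev"
      X-Forwarded-Port: "443"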