fix(headlamp): pin OIDC callback URL explicitly

xnoto · xnoto · commit 1f9dbbd9a20a · 2026-04-29T22:09:12.000-06:00
Add OIDC_CALLBACK_URL=https://headlamp.makeitwork.cloud/oidc-callback to the headlamp-oidc Secret and a (placeholder) callbackURL in the chart's oidc config so the chart renders the -oidc-callback-url arg. Removes any ambiguity from Headlamp inferring the callback URL from the request's Host header behind the Cloudflare proxy.
diff --git a/operators/headlamp/application.yaml b/operators/headlamp/application.yaml
@@ -35,6 +35,10 @@ spec:
             # doesn't depend on window.opener postMessage (which drops state
             # across cross-origin redirects through Dex/GitHub).
             useCookie: true
+            # Pin the callback URL Headlamp advertises to Dex so it doesn't
+            # depend on Host-header inference behind the Cloudflare proxy.
+            # Actual env value comes from headlamp-oidc Secret's OIDC_CALLBACK_URL.
+            callbackURL: "set-by-secret"
         serviceAccount:
           create: true
         clusterRoleBinding:
diff --git a/operators/headlamp/oidc-secret.yaml b/operators/headlamp/oidc-secret.yaml
@@ -11,6 +11,7 @@ stringData:
     OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:TXBMWVAEU7OLNJx6mrZcK3rbLlTB9GL5hTAAXTwwzSa9xTXLU8l/MJ51g2YcbmSWu8bNGa5mi1bExzkvSGhwXQ==,iv:xKDnl7qCPM2ttNWW2OU2a1f4FNzHDz+loLLKuBdN5+g=,tag:CT1vk4kf0sEKdXy9CUVgbg==,type:str]
     OIDC_ISSUER_URL: https://argocd.makeitwork.cloud/api/dex
     OIDC_SCOPES: openid profile email groups
+    OIDC_CALLBACK_URL: https://headlamp.makeitwork.cloud/oidc-callback
 sops:
     age:
         - recipient: age152ek83tm4fj5u70r3fecytn4kg7c5xca24erjchxexx4pfqg6das7q763l
@@ -22,7 +23,7 @@ sops:
             Y2FhOENiWW1aNy9WbER3eXIvNXhXRnMKzdWk5njxD8yiSjhv5a1jZ9giCZWTnNpK
             jvqHY7FMWuQMowlEwkbpgUeEbcf4kabl5clCr4w7mh0doYWt3u/7SQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-04-30T03:57:26Z"
-    mac: ENC[AES256_GCM,data:/3YRM68bw/3U5LqF6N44kHoONeGPTvickVVaoKOf+LiPCo91juSE/23q79ppDwjLROUaVf67peZoP+m/F/qM+0hGBTnunzgn3DencYeb640YEcuoJnAkrwMqQvcFjXKMBVFjeV5hN97/hY9FOPtgyEhHTQPSOkQvm/XDhhJXGeo=,iv:ghbaV+s9zgWRm+CsJVdLjNNijTyVaFXtaDT3aHRJBb0=,tag:oUSJ5Dwkd7V+HGyDxvdoOg==,type:str]
+    lastmodified: "2026-04-30T04:08:46Z"
+    mac: ENC[AES256_GCM,data:E2iADOwXoG6bcZesH+S6s9GCeas+Yqty6CYr1BhI2fNeyb7I2IlaPwadhx40cEH7DN/Rr4aId1VF3M6e4Vti3EA6qDfAEqOsPEX65QeVQHXwjHQQr8185EvxvNz0mILFtl5FWWTYUcP8JkTzkSmKwFlNmakV0QWpniJknKRH9O8=,iv:dXObwnkkpZ8woN4+v9eDCpKIXnBlmJzmZO5d9/YK8ag=,tag:QPrVNoUuYH/gJCaoaNrClQ==,type:str]
     encrypted_regex: ^(token|api-token|apiToken|clientID|clientSecret|client_id|client_secret|password|secret|github_token|CLOUDFLARE_API_TOKEN|credentials\.json|.*_SERVICE_KEY|GF_AUTH_GITHUB_CLIENT_SECRET|GF_SECURITY_ADMIN_PASSWORD|dex\.[a-z]+\.clientID|dex\.[a-z]+\.clientSecret|OIDC_CLIENT_(ID|SECRET))$
     version: 3.12.2
