From 0e3bb28befeb8478d2d85a61d5902ab6dac0704e Mon Sep 17 00:00:00 2001
From: teddy
Date: Tue, 9 Jun 2026 23:07:32 +0200
Subject: [PATCH] headlamp: serve over HTTPS at headlamp.roysland.net

Move ingress from headlamp.local (plain HTTP) to headlamp.roysland.net with a Let's Encrypt cert (cert-manager) and a Traefik HTTP->HTTPS redirect. Fixes the browser HTTPS-upgrade breaking the API calls against the self-signed Traefik default cert.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 headlamp/headlamp.yaml | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/headlamp/headlamp.yaml b/headlamp/headlamp.yaml
index 5af6096..2668629 100644
--- a/headlamp/headlamp.yaml
+++ b/headlamp/headlamp.yaml
@@ -91,15 +91,33 @@ spec:
 - port: 80
 targetPort: 4466
 ---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: https-redirect
+ namespace: kube-system
+spec:
+ redirectScheme:
+ scheme: https
+ permanent: true
+---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: headlamp
 namespace: kube-system
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
+ traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
 spec:
 ingressClassName: traefik
+ tls:
+ - hosts:
+ - headlamp.roysland.net
+ secretName: headlamp-tls
 rules:
- - host: headlamp.local
+ - host: headlamp.roysland.net
 http:
 paths:
 - path: /
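Review bot: The Ingress for Headlamp, a cluster-management UI running in `kube-system`, now answers on a real DNS name, and the only middleware on the `router.middlewares` annotation is the scheme redirect, so nothing at the proxy limits who can reach the login page. If `headlamp.roysland.net` resolves outside the LAN (not visible from this patch), access then rests on Headlamp's own login alone. Consider chaining an IP allow-list or forward-auth middleware after `kube-system-https-redirect@kubernetescrd`, as sketched below with an example name and a placeholder CIDR; the field is `ipAllowList` on current Traefik and `ipWhiteList` on older v2 releases. The Ingress continues past the end of the hunk, so its backend is not shown here.

```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: headlamp-allowlist  # example name
  namespace: kube-system
spec:
  ipAllowList:
    sourceRange:
      - "<TRUSTED_CIDR>"  # placeholder: network(s) allowed to reach Headlamp
---
# … unchanged: Ingress apiVersion, kind, metadata name and namespace …
  annotations:
    # … unchanged: cert-manager cluster-issuer annotation …
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd,kube-system-headlamp-allowlist@kubernetescrd
```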