From 0e3bb28befeb8478d2d85a61d5902ab6dac0704e Mon Sep 17 00:00:00 2001 From: teddy Date: Tue, 9 Jun 2026 23:07:32 +0200 Subject: [PATCH 1/2] headlamp: serve over HTTPS at headlamp.roysland.net Move ingress from headlamp.local (plain HTTP) to headlamp.roysland.net with a Let's Encrypt cert (cert-manager) and a Traefik HTTP->HTTPS redirect. Fixes the browser HTTPS-upgrade breaking the API calls against the self-signed Traefik default cert. Co-Authored-By: Claude Opus 4.8 (1M context) --- headlamp/headlamp.yaml | 20 +++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/headlamp/headlamp.yaml b/headlamp/headlamp.yaml index 5af6096..2668629 100644 --- a/headlamp/headlamp.yaml +++ b/headlamp/headlamp.yaml @@ -91,15 +91,33 @@ spec: - port: 80 targetPort: 4466 --- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: https-redirect + namespace: kube-system +spec: + redirectScheme: + scheme: https + permanent: true +--- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: headlamp namespace: kube-system + annotations: + cert-manager.io/cluster-issuer: letsencrypt + # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop). + traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd spec: ingressClassName: traefik + tls: + - hosts: + - headlamp.roysland.net + secretName: headlamp-tls rules: - - host: headlamp.local + - host: headlamp.roysland.net http: paths: - path: / From a064f4125084b91e187b72894d4d76fe660d1a53 Mon Sep 17 00:00:00 2001 
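Review bot: The new `https-redirect` Middleware only upgrades the first plaintext request; nothing in this hunk sends a Strict-Transport-Security header, so a browser that has once reached `headlamp.roysland.net` over HTTP will keep trying HTTP on later visits and depend on the 301 each time. Since this puts a cluster dashboard under a public name with a Let's Encrypt cert, pair the redirect with a `headers` Middleware that sets `stsSeconds` and chain it in the `router.middlewares` annotation (Traefik applies the listed middlewares in order); the same addition applies to the passbolt Ingress annotation in patch 2. If the dashboard is not meant to be reachable from the whole internet, an IP allow-list middleware (`ipAllowList` on Traefik v3, `ipWhiteList` on v2) chained the same way would narrow exposure, but the diff does not show whether that is intended. The added Middleware resource is complete; the Ingress spec continues past the hunk.
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: hsts
  namespace: kube-system
spec:
  headers:
    stsSeconds: 31536000
# … unchanged: Ingress apiVersion/kind/metadata, cert-manager annotation …
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd,kube-system-hsts@kubernetescrd
# … unchanged: spec, tls, rules …
```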
From: teddy Date: Tue, 9 Jun 2026 23:07:32 +0200 Subject: [PATCH 2/2] passbolt: fix login behind Traefik (TLS termination, GPG fingerprint) Traefik terminates TLS and forwards HTTP, so PASSBOLT_SSL_FORCE=false (in-container redirect caused an infinite loop); Service/Ingress on port 80; add HTTP->HTTPS redirect middleware at Traefik instead. Set PASSBOLT_GPG_SERVER_KEY_FINGERPRINT to the migrated server key (1471F6B1...) so the GPG login handshake completes. Co-Authored-By: Claude Opus 4.8 (1M context) --- passbolt/passbolt.yaml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/passbolt/passbolt.yaml b/passbolt/passbolt.yaml index 826dde4..548c9d4 100644 --- a/passbolt/passbolt.yaml +++ b/passbolt/passbolt.yaml @@ -121,6 +121,11 @@ spec: env: - name: APP_FULL_BASE_URL value: "https://pb.roysland.net" + # Must match the server key on the gpg PVC (uid passbolt@yourdomain.com). + # Without it passbolt's config fingerprint mismatches the actual key and + # the GPG login handshake fails (web login loops back to the login page). + - name: PASSBOLT_GPG_SERVER_KEY_FINGERPRINT + value: "1471F6B122637CC7A95E63DCA214B492C0F7DF56" - name: DATASOURCES_DEFAULT_HOST value: "mariadb" - name: DATASOURCES_DEFAULT_PORT @@ -140,8 +145,12 @@ spec: secretKeyRef: name: passbolt-secrets key: DATASOURCES_DEFAULT_DATABASE + # TLS is terminated by Traefik, which forwards plain HTTP to :80. + # The container must NOT force its own HTTP->HTTPS redirect or it + # creates an infinite redirect loop. APP_FULL_BASE_URL stays https + # so generated links remain https. - name: PASSBOLT_SSL_FORCE - value: "true" + value: "false" ports: - containerPort: 80 - containerPort: 443 @@ -170,6 +179,16 @@ spec: - port: 80 targetPort: 80 --- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: https-redirect + namespace: passbolt +spec: + redirectScheme: + scheme: https + permanent: true +--- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: 
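Review bot: The comment on the new `PASSBOLT_GPG_SERVER_KEY_FINGERPRINT` entry explains why it is needed but not that it is the key's public fingerprint, so a reader may wonder whether it belongs in `passbolt-secrets` like the database values referenced further down; a line such as `# Public fingerprint only (not secret); the private key itself lives on the gpg PVC.` settles that. It would also help to state what to do when the gpg PVC is recreated, since the value will then silently mismatch again and reproduce the login loop described here. The `env` list continues outside the hunk.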
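Review bot: With `PASSBOLT_SSL_FORCE` set to `"false"` the container no longer enforces HTTPS itself, so whether passbolt marks its session cookie `Secure` and builds https links now likely depends on it recognising the scheme Traefik forwards (`X-Forwarded-Proto`) rather than on its own listener; the comment should name this as the new trust assumption and that it holds only while Traefik is the sole path to :80. Suggested addition: `# Relies on Traefik sending X-Forwarded-Proto: https; the pod must not be reachable on :80 except via the Ingress.`. Checking once that the login cookie carries `Secure` in the browser after this change would confirm the assumption. The `containerPort: 443` entry below appears unused after this change, as the Service and Ingress only target port 80, but that is outside the lines changed here.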
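Review bot: The `https-redirect` Middleware added here is a copy of the one patch 1 adds in `kube-system`, which is the right call while Traefik's `kubernetescrd` provider runs without `allowCrossNamespace` (the default), because a `kube-system-https-redirect@kubernetescrd` reference from the `passbolt` namespace would be rejected; a one-line comment stating that would stop a later cleanup from "deduplicating" it and breaking the redirect, e.g. `# Duplicated per namespace: cross-namespace middleware refs are off by default.`. If cross-namespace references are in fact enabled on this cluster the copy could go, but nothing in the diff shows that.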
@@ -177,6 +196,8 @@ metadata: namespace: passbolt annotations: cert-manager.io/cluster-issuer: letsencrypt + # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop). + traefik.ingress.kubernetes.io/router.middlewares: passbolt-https-redirect@kubernetescrd spec: ingressClassName: traefik tls: