I get redirected to OIDC auth pop up each time I click on any link/button inside headlamp UI. I'm using Azure AD for OIDC config. Headlamp installed in the cluster via helm #2848

Open
andreistefanzx opened this issue Feb 5, 2025 · 5 comments
Labels
azure Issues related to Azure, but not AKS necessarily backend Issues related to the backend blocker Completely prevents the user from using the software. bug Something isn't working oidc Issue related to OIDC

Comments

andreistefanzx commented Feb 5, 2025

Describe the bug

I get redirected to OIDC auth pop up each time I click on any link/button inside headlamp UI. I'm using Azure AD for OIDC config. Headlamp installed in the Google GKE cluster via helm

To Reproduce

Steps to reproduce the bug:

  1. Go to main page, click Sign In and go through OIDC auth
  2. After authentication succeeds you can see the headlamp UI but if you click anything there, you'll get redirected to the OIDC auth screen again

Note:

  • I don't get any logs while going through the auth step or after that
  • Logs from headlamp pod:

```
k logs -l app.kubernetes.io/name=headlamp -f
{"level":"info","source":"/headlamp/backend/cmd/headlamp.go","line":342,"time":"2025-02-05T05:59:17Z","message":"Plugins dir: /headlamp/plugins"}
{"level":"info","source":"/headlamp/backend/cmd/headlamp.go","line":343,"time":"2025-02-05T05:59:17Z","message":"Dynamic clusters support: false"}
{"level":"info","source":"/headlamp/backend/cmd/headlamp.go","line":344,"time":"2025-02-05T05:59:17Z","message":"Helm support: false"}
{"level":"info","source":"/headlamp/backend/cmd/headlamp.go","line":345,"time":"2025-02-05T05:59:17Z","message":"Proxy URLs: []"}
{"level":"info","pluginPath":"/headlamp/plugins/lost+found/main.js","source":"/headlamp/backend/pkg/plugins/plugins.go","line":197,"error":"stat /headlamp/plugins/lost+found/main.js: permission denied","time":"2025-02-05T05:59:17Z","message":"Not including plugin path, main.js not found"}
{"level":"info","context":"main","clusterURL":"https://K8S_API_IP:443","source":"/headlamp/backend/pkg/kubeconfig/kubeconfig.go","line":315,"time":"2025-02-05T05:59:17Z","message":"Proxy setup"}
*** Headlamp Server ***
  API Routers:
{"level":"error","source":"/headlamp/backend/cmd/headlamp.go","line":399,"error":"error loading kubeconfig files: error reading kubeconfig file: open : no such file or directory","time":"2025-02-05T05:59:17Z","message":"loading kubeconfig"}
{"level":"error","source":"/headlamp/backend/cmd/headlamp.go","line":410,"error":"error loading kubeconfig files: error reading kubeconfig file: open /home/headlamp/.config/Headlamp/kubeconfigs/config: no such file or directory","time":"2025-02-05T05:59:17Z","message":"loading dynamic kubeconfig"}
```

  • I get this in Chrome Inspect:
```json
{
  "kind": "Status",
  "apiVersion": "v1",
  "metadata": {},
  "status": "Failure",
  "message": "nodes is forbidden: User \"system:anonymous\" cannot list resource \"nodes\" in API group \"\" at the cluster scope",
  "reason": "Forbidden",
  "details": {
    "kind": "nodes"
  },
  "code": 403
}
```

Environment (please provide info about your environment):

  • Installation type: helm deployment in GKE cluster
```yaml
# my helm value for OIDC
config:
  # -- base url path at which headlamp should run
  baseURL: ""
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: headlamp-oidc
  extraArgs: []
```
  • Headlamp Version: "0.28.0" helm chart
@andreistefanzx andreistefanzx added the bug Something isn't working label Feb 5, 2025
@dosubot dosubot bot added the backend Issues related to the backend label Feb 5, 2025
@tjbeckerGMI
I am experiencing this same issue, running the same version inside of a cluster via helm, along with using Azure for OIDC auth.

Upon successfully authenticating in, it seems I have a split second to interact with the webpage and get it to load resources, but then I will lose access and get redirected to the sign in page

Contributor

yolossn commented Feb 10, 2025

Can you check if the Authorization header with the Bearer token is sent with the requests made to the cluster?

Possibly Related
#2850
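
The header check requested above can be combined with the `Status` body from the original report. The following is an added example (not Headlamp code and not written by any participant in this thread): it classifies one request/response pair copied from the browser's Network tab. The function names, verdict strings and sample token are hypothetical and constructed.

```javascript
// Added example: sample inputs are constructed; function names are hypothetical.

// Decode a JWT payload WITHOUT verifying its signature (inspection only).
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch (e) {
    return null; // payload was not base64url-encoded JSON
  }
}

// Classify one request/response pair copied from the browser's Network tab.
function triage(requestHeaders, status, nowSeconds) {
  // HTTP header names are case-insensitive.
  const auth = Object.entries(requestHeaders)
    .find(([name]) => name.toLowerCase() === 'authorization');
  const bearer = auth ? /^Bearer\s+(\S+)$/i.exec(auth[1]) : null;
  // Kubernetes names requests that arrive without credentials "system:anonymous".
  const anonymous = /User "system:anonymous"/.test(status.message || '');

  if (!bearer) return 'no-token-sent';
  const claims = decodeJwtClaims(bearer[1]);
  if (!claims) return 'token-malformed';
  if (typeof claims.exp === 'number' && claims.exp <= nowSeconds) return 'token-expired';
  // A token the API server cannot validate normally yields 401, not anonymous 403.
  if (status.code === 401) return 'token-rejected';
  if (status.code === 403 && anonymous) return 'token-dropped'; // lost before the API server
  if (status.code === 403) return 'rbac-denied'; // authenticated, not authorized
  return 'ok';
}

// Constructed sample data: unsigned token plus the Status body from the report.
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256' })}.${enc(claims)}.sig`;
}
const forbiddenAnonymous = {
  code: 403,
  message: 'nodes is forbidden: User "system:anonymous" cannot list resource "nodes" in API group "" at the cluster scope',
};
const now = 1738735200; // constructed timestamp (seconds)
const token = sampleToken({ iss: 'https://issuer.example/', aud: 'headlamp', exp: now + 3600 });

console.log(triage({}, forbiddenAnonymous, now));
console.log(triage({ authorization: `Bearer ${token}` }, forbiddenAnonymous, now));
console.log(triage({ Authorization: `Bearer ${token}` }, { code: 401 }, now));
```

A `token-dropped` verdict means the browser sent a token but the API server still saw an unauthenticated request, which points at whatever sits between the two rather than at RBAC.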

@tjbeckerGMI
This is @andreistefanzx's ticket, so I don't want to hijack it, but from my testing, in that brief moment where I do have access, I am seeing an Authorization header with the token in it, but then an error will pop up saying "Lost connection to the cluster", and I no longer see that header being sent in my next interaction with the UI.

@illume illume added azure Issues related to Azure, but not AKS necessarily blocker Completely prevents the user from using the software. oidc Issue related to OIDC labels Feb 11, 2025
@andreistefanzx
Author

I'm using a GKE cluster. Headlamp might be sending the OIDC token, but the k8s API will not accept it; that's why we need to send impersonation headers, right?

Contributor

yolossn commented Feb 12, 2025

@andreistefanzx is your GKE cluster configured with Azure AD for OIDC auth?


4 participants