You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
After #2497 (Crossview embedded in Headlamp, public route removed), opening the Crossview tab in the in-cluster web Headlamp (including from mobile Safari) shows a blank embed. Maintainer-reported with a screenshot, 2026-07-05 ~13:59Z.
Root cause (live-verified)
The crossview-headlamp plugin resolves an embed URL in three steps: Ingress host → Service LoadBalancer → Headlamp-managed port-forward. #2497 removed the only browser-reachable option (the public route; the inert crossview-ingress was deliberately not restored), so the resolver falls through to the port-forward — which binds 127.0.0.1 inside the Headlamp backend pod and returns http://localhost:<random-port>. For any web/mobile browser that URL is (a) the user's own device, where nothing listens, and (b) mixed content inside the https Headlamp page, so the iframe renders blank. Headlamp backend logs confirm forwards starting at 13:59Z on random ports (45845, 46057, 43237, …).
Even the desktop flow's OIDC is broken as merged: the plugin leaves the local port unset (random per attempt), so the exact-match Dex callback http://localhost:3001/api/auth/oidc/callback registered in feat(crossview): embed in Headlamp again and drop the public route #2497 can never match.
Proposed direction
Target state (no new public host, works on mobile): serve Crossview same-origin under the Headlamp host (headlamp.${domain}/crossview) and have the plugin embed that path — same-origin sidesteps mixed content and framing entirely, and gives OIDC a stable callback URL. This needs two upstream changes (maintainer approval + AI-policy check before creating anything upstream):
crossplane-contrib/crossview: base-path/sub-path support (none in chart 4.5.0 — SPA assets, API routes, and the OIDC callback must work under a prefix).
MoeidHeidari/crossview-headlamp: teach the resolver a path/URL override (it reads only spec.rules[0].host today) and pass a fixed local port for the desktop port-forward flow.
Platform-side once those ship: an HTTPRoute path match on the headlamp host → crossview-service, netpol ingress from the gateway restored for that hop, Dex callback repointed to the stable same-origin URL. Interim alternatives (maintainer's call): restore a dedicated host (optionally oauth2-proxy-fronted), or accept desktop-only until the upstream changes land.
Rough size: M platform-side; the upstream halves gate it.
Problem
After #2497 (Crossview embedded in Headlamp, public route removed), opening the Crossview tab in the in-cluster web Headlamp (including from mobile Safari) shows a blank embed. Maintainer-reported with a screenshot, 2026-07-05 ~13:59Z.
Root cause (live-verified)
The crossview-headlamp plugin resolves an embed URL in three steps: Ingress host → Service LoadBalancer → Headlamp-managed port-forward. #2497 removed the only browser-reachable option (the public route; the inert
crossview-ingresswas deliberately not restored), so the resolver falls through to the port-forward — which binds 127.0.0.1 inside the Headlamp backend pod and returnshttp://localhost:<random-port>. For any web/mobile browser that URL is (a) the user's own device, where nothing listens, and (b) mixed content inside the https Headlamp page, so the iframe renders blank. Headlamp backend logs confirm forwards starting at 13:59Z on random ports (45845, 46057, 43237, …).Two structural consequences:
crossview-ingresscomment documented exactly this web-UI limitation).http://localhost:3001/api/auth/oidc/callbackregistered in feat(crossview): embed in Headlamp again and drop the public route #2497 can never match.Proposed direction
Target state (no new public host, works on mobile): serve Crossview same-origin under the Headlamp host (
headlamp.${domain}/crossview) and have the plugin embed that path — same-origin sidesteps mixed content and framing entirely, and gives OIDC a stable callback URL. This needs two upstream changes (maintainer approval + AI-policy check before creating anything upstream):crossplane-contrib/crossview: base-path/sub-path support (none in chart 4.5.0 — SPA assets, API routes, and the OIDC callback must work under a prefix).MoeidHeidari/crossview-headlamp: teach the resolver a path/URL override (it reads onlyspec.rules[0].hosttoday) and pass a fixed local port for the desktop port-forward flow.Platform-side once those ship: an
HTTPRoutepath match on the headlamp host →crossview-service, netpol ingress from the gateway restored for that hop, Dex callback repointed to the stable same-origin URL. Interim alternatives (maintainer's call): restore a dedicated host (optionally oauth2-proxy-fronted), or accept desktop-only until the upstream changes land.Rough size: M platform-side; the upstream halves gate it.