Add custom API server endpoint configuration for proxy scenarios

backend/cmd/headlamp.go

@@ -427,28 +427,29 @@
 	}
 
 	// In-cluster
 	if config.UseInCluster {
 		context, err := kubeconfig.GetInClusterContext(
 			config.InClusterContextName,
 			config.OidcIdpIssuerURL,
 			config.OidcClientID, config.OidcClientSecret,
 			strings.Join(config.OidcScopes, ","),
 			config.OidcSkipTLSVerify,
-			config.OidcCACert)
+			config.OidcCACert,
+			config.APIServerEndpoint)
 		if err != nil {
 			logger.Log(logger.LevelError, nil, err, "Failed to get in-cluster context")
-		}
-
-		context.Source = kubeconfig.InCluster
+		} else {
+			context.Source = kubeconfig.InCluster
 
-		err = context.SetupProxy()
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
-		}
+			err = context.SetupProxy()
+			if err != nil {
+				logger.Log(logger.LevelError, nil, err, "Failed to setup proxy for in-cluster context")
+			}
 
-		err = config.KubeConfigStore.AddContext(context)
-		if err != nil {
-			logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+			err = config.KubeConfigStore.AddContext(context)
+			if err != nil {
+				logger.Log(logger.LevelError, nil, err, "Failed to add in-cluster context")
+			}
 		}
 	}
 

backend/cmd/headlamp_test.go

@@ -1731,3 +1731,44 @@ func TestHandleClusterServiceProxy(t *testing.T) {
 		assert.Equal(t, "OK", rr.Body.String())
 	}
 }
+
+// TestCustomAPIServerEndpoint tests the custom API server endpoint configuration
+// with validation logic, simulating kube-oidc-proxy scenarios.
+func TestCustomAPIServerEndpoint(t *testing.T) {
+	// Test https validation directly - should reject http URLs
+	// Since validation now happens before InClusterConfig, this will always test validation
+	_, err := kubeconfig.GetInClusterContext(
+		"test-cluster",
+		"", "", "", "",
+		false, "",
+		"http://insecure-proxy.example.com:443", // http scheme should be rejected
+	)
+
+	// Should always fail with validation error (validation happens before in-cluster check)
+	require.Error(t, err, "Expected error with http:// URL")
+	assert.Contains(t, err.Error(), "must be a full https:// URL",
+		"Error should be about https requirement")
+
+	// Test with valid https URL - will fail with in-cluster error if not actually in cluster
+	if os.Getenv("HEADLAMP_RUN_INTEGRATION_TESTS") != strconv.FormatBool(istrue) {
+		t.Skip("skipping full integration test (validation already tested above)")
+	}
+
+	ctx, err := kubeconfig.GetInClusterContext(
+		"test-cluster",
+		"", "", "", "",
+		false, "",
+		"https://kube-oidc-proxy.example.com:443", // Valid https endpoint
+	)
+	if err != nil {
+		if strings.Contains(err.Error(), "unable to load in-cluster configuration") {
+			t.Skip("not running in cluster environment, cannot test full functionality")
+		}
+
+		t.Fatalf("unexpected error with valid https endpoint: %v", err)
+	}
+
+	// If we get here, we're in a cluster and endpoint was accepted
+	assert.Equal(t, "https://kube-oidc-proxy.example.com:443", ctx.Cluster.Server,
+		"Custom endpoint should be used")
+}

backend/cmd/server.go

@@ -82,6 +82,7 @@ func buildHeadlampCFG(conf *config.Config, kubeConfigStore kubeconfig.ContextSto
 	return &headlampconfig.HeadlampCFG{
 		UseInCluster:          conf.InCluster,
 		InClusterContextName:  conf.InClusterContextName,
+		APIServerEndpoint:     conf.APIServerEndpoint,
 		KubeConfigPath:        conf.KubeConfigPath,
 		SkippedKubeContexts:   conf.SkippedKubeContexts,
 		ListenAddr:            conf.ListenAddr,

backend/pkg/config/config.go

@@ -35,6 +35,7 @@ type Config struct {
 	Version              bool   `koanf:"version"`
 	InCluster            bool   `koanf:"in-cluster"`
 	InClusterContextName string `koanf:"in-cluster-context-name"`
+	APIServerEndpoint    string `koanf:"api-server-endpoint"`
 	DevMode              bool   `koanf:"dev"`
 	InsecureSsl          bool   `koanf:"insecure-ssl"`
 	LogLevel             string `koanf:"log-level"`
@@ -415,6 +416,10 @@ func addGeneralFlags(f *flag.FlagSet) {
 	f.Bool("version", false, "Print version information and exit")
 	f.Bool("in-cluster", false, "Set when running from a k8s cluster")
 	f.String("in-cluster-context-name", "main", "Name to use for the in-cluster Kubernetes context")
+	f.String(
+		"api-server-endpoint", "",
+		"Custom Kubernetes API server endpoint; only used with --in-cluster and must be a full https:// URL",
+	)
 	f.Bool("dev", false, "Allow connections from other origins")
 	f.Bool("cache-enabled", false, "K8s cache in backend")
 	f.Bool("no-browser", false, "Disable automatically opening the browser when using embedded frontend")

backend/pkg/config/config_test.go

@@ -55,6 +55,13 @@ func TestParseBasic(t *testing.T) {
 				assert.Equal(t, config.DefaultMeUsernamePath, conf.MeUsernamePath)
 			},
 		},
+		{
+			name: "api_server_endpoint_flag",
+			args: []string{"go run ./cmd", "--api-server-endpoint=https://kube-proxy.example.com"},
+			verify: func(t *testing.T, conf *config.Config) {
+				assert.Equal(t, "https://kube-proxy.example.com", conf.APIServerEndpoint)
+			},
+		},
 	}
 
 	for _, tt := range tests {
@@ -141,6 +148,16 @@ var ParseWithEnvTests = []struct {
 			assert.Equal(t, "warn", conf.LogLevel)
 		},
 	},
+	{
+		name: "api_server_endpoint_from_env",
+		args: []string{"go run ./cmd"},
+		env: map[string]string{
+			"HEADLAMP_CONFIG_API_SERVER_ENDPOINT": "https://kube-oidc-proxy.example.com:443",
+		},
+		verify: func(t *testing.T, conf *config.Config) {
+			assert.Equal(t, "https://kube-oidc-proxy.example.com:443", conf.APIServerEndpoint)
+		},
+	},
 }
 
 func TestParseWithEnv(t *testing.T) {

backend/pkg/headlampconfig/headlampConfig.go

@@ -41,6 +41,7 @@ type HeadlampConfig struct {
 type HeadlampCFG struct {
 	UseInCluster          bool
 	InClusterContextName  string
+	APIServerEndpoint     string
 	ListenAddr            string
 	CacheEnabled          bool
 	DevMode               bool

backend/pkg/kubeconfig/export_test.go

@@ -8,6 +8,9 @@ import "net/http"
 // BuildUserAgent is exported for testing.
 var BuildUserAgent = buildUserAgent
 
+// ValidateAPIServerEndpoint is exported for testing.
+var ValidateAPIServerEndpoint = validateAPIServerEndpoint
+
 // UserAgentRoundTripper is exported for testing.
 type UserAgentRoundTripper struct {
 	Base      roundTripperInterface

backend/pkg/kubeconfig/kubeconfig.go

@@ -1001,6 +1001,82 @@ func splitKubeConfigPath(path string) []string {
 	return strings.Split(path, delimiter)
 }
 
+// validateAPIServerEndpoint validates and returns a trimmed API server endpoint.
+// Returns empty string if endpoint is empty, or an error if endpoint is invalid.
+func validateAPIServerEndpoint(endpoint string) (string, error) {
+	trimmed := strings.TrimSpace(endpoint)
+	if trimmed == "" {
+		return "", nil
+	}
+
+	parsedURL, err := url.Parse(trimmed)
+	if err != nil || !parsedURL.IsAbs() || parsedURL.Host == "" || parsedURL.Hostname() == "" {
+		return "", fmt.Errorf(
+			"invalid custom API server endpoint %q: must be an absolute URL with scheme and host",
+			trimmed,
+		)
+	}
+
+	if parsedURL.Scheme != "https" {
+		return "", fmt.Errorf(
+			"invalid custom API server endpoint %q: must be a full https:// URL",
+			trimmed,
+		)
+	}
+
+	// Disallow embedded credentials, query strings, fragments, and non-root paths
+	if parsedURL.User != nil {
+		return "", fmt.Errorf(
+			"invalid custom API server endpoint %q: must not include user info (credentials)",
+			trimmed,
+		)
+	}
+
+	if parsedURL.RawQuery != "" {
+		return "", fmt.Errorf(
+			"invalid custom API server endpoint %q: must not include a query string",
+			trimmed,
+		)
+	}
+
+	if parsedURL.Fragment != "" {
+		return "", fmt.Errorf(
+			"invalid custom API server endpoint %q: must not include a fragment",
+			trimmed,
+		)
+	}
+
+	if parsedURL.Path != "" && parsedURL.Path != "/" {
+		return "", fmt.Errorf(
+			"invalid custom API server endpoint %q: path must be empty or '/' (scheme+host[:port] only)",
+			trimmed,
+		)
+	}
+
+	return trimmed, nil
+}
+
+// buildOIDCConfig creates an OIDC configuration if the required parameters are provided.
+func buildOIDCConfig(
+	clientID, issuerURL, scopes string,
+	clientSecret string,
+	skipTLSVerify bool,
+	caCert string,
+) *OidcConfig {
+	if clientID == "" || issuerURL == "" || scopes == "" {
+		return nil
+	}
+
+	return &OidcConfig{
+		ClientID:      clientID,
+		ClientSecret:  clientSecret,
+		IdpIssuerURL:  issuerURL,
+		Scopes:        strings.Split(scopes, ","),
+		SkipTLSVerify: &skipTLSVerify,
+		CACert:        &caCert,
+	}
+}
+
 // GetInClusterContext returns the in-cluster context.
 func GetInClusterContext(
 	contextName string,
@@ -1009,14 +1085,28 @@ func GetInClusterContext(
 	oidcScopes string,
 	oidcSkipTLSVerify bool,
 	oidcCACert string,
+	customAPIServerEndpoint string,
 ) (*Context, error) {
+	// Validate custom endpoint first, before attempting to load in-cluster config
+	customEndpoint, err := validateAPIServerEndpoint(customAPIServerEndpoint)
+	if err != nil {
+		return nil, err
+	}
+
 	clusterConfig, err := rest.InClusterConfig()
 	if err != nil {
 		return nil, err
 	}
 
+	// Use custom API server endpoint if provided, otherwise use default from in-cluster config
+	apiServerHost := clusterConfig.Host
+
+	if customEndpoint != "" {
+		apiServerHost = customEndpoint
+	}
+
 	cluster := &api.Cluster{
-		Server:                   clusterConfig.Host,
+		Server:                   apiServerHost,
 		CertificateAuthority:     clusterConfig.CAFile,
 		CertificateAuthorityData: clusterConfig.CAData,
 	}
@@ -1033,19 +1123,14 @@ func GetInClusterContext(
 
 	inClusterAuthInfo := &api.AuthInfo{}
 
-	var oidcConf *OidcConfig
-
-	if oidcClientID != "" && oidcIssuerURL != "" && oidcScopes != "" {
-		// client secret is optional for in-cluster OIDC configuration
-		oidcConf = &OidcConfig{
-			ClientID:      oidcClientID,
-			ClientSecret:  oidcClientSecret,
-			IdpIssuerURL:  oidcIssuerURL,
-			Scopes:        strings.Split(oidcScopes, ","),
-			SkipTLSVerify: &oidcSkipTLSVerify,
-			CACert:        &oidcCACert,
-		}
-	}
+	oidcConf := buildOIDCConfig(
+		oidcClientID,
+		oidcIssuerURL,
+		oidcScopes,
+		oidcClientSecret,
+		oidcSkipTLSVerify,
+		oidcCACert,
+	)
 
 	return &Context{
 		Name:        contextName,