fix(headlamp): pin OIDC callback URL explicitly

[xnoto]

Summary

The auth loop persists despite `useCookie` and matching client secrets. Most likely remaining cause: Headlamp infers its OIDC callback URL from the inbound request's `Host` header. Behind Cloudflare's proxy and with the popup flow, the value Headlamp advertises to Dex (and uses on token exchange's `redirect_uri` parameter) may differ from what Dex's staticClient registered, causing Dex to silently issue a code that doesn't validate later — or Headlamp's exchange to be rejected.

Pin the callback URL explicitly:

• `operators/headlamp/oidc-secret.yaml` — add `OIDC_CALLBACK_URL=https://headlamp.makeitwork.cloud/oidc-callback\` to the existing Secret. envFrom picks it up.
• `operators/headlamp/application.yaml` — set `config.oidc.callbackURL: "set-by-secret"` so the chart actually renders the `-oidc-callback-url=$(OIDC_CALLBACK_URL)` arg (the chart only adds it when the value is non-empty; actual value comes from the Secret).

Test plan

• After merge: `kubectl -n headlamp get deployment headlamp -o jsonpath='{.spec.template.spec.containers[0].args}'` includes `-oidc-callback-url=$(OIDC_CALLBACK_URL)`
• After merge: login at `https://headlamp.makeitwork.cloud\` lands on the dashboard instead of looping

🤖 Generated with Claude Code