Enhance Authentik role by updating README with detailed troubleshooting steps for Headlamp OIDC integration, including handling of scopes and PKCE settings. Adjust default variables for Headlamp OIDC scopes and ensure proper application of Kubernetes RBAC for OIDC groups. Update Helm tasks to apply necessary static manifests for Headlamp, improving overall deployment and authentication reliability.

ansible/roles/noble_authentik/defaults/main.yml

@@ -29,6 +29,15 @@ noble_authentik_client_id_grafana: grafana
 noble_authentik_client_id_headlamp: headlamp
 noble_authentik_client_id_oauth2_proxy: oauth2-proxy
 
+# Headlamp **OIDC_SCOPES** for Secret **headlamp-oidc**. Omit **groups** unless the Authentik OAuth2 provider
+# includes a separate **groups** ScopeMapping (2026.x defaults often embed groups in **profile** only; requesting
+# **groups** then yields **invalid_scope** on authorize). Override if your IdP exposes **groups** explicitly.
+noble_authentik_headlamp_oidc_scopes: "openid profile email offline_access"
+# PKCE for Headlamp OIDC. **false** is the default for Authentik **confidential** clients: auth still uses the
+# standard browser OAuth code flow; PKCE is optional and some users see the callback “flash” then login reset
+# when PKCE state/cookies do not survive the redirect. Set **true** if you require PKCE.
+noble_authentik_headlamp_oidc_use_pkce: false
+
 # Secrets / bootstrap — prefer **lookup('env', ...)** set via repository **.env** (see from_env.yml).
 noble_authentik_secret_key: ""
 noble_authentik_postgresql_password: ""