Enhance Authentik role by updating README with detailed troubleshooting steps for Headlamp OIDC integration, including handling of scopes and PKCE settings. Adjust default variables for Headlamp OIDC scopes and ensure proper application of Kubernetes RBAC for OIDC groups. Update Helm tasks to apply necessary static manifests for Headlamp, improving overall deployment and authentication reliability.

ansible/roles/noble_authentik/tasks/main.yml

@@ -444,9 +444,9 @@
           --from-literal=OIDC_CLIENT_ID="{{ noble_authentik_client_id_headlamp }}" \
           --from-literal=OIDC_CLIENT_SECRET="${HEADLAMP_OIDC_SECRET}" \
           --from-literal=OIDC_ISSUER_URL="{{ noble_authentik_public_url }}/application/o/headlamp/" \
-          --from-literal=OIDC_SCOPES="openid profile email groups offline_access" \
+          --from-literal=OIDC_SCOPES="{{ noble_authentik_headlamp_oidc_scopes }}" \
           --from-literal=OIDC_CALLBACK_URL="https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback" \
-          --from-literal=OIDC_USE_PKCE="true" \
+          --from-literal=OIDC_USE_PKCE="{{ 'true' if (noble_authentik_headlamp_oidc_use_pkce | bool) else 'false' }}" \
           --dry-run=client -o yaml | kubectl apply -f -
       environment:
         KUBECONFIG: "{{ noble_kubeconfig }}"
@@ -566,6 +566,7 @@
           - "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp/values.yaml"
           - -f
           - "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp/values-authentik-oidc.yaml"
+          - --set=config.oidc.usePKCE={{ 'true' if (noble_authentik_headlamp_oidc_use_pkce | bool) else 'false' }}
           - --force-conflicts
           - --wait
           - --timeout
@@ -574,6 +575,17 @@
         KUBECONFIG: "{{ noble_kubeconfig }}"
       changed_when: true
 
+    - name: Apply Headlamp static manifests (metrics RBAC + OIDC group binding)
+      ansible.builtin.command:
+        argv:
+          - kubectl
+          - apply
+          - -k
+          - "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp"
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      changed_when: true
+
     - name: Helm upgrade Longhorn with ForwardAuth (oauth2-proxy OIDC)
       ansible.builtin.command:
         argv: