Enhance Authentik role by updating README with detailed troubleshooting steps for Headlamp OIDC integration, including handling of scopes and PKCE settings. Adjust default variables for Headlamp OIDC scopes and ensure proper application of Kubernetes RBAC for OIDC groups. Update Helm tasks to apply necessary static manifests for Headlamp, improving overall deployment and authentication reliability.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 16:11:57 -04:00
parent 4bc8da0225
commit 1a50599cb4
11 changed files with 98 additions and 5 deletions


@@ -15,7 +15,7 @@ helm upgrade --install headlamp headlamp/headlamp -n headlamp \
--version 0.40.1 -f clusters/noble/bootstrap/headlamp/values.yaml --wait --timeout 10m
```
Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO.
Sign-in uses a **ServiceAccount token** (Headlamp docs: create a limited SA for day-to-day use). This repo binds the Headlamp workload SA to the built-in **`edit`** ClusterRole (**`clusterRoleBinding.clusterRoleName: edit`** in **`values.yaml`**) — not **`cluster-admin`**. For cluster-scoped admin work, use **`kubectl`** with your admin kubeconfig. Optional **OIDC** in **`config.oidc`** replaces token login for SSO. **In-cluster OIDC requires kube-apiserver OIDC** (same Authentik app issuer + **`oidc-client-id: headlamp`**) or proxied K8s calls return **401** while **`/me`** still returns 200 — see **`talos/talconfig.yaml`**, **`oidc-noble-admins-clusterrolebinding.yaml`**, and **`ansible/roles/noble_authentik/README.md`** troubleshooting.
## Sign-in token (ServiceAccount `headlamp`)
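Review bot: the sentence added to the overview paragraph, "In-cluster OIDC requires kube-apiserver OIDC ... see talos/talconfig.yaml, oidc-noble-admins-clusterrolebinding.yaml, and ansible/roles/noble_authentik/README.md troubleshooting", packs the prerequisite, the failure symptom and three cross-references into an already long paragraph; move it under a short "OIDC prerequisites" note near the troubleshooting material so the overview stays readable. While doing so, mention the second precondition this commit documents in values.yaml, that the chart only passes `-oidc-callback-url` / `-oidc-use-pkce` when `callbackURL` / `usePKCE` are set in values, because the "proxied K8s calls return 401 while /me returns 200" symptom is exactly what a reader will see when either precondition is missing, and the README should let them tell the two apart.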


@@ -4,3 +4,4 @@ kind: Kustomization
# Do not include it here — two Applications owning the same Namespace causes SharedResourceWarning.
resources:
- metrics-clusterrolebinding.yaml
- oidc-noble-admins-clusterrolebinding.yaml
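Review bot: this Kustomization now ships a cluster-wide binding of `edit` to an external identity-provider group, and the file already carries a comment explaining why the Namespace is excluded; add a one-line comment beside `- oidc-noble-admins-clusterrolebinding.yaml` stating that it grants Authentik `noble-admins` members `edit` across all namespaces and only has effect once the kube-apiserver OIDC flags are in place, so the resource is not removed or copied to another cluster without that context.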


@@ -0,0 +1,19 @@
# OIDC users in Authentik group **noble-admins** (claim **groups**) get the same cluster access as the Headlamp
# ServiceAccount binding (**edit**). Requires kube-apiserver **oidc-*** extraArgs (see **talos/talconfig.yaml**).
# If your IdP omits **groups** from the id_token, add a **groups** scope/mapping in Authentik or bind **User** subjects instead.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: headlamp-oidc-noble-admins
labels:
app.kubernetes.io/name: headlamp
app.kubernetes.io/component: oidc-rbac
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: edit
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: noble-admins
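Review bot: the subject `name: noble-admins` only matches if the apiserver presents the group with exactly that string; if the `oidc-*` extraArgs in talos/talconfig.yaml include a groups prefix, the subject name needs that prefix too, and the header comment should say so next to the remark about the apiserver extraArgs. The comment's "same cluster access as the Headlamp ServiceAccount binding (edit)" also deserves one more clause: the built-in `edit` ClusterRole includes get/list/watch on Secrets, so every member of `noble-admins` can read Secrets in every namespace; if that is not intended, a namespaced RoleBinding to `edit` in the namespaces they actually manage is the narrower alternative.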


@@ -1,7 +1,9 @@
# OIDC with Authentik — credentials live in Secret **headlamp-oidc** (envFrom), created by **noble_authentik**.
# **OIDC_SCOPES** in that Secret must match scopes the Authentik provider exposes (see **noble_authentik_headlamp_oidc_scopes**).
#
# With **externalSecret**, the Headlamp chart only adds **-oidc-callback-url** / **-oidc-use-pkce** args when these
# values are set here (or under **env:**). The Secret alone is not enough — without them, login can fail or Authentik returns errors.
# **usePKCE** defaults **false** for Authentik confidential clients (Ansible **noble_authentik_headlamp_oidc_use_pkce** also passes **--set** on **--tags authentik**).
config:
oidc:
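Review bot: the comment block now names two sources of truth for `usePKCE` (the value in this file and the Ansible variable `noble_authentik_headlamp_oidc_use_pkce` passed via `--set` on `--tags authentik`); state which one wins when they disagree, otherwise a Helm run with and without the Ansible tag produces different flags. Also say explicitly that the Authentik provider's PKCE setting must match whichever value is chosen, since the comment itself says a mismatch surfaces only as a failed login or an Authentik error rather than a clear message.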
@@ -11,4 +13,4 @@ config:
enabled: true
name: headlamp-oidc
callbackURL: "https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback"
usePKCE: true
usePKCE: false
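Review bot: flipping `usePKCE` from `true` to `false` means the code exchange now relies solely on the client secret held in the `headlamp-oidc` Secret, which the comment above justifies for an Authentik confidential client; make sure the troubleshooting section this commit adds records that as the intended default, so nobody re-enables PKCE from the old value and hits the mismatch the comment warns about. `callbackURL` must stay set alongside it, since per the same comment the chart only passes `-oidc-callback-url` when that value is present.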