gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enhance Authentik role by updating README with detailed troubleshooting steps for Headlamp OIDC integration, including handling of scopes and PKCE settings. Adjust default variables for Headlamp OIDC scopes and ensure proper application of Kubernetes RBAC for OIDC groups. Update Helm tasks to apply necessary static manifests for Headlamp, improving overall deployment and authentication reliability.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 16:11:57 -04:00
parent 4bc8da0225
commit 1a50599cb4
11 changed files with 98 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
talos/runbooks/rbac.md
View File

@@ -2,6 +2,19 @@
**Headlamp** (`clusters/noble/bootstrap/headlamp/values.yaml`): the charts **ClusterRoleBinding** uses the built-in **`edit`** ClusterRole — not **`cluster-admin`**. Break-glass changes use **`kubectl`** with an admin kubeconfig.
**Headlamp OIDC + kube-apiserver (401 on `/clusters/main/version`, 200 on `/me`)**
Headlamp sends your **IdP JWT** to the Kubernetes API. **`/me`** is answered by Headlamp; **`/clusters/.../version`** is proxied to **kube-apiserver**. **401** there means **authentication failed** at the API server (RBAC would normally be **403** after a successful auth). You must:
1. **Roll out Talos control-plane config** that sets **`cluster.apiServer.extraArgs`** for the same Authentik app as Headlamp — see the second **`patches`** entry in **`talos/talconfig.yaml`** (`oidc-issuer-url`, `oidc-client-id: headlamp`, `oidc-username-claim`, `oidc-groups-claim`). After edits: **`talhelper genconfig -o out`**, then **`talosctl apply-config`** on each control plane (rolling).
2. **Ensure control planes can reach** `https://auth.apps.noble.lab.pcenicni.dev/...` (JWKS / discovery). If that URL is unreachable from nodes, OIDC validation fails.
3. **Apply cluster RBAC for OIDC groups**: **`kubectl apply -k clusters/noble/bootstrap/headlamp`** (includes **`oidc-noble-admins-clusterrolebinding.yaml`**). Your user must be in Authentik group **`noble-admins`** and the id_token should carry a **`groups`** claim if you rely on that binding.
Quick discovery check (any machine with DNS to Authentik):
```bash
curl -fsS "https://auth.apps.noble.lab.pcenicni.dev/application/o/headlamp/.well-known/openid-configuration" | head -c 400; echo
```
**Argo CD** (`clusters/noble/bootstrap/argocd/values.yaml`): **`policy.default: role:readonly`** — new OIDC/Git users get read-only unless you add **`g, <user-or-group>, role:admin`** (or another role) in **`configs.rbac.policy.csv`**. Local user **`admin`** stays **`role:admin`** via **`g, admin, role:admin`**.
**Audits**