Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.

ansible/roles/noble_authentik/README.md

@@ -28,6 +28,8 @@ To expose the **same** Authentik instance on an **internet-facing** FQDN (while
 
 Then in **Pangolin**: link the domain, create an **HTTP** resource for that hostname, and set the **target** to your **Newt** site with **`ip:port`** pointing at the cluster **Traefik** HTTPS entry (same pattern as **`clusters/noble/bootstrap/newt/README.md`** — typically the MetalLB / LAN VIP and **443**). One Newt tunnel can front many hostnames.
 
+**Open WebUI (public hostname only):** Set **`noble_open_webui_public_host`** in **`group_vars`** to the same FQDN as **`clusters/noble/apps/open-webui/values.yaml`** **`ingress.host`** (for example **`webui.example.com`**). Add a **Pangolin** HTTP resource for that hostname to the same Newt target. Point **`OPENID_PROVIDER_URL`** in **`values.yaml`** at your **public** Authentik host (usually the first **`noble_authentik_ingress_extra_hosts`** entry, e.g. **`https://auth.example.com/application/o/open-webui/.well-known/openid-configuration`**), and set **`OPENID_REDIRECT_URI`** / **`WEBUI_URL`** to **`https://<noble_open_webui_public_host>/…`**. After changing **`noble_open_webui_public_host`**, re-run **`ansible-playbook playbooks/noble.yml --tags authentik`** so Authentik’s OAuth2 redirect URI matches.
+
 ### Split routing, two Brands, and optional blueprints
 
 This role supports a **single Authentik deployment** with **two hostnames** (lab + public) and **different Brands** per **`Host`**, without Authentik’s separate-database **Tenancy** feature (see [Tenancy](https://docs.goauthentik.io/sys-mgmt/tenancy) — alpha / licensing). [Brands](https://docs.goauthentik.io/brands/) choose default **authentication** (and related) **flows** and branding for each FQDN.
@@ -110,7 +112,7 @@ Authentik **tenancy** (multiple isolated tenants in one deployment, **`AUTHENTIK
 
 ## IdP configuration
 
-When **`noble_authentik_configure_idp`** is true, Ansible creates/updates OAuth2 providers and applications for **argocd**, **grafana**, **headlamp**, and **oauth2-proxy** using either the **worker ORM path** (default **`noble_authentik_oidc_provision_via: worker`**: **`kubectl exec`** + **`ak shell`** + **`files/worker_upsert_oauth_oidc.py`**, which avoids **2026+** REST **403** on **`GET …/providers/oauth2/**`) or the **REST-only path** (**`noble_authentik_oidc_provision_via: rest`**: **`files/configure_authentik.py`** needs a token that can list/patch OAuth2 providers). With the worker path and a bootstrap email, it also runs **`files/worker_add_bootstrap_user_groups.py`** so **`User.groups.add`** does not depend on **`GET …/core/users/**`. It then runs **`configure_authentik.py`** with **`AUTHENTIK_SKIP_OIDC_REST`** / **`AUTHENTIK_SKIP_USER_GROUP_REST`** when those worker steps ran, so the script only calls **`ensure_group`** over the API (skipped when **`AUTHENTIK_NOBLE_*_GROUP_PK`** are set).
+When **`noble_authentik_configure_idp`** is true, Ansible creates/updates OAuth2 providers and applications for **argocd**, **grafana**, **headlamp**, **open-webui**, and **oauth2-proxy** using either the **worker ORM path** (default **`noble_authentik_oidc_provision_via: worker`**: **`kubectl exec`** + **`ak shell`** + **`files/worker_upsert_oauth_oidc.py`**, which avoids **2026+** REST **403** on **`GET …/providers/oauth2/**`) or the **REST-only path** (**`noble_authentik_oidc_provision_via: rest`**: **`files/configure_authentik.py`** needs a token that can list/patch OAuth2 providers). With the worker path and a bootstrap email, it also runs **`files/worker_add_bootstrap_user_groups.py`** so **`User.groups.add`** does not depend on **`GET …/core/users/**`. It then runs **`configure_authentik.py`** with **`AUTHENTIK_SKIP_OIDC_REST`** / **`AUTHENTIK_SKIP_USER_GROUP_REST`** when those worker steps ran, so the script only calls **`ensure_group`** over the API (skipped when **`AUTHENTIK_NOBLE_*_GROUP_PK`** are set).
 
 ## RBAC notes
 
@@ -136,7 +138,7 @@ When **`noble_authentik_configure_idp`** is true, Ansible creates/updates OAuth2
 - **Headlamp OIDC authorize fails / `invalid_scope`**: Authentik often has no separate **`groups`** ScopeMapping (groups live under **`profile`**). Default **`noble_authentik_headlamp_oidc_scopes`** omits **`groups`**; add a **`groups`** mapping to the provider in Authentik and set **`noble_authentik_headlamp_oidc_scopes`** to include **`groups`** if you need that scope by name.
 - **Headlamp OIDC: Authentik flashes then back at login / page refresh**: Headlamp **does** support normal browser OAuth (redirect to Authentik and return to **`/oidc-callback`**). If the callback fails, the UI looks like it “drops” auth. Common causes: **`X-Forwarded-Proto`** not reaching Headlamp (callback built as **`http`** — see [Headlamp OIDC docs](https://headlamp.dev/docs/latest/installation/in-cluster/oidc)); **Traefik ForwardAuth** on the same Ingress (do not combine with native OIDC); **PKCE** state issues — this role defaults **`noble_authentik_headlamp_oidc_use_pkce: false`** for Authentik confidential clients (set **`true`** in **`group_vars`** if you need PKCE).
 - **Headlamp UI: `/me` works but `/clusters/main/version` (and other K8s calls) return 401**: Headlamp forwards your **OIDC id_token** to **kube-apiserver**. The API server must be configured with **OIDC** flags for the same **issuer** and **`oidc-client-id`** as Headlamp (see **`talos/talconfig.yaml`** patch and [Kubernetes OIDC authentication](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens)). Apply regenerated Talos configs to control plane nodes, then **`kubectl apply -k clusters/noble/bootstrap/headlamp`** (or **`--tags authentik`**) for **`oidc-noble-admins-clusterrolebinding.yaml`**. Ensure your user is in Authentik group **`noble-admins`** and the id_token includes a **`groups`** claim if you rely on that binding.
-- **Headlamp + Traefik ForwardAuth (`oauth2-proxy-forward-auth`)**: Do **not** put ForwardAuth on the **Headlamp** Ingress while using **native Headlamp OIDC**. Auth runs on **`/oidc-callback`** before Headlamp can finish the code exchange; ForwardAuth returns **401** and breaks login. Use **either** native OIDC (this repo’s **`values-authentik-oidc.yaml`**) **or** terminate auth at oauth2-proxy only (no **`config.oidc`**), not both.
+- **Headlamp + Traefik ForwardAuth (`oauth2-proxy-forward-auth`)**: Do **not** put ForwardAuth on the **Headlamp** Ingress while using **native Headlamp OIDC**. Auth runs on **`/oidc-callback`** before Headlamp can finish the code exchange; ForwardAuth returns **401** and breaks login. Use **either** native OIDC (this repo’s **`values-authentik-oidc.yaml`**) **or** terminate auth at oauth2-proxy only (no **`config.oidc`**), not both. The same applies to **Open WebUI** native OIDC (**`/oauth/oidc/callback`** in **`clusters/noble/apps/open-webui/values.yaml`**).
 
 ### Fix admin access manually (worker shell, no Ansible)
 

ansible/roles/noble_authentik/defaults/main.yml

@@ -122,6 +122,7 @@ noble_authentik_client_id_argocd: argocd
 noble_authentik_client_id_grafana: grafana
 noble_authentik_client_id_headlamp: headlamp
 noble_authentik_client_id_oauth2_proxy: oauth2-proxy
+noble_authentik_client_id_open_webui: open-webui
 
 # Headlamp **OIDC_SCOPES** for Secret **headlamp-oidc**. Omit **groups** unless the Authentik OAuth2 provider
 # includes a separate **groups** ScopeMapping (2026.x defaults often embed groups in **profile** only; requesting
@@ -143,8 +144,15 @@ noble_authentik_client_secret_argocd: ""
 noble_authentik_client_secret_grafana: ""
 noble_authentik_client_secret_headlamp: ""
 noble_authentik_client_secret_oauth2_proxy: ""
+noble_authentik_client_secret_open_webui: ""
 noble_authentik_oauth2_proxy_cookie_secret: ""
 
+# **open-webui** namespace — Secret **open-webui-secrets** (Ansible **--tags authentik**). See **clusters/noble/apps/open-webui/values.yaml**.
+noble_open_webui_openai_api_key: ""
+noble_open_webui_webui_secret_key: ""
+# Public FQDN for Open WebUI (Ingress + OIDC **redirect_uri**). Set in **group_vars** (e.g. **webui.example.com**); must match GitOps **values.yaml** **ingress.host** and **OPENID_REDIRECT_URI** / **WEBUI_URL**.
+noble_open_webui_public_host: ""
+
 # Optional: OAuth2 provider flow PKs (UUID strings). When **both** are set, **configure_authentik.py**
 # skips **GET /flows/instances/** (avoids 403 if the API token cannot view flows). If unset, the role
 # tries **kubectl exec** into **authentik-worker** + **ak shell** to read the same slugs from the DB.

ansible/roles/noble_authentik/tasks/from_env.yml

@@ -195,6 +195,69 @@
     - (noble_authentik_cs_o2_from_env.stdout | default('') | trim | length) > 0
   no_log: true
 
+- name: Load NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI from .env when unset
+  ansible.builtin.shell: |
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    printf '%s' "${NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI:-}"
+  register: noble_authentik_cs_ow_from_env
+  when:
+    - noble_authentik_dotenv_stat.stat.exists | default(false)
+    - noble_authentik_client_secret_open_webui | default('') | length == 0
+  changed_when: false
+  no_log: true
+
+- name: Apply NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI from .env
+  ansible.builtin.set_fact:
+    noble_authentik_client_secret_open_webui: "{{ noble_authentik_cs_ow_from_env.stdout | trim }}"
+  when:
+    - noble_authentik_cs_ow_from_env is defined
+    - (noble_authentik_cs_ow_from_env.stdout | default('') | trim | length) > 0
+  no_log: true
+
+- name: Load NOBLE_OPEN_WEBUI_OPENAI_API_KEY from .env when unset
+  ansible.builtin.shell: |
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    printf '%s' "${NOBLE_OPEN_WEBUI_OPENAI_API_KEY:-}"
+  register: noble_open_webui_openai_from_env
+  when:
+    - noble_authentik_dotenv_stat.stat.exists | default(false)
+    - noble_open_webui_openai_api_key | default('') | length == 0
+  changed_when: false
+  no_log: true
+
+- name: Apply NOBLE_OPEN_WEBUI_OPENAI_API_KEY from .env
+  ansible.builtin.set_fact:
+    noble_open_webui_openai_api_key: "{{ noble_open_webui_openai_from_env.stdout | trim }}"
+  when:
+    - noble_open_webui_openai_from_env is defined
+    - (noble_open_webui_openai_from_env.stdout | default('') | trim | length) > 0
+  no_log: true
+
+- name: Load NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY from .env when unset
+  ansible.builtin.shell: |
+    set -a
+    . "{{ noble_repo_root }}/.env"
+    set +a
+    printf '%s' "${NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY:-}"
+  register: noble_open_webui_webui_secret_from_env
+  when:
+    - noble_authentik_dotenv_stat.stat.exists | default(false)
+    - noble_open_webui_webui_secret_key | default('') | length == 0
+  changed_when: false
+  no_log: true
+
+- name: Apply NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY from .env
+  ansible.builtin.set_fact:
+    noble_open_webui_webui_secret_key: "{{ noble_open_webui_webui_secret_from_env.stdout | trim }}"
+  when:
+    - noble_open_webui_webui_secret_from_env is defined
+    - (noble_open_webui_webui_secret_from_env.stdout | default('') | trim | length) > 0
+  no_log: true
+
 - name: Load NOBLE_AUTHENTIK_OAUTH2_PROXY_COOKIE_SECRET from .env when unset
   ansible.builtin.shell: |
     set -a

ansible/roles/noble_authentik/tasks/main.yml

@@ -22,9 +22,16 @@
           - noble_authentik_client_secret_grafana | default('') | length > 0
           - noble_authentik_client_secret_headlamp | default('') | length > 0
           - noble_authentik_client_secret_oauth2_proxy | default('') | length > 0
+          - noble_authentik_client_secret_open_webui | default('') | length > 0
           - noble_authentik_oauth2_proxy_cookie_secret | default('') | length > 0
+          - noble_open_webui_openai_api_key | default('') | length > 0
+          - noble_open_webui_webui_secret_key | default('') | length > 0
+          - noble_open_webui_public_host | default('') | trim | length > 0
         fail_msg: >-
           Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars.
+          Includes Open WebUI: NOBLE_AUTHENTIK_CLIENT_SECRET_OPEN_WEBUI, NOBLE_OPEN_WEBUI_OPENAI_API_KEY,
+          NOBLE_OPEN_WEBUI_WEBUI_SECRET_KEY (see .env.sample). Set **noble_open_webui_public_host** (must match
+          **clusters/noble/apps/open-webui/values.yaml** ingress host; see README Pangolin section).
 
     - name: Require Authentik S3 media settings (same endpoint/keys as Velero; dedicated bucket)
       ansible.builtin.assert:
@@ -566,6 +573,32 @@
       no_log: true
       changed_when: true
 
+    - name: Ensure open-webui namespace exists (Secret before Argo first sync)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        kubectl create namespace open-webui --dry-run=client -o yaml | kubectl apply -f -
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      when: noble_authentik_configure_idp | default(true) | bool
+      changed_when: true
+
+    - name: Create Open WebUI secrets (OpenAI + WEBUI + OIDC client secret)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        kubectl -n open-webui create secret generic open-webui-secrets \
+          --from-literal=OPENAI_API_KEY="${OPENAI_API_KEY}" \
+          --from-literal=WEBUI_SECRET_KEY="${WEBUI_SECRET_KEY}" \
+          --from-literal=OAUTH_CLIENT_SECRET="${OAUTH_CLIENT_SECRET}" \
+          --dry-run=client -o yaml | kubectl apply -f -
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+        OPENAI_API_KEY: "{{ noble_open_webui_openai_api_key }}"
+        WEBUI_SECRET_KEY: "{{ noble_open_webui_webui_secret_key }}"
+        OAUTH_CLIENT_SECRET: "{{ noble_authentik_client_secret_open_webui }}"
+      no_log: true
+      when: noble_authentik_configure_idp | default(true) | bool
+      changed_when: true
+
     - name: Create oauth2-proxy credentials Secret (OIDC to Authentik; not BasicAuth)
       ansible.builtin.shell: |
         set -euo pipefail

ansible/roles/noble_authentik/templates/authentik-clients.json.j2

@@ -22,5 +22,11 @@
     "client_id": {{ noble_authentik_client_id_oauth2_proxy | to_json }},
     "client_secret": {{ noble_authentik_client_secret_oauth2_proxy | to_json }},
     "redirect_uri": "https://{{ noble_authentik_oauth2_proxy_host }}/oauth2/callback"
+  },
+  "open-webui": {
+    "name": "Open WebUI",
+    "client_id": {{ noble_authentik_client_id_open_webui | to_json }},
+    "client_secret": {{ noble_authentik_client_secret_open_webui | to_json }},
+    "redirect_uri": "https://{{ noble_open_webui_public_host | trim }}/oauth/oidc/callback"
   }
 }

ansible/roles/noble_authentik/templates/authentik-worker-oidc-spec.json.j2

@@ -27,6 +27,12 @@
       "client_id": {{ noble_authentik_client_id_oauth2_proxy | to_json }},
       "client_secret": {{ noble_authentik_client_secret_oauth2_proxy | to_json }},
       "redirect_uri": "https://{{ noble_authentik_oauth2_proxy_host }}/oauth2/callback"
+    },
+    "open-webui": {
+      "name": "Open WebUI",
+      "client_id": {{ noble_authentik_client_id_open_webui | to_json }},
+      "client_secret": {{ noble_authentik_client_secret_open_webui | to_json }},
+      "redirect_uri": "https://{{ noble_open_webui_public_host | trim }}/oauth/oidc/callback"
     }
   }
 }