Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.

ansible/roles/noble_authentik/defaults/main.yml

@@ -122,6 +122,7 @@ noble_authentik_client_id_argocd: argocd
 noble_authentik_client_id_grafana: grafana
 noble_authentik_client_id_headlamp: headlamp
 noble_authentik_client_id_oauth2_proxy: oauth2-proxy
+noble_authentik_client_id_open_webui: open-webui
 
 # Headlamp **OIDC_SCOPES** for Secret **headlamp-oidc**. Omit **groups** unless the Authentik OAuth2 provider
 # includes a separate **groups** ScopeMapping (2026.x defaults often embed groups in **profile** only; requesting
@@ -143,8 +144,15 @@ noble_authentik_client_secret_argocd: ""
 noble_authentik_client_secret_grafana: ""
 noble_authentik_client_secret_headlamp: ""
 noble_authentik_client_secret_oauth2_proxy: ""
+noble_authentik_client_secret_open_webui: ""
 noble_authentik_oauth2_proxy_cookie_secret: ""
 
+# **open-webui** namespace — Secret **open-webui-secrets** (Ansible **--tags authentik**). See **clusters/noble/apps/open-webui/values.yaml**.
+noble_open_webui_openai_api_key: ""
+noble_open_webui_webui_secret_key: ""
+# Public FQDN for Open WebUI (Ingress + OIDC **redirect_uri**). Set in **group_vars** (e.g. **webui.example.com**); must match GitOps **values.yaml** **ingress.host** and **OPENID_REDIRECT_URI** / **WEBUI_URL**.
+noble_open_webui_public_host: ""
+
 # Optional: OAuth2 provider flow PKs (UUID strings). When **both** are set, **configure_authentik.py**
 # skips **GET /flows/instances/** (avoids 403 if the API token cannot view flows). If unset, the role
 # tries **kubectl exec** into **authentik-worker** + **ak shell** to read the same slugs from the DB.