Enhance Authentik and Newt configurations to support Open WebUI integration. Add necessary environment variables and secrets management for Open WebUI in .env.sample and Ansible tasks. Update README to clarify setup steps for automating HTTP resources with Pangolin, ensuring consistency with new branding and deployment practices.

clusters/noble/apps/open-webui/kustomization.yaml

@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - namespace.yaml
   - application.yaml

clusters/noble/apps/open-webui/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: open-webui
+  labels:
+    app.kubernetes.io/name: open-webui

clusters/noble/apps/open-webui/values.yaml

@@ -1,10 +1,10 @@
 # Open WebUI — https://github.com/open-webui/helm-charts (chart **open-webui**).
 # Ingress: Traefik + cert-manager (same pattern as **`clusters/noble/apps/homepage/values.yaml`**).
 #
-# After sync: set an OpenAI-compatible API key (**`openaiApiKey`** below or **`openaiApiKeyExistingSecret`**),
-# or enable in-cluster **Ollama** / **Pipelines** in this file. Chart defaults ship a placeholder key — override before use.
-#
-# Optional: protect with ForwardAuth like **`clusters/noble/bootstrap/longhorn/values-authentik-forwardauth.yaml`**.
+# **Secrets** (**`OPENAI_API_KEY`**, **`WEBUI_SECRET_KEY`**, **`OAUTH_CLIENT_SECRET`**) are created in-cluster by
+# **`ansible-playbook … --tags authentik`** as **`open-webui/open-webui-secrets`** (see **noble_authentik** role and **`.env.sample`**).
+# **OIDC** uses Authentik provider slug **`open-webui`** (issuer **`…/application/o/open-webui/`**). Do **not** put ForwardAuth on this Ingress while using native OIDC (same pattern as Headlamp).
+# **Public host only** (Pangolin → Newt → Traefik): keep **ingress.host**, **OPENID_PROVIDER_URL**, **OPENID_REDIRECT_URI**, and **WEBUI_URL** in sync with **`noble_open_webui_public_host`** in Ansible **group_vars** (see **noble_authentik** README).
 #
 ollama:
   enabled: false
@@ -12,7 +12,6 @@ ollama:
 pipelines:
   enabled: false
 
-# External Ollama (when not using the subchart), e.g. `http://ollama.ollama.svc.cluster.local:11434`
 ollamaUrls: []
 
 ingress:
@@ -20,7 +19,7 @@ ingress:
   class: traefik
   annotations:
     cert-manager.io/cluster-issuer: letsencrypt-prod
-  host: open-webui.apps.noble.lab.pcenicni.dev
+  host: webui.nikflix.ca
   additionalHosts: []
   tls: true
   existingSecret: ""
@@ -28,8 +27,38 @@ ingress:
 enableOpenaiApi: true
 openaiBaseApiUrl: "https://api.openai.com/v1"
 openaiApiKey: ""
-# openaiApiKeyExistingSecret: open-webui-openai
-# openaiApiKeyExistingSecretKey: api-key
+openaiApiKeyExistingSecret: open-webui-secrets
+openaiApiKeyExistingSecretKey: OPENAI_API_KEY
+
+extraEnvVars:
+  - name: ENABLE_OAUTH_SIGNUP
+    value: "true"
+  - name: OAUTH_MERGE_ACCOUNTS_BY_EMAIL
+    value: "true"
+  - name: OAUTH_PROVIDER_NAME
+    value: "Authentik"
+  - name: OAUTH_CLIENT_ID
+    value: "open-webui"
+  - name: OPENID_PROVIDER_URL
+    value: "https://auth.nikflix.ca/application/o/open-webui/.well-known/openid-configuration"
+  - name: OAUTH_SCOPES
+    value: "openid email profile offline_access"
+  - name: OPENID_REDIRECT_URI
+    value: "https://webui.nikflix.ca/oauth/oidc/callback"
+  - name: WEBUI_URL
+    value: "https://webui.nikflix.ca"
+  - name: ENABLE_OAUTH_PERSISTENT_CONFIG
+    value: "false"
+  - name: WEBUI_SECRET_KEY
+    valueFrom:
+      secretKeyRef:
+        name: open-webui-secrets
+        key: WEBUI_SECRET_KEY
+  - name: OAUTH_CLIENT_SECRET
+    valueFrom:
+      secretKeyRef:
+        name: open-webui-secrets
+        key: OAUTH_CLIENT_SECRET
 
 persistence:
   enabled: true