Enhance Authentik role by adding Helm wait timeout for oauth2-proxy and improving task conditions for admin access and OAuth2 provider upserts. Update README with new variable descriptions and adjust Longhorn deployment tasks to ensure proper rollout before Loki installation, enhancing overall deployment reliability.

ansible/roles/noble_authentik/defaults/main.yml

@@ -14,6 +14,8 @@ noble_authentik_namespace: authentik
 # Helm release name (deployments: **{release}-server**, **{release}-worker**).
 noble_authentik_release_name: authentik
 noble_authentik_oauth2_proxy_chart_version: "10.4.3"
+# Helm **--wait** timeout for **oauth2-proxy** (first pull / API checks can exceed 10m).
+noble_authentik_oauth2_proxy_helm_wait_timeout: 10m
 
 noble_authentik_host: auth.apps.noble.lab.pcenicni.dev
 noble_authentik_public_url: "https://{{ noble_authentik_host }}"

ansible/roles/noble_authentik/files/worker_add_bootstrap_user_groups.py

@@ -51,5 +51,4 @@ def main() -> None:
     print("worker: bootstrap user group membership updated", flush=True)
 
 
-if __name__ == "__main__":
-    main()
+main()

ansible/roles/noble_authentik/files/worker_ensure_authentik_admin_access.py

@@ -69,5 +69,4 @@ def main() -> None:
     )
 
 
-if __name__ == "__main__":
-    main()
+main()

ansible/roles/noble_authentik/files/worker_upsert_oauth_oidc.py

@@ -106,5 +106,4 @@ def main() -> None:
     print("worker: OAuth2 providers + applications upserted", flush=True)
 
 
-if __name__ == "__main__":
-    main()
+main()

ansible/roles/noble_authentik/tasks/main.yml

@@ -276,7 +276,15 @@
       environment:
         KUBECONFIG: "{{ noble_kubeconfig }}"
       register: noble_authentik_worker_admin_access
-      changed_when: true
+      changed_when: >-
+        "worker:" in (noble_authentik_worker_admin_access.stdout | default(""))
+        and "authentik Admins" in (noble_authentik_worker_admin_access.stdout | default(""))
+      failed_when: >-
+        (noble_authentik_worker_admin_access.rc | default(-1)) != 0
+        or (
+          "worker:" not in (noble_authentik_worker_admin_access.stdout | default(""))
+          or "authentik Admins" not in (noble_authentik_worker_admin_access.stdout | default(""))
+        )
       when:
         - noble_authentik_configure_idp | default(true) | bool
         - noble_authentik_ensure_admin_ui_access | default(true) | bool
@@ -321,7 +329,15 @@
       environment:
         KUBECONFIG: "{{ noble_kubeconfig }}"
       register: noble_authentik_worker_oidc_upsert
-      changed_when: true
+      changed_when: >-
+        "worker: OAuth2 providers + applications upserted"
+        in (noble_authentik_worker_oidc_upsert.stdout | default(""))
+      failed_when: >-
+        (noble_authentik_worker_oidc_upsert.rc | default(-1)) != 0
+        or (
+          "worker: OAuth2 providers + applications upserted"
+          not in (noble_authentik_worker_oidc_upsert.stdout | default(""))
+        )
       when:
         - noble_authentik_configure_idp | default(true) | bool
         - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
@@ -366,7 +382,10 @@
       environment:
         KUBECONFIG: "{{ noble_kubeconfig }}"
       register: noble_authentik_worker_user_groups
-      changed_when: true
+      changed_when: >-
+        "worker: bootstrap user group membership updated"
+        in (noble_authentik_worker_user_groups.stdout | default(""))
+      failed_when: (noble_authentik_worker_user_groups.rc | default(-1)) != 0
       when:
         - noble_authentik_configure_idp | default(true) | bool
         - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker'
@@ -467,7 +486,7 @@
           - --force-conflicts
           - --wait
           - --timeout
-          - 10m
+          - "{{ noble_authentik_oauth2_proxy_helm_wait_timeout }}"
       environment:
         KUBECONFIG: "{{ noble_kubeconfig }}"
       changed_when: true