Enhance Authentik role in noble cluster setup by adding support for resolving OAuth2 flow, signing key, and scope mapping UUIDs from the worker database, improving API access under 2026+ RBAC. Update README with troubleshooting steps for common OAuth2 provider issues and adjust default variables for better configuration management. Ensure seamless integration with oauth2-proxy by allowing unverified email handling in development environments.
@@ -3,8 +3,16 @@
noble_authentik_install: false
# When true, run **configure_authentik.py** against the Authentik API (requires bootstrap token + client secrets).
noble_authentik_configure_idp: true
# **worker** — upsert OAuth2 providers + applications via **ak shell** + Django ORM (avoids **GET …/providers/oauth2/** 403
# for bootstrap tokens). **rest** — use the Authentik API only (needs a token that can list/patch OAuth2 providers).
# When true (default), run **worker_ensure_authentik_admin_access.py** so **akadmin** / bootstrap email is in
# **authentik Admins** with **is_superuser** on the group (fixes **/if/admin/** redirecting to user UI in 2026+).
noble_authentik_ensure_admin_ui_access: true
noble_authentik_chart_version: "2026.2.3"
noble_authentik_namespace: authentik
# Helm release name (deployments: **{release}-server**, **{release}-worker**).
noble_authentik_release_name: authentik
noble_authentik_oauth2_proxy_chart_version: "10.4.3"
noble_authentik_host: auth.apps.noble.lab.pcenicni.dev
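Review bot: the `worker` / `rest` comment in this hunk (the two lines starting `# **worker** — upsert OAuth2 providers + applications via **ak shell** + Django ORM`) has no variable beneath it; the next key is `noble_authentik_ensure_admin_ui_access`, so a reader of these defaults cannot tell which variable selects the mode or what its default is. Put the selector key with an explicit default directly under that comment. The comment should also say which mode is the intended steady state: `worker` writes through the Django ORM from inside the worker pod, which sidesteps the API permission check that produces the 403 and requires exec rights on the worker, so it is a bootstrap workaround rather than a least-privilege path; `rest` is the one to prefer once a token that can list/patch OAuth2 providers exists. Likewise, since `noble_authentik_ensure_admin_ui_access` defaults to `true` and sets `is_superuser` on the **authentik Admins** group, the comment should state that this elevates every member of that group, not only **akadmin** / the bootstrap email.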
@@ -33,9 +41,21 @@ noble_authentik_client_secret_oauth2_proxy: ""
noble_authentik_oauth2_proxy_cookie_secret: ""
# Optional: OAuth2 provider flow PKs (UUID strings). When **both** are set, **configure_authentik.py**
# skips **GET /flows/instances/** (avoids 403 if the API token user is not a superuser). See role README.
# skips **GET /flows/instances/** (avoids 403 if the API token cannot view flows). If unset, the role
# tries **kubectl exec** into **authentik-worker** + **ak shell** to read the same slugs from the DB.
noble_authentik_oauth_authorization_flow_pk: ""
noble_authentik_oauth_invalidation_flow_pk: ""
# Optional: OAuth2 signing key (**CertificateKeyPair** UUID). When set, **configure_authentik.py** skips
# **GET /crypto/certificatekeypairs/** (often 403 for bootstrap tokens). If unset, the role resolves it
# from the worker DB when possible (see **resolve_oauth_signing_key_pk.py**).
noble_authentik_oauth_signing_key_pk: ""
# Optional: comma-separated **ScopeMapping** UUIDs (openid, email, profile, offline_access; optional **groups**
# if you created a separate mapping — 2026.x defaults embed groups in **profile** only).
# When set, **configure_authentik.py** skips **GET /propertymappings/...** (often 403 for bootstrap tokens).
noble_authentik_oauth_scope_mapping_pks: ""
# Optional: **Group** UUIDs for **noble-admins** / **noble-editors** (skip **GET /core/groups/** when set).
noble_authentik_group_pk_noble_admins: ""
noble_authentik_group_pk_noble_editors: ""
noble_authentik_helm_wait_timeout: 25m
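Review bot: the fallback behaviour for the new PK variables is underspecified. `noble_authentik_oauth_authorization_flow_pk` / `noble_authentik_oauth_invalidation_flow_pk` skip the flows lookup only when **both** are set; state what happens when exactly one is set (is the value used, ignored, or does the role still call `GET /flows/instances/` and hit the same 403?). For `noble_authentik_oauth_signing_key_pk` the comment says the role resolves it from the worker DB "when possible"; say whether the play fails or goes on to create the provider without a signing key when that resolution also fails, because the provider's token signing depends on that key and a silent fallback is exactly what an operator would not expect from a defaults file. For `noble_authentik_oauth_scope_mapping_pks`, note whether the comma-separated list is positional (openid, email, profile, offline_access, optional groups) or matched by scope name, since a mis-ordered list would bind the wrong mapping to a scope without an error. Minor: the two `# skips **GET /flows/instances/**` lines are the old and new versions of the same comment rendered without +/- markers; the replacement wording ("cannot view flows") is the accurate one, as a non-superuser token with the right permission can view flows.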