Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.

clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml

@@ -0,0 +1,20 @@
+# OIDC with Authentik (merged on `helm upgrade` after **noble_authentik** provisions providers + Secret **authentik-oidc**).
+# Issuer path uses provider slug **argocd** (see noble_authentik/configure_authentik.py).
+
+configs:
+  cm:
+    oidc.config: |
+      name: Authentik
+      issuer: https://auth.apps.noble.lab.pcenicni.dev/application/o/argocd/
+      clientID: argocd
+      clientSecret: $authentik-oidc:clientSecret
+      requestedScopes:
+        - openid
+        - profile
+        - email
+        - groups
+  rbac:
+    policy.default: role:readonly
+    policy.csv: |
+      g, admin, role:admin
+      g, noble-admins, role:admin

clusters/noble/bootstrap/authentik/namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authentik
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/warn: privileged

clusters/noble/bootstrap/authentik/values.yaml

@@ -0,0 +1,51 @@
+# Authentik — noble lab (Helm: goauthentik/authentik)
+#
+# Secrets (secret_key, postgres password, bootstrap) are supplied at install time by Ansible
+# (-f authentik-extra-values.yaml from noble_authentik role). Do not commit real secrets here.
+#
+# DNS: auth.apps.noble.lab.pcenicni.dev → Traefik LB (see traefik/values.yaml).
+#
+# helm repo add goauthentik https://charts.goauthentik.io && helm repo update
+# kubectl apply -f clusters/noble/bootstrap/authentik/namespace.yaml
+# helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
+#   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
+
+postgresql:
+  enabled: true
+  auth:
+    username: authentik
+    database: authentik
+    password: ""
+  primary:
+    persistence:
+      enabled: true
+      storageClassName: longhorn
+      size: 10Gi
+
+authentik:
+  secret_key: ""
+  postgresql:
+    name: authentik
+    user: authentik
+    password: ""
+    port: 5432
+
+server:
+  replicas: 1
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: auth.apps.noble.lab.pcenicni.dev
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: authentik-apps-noble-tls
+        hosts:
+          - auth.apps.noble.lab.pcenicni.dev
+
+worker:
+  replicas: 1

clusters/noble/bootstrap/headlamp/values-authentik-oidc.yaml

@@ -0,0 +1,9 @@
+# OIDC with Authentik — credentials live in Secret **headlamp-oidc** (envFrom), created by **noble_authentik**.
+
+config:
+  oidc:
+    secret:
+      create: false
+    externalSecret:
+      enabled: true
+      name: headlamp-oidc

clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml

@@ -0,0 +1,33 @@
+# Authentik OIDC for Grafana; ForwardAuth to **oauth2-proxy** (OIDC to Authentik) for Prometheus / Alertmanager UIs.
+
+prometheus:
+  ingress:
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+
+alertmanager:
+  ingress:
+    annotations:
+      traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+
+grafana:
+  env:
+    GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
+      valueFrom:
+        secretKeyRef:
+          name: authentik-grafana-oauth
+          key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+  grafana.ini:
+    auth:
+      disable_login_form: "false"
+    auth.generic_oauth:
+      enabled: true
+      name: Authentik
+      allow_sign_up: true
+      client_id: grafana
+      scopes: openid profile email groups
+      use_pkce: true
+      auth_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/authorize/
+      token_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/token/
+      api_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/userinfo/
+      role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"

clusters/noble/bootstrap/kustomization.yaml

@@ -9,6 +9,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - authentik/namespace.yaml
+  - oauth2-proxy/namespace.yaml
   - kube-prometheus-stack/namespace.yaml
   - loki/namespace.yaml
   - fluent-bit/namespace.yaml

clusters/noble/bootstrap/longhorn/values-authentik-forwardauth.yaml

@@ -0,0 +1,5 @@
+# ForwardAuth to **oauth2-proxy** (OIDC with Authentik) for the Longhorn UI Ingress.
+
+ingress:
+  annotations:
+    traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd

clusters/noble/bootstrap/oauth2-proxy/middleware-forwardauth.yaml

@@ -0,0 +1,16 @@
+# Traefik ForwardAuth → oauth2-proxy (OIDC with Authentik). Reference from Ingress:
+# traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: forward-auth
+  namespace: oauth2-proxy
+spec:
+  forwardAuth:
+    address: http://oauth2-proxy.oauth2-proxy.svc.cluster.local:4180/oauth2/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Forwarded-User
+      - X-Forwarded-Email
+      - X-Forwarded-Preferred-Username
+      - X-Forwarded-Groups

clusters/noble/bootstrap/oauth2-proxy/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: oauth2-proxy

clusters/noble/bootstrap/oauth2-proxy/values.yaml

@@ -0,0 +1,47 @@
+# oauth2-proxy — OIDC client to **Authentik** (not BasicAuth). Used with Traefik ForwardAuth
+# so apps without native OIDC (Prometheus, Alertmanager, Longhorn UI) still get a full OAuth code flow.
+#
+# Client id/secret/cookie-secret are created by Ansible (Kubernetes Secret + Helm values).
+#
+# helm repo add oauth2-proxy https://oauth2-proxy.github.io/manifests && helm repo update
+# kubectl apply -f clusters/noble/bootstrap/oauth2-proxy/namespace.yaml
+# helm upgrade --install oauth2-proxy oauth2-proxy/oauth2-proxy -n oauth2-proxy \
+#   --version 10.4.3 -f clusters/noble/bootstrap/oauth2-proxy/values.yaml -f /path/to/extra.yaml --wait
+
+config:
+  # Populated by Ansible: Secret **oauth2-proxy-credentials** (keys client-id, client-secret, cookie-secret).
+  existingSecret: oauth2-proxy-credentials
+  clientID: oauth2-proxy
+  clientSecret: ""
+  cookieSecret: ""
+  cookieName: _oauth2_proxy
+  emailDomains: ["*"]
+
+ingress:
+  enabled: true
+  className: traefik
+  path: /
+  hosts:
+    - oauth2.apps.noble.lab.pcenicni.dev
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  tls:
+    - secretName: oauth2-apps-noble-tls
+      hosts:
+        - oauth2.apps.noble.lab.pcenicni.dev
+
+extraArgs:
+  provider: oidc
+  skip-provider-button: "true"
+  oidc-issuer-url: "https://auth.apps.noble.lab.pcenicni.dev/application/o/oauth2-proxy/"
+  redirect-url: "https://oauth2.apps.noble.lab.pcenicni.dev/oauth2/callback"
+  scope: "openid profile email groups"
+  cookie-domain: ".apps.noble.lab.pcenicni.dev"
+  whitelist-domain: ".apps.noble.lab.pcenicni.dev"
+  set-authorization-header: "true"
+  pass-access-token: "false"
+  reverse-proxy: "true"
+  upstream: static://200
+
+service:
+  portNumber: 4180