Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.

clusters/noble/bootstrap/authentik/values.yaml

@@ -0,0 +1,51 @@
+# Authentik — noble lab (Helm: goauthentik/authentik)
+#
+# Secrets (secret_key, postgres password, bootstrap) are supplied at install time by Ansible
+# (-f authentik-extra-values.yaml from noble_authentik role). Do not commit real secrets here.
+#
+# DNS: auth.apps.noble.lab.pcenicni.dev → Traefik LB (see traefik/values.yaml).
+#
+# helm repo add goauthentik https://charts.goauthentik.io && helm repo update
+# kubectl apply -f clusters/noble/bootstrap/authentik/namespace.yaml
+# helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
+#   --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
+
+postgresql:
+  enabled: true
+  auth:
+    username: authentik
+    database: authentik
+    password: ""
+  primary:
+    persistence:
+      enabled: true
+      storageClassName: longhorn
+      size: 10Gi
+
+authentik:
+  secret_key: ""
+  postgresql:
+    name: authentik
+    user: authentik
+    password: ""
+    port: 5432
+
+server:
+  replicas: 1
+  ingress:
+    enabled: true
+    ingressClassName: traefik
+    annotations:
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+    hosts:
+      - host: auth.apps.noble.lab.pcenicni.dev
+        paths:
+          - path: /
+            pathType: Prefix
+    tls:
+      - secretName: authentik-apps-noble-tls
+        hosts:
+          - auth.apps.noble.lab.pcenicni.dev
+
+worker:
+  replicas: 1