From 93d602de9d5ca8bc68687cf834d5d83935131c1b Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Thu, 14 May 2026 22:26:41 -0400
Subject: [PATCH] Enhance Authentik deployment by adding verification for the presence of noble blueprints volume mounts in the authentik-worker deployment. Update README to clarify blueprint confirmation steps and troubleshooting for mounted files. This ensures proper configuration when blueprints are enabled.

---
 ansible/roles/noble_authentik/README.md      | 10 ++++++++++
 ansible/roles/noble_authentik/tasks/main.yml | 18 ++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/ansible/roles/noble_authentik/README.md b/ansible/roles/noble_authentik/README.md
index fc9d31f..8aa21e0 100644
--- a/ansible/roles/noble_authentik/README.md
+++ b/ansible/roles/noble_authentik/README.md
@@ -56,6 +56,16 @@ Network isolation is enforced at **DNS and the tunnel**, not inside Authentik. O
 
 Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_authentik_blueprint_public_brand_title_prefix`**. After the worker applies blueprints, confirm **System → Brands** and **Flows** in the admin UI; fix any **`!Find`** failures if upstream default stage **names** change between Authentik versions.
 
+**Confirming blueprints on the cluster:** the Ansible task **Install Authentik (Helm)** uses **`changed_when: true`**, so a **“changed”** line there does **not** prove Helm mutated the release. When **`noble_authentik_blueprints_enabled`** is true, the role asserts the **worker** Deployment has a volumeMount named **`blueprints-cm-`** (default **`blueprints-cm-authentik-noble-blueprints`**). You can also run:
+
+```bash
+kubectl -n authentik get configmap authentik-noble-blueprints -o yaml
+helm get values authentik -n authentik -o yaml | grep -A2 blueprints
+kubectl -n authentik get deploy -l app.kubernetes.io/component=worker -o yaml | grep blueprints-cm
+```
+
+Mounted files are applied asynchronously by **authentik-worker**; check **System → Blueprints** (or **Customization → Blueprints** depending on version) for instances sourced from **`/blueprints/mounted/cm-authentik-noble-blueprints/`**, and **`kubectl logs -n authentik deploy/authentik-worker`** if a blueprint shows **Error** / failed apply.
+
 ### “Secondary tenant” (separate PostgreSQL schema — alpha)
 Authentik **tenancy** (multiple isolated tenants in one deployment, **`AUTHENTIK_TENANTS__ENABLED`**) is **alpha**, requires **per-tenant Enterprise licensing**, **`AUTHENTIK_TENANTS__API_KEY`**, and **`AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true`** (embedded outposts are unsupported with tenancy). It is **not** wired in this repo by default. See [Tenancy](https://docs.goauthentik.io/sys-mgmt/tenancy).
 For most homelabs, **one tenant** plus **`noble_authentik_ingress_extra_hosts`** is the right split.
diff --git a/ansible/roles/noble_authentik/tasks/main.yml b/ansible/roles/noble_authentik/tasks/main.yml
index 1810819..854e7a3 100644
--- a/ansible/roles/noble_authentik/tasks/main.yml
+++ b/ansible/roles/noble_authentik/tasks/main.yml
@@ -139,6 +139,24 @@
         KUBECONFIG: "{{ noble_kubeconfig }}"
       changed_when: true
 
+    - name: Verify authentik-worker mounts noble blueprints volume (Helm blueprints.configMaps)
+      ansible.builtin.shell: |
+        set -euo pipefail
+        WANT="blueprints-cm-{{ noble_authentik_blueprints_configmap_name }}"
+        D="$(kubectl get deploy -n "{{ noble_authentik_namespace }}" \
+          -l app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker \
+          -o jsonpath='{.items[0].metadata.name}')"
+        MOUNTS="$(kubectl get deploy -n "{{ noble_authentik_namespace }}" "$D" \
+          -o jsonpath='{.spec.template.spec.containers[0].volumeMounts[*].name}')"
+        if ! echo "$MOUNTS" | tr ' ' '\n' | grep -Fxq "$WANT"; then
+          echo "Expected volumeMount ${WANT} on ${D}; got: ${MOUNTS}" >&2
+          exit 1
+        fi
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      when: noble_authentik_blueprints_enabled | default(false) | bool
+      changed_when: false
+
     - name: Wait for authentik server rollout
       ansible.builtin.command:
         argv:
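Review bot: `set -euo pipefail` in the new verify task runs under the managed host's default `/bin/sh` because the task sets no `args: executable:`; where `/bin/sh` is dash, `set -o pipefail` is rejected and the task fails before it inspects anything, so add `args:` / `executable: /bin/bash` (the preceding Helm task's own settings lie outside this hunk, so I cannot tell whether it has the same gap). The role variables are templated straight into the script; `{{ noble_authentik_blueprints_configmap_name | quote }}` and `{{ noble_authentik_namespace | quote }}` keep a value containing shell metacharacters from being expanded rather than matched literally. When the label selector matches nothing, `D` is empty and the second `kubectl` fails with a generic resource-name error, so a `[ -n "$D" ]` guard with its own message makes the failure readable; `containers[0]` also assumes the worker container is listed first in the pod spec, which is worth stating in a comment since the chart is not under this role's control. The enclosing task list starts and ends outside the hunk.
```yaml
    - name: Verify authentik-worker mounts noble blueprints volume (Helm blueprints.configMaps)
      ansible.builtin.shell: |
        set -euo pipefail
        WANT=blueprints-cm-{{ noble_authentik_blueprints_configmap_name | quote }}
        NS={{ noble_authentik_namespace | quote }}
        D="$(kubectl get deploy -n "$NS" \
          -l app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker \
          -o jsonpath='{.items[0].metadata.name}')"
        [ -n "$D" ] || { echo "No authentik worker Deployment found in ${NS}" >&2; exit 1; }
        # containers[0] is assumed to be the worker container of the chart's pod spec
        MOUNTS="$(kubectl get deploy -n "$NS" "$D" \
          -o jsonpath='{.spec.template.spec.containers[0].volumeMounts[*].name}')"
        # … unchanged: grep check and error message …
      args:
        executable: /bin/bash
      # … unchanged: environment, when, changed_when …
```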