Enhance Authentik deployment by adding verification for the presence of noble blueprints volume mounts in the authentik-worker deployment. Update README to clarify blueprint confirmation steps and troubleshooting for mounted files. This ensures proper configuration when blueprints are enabled.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 22:26:41 -04:00
parent fbcd2416e6
commit 93d602de9d
2 changed files with 28 additions and 0 deletions


@@ -56,6 +56,16 @@ Network isolation is enforced at **DNS and the tunnel**, not inside Authentik. O
Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_authentik_blueprint_public_brand_title_prefix`**. After the worker applies blueprints, confirm **System → Brands** and **Flows** in the admin UI; fix any **`!Find`** failures if upstream default stage **names** change between Authentik versions. Tune titles via **`noble_authentik_blueprint_lab_brand_title`** and **`noble_authentik_blueprint_public_brand_title_prefix`**. After the worker applies blueprints, confirm **System → Brands** and **Flows** in the admin UI; fix any **`!Find`** failures if upstream default stage **names** change between Authentik versions.
**Confirming blueprints on the cluster:** the Ansible task **Install Authentik (Helm)** uses **`changed_when: true`**, so a **“changed”** line there does **not** prove Helm mutated the release. When **`noble_authentik_blueprints_enabled`** is true, the role asserts the **worker** Deployment has a volumeMount named **`blueprints-cm-<noble_authentik_blueprints_configmap_name>`** (default **`blueprints-cm-authentik-noble-blueprints`**). You can also run:
```bash
kubectl -n authentik get configmap authentik-noble-blueprints -o yaml
helm get values authentik -n authentik -o yaml | grep -A2 blueprints
kubectl -n authentik get deploy -l app.kubernetes.io/component=worker -o yaml | grep blueprints-cm
```
Mounted files are applied asynchronously by **authentik-worker**; check **System → Blueprints** (or **Customization → Blueprints** depending on version) for instances sourced from **`/blueprints/mounted/cm-authentik-noble-blueprints/`**, and **`kubectl logs -n authentik deploy/authentik-worker`** if a blueprint shows **Error** / failed apply.
### “Secondary tenant” (separate PostgreSQL schema — alpha) ### “Secondary tenant” (separate PostgreSQL schema — alpha)
Authentik **tenancy** (multiple isolated tenants in one deployment, **`AUTHENTIK_TENANTS__ENABLED`**) is **alpha**, requires **per-tenant Enterprise licensing**, **`AUTHENTIK_TENANTS__API_KEY`**, and **`AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true`** (embedded outposts are unsupported with tenancy). It is **not** wired in this repo by default. See [Tenancy](https://docs.goauthentik.io/sys-mgmt/tenancy). For most homelabs, **one tenant** plus **`noble_authentik_ingress_extra_hosts`** is the right split. Authentik **tenancy** (multiple isolated tenants in one deployment, **`AUTHENTIK_TENANTS__ENABLED`**) is **alpha**, requires **per-tenant Enterprise licensing**, **`AUTHENTIK_TENANTS__API_KEY`**, and **`AUTHENTIK_OUTPOSTS__DISABLE_EMBEDDED_OUTPOST=true`** (embedded outposts are unsupported with tenancy). It is **not** wired in this repo by default. See [Tenancy](https://docs.goauthentik.io/sys-mgmt/tenancy). For most homelabs, **one tenant** plus **`noble_authentik_ingress_extra_hosts`** is the right split.
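Review bot: the three verification commands in this hunk do not match the selector and the names the Ansible task actually uses, so a reader who follows them can get an empty result and conclude the mount is missing. `kubectl -n authentik get deploy -l app.kubernetes.io/component=worker` matches any chart's worker Deployment in the namespace, while the role selects on `app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker`; the configmap name `authentik-noble-blueprints`, the release name `authentik` in `helm get values`, `deploy/authentik-worker` and the path `/blueprints/mounted/cm-authentik-noble-blueprints/` are all the defaults of `noble_authentik_blueprints_configmap_name`, the namespace and the release. Suggest using the same label pair as the task and stating once that the commands assume the default names, e.g. "replace `authentik-noble-blueprints` with your `noble_authentik_blueprints_configmap_name` if overridden".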


@@ -139,6 +139,24 @@
KUBECONFIG: "{{ noble_kubeconfig }}" KUBECONFIG: "{{ noble_kubeconfig }}"
changed_when: true changed_when: true
- name: Verify authentik-worker mounts noble blueprints volume (Helm blueprints.configMaps)
ansible.builtin.shell: |
set -euo pipefail
WANT="blueprints-cm-{{ noble_authentik_blueprints_configmap_name }}"
D="$(kubectl get deploy -n "{{ noble_authentik_namespace }}" \
-l app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker \
-o jsonpath='{.items[0].metadata.name}')"
MOUNTS="$(kubectl get deploy -n "{{ noble_authentik_namespace }}" "$D" \
-o jsonpath='{.spec.template.spec.containers[0].volumeMounts[*].name}')"
if ! echo "$MOUNTS" | tr ' ' '\n' | grep -Fxq "$WANT"; then
echo "Expected volumeMount ${WANT} on ${D}; got: ${MOUNTS}" >&2
exit 1
fi
environment:
KUBECONFIG: "{{ noble_kubeconfig }}"
when: noble_authentik_blueprints_enabled | default(false) | bool
changed_when: false
- name: Wait for authentik server rollout - name: Wait for authentik server rollout
ansible.builtin.command: ansible.builtin.command:
argv: argv:
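Review bot: the "Verify authentik-worker mounts noble blueprints volume" task has no guard for an empty selector result: if no Deployment matches the label pair, `jsonpath='{.items[0].metadata.name}'` yields an empty `$D`, and the second `kubectl get deploy -n ... ""` fails with a resource-name error instead of the intended "Expected volumeMount ..." message. Add a check such as `[ -n "$D" ] || { echo "no authentik worker Deployment found in {{ noble_authentik_namespace }}" >&2; exit 1; }` before reading the mounts. Two smaller points in the same task: `set -euo pipefail` requires bash (`pipefail` is not POSIX and `ansible.builtin.shell` defaults to `/bin/sh`, which on Debian-based hosts is dash and aborts on that option), so add `args: executable: /bin/bash`; and `containers[0].volumeMounts[*].name` assumes the worker container is listed first, so `containers[*].volumeMounts[*].name` (or a jsonpath filter on the container name) would survive a sidecar being injected ahead of it.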