Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.

2026-05-14 01:29:49 -04:00
parent 15d0e120d3
commit c392ce1e5a
10 changed files with 331 additions and 95 deletions
--- a/ansible/roles/noble_authentik/tasks/main.yml
+++ b/ansible/roles/noble_authentik/tasks/main.yml
@@ -90,6 +90,38 @@
        KUBECONFIG: "{{ noble_kubeconfig }}"
      changed_when: false

+    - name: Wait for authentik worker rollout
+      ansible.builtin.command:
+        argv:
+          - kubectl
+          - rollout
+          - status
+          - deployment/authentik-worker
+          - -n
+          - authentik
+          - --timeout=15m
+      environment:
+        KUBECONFIG: "{{ noble_kubeconfig }}"
+      changed_when: false
+      when: noble_authentik_configure_idp | default(true) | bool
+
+    - name: Wait until Authentik API accepts bootstrap token (worker finished bootstrap)
+      ansible.builtin.uri:
+        url: "{{ noble_authentik_api_base }}/core/applications/?page_size=1"
+        method: GET
+        headers:
+          Authorization: "Bearer {{ noble_authentik_bootstrap_token }}"
+          Accept: application/json
+        status_code: [200, 401, 403, 500, 502, 503]
+        timeout: 30
+      register: noble_authentik_api_bootstrap_ready
+      until: noble_authentik_api_bootstrap_ready.status == 200
+      retries: "{{ noble_authentik_bootstrap_api_wait_retries }}"
+      delay: "{{ noble_authentik_bootstrap_api_wait_delay }}"
+      when: noble_authentik_configure_idp | default(true) | bool
+      changed_when: false
+      no_log: true
+
    - name: Render Authentik API client descriptor (JSON)
      ansible.builtin.template:
        src: authentik-clients.json.j2
@@ -107,9 +139,10 @@
        AUTHENTIK_TOKEN: "{{ noble_authentik_bootstrap_token }}"
        BOOTSTRAP_EMAIL: "{{ noble_authentik_bootstrap_email }}"
        CLIENT_JSON: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-clients.json"
+        AUTHENTIK_OAUTH_AUTHORIZATION_FLOW_PK: "{{ noble_authentik_oauth_authorization_flow_pk | default('') }}"
+        AUTHENTIK_OAUTH_INVALIDATION_FLOW_PK: "{{ noble_authentik_oauth_invalidation_flow_pk | default('') }}"
      when: noble_authentik_configure_idp | default(true) | bool
      changed_when: true
-      no_log: true

    - name: Create argocd namespace Secret for OIDC client (Argo CD $authentik-oidc:clientSecret)
      ansible.builtin.shell: |