Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.

clusters/noble/bootstrap/argocd/app-of-apps/headlamp-application.yaml

@@ -16,6 +16,7 @@ spec:
         releaseName: headlamp
         valueFiles:
           - $values/clusters/noble/bootstrap/headlamp/values.yaml
+          - $values/clusters/noble/bootstrap/headlamp/values-authentik-oidc.yaml
     - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
       targetRevision: HEAD
       path: clusters/noble/bootstrap/headlamp

clusters/noble/bootstrap/argocd/app-of-apps/kube-prometheus-application.yaml

@@ -17,6 +17,7 @@ spec:
         releaseName: kube-prometheus
         valueFiles:
           - $values/clusters/noble/bootstrap/kube-prometheus-stack/values.yaml
+          - $values/clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml
     - repoURL: https://gitea.pcenicni.ca/gsdavidp/home-server.git
       targetRevision: HEAD
       ref: values

clusters/noble/bootstrap/headlamp/values-authentik-oidc.yaml

@@ -1,4 +1,7 @@
 # OIDC with Authentik — credentials live in Secret **headlamp-oidc** (envFrom), created by **noble_authentik**.
+#
+# With **externalSecret**, the Headlamp chart only adds **-oidc-callback-url** / **-oidc-use-pkce** args when these
+# values are set here (or under **env:**). The Secret alone is not enough — without them, login can fail or Authentik returns errors.
 
 config:
   oidc:
@@ -7,3 +10,5 @@ config:
     externalSecret:
       enabled: true
       name: headlamp-oidc
+    callbackURL: "https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback"
+    usePKCE: true

clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml

@@ -11,12 +11,12 @@ alertmanager:
       traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
 
 grafana:
-  env:
+  # Grafana chart maps plain strings under **env** only. Use **envValueFrom** for secretKeyRef.
+  envValueFrom:
     GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
-      valueFrom:
-        secretKeyRef:
-          name: authentik-grafana-oauth
-          key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      secretKeyRef:
+        name: authentik-grafana-oauth
+        key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
   grafana.ini:
     auth:
       disable_login_form: "false"
@@ -27,7 +27,7 @@ grafana:
       client_id: grafana
       scopes: openid profile email groups
       use_pkce: true
-      auth_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/authorize/
-      token_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/token/
-      api_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/userinfo/
+      # Authentik 2026.x: OAuth endpoints live under /application/o/authorize|token|userinfo/ (no …/oauth2/… per app).
+      # Use issuer discovery like Argo CD — do not hardcode legacy /application/o/<slug>/oauth2/* URLs (they 404).
+      server_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/
       role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"

clusters/noble/bootstrap/traefik/values.yaml

@@ -27,3 +27,8 @@ gatewayClass:
 
 deployment:
   replicas: 1
+
+# Ingresses in **monitoring** / **longhorn** reference Middleware **forward-auth** in **oauth2-proxy** (ForwardAuth).
+providers:
+  kubernetesCRD:
+    allowCrossNamespace: true