Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.

clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml

@@ -11,12 +11,12 @@ alertmanager:
       traefik.ingress.kubernetes.io/router.middlewares: oauth2-proxy-forward-auth@kubernetescrd
 
 grafana:
-  env:
+  # Grafana chart maps plain strings under **env** only. Use **envValueFrom** for secretKeyRef.
+  envValueFrom:
     GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
-      valueFrom:
-        secretKeyRef:
-          name: authentik-grafana-oauth
-          key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
+      secretKeyRef:
+        name: authentik-grafana-oauth
+        key: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
   grafana.ini:
     auth:
       disable_login_form: "false"
@@ -27,7 +27,7 @@ grafana:
       client_id: grafana
       scopes: openid profile email groups
       use_pkce: true
-      auth_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/authorize/
-      token_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/oauth2/token/
-      api_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/userinfo/
+      # Authentik 2026.x: OAuth endpoints live under /application/o/authorize|token|userinfo/ (no …/oauth2/… per app).
+      # Use issuer discovery like Argo CD — do not hardcode legacy /application/o/<slug>/oauth2/* URLs (they 404).
+      server_url: https://auth.apps.noble.lab.pcenicni.dev/application/o/grafana/
       role_attribute_path: "contains(groups[*], 'noble-admins') && 'Admin' || contains(groups[*], 'noble-editors') && 'Editor' || 'Viewer'"