--- - name: Authentik disabled (set noble_authentik_install=true and .env — see role README) ansible.builtin.debug: msg: "Skipping noble_authentik (noble_authentik_install is false)." when: not (noble_authentik_install | default(false) | bool) - name: Authentik + OIDC stack when: noble_authentik_install | default(false) | bool block: - name: Include Authentik secrets from .env ansible.builtin.include_tasks: from_env.yml - name: Require Authentik secrets and bootstrap settings ansible.builtin.assert: that: - noble_authentik_secret_key | default('') | length > 0 - noble_authentik_postgresql_password | default('') | length > 0 - noble_authentik_bootstrap_token | default('') | length > 0 - noble_authentik_bootstrap_email | default('') | length > 0 - noble_authentik_bootstrap_password | default('') | length > 0 - noble_authentik_client_secret_argocd | default('') | length > 0 - noble_authentik_client_secret_grafana | default('') | length > 0 - noble_authentik_client_secret_headlamp | default('') | length > 0 - noble_authentik_client_secret_oauth2_proxy | default('') | length > 0 - noble_authentik_oauth2_proxy_cookie_secret | default('') | length > 0 fail_msg: >- Authentik requires secrets in .env (see ansible/roles/noble_authentik/README.md) or matching -e extra-vars. - name: Ensure Ansible temp dir for rendered Helm values ansible.builtin.file: path: "{{ noble_repo_root }}/ansible/.ansible-tmp" state: directory mode: "0700" - name: Render Authentik Helm extra values (secrets) ansible.builtin.template: src: authentik-extra-values.yaml.j2 dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-extra-values.yaml" mode: "0600" no_log: true - name: Apply Authentik and oauth2-proxy namespaces ansible.builtin.command: argv: - kubectl - apply - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/authentik/namespace.yaml" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/oauth2-proxy/namespace.yaml" environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Install Authentik (Helm) ansible.builtin.command: argv: - helm - upgrade - --install - authentik - goauthentik/authentik - --namespace - authentik - --version - "{{ noble_authentik_chart_version }}" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/authentik/values.yaml" - -f - "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-extra-values.yaml" - --force-conflicts - --wait - --timeout - "{{ noble_authentik_helm_wait_timeout }}" environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Wait for authentik server rollout ansible.builtin.command: argv: - kubectl - rollout - status - deployment/authentik-server - -n - authentik - --timeout=15m environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: false - name: Wait for authentik worker rollout ansible.builtin.command: argv: - kubectl - rollout - status - deployment/authentik-worker - -n - authentik - --timeout=15m environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: false when: noble_authentik_configure_idp | default(true) | bool - name: Wait until Authentik API accepts bootstrap token (worker finished bootstrap) ansible.builtin.uri: url: "{{ noble_authentik_api_base }}/core/applications/?page_size=1" method: GET headers: Authorization: "Bearer {{ noble_authentik_bootstrap_token }}" Accept: application/json status_code: [200, 401, 403, 500, 502, 503] timeout: 30 register: noble_authentik_api_bootstrap_ready until: noble_authentik_api_bootstrap_ready.status == 200 retries: "{{ noble_authentik_bootstrap_api_wait_retries }}" delay: "{{ noble_authentik_bootstrap_api_wait_delay }}" when: noble_authentik_configure_idp | default(true) | bool changed_when: false no_log: true - name: Render Authentik API client descriptor (JSON) ansible.builtin.template: src: authentik-clients.json.j2 dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-clients.json" mode: "0600" no_log: true # Authentik 2026+ RBAC: bootstrap tokens often cannot **GET /flows/instances/** (403). Resolve UUIDs # from the worker DB via **ak shell** when inventory PKs are unset (same slugs as configure_authentik.py). - name: Resolve OAuth provider flow UUIDs from authentik-worker (DB; bypasses flows API RBAC) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" REM=/tmp/ansible_resolve_oauth_flow_pks.py kubectl cp "{{ role_path }}/files/resolve_oauth_flow_pks.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_oauth_flow_pks.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_oauth_flow_pk_resolve changed_when: false when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oauth_authorization_flow_pk | default('') | trim | length) == 0 - (noble_authentik_oauth_invalidation_flow_pk | default('') | trim | length) == 0 - name: Apply OAuth flow PKs from worker resolution for configure_authentik.py ansible.builtin.set_fact: noble_authentik_oauth_authorization_flow_pk: "{{ (noble_authentik_oauth_flow_pk_resolve.stdout_lines | select('match', '^[0-9a-fA-F-]{36}$') | list)[0] }}" noble_authentik_oauth_invalidation_flow_pk: "{{ (noble_authentik_oauth_flow_pk_resolve.stdout_lines | select('match', '^[0-9a-fA-F-]{36}$') | list)[1] }}" when: - noble_authentik_oauth_flow_pk_resolve is defined - not (noble_authentik_oauth_flow_pk_resolve.skipped | default(false)) - (noble_authentik_oauth_flow_pk_resolve.rc | default(-1)) == 0 - (noble_authentik_oauth_flow_pk_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 2 # Bootstrap tokens often cannot list **/crypto/certificatekeypairs/** (403). - name: Resolve OAuth signing key UUID from authentik-worker (DB; bypasses crypto API RBAC) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" REM=/tmp/ansible_resolve_oauth_signing_key_pk.py kubectl cp "{{ role_path }}/files/resolve_oauth_signing_key_pk.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_oauth_signing_key_pk.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_oauth_signing_key_resolve changed_when: false when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oauth_signing_key_pk | default('') | trim | length) == 0 - name: Apply OAuth signing key PK from worker resolution for configure_authentik.py ansible.builtin.set_fact: noble_authentik_oauth_signing_key_pk: "{{ (noble_authentik_oauth_signing_key_resolve.stdout_lines | select('match', '^[0-9a-fA-F-]{36}$') | list)[0] }}" when: - noble_authentik_oauth_signing_key_resolve is defined - not (noble_authentik_oauth_signing_key_resolve.skipped | default(false)) - (noble_authentik_oauth_signing_key_resolve.rc | default(-1)) == 0 - (noble_authentik_oauth_signing_key_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 1 # Bootstrap tokens often cannot list **/propertymappings/provider/scope/** (403). - name: Resolve OAuth scope mapping UUIDs from authentik-worker (DB; bypasses propertymappings API RBAC) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" REM=/tmp/ansible_resolve_oauth_scope_mapping_pks.py kubectl cp "{{ role_path }}/files/resolve_oauth_scope_mapping_pks.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_oauth_scope_mapping_pks.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_oauth_scope_mapping_resolve changed_when: false when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oauth_scope_mapping_pks | default('') | trim | length) == 0 - name: Apply OAuth scope mapping PKs from worker resolution for configure_authentik.py ansible.builtin.set_fact: noble_authentik_oauth_scope_mapping_pks: "{{ (noble_authentik_oauth_scope_mapping_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list) | join(',') }}" when: - noble_authentik_oauth_scope_mapping_resolve is defined - not (noble_authentik_oauth_scope_mapping_resolve.skipped | default(false)) - (noble_authentik_oauth_scope_mapping_resolve.rc | default(-1)) == 0 - (noble_authentik_oauth_scope_mapping_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 4 # Bootstrap tokens often cannot **GET /core/groups/** (403). Worker **get_or_create** ensures groups exist. - name: Resolve noble-admins / noble-editors group UUIDs from authentik-worker (DB; bypasses groups API RBAC) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" REM=/tmp/ansible_resolve_noble_group_pks.py kubectl cp "{{ role_path }}/files/resolve_noble_group_pks.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- ak shell -c "exec(compile(open('${REM}').read(), 'ansible_resolve_noble_group_pks.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_noble_group_resolve changed_when: false when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_group_pk_noble_admins | default('') | trim | length) == 0 - (noble_authentik_group_pk_noble_editors | default('') | trim | length) == 0 - name: Apply noble group PKs from worker resolution for configure_authentik.py ansible.builtin.set_fact: noble_authentik_group_pk_noble_admins: "{{ (noble_authentik_noble_group_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list)[0] }}" noble_authentik_group_pk_noble_editors: "{{ (noble_authentik_noble_group_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list)[1] }}" when: - noble_authentik_noble_group_resolve is defined - not (noble_authentik_noble_group_resolve.skipped | default(false)) - (noble_authentik_noble_group_resolve.rc | default(-1)) == 0 - (noble_authentik_noble_group_resolve.stdout_lines | default([]) | select('match', '^[0-9a-fA-F-]{36}$') | list | length) >= 2 - name: Render Authentik worker admin-access spec (JSON for ak shell) ansible.builtin.template: src: authentik-worker-admin-access-spec.json.j2 dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-admin-access-spec.json" mode: "0600" no_log: true when: - noble_authentik_configure_idp | default(true) | bool - noble_authentik_ensure_admin_ui_access | default(true) | bool - name: Ensure authentik Admins + superuser group flag (worker ORM; restores admin UI access) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" SPEC=/tmp/ansible_authentik_worker_admin_access_spec.json REM=/tmp/ansible_worker_ensure_authentik_admin_access.py kubectl cp "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-admin-access-spec.json" "${NS}/${POD}:${SPEC}" kubectl cp "{{ role_path }}/files/worker_ensure_authentik_admin_access.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- env AUTHENTIK_WORKER_ADMIN_ACCESS_SPEC="${SPEC}" ak shell -c "exec(compile(open('${REM}').read(), 'ansible_worker_ensure_authentik_admin_access.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$SPEC" "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_worker_admin_access changed_when: >- "worker:" in (noble_authentik_worker_admin_access.stdout | default("")) and "authentik Admins" in (noble_authentik_worker_admin_access.stdout | default("")) failed_when: >- (noble_authentik_worker_admin_access.rc | default(-1)) != 0 or ( "worker:" not in (noble_authentik_worker_admin_access.stdout | default("")) or "authentik Admins" not in (noble_authentik_worker_admin_access.stdout | default("")) ) when: - noble_authentik_configure_idp | default(true) | bool - noble_authentik_ensure_admin_ui_access | default(true) | bool - name: Require OAuth PKs for worker OIDC upsert (ORM path) ansible.builtin.assert: that: - (noble_authentik_oauth_authorization_flow_pk | default('') | trim | length) > 0 - (noble_authentik_oauth_invalidation_flow_pk | default('') | trim | length) > 0 - (noble_authentik_oauth_signing_key_pk | default('') | trim | length) > 0 - (noble_authentik_oauth_scope_mapping_pks | default('') | trim | length) > 0 fail_msg: >- Worker OIDC provisioning needs flow UUIDs, signing key UUID, and comma-separated scope-mapping UUIDs. Ensure worker resolution tasks ran, or set noble_authentik_oauth_* inventory vars (see role README). when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' - name: Render Authentik worker OIDC spec (JSON for ak shell upsert) ansible.builtin.template: src: authentik-worker-oidc-spec.json.j2 dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-oidc-spec.json" mode: "0600" no_log: true when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' - name: Upsert OAuth2 providers + applications in authentik-worker (ORM; bypasses provider REST RBAC) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" SPEC=/tmp/ansible_authentik_worker_oidc_spec.json REM=/tmp/ansible_worker_upsert_oauth_oidc.py kubectl cp "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-oidc-spec.json" "${NS}/${POD}:${SPEC}" kubectl cp "{{ role_path }}/files/worker_upsert_oauth_oidc.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- env AUTHENTIK_WORKER_OIDC_SPEC="${SPEC}" ak shell -c "exec(compile(open('${REM}').read(), 'ansible_worker_upsert_oauth_oidc.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$SPEC" "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_worker_oidc_upsert changed_when: >- "worker: OAuth2 providers + applications upserted" in (noble_authentik_worker_oidc_upsert.stdout | default("")) failed_when: >- (noble_authentik_worker_oidc_upsert.rc | default(-1)) != 0 or ( "worker: OAuth2 providers + applications upserted" not in (noble_authentik_worker_oidc_upsert.stdout | default("")) ) when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' - name: Require noble group PKs for worker bootstrap group membership ansible.builtin.assert: that: - (noble_authentik_group_pk_noble_admins | default('') | trim | length) > 0 - (noble_authentik_group_pk_noble_editors | default('') | trim | length) > 0 fail_msg: >- Worker bootstrap group membership needs noble-admins / noble-editors UUIDs (worker DB resolve or inventory). See noble_authentik_group_pk_noble_* in defaults/README. when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' - (noble_authentik_bootstrap_email | default('') | trim | length) > 0 - name: Render Authentik worker user-groups spec (JSON for ak shell) ansible.builtin.template: src: authentik-worker-user-groups-spec.json.j2 dest: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-user-groups-spec.json" mode: "0600" no_log: true when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' - (noble_authentik_bootstrap_email | default('') | trim | length) > 0 - name: Add bootstrap user to noble groups in authentik-worker (ORM; bypasses users API RBAC) ansible.builtin.shell: | set -euo pipefail NS="{{ noble_authentik_namespace }}" POD="$(kubectl get pods -n "$NS" \ -l "app.kubernetes.io/name=authentik,app.kubernetes.io/component=worker" \ -o jsonpath='{.items[0].metadata.name}')" SPEC=/tmp/ansible_authentik_worker_user_groups_spec.json REM=/tmp/ansible_worker_add_bootstrap_user_groups.py kubectl cp "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-worker-user-groups-spec.json" "${NS}/${POD}:${SPEC}" kubectl cp "{{ role_path }}/files/worker_add_bootstrap_user_groups.py" "${NS}/${POD}:${REM}" kubectl exec -n "$NS" "$POD" -- env AUTHENTIK_WORKER_USER_GROUPS_SPEC="${SPEC}" ak shell -c "exec(compile(open('${REM}').read(), 'ansible_worker_add_bootstrap_user_groups.py', 'exec'))" kubectl exec -n "$NS" "$POD" -- rm -f "$SPEC" "$REM" || true environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_worker_user_groups changed_when: >- "worker: bootstrap user group membership updated" in (noble_authentik_worker_user_groups.stdout | default("")) failed_when: (noble_authentik_worker_user_groups.rc | default(-1)) != 0 when: - noble_authentik_configure_idp | default(true) | bool - (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' - (noble_authentik_bootstrap_email | default('') | trim | length) > 0 - name: Configure Authentik OAuth2/OIDC providers (API) ansible.builtin.command: argv: - python3 - "{{ role_path }}/files/configure_authentik.py" environment: AUTHENTIK_API_BASE: "{{ noble_authentik_api_base }}" AUTHENTIK_TOKEN: "{{ noble_authentik_bootstrap_token }}" BOOTSTRAP_EMAIL: "{{ noble_authentik_bootstrap_email }}" CLIENT_JSON: "{{ noble_repo_root }}/ansible/.ansible-tmp/authentik-clients.json" AUTHENTIK_OAUTH_AUTHORIZATION_FLOW_PK: "{{ noble_authentik_oauth_authorization_flow_pk | default('') }}" AUTHENTIK_OAUTH_INVALIDATION_FLOW_PK: "{{ noble_authentik_oauth_invalidation_flow_pk | default('') }}" AUTHENTIK_OAUTH_SIGNING_KEY_PK: "{{ noble_authentik_oauth_signing_key_pk | default('') }}" AUTHENTIK_OAUTH_SCOPE_MAPPING_PKS: "{{ noble_authentik_oauth_scope_mapping_pks | default('') }}" AUTHENTIK_NOBLE_ADMINS_GROUP_PK: "{{ noble_authentik_group_pk_noble_admins | default('') }}" AUTHENTIK_NOBLE_EDITORS_GROUP_PK: "{{ noble_authentik_group_pk_noble_editors | default('') }}" AUTHENTIK_SKIP_OIDC_REST: "{{ '1' if (noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' else '' }}" AUTHENTIK_SKIP_USER_GROUP_REST: "{{ '1' if ((noble_authentik_oidc_provision_via | default('worker') | lower) == 'worker' and (noble_authentik_bootstrap_email | default('') | trim | length) > 0) else '' }}" when: noble_authentik_configure_idp | default(true) | bool changed_when: true - name: Create argocd namespace Secret for OIDC client (Argo CD $authentik-oidc:clientSecret) ansible.builtin.shell: | set -euo pipefail kubectl -n argocd create secret generic authentik-oidc \ --from-literal=clientSecret="${ARGOCD_OIDC_SECRET}" \ --dry-run=client -o yaml | kubectl apply -f - kubectl -n argocd label secret authentik-oidc app.kubernetes.io/part-of=argocd --overwrite environment: KUBECONFIG: "{{ noble_kubeconfig }}" ARGOCD_OIDC_SECRET: "{{ noble_authentik_client_secret_argocd }}" no_log: true changed_when: true - name: Create Grafana OIDC client secret (GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET) ansible.builtin.shell: | set -euo pipefail kubectl -n monitoring create secret generic authentik-grafana-oauth \ --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET="${GRAFANA_OIDC_SECRET}" \ --dry-run=client -o yaml | kubectl apply -f - environment: KUBECONFIG: "{{ noble_kubeconfig }}" GRAFANA_OIDC_SECRET: "{{ noble_authentik_client_secret_grafana }}" no_log: true changed_when: true - name: Create Headlamp OIDC env secret (OIDC_* env vars) ansible.builtin.shell: | set -euo pipefail kubectl -n headlamp create secret generic headlamp-oidc \ --from-literal=OIDC_CLIENT_ID="{{ noble_authentik_client_id_headlamp }}" \ --from-literal=OIDC_CLIENT_SECRET="${HEADLAMP_OIDC_SECRET}" \ --from-literal=OIDC_ISSUER_URL="{{ noble_authentik_public_url }}/application/o/headlamp/" \ --from-literal=OIDC_SCOPES="openid profile email groups offline_access" \ --from-literal=OIDC_CALLBACK_URL="https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback" \ --from-literal=OIDC_USE_PKCE="true" \ --dry-run=client -o yaml | kubectl apply -f - environment: KUBECONFIG: "{{ noble_kubeconfig }}" HEADLAMP_OIDC_SECRET: "{{ noble_authentik_client_secret_headlamp }}" no_log: true changed_when: true - name: Create oauth2-proxy credentials Secret (OIDC to Authentik; not BasicAuth) ansible.builtin.shell: | set -euo pipefail kubectl -n oauth2-proxy create secret generic oauth2-proxy-credentials \ --from-literal=client-id="{{ noble_authentik_client_id_oauth2_proxy }}" \ --from-literal=client-secret="${O2_CLIENT_SECRET}" \ --from-literal=cookie-secret="${O2_COOKIE_SECRET}" \ --dry-run=client -o yaml | kubectl apply -f - environment: KUBECONFIG: "{{ noble_kubeconfig }}" O2_CLIENT_SECRET: "{{ noble_authentik_client_secret_oauth2_proxy }}" O2_COOKIE_SECRET: "{{ noble_authentik_oauth2_proxy_cookie_secret }}" no_log: true changed_when: true - name: Install oauth2-proxy (Helm) — OIDC provider Authentik ansible.builtin.command: argv: - helm - upgrade - --install - oauth2-proxy - oauth2-proxy/oauth2-proxy - --namespace - oauth2-proxy - --version - "{{ noble_authentik_oauth2_proxy_chart_version }}" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/oauth2-proxy/values.yaml" - --force-conflicts - --wait - --timeout - "{{ noble_authentik_oauth2_proxy_helm_wait_timeout }}" environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Apply Traefik ForwardAuth Middleware (references oauth2-proxy OIDC session) ansible.builtin.command: argv: - kubectl - apply - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/oauth2-proxy/middleware-forwardauth.yaml" environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Helm upgrade Argo CD with Authentik OIDC values ansible.builtin.command: argv: - helm - upgrade - --install - argocd - argo/argo-cd - --namespace - argocd - --version - "{{ noble_authentik_argocd_chart_version }}" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/values.yaml" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml" - --force-conflicts - --wait - --timeout - 15m environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Helm upgrade kube-prometheus-stack (Grafana OIDC + ForwardAuth on Prom/AM) ansible.builtin.command: argv: - helm - upgrade - --install - kube-prometheus - prometheus-community/kube-prometheus-stack - -n - monitoring - --version - "{{ noble_authentik_kube_prometheus_chart_version }}" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/kube-prometheus-stack/values.yaml" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/kube-prometheus-stack/values-authentik-oidc.yaml" - --force-conflicts - --wait - --timeout - "{{ noble_authentik_kube_prometheus_helm_wait_timeout }}" environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Helm upgrade Headlamp with Authentik OIDC values ansible.builtin.command: argv: - helm - upgrade - --install - headlamp - headlamp/headlamp - --version - "{{ noble_authentik_headlamp_chart_version }}" - -n - headlamp - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp/values.yaml" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/headlamp/values-authentik-oidc.yaml" - --force-conflicts - --wait - --timeout - 10m environment: KUBECONFIG: "{{ noble_kubeconfig }}" changed_when: true - name: Helm upgrade Longhorn with ForwardAuth (oauth2-proxy OIDC) ansible.builtin.command: argv: - helm - upgrade - --install - longhorn - longhorn/longhorn - -n - longhorn-system - --version - "{{ noble_authentik_longhorn_chart_version }}" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/longhorn/values.yaml" - -f - "{{ noble_repo_root }}/clusters/noble/bootstrap/longhorn/values-authentik-forwardauth.yaml" - --force-conflicts - --wait - --timeout - "{{ noble_helm_longhorn_wait_timeout | default('20m') }}" environment: KUBECONFIG: "{{ noble_kubeconfig }}" register: noble_authentik_longhorn_helm retries: "{{ noble_helm_longhorn_retries | default(8) | int }}" delay: "{{ noble_helm_longhorn_retry_delay | default(25) | int }}" until: noble_authentik_longhorn_helm.rc == 0 changed_when: true