# OIDC with Authentik — credentials live in Secret **headlamp-oidc** (envFrom), created by **noble_authentik**.
#
# With **externalSecret**, the Headlamp chart only adds **-oidc-callback-url** / **-oidc-use-pkce** args when these
# values are set here (or under **env:**). The Secret alone is not enough — without them, login can fail or Authentik returns errors.

config:
  oidc:
    secret:
      create: false
    externalSecret:
      enabled: true
      name: headlamp-oidc
    callbackURL: "https://headlamp.apps.noble.lab.pcenicni.dev/oidc-callback"
    usePKCE: true