88 lines
5.1 KiB
YAML
88 lines
5.1 KiB
YAML
---
|
|
# Set **noble_authentik_install: true** after filling **.env** (see role README and repository **.env.sample**).
|
|
noble_authentik_install: false
|
|
# When true, run **configure_authentik.py** against the Authentik API (requires bootstrap token + client secrets).
|
|
noble_authentik_configure_idp: true
|
|
# **worker** — upsert OAuth2 providers + applications via **ak shell** + Django ORM (avoids **GET …/providers/oauth2/** 403
|
|
# for bootstrap tokens). **rest** — use the Authentik API only (needs a token that can list/patch OAuth2 providers).
|
|
# When true (default), run **worker_ensure_authentik_admin_access.py** so **akadmin** / bootstrap email is in
|
|
# **authentik Admins** with **is_superuser** on the group (fixes **/if/admin/** redirecting to user UI in 2026+).
|
|
noble_authentik_ensure_admin_ui_access: true
|
|
|
|
noble_authentik_chart_version: "2026.2.3"
|
|
noble_authentik_namespace: authentik
|
|
# Helm release name (deployments: **{release}-server**, **{release}-worker**).
|
|
noble_authentik_release_name: authentik
|
|
noble_authentik_oauth2_proxy_chart_version: "10.4.3"
|
|
# Helm **--wait** timeout for **oauth2-proxy** (first pull / API checks can exceed 10m).
|
|
noble_authentik_oauth2_proxy_helm_wait_timeout: 10m
|
|
|
|
noble_authentik_host: auth.apps.noble.lab.pcenicni.dev
|
|
noble_authentik_public_url: "https://{{ noble_authentik_host }}"
|
|
noble_authentik_api_base: "{{ noble_authentik_public_url }}/api/v3"
|
|
|
|
# Optional extra Ingress hostnames (FQDN strings) for the **same** Authentik release — e.g. a **public** name
|
|
# (Pangolin HTTP resource → Newt site → Traefik) while **`noble_authentik_host`** stays the in-lab name.
|
|
# Ansible merges these into **server.ingress.hosts** / **tls** (one cert Secret with multiple SANs).
|
|
noble_authentik_ingress_extra_hosts: []
|
|
|
|
noble_authentik_oauth2_proxy_host: oauth2.apps.noble.lab.pcenicni.dev
|
|
|
|
# OIDC client ids (must match Authentik providers created by configure script)
|
|
noble_authentik_client_id_argocd: argocd
|
|
noble_authentik_client_id_grafana: grafana
|
|
noble_authentik_client_id_headlamp: headlamp
|
|
noble_authentik_client_id_oauth2_proxy: oauth2-proxy
|
|
|
|
# Headlamp **OIDC_SCOPES** for Secret **headlamp-oidc**. Omit **groups** unless the Authentik OAuth2 provider
|
|
# includes a separate **groups** ScopeMapping (2026.x defaults often embed groups in **profile** only; requesting
|
|
# **groups** then yields **invalid_scope** on authorize). Override if your IdP exposes **groups** explicitly.
|
|
noble_authentik_headlamp_oidc_scopes: "openid profile email offline_access"
|
|
# PKCE for Headlamp OIDC. **false** is the default for Authentik **confidential** clients: auth still uses the
|
|
# standard browser OAuth code flow; PKCE is optional and some users see the callback “flash” then login reset
|
|
# when PKCE state/cookies do not survive the redirect. Set **true** if you require PKCE.
|
|
noble_authentik_headlamp_oidc_use_pkce: false
|
|
|
|
# Secrets / bootstrap — prefer **lookup('env', ...)** set via repository **.env** (see from_env.yml).
|
|
noble_authentik_secret_key: ""
|
|
noble_authentik_postgresql_password: ""
|
|
noble_authentik_bootstrap_token: ""
|
|
noble_authentik_bootstrap_email: ""
|
|
noble_authentik_bootstrap_password: ""
|
|
|
|
noble_authentik_client_secret_argocd: ""
|
|
noble_authentik_client_secret_grafana: ""
|
|
noble_authentik_client_secret_headlamp: ""
|
|
noble_authentik_client_secret_oauth2_proxy: ""
|
|
noble_authentik_oauth2_proxy_cookie_secret: ""
|
|
|
|
# Optional: OAuth2 provider flow PKs (UUID strings). When **both** are set, **configure_authentik.py**
|
|
# skips **GET /flows/instances/** (avoids 403 if the API token cannot view flows). If unset, the role
|
|
# tries **kubectl exec** into **authentik-worker** + **ak shell** to read the same slugs from the DB.
|
|
noble_authentik_oauth_authorization_flow_pk: ""
|
|
noble_authentik_oauth_invalidation_flow_pk: ""
|
|
# Optional: OAuth2 signing key (**CertificateKeyPair** UUID). When set, **configure_authentik.py** skips
|
|
# **GET /crypto/certificatekeypairs/** (often 403 for bootstrap tokens). If unset, the role resolves it
|
|
# from the worker DB when possible (see **resolve_oauth_signing_key_pk.py**).
|
|
noble_authentik_oauth_signing_key_pk: ""
|
|
# Optional: comma-separated **ScopeMapping** UUIDs (openid, email, profile, offline_access; optional **groups**
|
|
# if you created a separate mapping — 2026.x defaults embed groups in **profile** only).
|
|
# When set, **configure_authentik.py** skips **GET /propertymappings/...** (often 403 for bootstrap tokens).
|
|
noble_authentik_oauth_scope_mapping_pks: ""
|
|
# Optional: **Group** UUIDs for **noble-admins** / **noble-editors** (skip **GET /core/groups/** when set).
|
|
noble_authentik_group_pk_noble_admins: ""
|
|
noble_authentik_group_pk_noble_editors: ""
|
|
|
|
noble_authentik_helm_wait_timeout: 25m
|
|
|
|
# After Helm --wait, the worker still creates the bootstrap API token; poll the public API before configure_authentik.py.
|
|
noble_authentik_bootstrap_api_wait_retries: 36
|
|
noble_authentik_bootstrap_api_wait_delay: 5
|
|
|
|
# Re-apply the same chart versions as the rest of noble.yml when flipping SSO on.
|
|
noble_authentik_argocd_chart_version: "9.5.14"
|
|
noble_authentik_kube_prometheus_chart_version: "85.0.3"
|
|
noble_authentik_headlamp_chart_version: "0.42.0"
|
|
noble_authentik_longhorn_chart_version: "1.11.2"
|
|
noble_authentik_kube_prometheus_helm_wait_timeout: 60m
|