home-server/ansible/roles/noble_authentik/README.md

noble_authentik — Authentik + OIDC for the noble stack

Installs Authentik (Helm chart goauthentik/authentik) as the cluster IdP, deploys oauth2-proxy as an OIDC client of Authentik for Traefik ForwardAuth (Prometheus, Alertmanager, Longhorn UI), and re-applies Helm values so Argo CD, Grafana, and Headlamp authenticate with native OIDC against Authentik instead of HTTP BasicAuth.

Enable

  1. Copy repository .env.sample to .env and set every NOBLE_AUTHENTIK_* variable (see comments there).
  2. Set noble_authentik_install: true in ansible/inventory/group_vars/all.yml (or pass -e noble_authentik_install=true).
  3. Run ansible-playbook playbooks/noble.yml --tags authentik (or a full noble.yml) from ansible/ with a working KUBECONFIG.
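Step 1 is where most first-run failures come from: a NOBLE_AUTHENTIK_* key left empty in .env is only noticed once the playbook is already talking to the cluster. The following preflight check is an added example and not part of the role; it reads the keys declared in .env.sample, verifies each is set and non-empty in .env, and exits non-zero otherwise. The variable names in the embedded sample text are constructed for illustration, not the repository's real .env.sample.

```python
"""Preflight: every NOBLE_AUTHENTIK_* key in .env.sample must be non-empty in .env.
Added example for the noble_authentik README; not the role's own code."""
import re
import sys
from pathlib import Path

PREFIX = "NOBLE_AUTHENTIK_"
# KEY=value with optional leading `export`; comments and blanks are skipped below.
_LINE = re.compile(r"^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def parse_dotenv(text: str) -> dict:
    """Minimal dotenv parser: handles quotes, `export`, and trailing `# comments`."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue  # not an assignment; ignore rather than guess
        key, value = m.group(1), m.group(2).strip()
        if value[:1] in ('"', "'"):
            # quoted value: take everything up to the matching quote
            quote = value[0]
            end = value.find(quote, 1)
            value = value[1:end] if end != -1 else value[1:]
        else:
            # unquoted value: drop a trailing comment introduced by whitespace + '#'
            value = re.split(r"(?:^|\s)#", value, maxsplit=1)[0].rstrip()
        env[key] = value
    return env


def missing_authentik_vars(sample_text: str, env_text: str) -> list:
    """NOBLE_AUTHENTIK_* keys declared in .env.sample that are unset or empty in .env."""
    required = [k for k in parse_dotenv(sample_text) if k.startswith(PREFIX)]
    actual = parse_dotenv(env_text)
    return [k for k in required if not actual.get(k)]


# Constructed sample content (hypothetical variable names, not the repo's files).
SAMPLE_TEXT = """# constructed .env.sample
NOBLE_AUTHENTIK_HOST=auth.apps.noble.lab.pcenicni.dev
NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN=
NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL=
UNRELATED_VAR=x
"""
ENV_TEXT = """NOBLE_AUTHENTIK_HOST="auth.apps.noble.lab.pcenicni.dev"
export NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN=   # fill me in
NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL=admin@example.test
"""


def main(argv):
    """Usage: preflight_env.py [.env.sample] [.env]; without args, checks the sample above."""
    if len(argv) == 3:
        sample, env = Path(argv[1]).read_text(), Path(argv[2]).read_text()
    else:
        sample, env = SAMPLE_TEXT, ENV_TEXT
    missing = missing_authentik_vars(sample, env)
    for key in missing:
        print(f"missing or empty: {key}", file=sys.stderr)
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from the repository root as `python3 preflight_env.py .env.sample .env` before step 2; a non-zero exit means the playbook would reach Authentik with an incomplete configuration.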

noble_authentik runs after noble_platform so Grafana / Headlamp / Prometheus exist before SSO Helm upgrades.

Variables

See defaults/main.yml. Hostnames default to auth.apps.noble.lab.pcenicni.dev and oauth2.apps.noble.lab.pcenicni.dev.

IdP configuration

When noble_authentik_configure_idp is true, Ansible runs files/configure_authentik.py (Python 3, stdlib only) with the bootstrap token to create/update OAuth2 providers and applications for argocd, grafana, headlamp, and oauth2-proxy, create noble-admins / noble-editors, and add the bootstrap user (by email) to those groups.
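The important property of configure_authentik.py is that it is safe to re-run: groups and memberships must be looked up before they are created, or every playbook run would pile up duplicates. The block below is an added example of that create-or-update pattern for the group and bootstrap-user part of the job, written stdlib-only like the role's script but not taken from it. The Authentik endpoint paths (`/api/v3/core/groups/`, `/api/v3/core/users/`, `.../add_user/`) are my understanding of the v3 API and should be checked against your instance's `/api/v3/` schema; `AUTHENTIK_BOOTSTRAP_TOKEN` is a hypothetical environment variable name, and `FakeAuthentik` is a constructed in-memory stand-in so the code runs offline.

```python
"""Idempotent Authentik group + membership setup (added example, not the role's
configure_authentik.py). Endpoint paths are assumptions about the Authentik v3 API."""
import json
import os
import sys
import urllib.parse
import urllib.request

GROUPS = ["noble-admins", "noble-editors"]


def http_transport(api_base, token):
    """Real transport: bearer-token JSON calls to AUTHENTIK_API_BASE; urllib verifies TLS."""
    def call(method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(
            api_base.rstrip("/") + path, data=data, method=method,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return call


def ensure_group(api, name):
    """Return the group called `name`, creating it as a non-superuser group if absent."""
    found = api("GET", "/api/v3/core/groups/?" + urllib.parse.urlencode({"name": name}))
    for group in found.get("results", []):
        if group["name"] == name:   # exact match; the filter may be a substring match
            return group
    return api("POST", "/api/v3/core/groups/", {"name": name, "is_superuser": False})


def ensure_member(api, email, group):
    """Add the single user with `email` to `group`; return True only if a change was made."""
    users = api("GET", "/api/v3/core/users/?" + urllib.parse.urlencode({"email": email}))
    matches = [u for u in users.get("results", []) if u.get("email") == email]
    if len(matches) != 1:
        raise RuntimeError(f"expected exactly one user for {email!r}, got {len(matches)}")
    user = matches[0]
    if user["pk"] in group.get("users", []):
        return False
    api("POST", f"/api/v3/core/groups/{group['pk']}/add_user/", {"pk": user["pk"]})
    return True


def configure(api, group_names, bootstrap_email):
    """Ensure all groups exist and the bootstrap user is in each; return count of changes."""
    changed = 0
    for name in group_names:
        if ensure_member(api, bootstrap_email, ensure_group(api, name)):
            changed += 1
    return changed


class FakeAuthentik:
    """Constructed in-memory stand-in for the API (offline runs and tests only)."""
    def __init__(self, users):
        self.users = users      # list of {"pk": int, "email": str}
        self.groups = {}        # name -> group dict, pk is a UUID-like string

    def __call__(self, method, path, body=None):
        url = urllib.parse.urlsplit(path)
        qs = urllib.parse.parse_qs(url.query)
        view = lambda g: {**g, "users": list(g["users"])}   # return copies like a real API
        if method == "GET" and url.path == "/api/v3/core/groups/":
            want = qs.get("name", [None])[0]
            return {"results": [view(g) for g in self.groups.values() if g["name"] == want]}
        if method == "POST" and url.path == "/api/v3/core/groups/":
            g = {"pk": f"uuid-{len(self.groups) + 1}", "name": body["name"],
                 "is_superuser": body["is_superuser"], "users": []}
            self.groups[g["name"]] = g
            return view(g)
        if method == "GET" and url.path == "/api/v3/core/users/":
            want = qs.get("email", [None])[0]
            return {"results": [dict(u) for u in self.users if u["email"] == want]}
        if method == "POST" and url.path.endswith("/add_user/"):
            gpk = url.path.split("/")[-3]
            for g in self.groups.values():
                if g["pk"] == gpk:
                    g["users"].append(body["pk"])
                    return {}
        raise RuntimeError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    base, token = os.environ.get("AUTHENTIK_API_BASE"), os.environ.get("AUTHENTIK_BOOTSTRAP_TOKEN")
    email = os.environ.get("NOBLE_AUTHENTIK_BOOTSTRAP_EMAIL", "admin@example.test")
    api = http_transport(base, token) if base and token else FakeAuthentik(
        [{"pk": 7, "email": "admin@example.test"}])
    print(f"changes: {configure(api, GROUPS, email)}")
    sys.exit(0)
```

The transport is injected so the same `configure()` runs against the fake or a real instance; a second call against unchanged state returns 0, which is the property a re-run of the playbook relies on. Raising when the email matches zero or several users is deliberate: silently picking the first match would grant admin membership to the wrong account.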

RBAC notes

  • Argo CD: noble-admins group → role:admin (see clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml).
  • Grafana: noble-admins → Admin, noble-editors → Editor (see values-authentik-oidc.yaml).

Troubleshooting

  • To re-run configure_authentik.py after fixing .env, run noble.yml with --tags authentik rather than invoking the script directly.
  • If Authentik API calls fail, check that the expected flows exist (default slug default-provider-authorization-implicit-consent) and that TLS connections to AUTHENTIK_API_BASE succeed.