gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c392ce1e5a5df192b93a6de9df1f2b208fbff0ea
home-server/ansible/roles/noble_authentik
History
Nikholas Pcenicni c392ce1e5a Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.
2026-05-14 01:29:49 -04:00
..
defaults
Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.
2026-05-14 01:29:49 -04:00
files
Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.
2026-05-14 01:29:49 -04:00
tasks
Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.
2026-05-14 01:29:49 -04:00
templates
Add Authentik and oauth2-proxy support to noble cluster setup, including environment variables, playbook tags, and landing URLs. Update README and kustomization.yaml to reflect new OIDC integration, enhancing security and user authentication capabilities.
2026-05-14 00:23:48 -04:00
README.md
Enhance Authentik integration in noble cluster setup by adding support for OAuth2 flow primary keys in configuration. Update README with troubleshooting steps for common API errors and improve deployment reliability with tasks to wait for Authentik worker rollout and API readiness. Adjust Helm chart values for Grafana and Headlamp to accommodate new OIDC settings, ensuring seamless authentication and authorization processes.
2026-05-14 01:29:49 -04:00

README.md

noble_authentik — Authentik + OIDC for the noble stack

Installs Authentik (Helm goauthentik/authentik) as the cluster IdP, oauth2-proxy as an OIDC client to Authentik for Traefik ForwardAuth (Prometheus, Alertmanager, Longhorn UI), and re-applies Helm values so Argo CD, Grafana, and Headlamp use native OIDC to Authentik (not HTTP BasicAuth).

Enable

  1. Copy repository .env.sample to .env and set every NOBLE_AUTHENTIK_* variable (see comments there).
  2. Set noble_authentik_install: true in ansible/inventory/group_vars/all.yml (or pass -e noble_authentik_install=true).
  3. Run ansible-playbook playbooks/noble.yml --tags authentik (or a full noble.yml) from ansible/ with a working KUBECONFIG.

noble_authentik runs after noble_platform so Grafana / Headlamp / Prometheus exist before SSO Helm upgrades.

Variables

See defaults/main.yml. Hostnames default to auth.apps.noble.lab.pcenicni.dev and oauth2.apps.noble.lab.pcenicni.dev.

IdP configuration

When noble_authentik_configure_idp is true, Ansible runs files/configure_authentik.py (Python 3, stdlib only) with the bootstrap token to create/update OAuth2 providers and applications for argocd, grafana, headlamp, and oauth2-proxy, create noble-admins / noble-editors, and add the bootstrap user (by email) to those groups.

RBAC notes

  • Argo CD: noble-admins group → role:admin (see clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml).
  • Grafana: noble-admins → Admin, noble-editors → Editor (see values-authentik-oidc.yaml).

Troubleshooting

  • Re-run configure_authentik.py only by executing noble.yml with --tags authentik after fixing .env.
  • If Authentik API calls fail, check flows exist (slug default-provider-authorization-implicit-consent) and TLS reaches AUTHENTIK_API_BASE.
  • GET …/flows/instances/… → HTTP 403 with Token invalid/expired: the bootstrap API token is not accepted yet (common right after install: worker still creating it) or NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN in .env does not match the value Helm applied. Re-run --tags authentik (the role waits for GET …/core/applications/ to return 200 with your token). If you rotated the token in .env only, run the play again so Helm picks up the new value, or mint a new API token for akadmin in the admin UI.
  • GET …/flows/instances/… → HTTP 403 with permission errors (Authentik 2026+ RBAC): the bearer tokens user must be able to view flows. The Helm bootstrap token belongs to akadmin, which must be in the authentik Admins group. Add akadmin to Directory → Groups → authentik Admins, or create a new API token for akadmin after fixing groups, and put that token in NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN. As a workaround, set noble_authentik_oauth_authorization_flow_pk and noble_authentik_oauth_invalidation_flow_pk (both required) to the flows UUID primary keys from Admin → Flows (or -e / group_vars); the configure script then skips flow list API calls.
  • /if/admin/ redirects to /if/user/ (even as akadmin): the admin UI only loads when canAccessAdmin is true. That comes from user.isSuperuser on GET /api/v3/core/users/me/, which is not the Django username — in Authentik 2026.x it is derived from membership in a group with the superuser flag (bootstrap blueprint: authentik Admins). If isSuperuser is false in /me, akadmin is missing that membership or the groups flag is off. Fix in Directory → Groups when you can, or run the worker shell below, then log out and sign in again.

Fix akadmin superuser / admin redirect (worker shell)

kubectl exec -it deploy/authentik-worker -n authentik -- ak shell -c "from authentik.core.models import User, Group; u=User.objects.get(username='akadmin'); adm,_=Group.objects.get_or_create(name='authentik Admins', defaults={'is_superuser': True}); adm.is_superuser=True; adm.save(update_fields=['is_superuser']); adm.users.add(u); u=User.objects.get(pk=u.pk); print('all_groups', list(u.all_groups().values_list('name', flat=True))); print('is_superuser', u.is_superuser)"

Then log out of Authentik (or use a private window) and sign in again as akadmin.

  • Grafana / Headlamp / ForwardAuth “Unauthorized” or Authentik “Not found” (Authentik 2026.x): OAuth endpoints are no longer under /application/o/<app>/oauth2/.... Use issuer discovery (Grafana server_url at …/application/o/<slug>/; oauth2-proxy oidc-issuer-url; Headlamp -oidc-idp-issuer-url). Re-apply Traefik (allowCrossNamespace so Ingresses can use Middleware in oauth2-proxy), kube-prometheus-stack, and Headlamp after updating values (e.g. ansible-playbook playbooks/noble.yml --tags authentik).
Reference in New Issue View Git Blame Copy Permalink