home-server/ansible/roles/noble_authentik/README.md

noble_authentik — Authentik + OIDC for the noble stack

Installs Authentik (Helm goauthentik/authentik) as the cluster IdP, oauth2-proxy as an OIDC client to Authentik for Traefik ForwardAuth (Prometheus, Alertmanager, Longhorn UI), and re-applies Helm values so Argo CD, Grafana, and Headlamp use native OIDC to Authentik (not HTTP BasicAuth).

Enable

1. Copy repository .env.sample to .env and set every NOBLE_AUTHENTIK_* variable (see comments there).
2. Set noble_authentik_install: true in ansible/inventory/group_vars/all.yml (or pass -e noble_authentik_install=true).
3. Run ansible-playbook playbooks/noble.yml --tags authentik (or a full noble.yml) from ansible/ with a working KUBECONFIG.

noble_authentik runs after noble_platform so Grafana / Headlamp / Prometheus exist before SSO Helm upgrades.

Variables

See defaults/main.yml. Hostnames default to auth.apps.noble.lab.pcenicni.dev and oauth2.apps.noble.lab.pcenicni.dev.

IdP configuration

When noble_authentik_configure_idp is true, Ansible runs files/configure_authentik.py (Python 3, stdlib only) with the bootstrap token to create/update OAuth2 providers and applications for argocd, grafana, headlamp, and oauth2-proxy, create noble-admins / noble-editors, and add the bootstrap user (by email) to those groups.

RBAC notes

• Argo CD: noble-admins group → role:admin (see clusters/noble/bootstrap/argocd/values-authentik-oidc.yaml).
• Grafana: noble-admins → Admin, noble-editors → Editor (see values-authentik-oidc.yaml).

Troubleshooting

• Re-run configure_authentik.py only by executing noble.yml with --tags authentik after fixing .env.
• If Authentik API calls fail, check flows exist (slug default-provider-authorization-implicit-consent) and TLS reaches AUTHENTIK_API_BASE.
• GET …/flows/instances/… → HTTP 403 with Token invalid/expired: the bootstrap API token is not accepted yet (common right after install: worker still creating it) or NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN in .env does not match the value Helm applied. Re-run --tags authentik (the role waits for GET …/core/applications/ to return 200 with your token). If you rotated the token in .env only, run the play again so Helm picks up the new value, or mint a new API token for akadmin in the admin UI.
• GET …/flows/instances/… → HTTP 403 with permission errors (Authentik 2026+ RBAC): the bearer token’s user must be able to view flows. The Helm bootstrap token belongs to akadmin, which must be in the authentik Admins group. Add akadmin to Directory → Groups → authentik Admins, or create a new API token for akadmin after fixing groups, and put that token in NOBLE_AUTHENTIK_BOOTSTRAP_TOKEN. As a workaround, set noble_authentik_oauth_authorization_flow_pk and noble_authentik_oauth_invalidation_flow_pk (both required) to the flows’ UUID primary keys from Admin → Flows (or -e / group_vars); the configure script then skips flow list API calls.
• /if/admin/ redirects to /if/user/ (even as akadmin): the admin UI only loads when canAccessAdmin is true. That comes from user.isSuperuser on GET /api/v3/core/users/me/, which is not the Django username — in Authentik 2026.x it is derived from membership in a group with the superuser flag (bootstrap blueprint: authentik Admins). If isSuperuser is false in /me, akadmin is missing that membership or the group’s flag is off. Fix in Directory → Groups when you can, or run the worker shell below, then log out and sign in again.

Fix akadmin superuser / admin redirect (worker shell)

kubectl exec -it deploy/authentik-worker -n authentik -- ak shell -c "from authentik.core.models import User, Group; u=User.objects.get(username='akadmin'); adm,_=Group.objects.get_or_create(name='authentik Admins', defaults={'is_superuser': True}); adm.is_superuser=True; adm.save(update_fields=['is_superuser']); adm.users.add(u); u=User.objects.get(pk=u.pk); print('all_groups', list(u.all_groups().values_list('name', flat=True))); print('is_superuser', u.is_superuser)"

Then log out of Authentik (or use a private window) and sign in again as akadmin.

• Grafana / Headlamp / ForwardAuth “Unauthorized” or Authentik “Not found” (Authentik 2026.x): OAuth endpoints are no longer under /application/o/<app>/oauth2/.... Use issuer discovery (Grafana server_url at …/application/o/<slug>/; oauth2-proxy oidc-issuer-url; Headlamp -oidc-idp-issuer-url). Re-apply Traefik (allowCrossNamespace so Ingresses can use Middleware in oauth2-proxy), kube-prometheus-stack, and Headlamp after updating values (e.g. ansible-playbook playbooks/noble.yml --tags authentik).