Add Authentik OIDC provider K8s manifests and wire deployment

- deploy/authentik.yaml: PostgreSQL StatefulSet, Redis, Authentik
  server (NodePort 30900) and worker, all in cameleer namespace
- deploy/server.yaml: Add CAMELEER_JWT_SECRET and CAMELEER_OIDC_*
  env vars from secrets (all optional for backward compat)
- ci.yml: Create authentik-credentials and cameleer-oidc secrets,
  deploy Authentik before the server
- HOWTO.md: Authentik setup instructions, updated architecture
  diagram and Gitea secrets list

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

HOWTO.md

@@ -125,6 +125,31 @@ curl -s -X POST http://localhost:8081/api/v1/auth/oidc/callback \
 
 Local login remains available as fallback even when OIDC is enabled.
 
+### Authentik Setup (OIDC Provider)
+
+Authentik is deployed alongside the Cameleer stack. After first deployment:
+
+1. **Initial setup**: Open `http://192.168.50.86:30900/if/flow/initial-setup/` and create the admin account
+2. **Create provider**: Admin Interface → Providers → Create → OAuth2/OpenID Provider
+   - Name: `Cameleer`
+   - Authorization flow: `default-provider-authorization-explicit-consent`
+   - Client type: `Confidential`
+   - Redirect URIs: `http://192.168.50.86:30090/callback` (or your UI URL)
+   - Note the **Client ID** and **Client Secret**
+3. **Create application**: Admin Interface → Applications → Create
+   - Name: `Cameleer`
+   - Provider: select `Cameleer` (created above)
+4. **Configure roles** (optional): Create groups in Authentik and map them to Cameleer roles via the `roles-claim` config. Default claim path is `realm_access.roles`. For Authentik, you may need to customize the OIDC scope to include group claims.
+5. **Set env vars** on the Cameleer server:
+   ```
+   CAMELEER_OIDC_ENABLED=true
+   CAMELEER_OIDC_ISSUER=http://authentik:9000/application/o/cameleer/
+   CAMELEER_OIDC_CLIENT_ID=<client-id-from-step-2>
+   CAMELEER_OIDC_CLIENT_SECRET=<client-secret-from-step-2>
+   ```
+
+For K8s deployment, these are managed via the `cameleer-oidc` secret (see CI/CD section).
+
 ### User Management (ADMIN only)
 
 ```bash
@@ -362,9 +387,13 @@ The full stack is deployed to k3s via CI/CD on push to `main`. K8s manifests are
 
 ```
 cameleer namespace:
-  ClickHouse (StatefulSet, 2Gi PVC) ← clickhouse:8123 (ClusterIP)
-  cameleer3-server (Deployment)     ← NodePort 30081
-  cameleer3-ui (Deployment, Nginx)  ← NodePort 30090
+  ClickHouse (StatefulSet, 2Gi PVC)        ← clickhouse:8123 (ClusterIP)
+  cameleer3-server (Deployment)            ← NodePort 30081
+  cameleer3-ui (Deployment, Nginx)         ← NodePort 30090
+  Authentik Server (Deployment)            ← NodePort 30900
+  Authentik Worker (Deployment)
+  Authentik PostgreSQL (StatefulSet, 1Gi)  ← ClusterIP
+  Authentik Redis (Deployment)             ← ClusterIP
 ```
 
 ### Access (from your network)
@@ -374,12 +403,13 @@ cameleer namespace:
 | Web UI | `http://192.168.50.86:30090` |
 | Server API | `http://192.168.50.86:30081/api/v1/health` |
 | Swagger UI | `http://192.168.50.86:30081/api/v1/swagger-ui.html` |
+| Authentik | `http://192.168.50.86:30900` |
 
 ### CI/CD Pipeline
 
 Push to `main` triggers: **build** (UI npm + Maven, unit tests) → **docker** (buildx amd64 for server + UI, push to Gitea registry) → **deploy** (kubectl apply + rolling update).
 
-Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`, `CAMELEER_UI_USER` (optional), `CAMELEER_UI_PASSWORD` (optional), `CAMELEER_JWT_SECRET` (recommended — tokens survive restarts).
+Required Gitea org secrets: `REGISTRY_TOKEN`, `KUBECONFIG_BASE64`, `CAMELEER_AUTH_TOKEN`, `CAMELEER_JWT_SECRET`, `CLICKHOUSE_USER`, `CLICKHOUSE_PASSWORD`, `CAMELEER_UI_USER` (optional), `CAMELEER_UI_PASSWORD` (optional), `AUTHENTIK_PG_PASSWORD`, `AUTHENTIK_SECRET_KEY`, `CAMELEER_OIDC_ENABLED`, `CAMELEER_OIDC_ISSUER`, `CAMELEER_OIDC_CLIENT_ID`, `CAMELEER_OIDC_CLIENT_SECRET`.
 
 ### Manual K8s Commands