fix(authentik): pin chart 2026.5.2, grant_types allowlist, portal redirect URI

- Pin the helm-controller chart version (unset = silent latest upgrades) and
  move the image tag under global.image per the 2026.5 chart layout.
- Authentik 2026.5 enforces a per-provider grant_types allowlist; empty list
  rejected every authorize request. Allow authorization_code + refresh_token
  for portal and operator providers.
- Fix the portal redirect URI to the nuxt-oidc-auth callback path.
- Serve the auth ingress on :80 with a per-router HTTPS redirect so the
  cert-manager HTTP-01 solver keeps working.

infrastructure/production/fleet/authentik/values.yaml

@@ -8,10 +8,11 @@
 # pulls latest). After it's up, pin the installed chart + image versions here +
 # in RUNBOOK.md for reproducibility.
 
-image:
-  tag: "2026.5.2"   # deployed version (latest chart as of 2026-06-08)
-
 global:
+  # Image moved under global.image in chart 2026.5.x; the old top-level `image:`
+  # key now hard-fails the chart's deprecation guard.
+  image:
+    tag: "2026.5.2"   # deployed version; pinned == spec.version in helmchart.yaml
   # AUTHENTIK_SECRET_KEY, AUTHENTIK_POSTGRESQL__PASSWORD, AUTHENTIK_REDIS__PASSWORD,
   # AUTHENTIK_BOOTSTRAP_PASSWORD, AUTHENTIK_BOOTSTRAP_TOKEN
   envFrom:
@@ -45,6 +46,11 @@ server:
     ingressClassName: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt-prod
+      # Serve on :80 too so the cert-manager ACME HTTP-01 solver can answer on
+      # port 80 at renewal; redirect-https bounces other traffic to HTTPS.
+      # (Middleware lives in authentik/redirect-middleware.yaml.)
+      traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+      traefik.ingress.kubernetes.io/router.middlewares: dezky-auth-redirect-https@kubernetescrd
     hosts:
       - auth.dezky.eu
     paths: