add generic multi-user cluster onboarding system

Data-driven user onboarding: add a JSON entry to Vault KV k8s_users,
apply vault + platform + woodpecker stacks, and everything is auto-generated.

Vault stack: namespace creation, per-user Vault policies with secret isolation
via identity entities/aliases, K8s deployer roles, CI policy update.

Platform stack: domains field in k8s_users type, TLS secrets per user namespace,
user domains merged into Cloudflare DNS, user-roles ConfigMap mounted in portal.

Woodpecker stack: admin list auto-generated from k8s_users, WOODPECKER_OPEN=true.

K8s-portal: dual-track onboarding (general/namespace-owner), namespace-owner
dashboard with Vault/kubectl commands, setup script adds Vault+Terraform+Terragrunt,
contributing page with CI pipeline template, versioned image tags in CI pipeline.

New: stacks/_template/ with copyable stack template for namespace-owners.

stacks/platform/modules/k8s-portal/files/src/routes/+page.svelte

@@ -20,10 +20,39 @@
 		{/if}
 	</section>
 
+	{#if data.role === 'namespace-owner'}
+		<section>
+			<h2>Your Namespace</h2>
+			<p><strong>Assigned namespaces:</strong> {data.namespaces.join(', ')}</p>
+
+			<h3>Quick Commands</h3>
+			<pre>
+# Check your pods
+kubectl get pods -n {data.namespaces[0]}
+
+# View quota usage
+kubectl describe resourcequota -n {data.namespaces[0]}
+
+# Log into Vault
+vault login -method=oidc
+
+# Store a secret
+vault kv put secret/{data.username}/myapp KEY=value
+
+# Get K8s deploy token
+vault write kubernetes/creds/{data.namespaces[0]}-deployer \
+  kubernetes_namespace={data.namespaces[0]}</pre>
+		</section>
+	{/if}
+
 	<section>
 		<h2>Get Started</h2>
 		<ol>
-			<li><a href="/onboarding">Complete the onboarding guide</a> (VPN, kubectl, git)</li>
+			{#if data.role === 'namespace-owner'}
+				<li><a href="/onboarding?role=namespace-owner">Complete the namespace-owner onboarding guide</a></li>
+			{:else}
+				<li><a href="/onboarding">Complete the onboarding guide</a> (VPN, kubectl, git)</li>
+			{/if}
 			<li><a href="/setup">Install kubectl and kubelogin</a></li>
 			<li><a href="/download">Download your kubeconfig</a></li>
 			<li>Run <code>kubectl get namespaces</code> to verify access</li>

stacks/platform/modules/k8s-portal/files/src/routes/contributing/+page.svelte

@@ -48,6 +48,59 @@
 		<p>Comment on your PR: "I need a database password for my-service." Viktor will add it to the encrypted secrets file and push to your branch.</p>
 		<p>Then reference it in your Terraform: <code>var.my_service_db_password</code></p>
 	</section>
+
+	<section>
+		<h2>Namespace Owner Workflow</h2>
+		<p>If you are a namespace owner, you can deploy your own apps:</p>
+		<ol>
+			<li>Clone the infra repo: <code>git clone https://github.com/ViktorBarzin/infra.git</code></li>
+			<li>Copy the template: <code>cp -r stacks/_template stacks/your-app</code></li>
+			<li>Rename: <code>mv stacks/your-app/main.tf.example stacks/your-app/main.tf</code></li>
+			<li>Edit <code>main.tf</code> — replace all <code>&lt;placeholders&gt;</code></li>
+			<li>Store secrets in Vault: <code>vault kv put secret/your-username/your-app KEY=value</code></li>
+			<li>Add your app domain to your <code>domains</code> list in Vault KV</li>
+			<li>Submit a PR, get it reviewed</li>
+			<li>After merge, admin runs <code>terragrunt apply</code></li>
+		</ol>
+	</section>
+
+	<section>
+		<h2>CI Pipeline Template</h2>
+		<p>Create a <code>.woodpecker.yml</code> in your app's Forgejo repo:</p>
+		<pre>{`steps:
+  - name: build
+    image: woodpeckerci/plugin-docker-buildx
+    settings:
+      repo: your-dockerhub-user/myapp
+      tag: ["\${CI_PIPELINE_NUMBER}", "latest"]
+      username:
+        from_secret: dockerhub-username
+      password:
+        from_secret: dockerhub-token
+      platforms: linux/amd64
+
+  - name: deploy
+    image: hashicorp/vault:1.18.1
+    commands:
+      - export VAULT_ADDR=http://vault-active.vault.svc.cluster.local:8200
+      - export VAULT_TOKEN=$(vault write -field=token auth/kubernetes/login
+          role=ci jwt=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token))
+      - KUBE_TOKEN=$(vault write -field=service_account_token
+          kubernetes/creds/YOUR_NAMESPACE-deployer
+          kubernetes_namespace=YOUR_NAMESPACE)
+      - kubectl --server=https://kubernetes.default.svc
+          --token=$KUBE_TOKEN
+          --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+          -n YOUR_NAMESPACE set image deployment/myapp
+          myapp=your-dockerhub-user/myapp:\${CI_PIPELINE_NUMBER}`}</pre>
+	</section>
+
+	<section>
+		<h2>Need a secret for your app?</h2>
+		<p>As a namespace owner, you manage your own secrets in Vault:</p>
+		<pre>vault kv put secret/your-username/your-app DB_PASSWORD=mysecret API_KEY=abc123</pre>
+		<p>Then reference them in your Terraform using a <code>data "vault_kv_secret_v2"</code> block.</p>
+	</section>
 </main>
 
 <style>

stacks/platform/modules/k8s-portal/files/src/routes/onboarding/+page.svelte

@@ -1,7 +1,17 @@
+<script>
+	import { page } from '$app/stores';
+	let showNamespaceOwner = $derived($page.url.searchParams.get('role') === 'namespace-owner');
+</script>
+
 <main class="content">
 	<h1>Getting Started</h1>
 	<p>Welcome! Follow these steps to get access to the home Kubernetes cluster.</p>
 
+	<div class="role-tabs">
+		<a href="/onboarding" class:active={!showNamespaceOwner}>General User</a>
+		<a href="/onboarding?role=namespace-owner" class:active={showNamespaceOwner}>Namespace Owner</a>
+	</div>
+
 	<section>
 		<h2>Step 0 — Join the VPN</h2>
 		<p>The cluster is on a private network (<code>10.0.20.0/24</code>). You need VPN access first.</p>
@@ -35,45 +45,89 @@
 		<p>Use <a href="https://learn.microsoft.com/en-us/windows/wsl/install" target="_blank">WSL2</a> and follow the Linux instructions.</p>
 	</section>
 
-	<section>
-		<h2>Step 3 — Verify access</h2>
-		<p>Run this command. It will open your browser for login the first time:</p>
-		<pre>kubectl get namespaces</pre>
-		<p>You should see output like:</p>
-		<pre class="output">NAME              STATUS   AGE
+	{#if showNamespaceOwner}
+		<section>
+			<h2>Step 3 — Log into Vault</h2>
+			<p>Vault manages your secrets and issues dynamic Kubernetes credentials.</p>
+			<pre>vault login -method=oidc</pre>
+			<p>This opens your browser for Authentik SSO. After login, your token is saved to <code>~/.vault-token</code>.</p>
+		</section>
+
+		<section>
+			<h2>Step 4 — Verify kubectl access</h2>
+			<p>Run this command. It will open your browser for OIDC login the first time:</p>
+			<pre>kubectl get pods -n YOUR_NAMESPACE</pre>
+			<p>You should see an empty list (no resources) or your running pods.</p>
+		</section>
+
+		<section>
+			<h2>Step 5 — Clone the infra repo</h2>
+			<pre>git clone https://github.com/ViktorBarzin/infra.git
+cd infra</pre>
+			<p>This is where all the infrastructure configuration lives.</p>
+		</section>
+
+		<section>
+			<h2>Step 6 — Create your first app stack</h2>
+			<ol>
+				<li>Copy the template: <pre>cp -r stacks/_template stacks/myapp
+mv stacks/myapp/main.tf.example stacks/myapp/main.tf</pre></li>
+				<li>Edit <code>stacks/myapp/main.tf</code> — replace all <code>&lt;placeholders&gt;</code></li>
+				<li>Store secrets in Vault:
+					<pre>vault kv put secret/YOUR_USERNAME/myapp DB_PASSWORD=secret123</pre>
+				</li>
+				<li>Add your app domain to <code>domains</code> list in Vault KV <code>k8s_users</code></li>
+				<li>Submit a PR:
+					<pre>git checkout -b feat/myapp
+git add stacks/myapp/
+git commit -m "add myapp stack"
+git push -u origin feat/myapp</pre>
+				</li>
+				<li>Viktor reviews and merges</li>
+				<li>After merge: <code>cd stacks/myapp && terragrunt apply</code></li>
+			</ol>
+		</section>
+	{:else}
+		<section>
+			<h2>Step 3 — Verify access</h2>
+			<p>Run this command. It will open your browser for login the first time:</p>
+			<pre>kubectl get namespaces</pre>
+			<p>You should see output like:</p>
+			<pre class="output">NAME              STATUS   AGE
 default           Active   200d
 kube-system       Active   200d
 monitoring        Active   200d
 ...</pre>
-		<p>If you get a connection error, make sure your VPN is connected (<code>tailscale status</code>).</p>
-	</section>
+			<p>If you get a connection error, make sure your VPN is connected (<code>tailscale status</code>).</p>
+		</section>
 
-	<section>
-		<h2>Step 4 — Clone the repo</h2>
-		<pre>git clone https://github.com/ViktorBarzin/infra.git
+		<section>
+			<h2>Step 4 — Clone the repo</h2>
+			<pre>git clone https://github.com/ViktorBarzin/infra.git
 cd infra</pre>
-		<p>This is where all the infrastructure configuration lives.</p>
-	</section>
+			<p>This is where all the infrastructure configuration lives.</p>
+		</section>
 
-	<section>
-		<h2>Step 5 — Install your AI assistant (optional)</h2>
-		<p>Install <a href="https://github.com/openai/codex" target="_blank">Codex CLI</a> for AI-assisted cluster management:</p>
-		<pre>npm install -g @openai/codex</pre>
-		<p>Codex reads the <code>AGENTS.md</code> file in the repo and knows how to work with the cluster.</p>
-	</section>
+		<section>
+			<h2>Step 5 — Install your AI assistant (optional)</h2>
+			<p>Install <a href="https://github.com/openai/codex" target="_blank">Codex CLI</a> for AI-assisted cluster management:</p>
+			<pre>npm install -g @openai/codex</pre>
+			<p>Codex reads the <code>AGENTS.md</code> file in the repo and knows how to work with the cluster.</p>
+		</section>
 
-	<section>
-		<h2>Step 6 — Your first change</h2>
-		<ol>
-			<li>Create a branch: <pre>git checkout -b my-first-change</pre></li>
-			<li>Edit a service file (e.g., change an image tag in <code>stacks/echo/main.tf</code>)</li>
-			<li>Commit and push: <pre>git add . && git commit -m "my first change" && git push -u origin my-first-change</pre></li>
-			<li>Open a Pull Request on GitHub</li>
-			<li>Viktor reviews and merges</li>
-			<li>Woodpecker CI automatically applies the change to the cluster</li>
-			<li>Slack notification confirms it worked</li>
-		</ol>
-	</section>
+		<section>
+			<h2>Step 6 — Your first change</h2>
+			<ol>
+				<li>Create a branch: <pre>git checkout -b my-first-change</pre></li>
+				<li>Edit a service file (e.g., change an image tag in <code>stacks/echo/main.tf</code>)</li>
+				<li>Commit and push: <pre>git add . && git commit -m "my first change" && git push -u origin my-first-change</pre></li>
+				<li>Open a Pull Request on GitHub</li>
+				<li>Viktor reviews and merges</li>
+				<li>Woodpecker CI automatically applies the change to the cluster</li>
+				<li>Slack notification confirms it worked</li>
+			</ol>
+		</section>
+	{/if}
 </main>
 
 <style>
@@ -86,4 +140,7 @@ cd infra</pre>
 	.content code { background: #f0f0f0; padding: 2px 6px; border-radius: 3px; }
 	.content .prereq { font-size: 0.9rem; color: #666; font-style: italic; }
 	section { margin: 2rem 0; }
+	.role-tabs { display: flex; gap: 0; margin: 1.5rem 0; border-bottom: 2px solid #e0e0e0; }
+	.role-tabs a { padding: 0.5rem 1.5rem; text-decoration: none; color: #666; border-bottom: 2px solid transparent; margin-bottom: -2px; }
+	.role-tabs a.active { color: #333; border-bottom-color: #333; font-weight: 600; }
 </style>

stacks/platform/modules/k8s-portal/files/src/routes/setup/script/+server.ts

@@ -105,6 +105,44 @@ else
     echo "[OK] kubeseal installed"
 fi
 
+# Install Vault CLI
+if command -v vault &>/dev/null; then
+    echo "[OK] vault already installed"
+else
+    echo "[..] Installing Vault CLI..."
+    VAULT_VERSION="1.18.1"
+    curl -fsSLO "https://releases.hashicorp.com/vault/\${VAULT_VERSION}/vault_\${VAULT_VERSION}_linux_amd64.zip"
+    unzip -o "vault_\${VAULT_VERSION}_linux_amd64.zip" vault -d /tmp
+    \$SUDO mv /tmp/vault "\$INSTALL_DIR/"
+    rm -f "vault_\${VAULT_VERSION}_linux_amd64.zip"
+    echo "[OK] vault installed"
+fi
+
+# Install Terragrunt
+if command -v terragrunt &>/dev/null; then
+    echo "[OK] terragrunt already installed"
+else
+    echo "[..] Installing terragrunt..."
+    TG_VERSION=\$(curl -fsSL -o /dev/null -w "%{url_effective}" https://github.com/gruntwork-io/terragrunt/releases/latest | grep -o '[^/]*\$')
+    curl -fsSLO "https://github.com/gruntwork-io/terragrunt/releases/download/\${TG_VERSION}/terragrunt_linux_amd64"
+    chmod +x terragrunt_linux_amd64
+    \$SUDO mv terragrunt_linux_amd64 "\$INSTALL_DIR/terragrunt"
+    echo "[OK] terragrunt installed"
+fi
+
+# Install Terraform
+if command -v terraform &>/dev/null; then
+    echo "[OK] terraform already installed"
+else
+    echo "[..] Installing terraform..."
+    TF_VERSION="1.9.8"
+    curl -fsSLO "https://releases.hashicorp.com/terraform/\${TF_VERSION}/terraform_\${TF_VERSION}_linux_amd64.zip"
+    unzip -o "terraform_\${TF_VERSION}_linux_amd64.zip" terraform -d /tmp
+    \$SUDO mv /tmp/terraform "\$INSTALL_DIR/"
+    rm -f "terraform_\${TF_VERSION}_linux_amd64.zip"
+    echo "[OK] terraform installed"
+fi
+
 # Write kubeconfig
 mkdir -p ~/.kube
 cat > ~/.kube/config-home << 'KUBECONFIG_EOF'
@@ -168,6 +206,34 @@ else
     echo "[OK] kubeseal installed"
 fi
 
+# Install Vault CLI
+if command -v vault &>/dev/null; then
+    echo "[OK] vault already installed"
+else
+    echo "[..] Installing Vault CLI..."
+    brew tap hashicorp/tap
+    brew install hashicorp/tap/vault
+    echo "[OK] vault installed"
+fi
+
+# Install Terragrunt
+if command -v terragrunt &>/dev/null; then
+    echo "[OK] terragrunt already installed"
+else
+    echo "[..] Installing terragrunt..."
+    brew install terragrunt
+    echo "[OK] terragrunt installed"
+fi
+
+# Install Terraform
+if command -v terraform &>/dev/null; then
+    echo "[OK] terraform already installed"
+else
+    echo "[..] Installing terraform..."
+    brew install hashicorp/tap/terraform
+    echo "[OK] terraform installed"
+fi
+
 # Write kubeconfig
 mkdir -p ~/.kube
 cat > ~/.kube/config-home << 'KUBECONFIG_EOF'

stacks/platform/modules/k8s-portal/main.tf

@@ -66,7 +66,14 @@ resource "kubernetes_deployment" "k8s_portal" {
 
           volume_mount {
             name       = "config"
-            mount_path = "/config"
+            mount_path = "/config/ca.crt"
+            sub_path   = "ca.crt"
+            read_only  = true
+          }
+          volume_mount {
+            name       = "user-roles"
+            mount_path = "/config/users.json"
+            sub_path   = "users.json"
             read_only  = true
           }
           resources {
@@ -86,6 +93,12 @@ resource "kubernetes_deployment" "k8s_portal" {
             name = kubernetes_config_map.k8s_portal_config.metadata[0].name
           }
         }
+        volume {
+          name = "user-roles"
+          config_map {
+            name = "k8s-user-roles"
+          }
+        }
         dns_config {
           option {
             name  = "ndots"
@@ -95,6 +108,12 @@ resource "kubernetes_deployment" "k8s_portal" {
       }
     }
   }
+  lifecycle {
+    ignore_changes = [
+      spec[0].template[0].spec[0].dns_config,
+      spec[0].template[0].spec[0].container[0].image, # CI updates image tag
+    ]
+  }
 }
 
 resource "kubernetes_service" "k8s_portal" {

stacks/platform/modules/rbac/main.tf

@@ -6,6 +6,7 @@ variable "k8s_users" {
     role       = string                     # "admin", "power-user", "namespace-owner"
     email      = string                     # OIDC email claim
     namespaces = optional(list(string), []) # for namespace-owners
+    domains    = optional(list(string), []) # subdomains for user apps
     quota = optional(object({
       cpu_requests    = optional(string, "2")
       memory_requests = optional(string, "4Gi")
@@ -248,3 +249,15 @@ resource "kubernetes_config_map" "user_roles" {
     })
   }
 }
+
+# TLS secret in each user namespace (so they can create HTTPS ingresses)
+module "user_namespace_tls" {
+  for_each = nonsensitive(toset(flatten([
+    for name, user in var.k8s_users : user.namespaces
+    if user.role == "namespace-owner"
+  ])))
+
+  source          = "../../../../modules/kubernetes/setup_tls_secret"
+  namespace       = each.value
+  tls_secret_name = var.tls_secret_name
+}