docs: dashboard access is forward-auth + token-paste (OIDC SSO blocked)

Correct the docs I'd written for the (reverted) oauth2-proxy SSO. Reality:
apiserver OIDC rejects all Authentik tokens (design §12), so the dashboard
uses forward-auth (admits kubernetes-* groups) + per-namespace SA token-paste.
Updates authentication.md, multi-tenancy.md, service-catalog, authentik-state,
and add-user skill (onboarding now documents the dashboard token). oauth2-proxy
+ k8s-dashboard OIDC app noted as idle. [ci skip]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-04 07:48:38 +00:00
parent e4c3fbbbbb
commit 8e44ccaa65
5 changed files with 70 additions and 55 deletions


@ -177,6 +177,17 @@ Tell the user to share these onboarding instructions with the new user:
- K8s Portal: `https://k8s-portal.viktorbarzin.me/onboarding?role=namespace-owner`
- README: `https://github.com/ViktorBarzin/infra#new-user-onboarding`
**Web dashboard access** (the `rbac` stack auto-creates a `dashboard-<user>` SA +
token for every namespace-owner — `stacks/rbac/modules/rbac/dashboard-sa.tf`):
the new user logs into `https://k8s.viktorbarzin.me` (forward-auth admits the
`kubernetes-*` groups) and pastes the **Token**:
```bash
kubectl -n NAMESPACE get secret dashboard-USERNAME-token -o jsonpath='{.data.token}' | base64 -d
```
Gives them `admin` on their namespace(s) + cluster read-only. (Token-paste is the
interim model while seamless OIDC SSO is blocked — see
`docs/plans/2026-06-04-k8s-dashboard-sso-design.md` §12.)
The user can decrypt their stack's state with:
```bash
vault login -method=oidc # authenticates via Authentik SSO
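Review bot: the onboarding text tells the new user to paste the `dashboard-USERNAME-token` value but never says what that credential is: a Secret-backed service-account token, which in Kubernetes does not expire, and which this page says grants `admin` on the namespace plus cluster read-only. A one-line caveat after the `kubectl ... | base64 -d` block would help ("treat this token like a password; it does not expire, so ask for the `dashboard-<user>` SA to be recreated if it leaks"), otherwise a user pasting it into a shared browser has no idea it is a long-lived namespace-admin credential. Two smaller points in the same block: the prose says `dashboard-<user>` while the command says `dashboard-USERNAME-token`, so pick one placeholder style; and the `kubectl -n NAMESPACE get secret` step only works once the user already has a kubeconfig that can read Secrets in that namespace, so state that prerequisite (or point at the K8s Portal onboarding step above that provides it) before telling them to run it.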