docs: dashboard access is forward-auth + token-paste (OIDC SSO blocked)
Correct the docs I'd written for the (reverted) oauth2-proxy SSO. Reality: apiserver OIDC rejects all Authentik tokens (design §12), so the dashboard uses forward-auth (admits kubernetes-* groups) + per-namespace SA token-paste. Updates authentication.md, multi-tenancy.md, service-catalog, authentik-state, and add-user skill (onboarding now documents the dashboard token). oauth2-proxy + k8s-dashboard OIDC app noted as idle. [ci skip] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
e4c3fbbbbb
commit
8e44ccaa65
5 changed files with 70 additions and 55 deletions
|
|
@ -177,6 +177,17 @@ Tell the user to share these onboarding instructions with the new user:
|
|||
- K8s Portal: `https://k8s-portal.viktorbarzin.me/onboarding?role=namespace-owner`
|
||||
- README: `https://github.com/ViktorBarzin/infra#new-user-onboarding`
|
||||
|
||||
**Web dashboard access** (the `rbac` stack auto-creates a `dashboard-<user>` SA +
|
||||
token for every namespace-owner — `stacks/rbac/modules/rbac/dashboard-sa.tf`):
|
||||
the new user logs into `https://k8s.viktorbarzin.me` (forward-auth admits the
|
||||
`kubernetes-*` groups) and pastes the **Token**:
|
||||
```bash
|
||||
kubectl -n NAMESPACE get secret dashboard-USERNAME-token -o jsonpath='{.data.token}' | base64 -d
|
||||
```
|
||||
Gives them `admin` on their namespace(s) + cluster read-only. (Token-paste is the
|
||||
interim model while seamless OIDC SSO is blocked — see
|
||||
`docs/plans/2026-06-04-k8s-dashboard-sso-design.md` §12.)
|
||||
|
||||
The user can decrypt their stack's state with:
|
||||
```bash
|
||||
vault login -method=oidc # authenticates via Authentik SSO
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue