docs(k8s-dashboard): dashboard SSO as-built (Option B multi-issuer apiserver)

Update authentication.md (structured multi-issuer AuthenticationConfiguration
+ dashboard SSO flow), multi-tenancy.md (web dashboard access), authentik-state
(new k8s-dashboard app + gheorghe groups), service-catalog (dashboard auth),
and the k8s-version-upgrade runbook (kubeadm wipes --authentication-config →
re-apply rbac post-upgrade). Design/plan addenda record the issuer-constraint
pivot from the original dual-aud approach. [ci skip]

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

docs/runbooks/k8s-version-upgrade.md

@@ -127,6 +127,28 @@ Exposed in K8s via ExternalSecret `k8s-upgrade-creds` in the `k8s-upgrade` names
 
 ## Common Operations
 
+### Post-upgrade: restore apiserver OIDC (REQUIRED after any control-plane bump)
+
+`kubeadm upgrade apply` **regenerates `/etc/kubernetes/manifests/kube-apiserver.yaml`
+and drops the `--authentication-config` flag**, silently disabling apiserver
+OIDC (kubectl/kubelogin CLI **and** the web dashboard SSO break — tokens get
+401). This is not auto-detected (the `rbac` stack's `null_resource` trigger is a
+content hash that doesn't change). After any control-plane upgrade, re-apply:
+
+```bash
+cd stacks/rbac
+TF_VAR_ssh_private_key="$(cat ~/.ssh/id_ed25519)" \
+  VAULT_ADDR=https://vault.viktorbarzin.me ../../scripts/tg apply \
+  --non-interactive -target=module.rbac.null_resource.apiserver_oidc_config
+```
+
+(`ssh_private_key` must be a key authorized for `wizard@<master>`; it is not yet
+wired from Vault.) The provisioner re-writes `/etc/kubernetes/pki/auth-config.yaml`
+(both `kubernetes` + `k8s-dashboard` issuers), re-adds the flag, and
+health-gates `/livez` with auto-rollback. Verify: `curl -sk
+https://localhost:6443/livez` on the master = `ok`, and the apiserver manifest
+contains `--authentication-config`. See `docs/plans/2026-06-04-k8s-dashboard-sso-design.md`.
+
 ### Verify the pipeline is healthy
 ```bash
 # CronJob present + not suspended