docs: dashboard now auto-injects per-user SA token (no token-paste)
Update authentication.md, multi-tenancy.md, service-catalog, add-user skill to reflect the token-injector (X-authentik-username -> SA token -> Bearer). Note the extra k8s-dashboard apply needed when onboarding a namespace-owner (injector map regen). [ci skip] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
d649f4f287
commit
c4bd64f88a
4 changed files with 47 additions and 40 deletions
|
|
@ -177,16 +177,19 @@ Tell the user to share these onboarding instructions with the new user:
|
|||
- K8s Portal: `https://k8s-portal.viktorbarzin.me/onboarding?role=namespace-owner`
|
||||
- README: `https://github.com/ViktorBarzin/infra#new-user-onboarding`
|
||||
|
||||
**Web dashboard access** (the `rbac` stack auto-creates a `dashboard-<user>` SA +
|
||||
token for every namespace-owner — `stacks/rbac/modules/rbac/dashboard-sa.tf`):
|
||||
the new user logs into `https://k8s.viktorbarzin.me` (forward-auth admits the
|
||||
`kubernetes-*` groups) and pastes the **Token**:
|
||||
```bash
|
||||
kubectl -n NAMESPACE get secret dashboard-USERNAME-token -o jsonpath='{.data.token}' | base64 -d
|
||||
```
|
||||
Gives them `admin` on their namespace(s) + cluster read-only. (Token-paste is the
|
||||
interim model while seamless OIDC SSO is blocked — see
|
||||
`docs/plans/2026-06-04-k8s-dashboard-sso-design.md` §12.)
|
||||
**Web dashboard access** (auto-login, no token paste): the `rbac` stack
|
||||
auto-creates a `dashboard-<user>` SA + token for every namespace-owner
|
||||
(`dashboard-sa.tf`), and the **k8s-dashboard** stack's token-injector maps the
|
||||
user's Authentik identity → that token (`dashboard_injector.tf`, auto-derived
|
||||
from `k8s_users`). The new user just logs into `https://k8s.viktorbarzin.me` and
|
||||
lands in the dashboard scoped to their namespace (`admin` + cluster read-only).
|
||||
|
||||
> **Apply order for a new namespace-owner:** after the vault/rbac/woodpecker
|
||||
> applies above, ALSO `cd stacks/k8s-dashboard && ../../scripts/tg apply` so the
|
||||
> injector map picks up the new user. (Manual token fallback:
|
||||
> `kubectl -n NAMESPACE get secret dashboard-USERNAME-token -o jsonpath='{.data.token}' | base64 -d`.)
|
||||
> Seamless OIDC SSO is built but blocked — see
|
||||
> `docs/plans/2026-06-04-k8s-dashboard-sso-design.md` §12.
|
||||
|
||||
The user can decrypt their stack's state with:
|
||||
```bash
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue