feat(k8s-dashboard): cut over ingress to oauth2-proxy SSO

Dashboard now authenticates via Authentik (oauth2-proxy, k8s-dashboard
issuer) and applies each user's own RBAC via the apiserver multi-issuer
AuthenticationConfiguration. Committed so CI converges (uncommitted local
applies were being reverted by the Woodpecker terragrunt-apply pipeline).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

stacks/k8s-dashboard/main.tf

@@ -91,15 +91,21 @@ resource "helm_release" "kubernetes-dashboard" {
 
 module "ingress" {
   source           = "../../modules/kubernetes/ingress_factory"
-  namespace        = kubernetes_namespace.k8s-dashboard.metadata[0].name
-  name             = "kubernetes-dashboard"
-  service_name     = "kubernetes-dashboard-kong-proxy"
-  host             = "k8s"
-  dns_type         = "proxied"
-  tls_secret_name  = var.tls_secret_name
-  auth             = "required"
-  backend_protocol = "HTTPS"
-  port             = 443
+  namespace    = kubernetes_namespace.k8s-dashboard.metadata[0].name
+  name         = "kubernetes-dashboard"
+  service_name = "oauth2-proxy"
+  host         = "k8s"
+  dns_type     = "proxied"
+  tls_secret_name = var.tls_secret_name
+  # auth = "none": oauth2-proxy is the gate — it runs the Authentik OIDC
+  # code-flow and injects the user's id_token as Bearer for dashboard->apiserver
+  # auth. The apiserver trusts the k8s-dashboard issuer (rbac stack structured
+  # AuthenticationConfiguration), so per-user RBAC applies. A group policy on
+  # the Authentik app restricts login to the kubernetes-* RBAC groups.
+  # See docs/plans/2026-06-04-k8s-dashboard-sso-design.md.
+  auth             = "none"
+  backend_protocol = "HTTP"
+  port             = 4180
   extra_annotations = {
     "gethomepage.dev/enabled"      = "true"
     "gethomepage.dev/name"         = "Kubernetes Dashboard"