From c9b22c7dd362779b9deb83366a2b68f571b634aa Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Thu, 4 Jun 2026 02:53:16 +0000
Subject: [PATCH] feat(k8s-dashboard): cut over ingress to oauth2-proxy SSO

Dashboard now authenticates via Authentik (oauth2-proxy, k8s-dashboard issuer) and applies each user's own RBAC via the apiserver multi-issuer AuthenticationConfiguration. Committed so CI converges (uncommitted local applies were being reverted by the Woodpecker terragrunt-apply pipeline).
Co-Authored-By: Claude Opus 4.8
---
 stacks/k8s-dashboard/main.tf | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)
diff --git a/stacks/k8s-dashboard/main.tf b/stacks/k8s-dashboard/main.tf
index 5528db0e..a3c2a65e 100644
--- a/stacks/k8s-dashboard/main.tf
+++ b/stacks/k8s-dashboard/main.tf
@@ -91,15 +91,21 @@ resource "helm_release" "kubernetes-dashboard" {
 module "ingress" {
 source = "../../modules/kubernetes/ingress_factory"
- namespace = kubernetes_namespace.k8s-dashboard.metadata[0].name
- name = "kubernetes-dashboard"
- service_name = "kubernetes-dashboard-kong-proxy"
- host = "k8s"
- dns_type = "proxied"
- tls_secret_name = var.tls_secret_name
- auth = "required"
- backend_protocol = "HTTPS"
- port = 443
+ namespace = kubernetes_namespace.k8s-dashboard.metadata[0].name
+ name = "kubernetes-dashboard"
+ service_name = "oauth2-proxy"
+ host = "k8s"
+ dns_type = "proxied"
+ tls_secret_name = var.tls_secret_name
+ # auth = "none": oauth2-proxy is the gate — it runs the Authentik OIDC
+ # code-flow and injects the user's id_token as Bearer for dashboard->apiserver
+ # auth. The apiserver trusts the k8s-dashboard issuer (rbac stack structured
+ # AuthenticationConfiguration), so per-user RBAC applies. A group policy on
+ # the Authentik app restricts login to the kubernetes-* RBAC groups.
+ # See docs/plans/2026-06-04-k8s-dashboard-sso-design.md.
+ auth = "none"
+ backend_protocol = "HTTP"
+ port = 4180
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Kubernetes Dashboard"
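Review bot: With `auth = "none"` the ingress-level check is gone, so access control now rests entirely on whatever answers as the Service `oauth2-proxy`, which appears here only as a string literal. Nothing in the hunk ties this module to the resource that creates that Service, or shows that `kubernetes-dashboard-kong-proxy` is reachable only through it. If oauth2-proxy is declared in this stack, reference its resource attribute the way `namespace` does (or add a `depends_on`), and consider a NetworkPolicy that admits traffic to the kong proxy only from the oauth2-proxy pods. The switch to `backend_protocol = "HTTP"` also puts session cookies in cleartext on the hop from the ingress controller to port 4180, and the new comment does not mention it; a line such as `# plaintext hop: oauth2-proxy serves 4180 without TLS, TLS terminates at the ingress` would record that this is deliberate. The `module "ingress"` block continues past the end of the hunk.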