feat(k8s-dashboard): cut over ingress to oauth2-proxy SSO

Dashboard now authenticates via Authentik (oauth2-proxy, k8s-dashboard
issuer) and applies each user's own RBAC via the apiserver multi-issuer
AuthenticationConfiguration. Committed so CI converges (uncommitted local
applies were being reverted by the Woodpecker terragrunt-apply pipeline).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-04 02:53:16 +00:00
parent ed4ed6bd09
commit c9b22c7dd3

View file

@ -91,15 +91,21 @@ resource "helm_release" "kubernetes-dashboard" {
module "ingress" { module "ingress" {
source = "../../modules/kubernetes/ingress_factory" source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.k8s-dashboard.metadata[0].name namespace = kubernetes_namespace.k8s-dashboard.metadata[0].name
name = "kubernetes-dashboard" name = "kubernetes-dashboard"
service_name = "kubernetes-dashboard-kong-proxy" service_name = "oauth2-proxy"
host = "k8s" host = "k8s"
dns_type = "proxied" dns_type = "proxied"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
auth = "required" # auth = "none": oauth2-proxy is the gate it runs the Authentik OIDC
backend_protocol = "HTTPS" # code-flow and injects the user's id_token as Bearer for dashboard->apiserver
port = 443 # auth. The apiserver trusts the k8s-dashboard issuer (rbac stack structured
# AuthenticationConfiguration), so per-user RBAC applies. A group policy on
# the Authentik app restricts login to the kubernetes-* RBAC groups.
# See docs/plans/2026-06-04-k8s-dashboard-sso-design.md.
auth = "none"
backend_protocol = "HTTP"
port = 4180
extra_annotations = { extra_annotations = {
"gethomepage.dev/enabled" = "true" "gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Kubernetes Dashboard" "gethomepage.dev/name" = "Kubernetes Dashboard"