infra/stacks/k8s-dashboard
Viktor Barzin d649f4f287 feat(k8s-dashboard): auto-inject per-user SA token (no token-paste)
nginx token-injector behind the existing forward-auth: maps X-authentik-username
(the user's email, injected by Authentik) -> that user's ServiceAccount token ->
sets Authorization: Bearer -> kong-proxy. Dashboard auto-authenticates; users
never see the token prompt. Mirrors the t3-dispatch pattern. Token map lives in a
Secret (namespace-owners' cluster-read covers configmaps, not secrets). Verified:
gheorghe->vabbit81 pods 200 + kube-system 200 (cluster-read); viktor->nodes 200
(admin); unmapped->401. namespace-owners auto-derived from k8s_users; admins
hardcoded (their Authentik identity != k8s_users email).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 09:19:10 +00:00
.terraform.lock.hcl Woodpecker CI deploy [CI SKIP] 2026-06-05 09:19:09 +00:00
authentik.tf fix(k8s-dashboard): use email_verified=true + groups scope mappings 2026-06-05 09:19:09 +00:00
dashboard_injector.tf feat(k8s-dashboard): auto-inject per-user SA token (no token-paste) 2026-06-05 09:19:10 +00:00
main.tf feat(k8s-dashboard): auto-inject per-user SA token (no token-paste) 2026-06-05 09:19:10 +00:00
oauth2_proxy.tf fix(k8s-dashboard): use email_verified=true + groups scope mappings 2026-06-05 09:19:09 +00:00
providers.tf feat(k8s-dashboard): add Authentik OIDC app for dashboard SSO 2026-06-05 09:19:07 +00:00
secrets [ci skip] Move Terraform modules into stack directories 2026-02-22 14:38:14 +00:00
terragrunt.hcl [ci skip] Phase 3: Create 66 service stacks and migrate state 2026-02-22 13:56:34 +00:00