infra/stacks/k8s-dashboard
Viktor Barzin cb96d5d590 fix(k8s-dashboard): use email_verified=true + groups scope mappings
The apiserver rejects the email username-claim when email_verified is false
(invalid bearer token 401). Authentik external/social users are unverified,
so the default scope-email mapping fails. Mirror the proven kubernetes
provider: use the custom 'Kubernetes Email (verified)' mapping (hardcodes
email_verified=true) + 'Kubernetes Groups'. Drop the now-unneeded dual-aud
mapping (apiserver trusts the k8s-dashboard issuer w/ audience=client_id) and
align oauth2-proxy scope to 'openid email profile groups'.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-05 09:19:09 +00:00
.terraform.lock.hcl Woodpecker CI deploy [CI SKIP] 2026-06-05 09:19:09 +00:00
authentik.tf fix(k8s-dashboard): use email_verified=true + groups scope mappings 2026-06-05 09:19:09 +00:00
main.tf feat(k8s-dashboard): cut over ingress to oauth2-proxy SSO 2026-06-05 09:19:09 +00:00
oauth2_proxy.tf fix(k8s-dashboard): use email_verified=true + groups scope mappings 2026-06-05 09:19:09 +00:00
providers.tf feat(k8s-dashboard): add Authentik OIDC app for dashboard SSO 2026-06-05 09:19:07 +00:00
secrets [ci skip] Move Terraform modules into stack directories 2026-02-22 14:38:14 +00:00
terragrunt.hcl [ci skip] Phase 3: Create 66 service stacks and migrate state 2026-02-22 13:56:34 +00:00