feat(guacamole): SSO OIDC sur le domaine HTTPS (auth./portail.funklab.online)

Bascule des endpoints OIDC de kaya.freeboxos.fr:9080/9081 vers les URLs
publiques HTTPS. Les ports restent un chemin réseau valide mais le SSO
est désormais canonique sur le domaine.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
alkatrazz 2026-07-07 16:12:33 +02:00
parent 8319ee60c0
commit 7e99cf3206

View file

@ -43,19 +43,18 @@ spec:
- name: WEBAPP_CONTEXT - name: WEBAPP_CONTEXT
value: "ROOT" value: "ROOT"
# --- SSO OIDC → Authentik (app « guacamole » dans l'UI Authentik) --- # --- SSO OIDC → Authentik (app « guacamole » dans l'UI Authentik) ---
# Endpoints navigateur : URL publique kaya.freeboxos.fr (une seule URL # URL canonique = domaine HTTPS (auth./portail.funklab.online), LAN inclus
# canonique, LAN inclus — hairpin NAT Freebox) ; JWKS : appel # (split-horizon dnsmasq). JWKS : appel serveur→serveur via le Service interne.
# serveur→serveur via le Service interne
- name: OPENID_AUTHORIZATION_ENDPOINT - name: OPENID_AUTHORIZATION_ENDPOINT
value: "http://kaya.freeboxos.fr:9081/application/o/authorize/" value: "https://auth.funklab.online/application/o/authorize/"
- name: OPENID_JWKS_ENDPOINT - name: OPENID_JWKS_ENDPOINT
value: "http://authentik.auth.svc.cluster.local:9000/application/o/guacamole/jwks/" value: "http://authentik.auth.svc.cluster.local:9000/application/o/guacamole/jwks/"
- name: OPENID_ISSUER - name: OPENID_ISSUER
value: "http://kaya.freeboxos.fr:9081/application/o/guacamole/" value: "https://auth.funklab.online/application/o/guacamole/"
- name: OPENID_CLIENT_ID - name: OPENID_CLIENT_ID
value: "guacamole" value: "guacamole"
- name: OPENID_REDIRECT_URI - name: OPENID_REDIRECT_URI
value: "http://kaya.freeboxos.fr:9080/" value: "https://portail.funklab.online/"
- name: OPENID_USERNAME_CLAIM_TYPE - name: OPENID_USERNAME_CLAIM_TYPE
value: "preferred_username" value: "preferred_username"
- name: OPENID_SCOPE - name: OPENID_SCOPE