# Yumi Admin Console — deploy behind FlowMaster-tenant SSO

The console is a static letterbox SPA (`index.html` + `styles.css` + `app.js`) that calls
`/api/*` (the Central User Administration backend, to be built — `docs/YUMI_MASTER.md §7`).
It is served by nginx and protected by the cluster **oauth2-proxy** (FlowMaster tenant), so only
authenticated FlowMaster identities reach it, and admin actions are gated by group membership
(`yumi-platform-admin` / `yumi-org-admin`), enforced server-side.

> Cannot deploy from this machine today (no `mmd01` kube context; bash/kubectl gated). The
> manifests below are ready to `kubectl apply` from a host with cluster access.

## Build
```bash
cd apps/admin
# No build step: nginx serves index.html / styles.css / app.js as-is.
# Package the three files into the ConfigMap the Deployment mounts
# (ConfigMaps are capped at 1 MiB, which is plenty for this SPA):
kubectl create configmap yumi-admin-spa -n yumi \
  --from-file=index.html --from-file=styles.css --from-file=app.js \
  --dry-run=client -o yaml > spa-configmap.yaml
# (When the backend exists, add the BFF and an nginx `location /api` proxy;
#  with the stock nginx config below, /api/* simply returns 404.)
```

## Kubernetes manifests (apply from a cluster host)

```yaml
# namespace (the yumi-admin-spa ConfigMap holding the SPA files is generated
# separately with `kubectl create configmap yumi-admin-spa --from-file=...`; not inlined here)
apiVersion: v1
kind: Namespace
metadata: { name: yumi }
---
apiVersion: apps/v1
kind: Deployment
metadata: { name: yumi-admin, namespace: yumi }
spec:
  replicas: 2
  selector: { matchLabels: { app: yumi-admin } }
  template:
    metadata: { labels: { app: yumi-admin } }
    spec:
      securityContext: { runAsNonRoot: true, seccompProfile: { type: RuntimeDefault } }
      containers:
        - name: web
          # the unprivileged image listens on 8080 as uid 101; stock nginx:alpine listens
          # on 80 as root and would not match containerPort/targetPort below
          image: nginxinc/nginx-unprivileged:1.27-alpine
          ports: [{ containerPort: 8080 }]
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: [ALL] }
          volumeMounts:
            - { name: spa, mountPath: /usr/share/nginx/html, readOnly: true }
            - { name: tmp, mountPath: /tmp }   # pid file + temp paths of the unprivileged image
          readinessProbe: { httpGet: { path: /, port: 8080 } }
      volumes:
        - name: spa
          configMap: { name: yumi-admin-spa }
        - name: tmp
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata: { name: yumi-admin, namespace: yumi }
spec: { selector: { app: yumi-admin }, ports: [{ port: 80, targetPort: 8080 }] }
---
# IngressRoute behind oauth2-proxy (FlowMaster tenant). Every request passes the
# forward-auth middleware; the admin-group gate lives in the BFF, not here.
# The sso-auth ForwardAuth middleware must list X-Auth-Request-Email /
# X-Forwarded-Access-Token in `authResponseHeaders`, otherwise Traefik drops them
# before the upstream sees them. Pair with a NetworkPolicy in `yumi` that admits
# ingress only from Traefik: anything that can reach the ClusterIP directly can
# set those headers itself.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata: { name: yumi-admin, namespace: yumi }
spec:
  entryPoints: [websecure]
  routes:
    - match: Host(`yumi.flow-master.ai`)
      kind: Rule
      middlewares: [{ name: sso-auth, namespace: sso }]   # oauth2-proxy forward-auth (FM tenant)
      services: [{ name: yumi-admin, port: 80 }]
  tls: { certResolver: le }
```

## SSO / RBAC
- **Identity:** FlowMaster tenant, via `oauth2-proxy` in the `sso` namespace (same pattern as
  `portal.baobab-ts.com`). The proxy sets `X-Auth-Request-Email` / `X-Forwarded-Access-Token`.
  With Traefik forward-auth these reach the upstream only if the middleware lists them in
  `authResponseHeaders`, and they are trustworthy only if nothing but Traefik can reach the
  `yumi-admin` Service (restrict ingress to the `yumi` namespace with a NetworkPolicy; a pod that
  can hit the ClusterIP directly can forge both headers).
- **Admin gate:** the BFF (`/api/admin/*`) verifies the token from `X-Forwarded-Access-Token`
  (signature against the FlowMaster tenant's JWKS, `iss`, `aud`, `exp`) and only then maps the
  `groups` claim against `YUMI_GROUP_MAP` → `yumi-platform-admin` (all orgs) / `yumi-org-admin`
  (own org). Entra puts group object IDs, not display names, in `groups`, so the map should key on
  those IDs. A user in many groups gets no `groups` claim at all (Entra's overage case); treat that
  as no admin rights rather than granting anything on trust. The SPA only reflects permissions;
  the server enforces.
- **Proposed domain:** `yumi.flow-master.ai` (confirm CNAME + redirect URI in the FlowMaster
  Entra app reg).
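The group gate described above, as an added worked example (this is illustrative code, not the project's BFF, which does not exist yet). It assumes the token from `X-Forwarded-Access-Token` has already been verified (signature against the FlowMaster Entra JWKS, `iss`, `aud`, `exp`) and receives the verified claims; that `YUMI_GROUP_MAP` keys are Entra group object IDs (the GUIDs below are placeholders); that org-scoped admin routes look like `/api/admin/orgs/<org>/...` while `/api/admin/orgs` itself is platform-level; and that the caller resolves the user's own org from Yumi's user store and passes it in. All of those are assumptions.

```python
"""Server-side admin gate for /api/admin/* (added example, not project code).

Input is the *verified* JWT claims; signature/iss/aud/exp checks happen before
this and are out of scope here.
"""
from dataclasses import dataclass
from typing import Optional, Set

PLATFORM_ADMIN = "yumi-platform-admin"
ORG_ADMIN = "yumi-org-admin"

# Assumed shape of YUMI_GROUP_MAP: Entra group object ID -> Yumi role.
# Placeholder GUIDs, not real group IDs.
YUMI_GROUP_MAP = {
    "11111111-1111-4111-8111-111111111111": PLATFORM_ADMIN,
    "22222222-2222-4222-8222-222222222222": ORG_ADMIN,
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    role: Optional[str]
    reason: str


def roles_from_claims(claims: dict) -> Set[str]:
    """Map the verified `groups` claim to Yumi roles, failing closed on overage.

    When a user is in too many groups Entra omits `groups` and signals overage
    (v1 tokens: hasgroups=true; v2 tokens: _claim_names.groups). Membership
    cannot be established from the token in that case, so grant nothing.
    """
    if claims.get("hasgroups") or "groups" in (claims.get("_claim_names") or {}):
        return set()
    groups = claims.get("groups")
    if not isinstance(groups, list):
        return set()
    return {YUMI_GROUP_MAP[g] for g in groups if g in YUMI_GROUP_MAP}


def org_from_path(path: str) -> Optional[str]:
    """'/api/admin/orgs/<org>/...' -> '<org>'; platform-level paths -> None."""
    parts = [p for p in path.split("?", 1)[0].split("/") if p]
    if len(parts) >= 4 and parts[:3] == ["api", "admin", "orgs"]:
        return parts[3]
    return None


def authorize_admin(claims: dict, path: str, user_org: Optional[str]) -> Decision:
    """Decide an /api/admin/* request. Platform admins reach every org;
    org admins reach only their own org and no platform-level path."""
    roles = roles_from_claims(claims)
    target_org = org_from_path(path)
    if PLATFORM_ADMIN in roles:
        return Decision(True, PLATFORM_ADMIN, "platform admin: all orgs")
    if ORG_ADMIN in roles:
        if target_org is None:
            return Decision(False, ORG_ADMIN, "org admin: platform-level path")
        if user_org is not None and target_org == user_org:
            return Decision(True, ORG_ADMIN, "org admin: own org")
        return Decision(False, ORG_ADMIN, "org admin: foreign org")
    return Decision(False, None, "no admin group in token")


if __name__ == "__main__":
    # Constructed claim sets; the group IDs match the placeholder map above.
    platform = {"groups": ["11111111-1111-4111-8111-111111111111"]}
    org_admin = {"groups": ["22222222-2222-4222-8222-222222222222"]}
    overage = {"_claim_names": {"groups": "src1"}, "_claim_sources": {}}
    for who, claims, path, own in [
        ("platform", platform, "/api/admin/orgs", None),
        ("org-admin", org_admin, "/api/admin/orgs/acme/users", "acme"),
        ("org-admin", org_admin, "/api/admin/orgs/other/users", "acme"),
        ("org-admin", org_admin, "/api/admin/orgs", "acme"),
        ("overage", overage, "/api/admin/orgs/acme/users", "acme"),
    ]:
        d = authorize_admin(claims, path, own)
        print(f"{who:10} {path:32} -> {'allow' if d.allowed else 'deny ':5} ({d.reason})")
```

The `hasgroups` / `_claim_names` branch is the part most implementations get wrong: an empty role set there is deliberate, because the only safe way to resolve an overage is a server-side Graph lookup, not trusting the client.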

## Runbook
1. From a cluster host: generate the `yumi-admin-spa` ConfigMap from `index.html`, `styles.css`
   and `app.js` (`kubectl create configmap ... --from-file`), then
   `kubectl --context <mmd01-context> apply -f apps/admin/manifests.yaml`
   (the YAML above split into `manifests.yaml`).
2. Create DNS `yumi.flow-master.ai` → the Traefik entrypoint.
3. Add the redirect URI to the FlowMaster Entra app reg.
4. Verify: unauthenticated → redirect to the oauth2-proxy login; authenticated non-admin → 403 on
   `/api/admin/*` (until the BFF exists nginx answers 404 there, which is the expected interim
   result); platform-admin → full console.
5. Verify the bypass is closed: from a pod in another namespace, request
   `http://yumi-admin.yumi.svc/` directly with a forged `X-Auth-Request-Email` header. If that is
   served, the Service is reachable without passing the forward-auth middleware and the injected
   identity headers can be forged; add a NetworkPolicy that admits only Traefik before go-live.
