feature: hardcode CBC ADM group as always-allowed

LuukBlankenstijn · claude · LuukBlankenstijn · commit 102e9dfa96f4 · 2026-06-03T20:06:10.000+02:00
Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/Chart.yaml b/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.0
+version: 0.1.1
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
diff --git a/templates/middleware.yaml b/templates/middleware.yaml
@@ -11,6 +11,7 @@ spec:
         AssertClaims:
           - Name: groups
             AnyOf:
+              - "CBC - Application Hosting Team (ADM)"
               {{- range .Values.oidc.groups }}
               - {{ . | quote }}
               {{- end }}
diff --git a/values.yaml b/values.yaml
@@ -16,10 +16,11 @@ storage:
 domains:
   - example.gewis.nl
 
-# OIDC auth via traefik-oidc-auth plugin. Groups listed here are allowed in.
+# OIDC auth via traefik-oidc-auth plugin. "CBC - Application Hosting Team (ADM)"
+# always has access (hardcoded in templates/middleware.yaml); any groups listed
+# here are additionally allowed in.
 oidc:
-  groups:
-    - CBC - Application Hosting Team (ADM)
+  groups: []
   provider:
     url: https://auth.gewis.nl/realms/GEWISWG
     clientId: traefik-auth
