ADR 0006: Identity-First Ingress for Service Access
Status
Accepted
Context
The platform exposes services to multiple audiences (public, internal, VPN-only, management). To enforce consistent access control and auditing, authentication should be centralized and uniform rather than implemented independently by each service.
Decision
All services must be fronted by an ingress layer that enforces identity at the platform level. Services must integrate with the platform Identity Provider via SSO (OIDC/SAML) or trusted auth proxy headers, with MFA required for public and management access.
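As an added illustration (not part of this ADR or the platform's own code), the service-side check for the trusted-auth-proxy-header option: the ingress attaches identity claims and an HMAC over them, and the service accepts only headers carrying a valid signature and, for public and management audiences, an MFA claim. The header names, claim names and shared key are assumptions; the key and sample claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secret shared between the ingress layer and this service
# (in practice distributed via the platform secret store; constructed here).
INGRESS_HMAC_KEY = b"constructed-example-key-not-for-production"

# Audiences for which ADR 0006 requires MFA.
MFA_REQUIRED_AUDIENCES = {"public", "management"}


def sign_identity(claims: dict, key: bytes = INGRESS_HMAC_KEY) -> dict:
    """What the ingress (auth proxy) attaches after authenticating the user:
    an X-Auth-Identity header with base64 JSON claims and an HMAC over it."""
    payload = base64.b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"X-Auth-Identity": payload, "X-Auth-Signature": sig}


def verify_identity(headers: dict, audience: str,
                    key: bytes = INGRESS_HMAC_KEY, now=None):
    """Service-side check of trusted auth proxy headers.
    Returns (ok, reason, claims). Anything not signed by the ingress is
    refused, so a client that sets X-Auth-Identity itself gets nowhere,
    and the MFA requirement is enforced for public and management traffic."""
    payload = headers.get("X-Auth-Identity")
    sig = headers.get("X-Auth-Signature")
    if not payload or not sig:
        return False, "missing identity headers", None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return False, "bad signature", None
    claims = json.loads(base64.b64decode(payload))
    now = time.time() if now is None else now
    if claims.get("exp", 0) < now:
        return False, "expired", None
    if audience in MFA_REQUIRED_AUDIENCES and not claims.get("mfa"):
        return False, "mfa required", None
    return True, "ok", claims
```

The ingress must also strip any client-supplied X-Auth-* headers before forwarding, and the service should reject requests that do not arrive through the ingress at all (network policy or mTLS), since the signature check only proves who minted the claims.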
Consequences
- Services must not expose unauthenticated endpoints unless explicitly approved in a Service Contract.
- The ingress layer becomes a critical security control that must be monitored and hardened.
- Service onboarding requires identity integration as a first-class step.