guacamole: enable json auth for remotedesktop sso

apps/guacamole/guacamole.yaml

@@ -307,6 +307,13 @@ spec:
             # Recordings are written by guacd and read by guacamole web (history UI).
             - name: RECORDING_SEARCH_PATH
               value: /var/lib/guacamole/recordings
+            - name: JSON_ENABLED
+              value: "true"
+            - name: JSON_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: guacamole-json-auth-key
+                  key: password
             # Map well-formed env vars to guacamole.properties at container start.
             # Lets the 1Password vault extension read its config (op-connect-url,
             # op-connect-token, op-vault-id) without templating the ConfigMap.
@@ -447,6 +454,14 @@ metadata:
 spec:
   itemPath: vaults/IAmWorkin/items/Guacamole
 ---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: guacamole-json-auth-key
+  namespace: guacamole
+spec:
+  itemPath: vaults/IAmWorkin/items/Guacamole JSON Auth
+---
 # Blue Jay Branding Extension (CSS + translations)
 apiVersion: v1
 kind: ConfigMap
@@ -468,7 +483,7 @@ data:
     # MySQL/guacd settings provided via env vars — do NOT duplicate here
 
     # Extension Priority
-    extension-priority: mysql, ban, bluejay, onepassword-vault, *
+    extension-priority: mysql, ban, bluejay, onepassword-vault, json, *
 
     # Ban (brute force)
     ban-max-invalid-attempts: 5