coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CLAUDE.md, wiki protoplans, and NK-WP-0001 workplan

Browse Source 
Initialises the net-kingdom project structure:
- README.md: updated title and description
- CLAUDE.md: project instructions and State Hub integration config
- wiki/: three reference docs (NetKingdom overview, ChatGPT and Grok
  protoplans for the SSO/MFA platform)
- workplans/NK-WP-0001-sso-mfa-platform.md: combined workplan (8 phases,
  8 tasks) synthesised from the two protoplans; registered in the
  Custodian State Hub (workstream 39263c4b)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-02-28 17:21:51 +01:00
parent a852627f0c
commit 004a8d6e6b
6 changed files with 902 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
wiki/NetKingdom.md Normal file
View File

@@ -0,0 +1,8 @@
NetKingdom
*Open security core for dev sec ops on kubernetes*
Agent powered automation drives the cambrian explosion of vulnerabilities and security measures in modern IT.
This is a blueprint to bootstrap foundational dynamic security building on open source components minimizing threat exposure for critical use cases.
xxx

273
wiki/WorkplanOneChatgpt.md Normal file
View File

@@ -0,0 +1,273 @@
WorkplanOneChatgpt
*How to start according to chatgpt*
This is a protoplan not to be implemented directly but used as inspiration for an actual plan for implemenation!
Below is an integrated, Kubernetes-focused workplan that keeps the **“single private credential” bootstrap** idea, then rapidly evolves to **MFA-first admin access**, **least-privilege service accounts**, and **Keycloak SSO (OIDC/SAML) with privacyIDEA as the MFA engine**—exactly the combination privacyIDEA recommends. ([PrivacyIDEA][1])
---
## Architecture (Kubernetes target state)
**Ingress (TLS)**
* `keycloak.yourdomain.com` → Keycloak (SSO / sessions / OIDC+SAML)
* `pi.yourdomain.com` → privacyIDEA (MFA policies + token mgmt)
* optional: `pi-account.yourdomain.com` → privacyIDEA self-service portal
**Data**
* Keycloak DB (PostgreSQL)
* privacyIDEA DB (PostgreSQL or MariaDB; Postgres is a common choice)
* privacyIDEA encryption + audit key material stored as **K8s Secrets** (backed up securely)
**Integration**
* Keycloak runs the login flow
* privacyIDEA provides MFA via the **privacyIDEA Keycloak Provider** (JAR) ([GitHub][2])
---
## Workplan (phased deployment on Kubernetes)
### Phase 0 — Prereqs and “single private credential” rule
1. **Pick your one private credential**
Use it to unlock a vault (recommended), not as a daily admin password. The vault stores:
* initial privacyIDEA admin password (typed once)
* privacyIDEA crypto secrets (encryption/audit keys)
* Keycloak admin bootstrap secret
* DB credentials
2. Cluster prerequisites
* Ingress Controller (nginx / Traefik)
* `cert-manager` for TLS (Lets Encrypt or internal CA)
* StorageClass for persistent volumes
* (Optional but recommended) External Secrets Operator + real vault
---
### Phase 1 — Create namespaces, storage, network boundaries
1. Namespaces
* `sso` (Keycloak)
* `mfa` (privacyIDEA)
* `databases` (if you want shared DB ops)
2. NetworkPolicies (recommended)
* Only ingress controller can reach Keycloak/privacyIDEA services
* Only Keycloak pods can call privacyIDEA API endpoints needed for MFA
* Only app pods (or ingress) can reach Keycloak
This prevents lateral movement if any pod is compromised.
---
### Phase 2 — Deploy databases (prod-grade)
**Recommended**: PostgreSQL via a battle-tested chart/operator (CloudNativePG / Zalando / Bitnami Postgres chart).
1. Create DBs and users:
* `keycloak_db`, user `keycloak`
* `privacyidea_db`, user `privacyidea`
2. Store DB credentials as K8s Secrets (or ExternalSecrets).
3. Backups:
* Enable automated DB backups to object storage (S3/MinIO/etc.)
* Test restore early
---
### Phase 3 — Deploy privacyIDEA on Kubernetes (MFA core)
You have two common routes:
**Route A: Helm chart**
* There are community Helm approaches (example repo exists, but treat it as a starting point you should review/harden for production). ([GitHub][3])
**Route B: Roll your own manifests**
* Deployment + Service + Ingress + PVC + Secrets
* Often preferred for security review & long-term ownership
#### privacyIDEA critical secrets (do this before first real use)
privacyIDEA relies on secrets like `SECRET_KEY`, `PI_PEPPER`, and an encryption key file (`PI_ENCFILE`) / related key material. Generate once, mount as Secrets, back up carefully. ([GitHub][4])
(Those secrets are “if you lose them, you may lose access to encrypted token data”-class.)
**Work items**
1. Create K8s Secrets:
* `privacyidea-config` (env or ini fragments)
* `privacyidea-enckey` (encryption key material)
* `privacyidea-auditkeys` (audit signing/encryption keys)
2. Deploy privacyIDEA pods (Deployment) + Service
3. Add Ingress + TLS (`pi.yourdomain.com`)
4. Add rate limiting / WAF features at ingress (recommended)
#### Bootstrap: “single private credential”
1. Exec into the privacyIDEA pod and run the one-time admin creation (or equivalent `pi-manage` command).
2. That admin password is the **only password you ever manually type**.
3. Immediately log into WebUI and **enroll MFA for that admin** (TOTP/hardware token).
4. Immediately create:
* a **limited “trigger-admin”** service account used by Keycloak provider with *only* the `triggerchallenge`-type permission (least privilege)
* policies requiring MFA for admin actions
This aligns with the second opinion: bootstrap by one password, then transition to MFA + least privilege.
---
### Phase 4 — Deploy Keycloak on Kubernetes (SSO core)
Two common options:
**Option A: KeycloakX Helm chart (codecentric)**
* Widely used Helm chart for a StatefulSet-based Keycloak deployment. ([Artifact Hub][5])
**Option B: Keycloak Operator**
* Good for CRD-based lifecycle management; if your org prefers operators.
**Work items**
1. Deploy Keycloak pointing at `keycloak_db`
2. Configure Ingress + TLS (`keycloak.yourdomain.com`)
3. Bootstrap Keycloak admin secret (stored in vault / K8s Secret)
4. Set production settings:
* hostname strictness
* proxy mode
* metrics/logging
* realm import strategy (GitOps-friendly)
---
### Phase 5 — Add the privacyIDEA Keycloak Provider (JAR) in Kubernetes
The privacyIDEA provider is published on GitHub releases and needs to match your Keycloak version. ([GitHub][2])
**Kubernetes-friendly pattern**
1. Build a **custom Keycloak image**:
* Start from Keycloak base image
* Copy the provider JAR into `/opt/keycloak/providers/`
* Run `kc.sh build`
2. Deploy that image via Helm values (or operator spec)
This avoids “kubectl cp into running pods” and is the clean GitOps approach.
---
### Phase 6 — Configure the MFA flow (Keycloak → privacyIDEA)
**Work items**
1. In Keycloak:
* Create/choose realm
* Configure users source of truth (Keycloak internal or LDAP/AD)
2. Create Authentication Flow “privacyIDEA Browser”
* Add privacyIDEA execution step (REQUIRED)
* Configure:
* privacyIDEA base URL: `https://pi.yourdomain.com`
* service account: `trigger-admin` + secret (from K8s Secret)
* optional bypass group (“break-glass”) with strong restrictions & alerts
3. Set this flow as the default browser flow
4. Test:
* normal user MFA
* admin console MFA
* failure modes (OTP wrong, token missing, privacyIDEA down)
The providers releases/changelog track features like passkey handling and flow behavior—use the matching release notes when selecting versions. ([GitHub][2])
---
### Phase 7 — User management & token lifecycle (make it operable)
privacyIDEA 3.12 introduced a **Keycloak user resolver** (and Entra ID resolver), which can simplify identity alignment depending on your setup. ([NetKnights][6])
**Work items**
1. Decide identity source of truth:
* simplest: Keycloak internal users → privacyIDEA resolver (Keycloak resolver if you want that pattern)
* enterprise: LDAP/AD shared by both
2. Enable self-service portal where appropriate
3. Define policies:
* allowed token types
* enrollment rules
* admin rights separation (super-admin vs helpdesk-admin)
4. Add auditing / log shipping (privacyIDEA audit logs + Keycloak events)
---
### Phase 8 — Backups, DR, upgrades, and break-glass
**Backups**
* DB backups (Keycloak + privacyIDEA)
* privacyIDEA encryption/audit keys Secrets (encrypted export)
* realm exports (Keycloak) as code / git
**Disaster recovery drill**
* restore DB + keys into a fresh namespace
* verify token validation still works (this catches key/secret mistakes)
**Break-glass**
* keep a *disabled-by-default* Keycloak admin path or group exemption
* store break-glass credentials offline + vault
* alert on every use
---
## Deliverables checklist (what “done” looks like)
* [ ] `mfa` + `sso` namespaces deployed via GitOps/Helm
* [ ] TLS everywhere (cert-manager)
* [ ] privacyIDEA secrets generated, mounted, backed up
* [ ] privacyIDEA admin created once (single typed password), MFA enrolled immediately
* [ ] `trigger-admin` exists with minimal rights
* [ ] Keycloak runs from custom image including privacyIDEA provider JAR
* [ ] Keycloak “privacyIDEA Browser” flow enforced
* [ ] DB backups + restore tested
* [ ] NetworkPolicies in place
---
If you tell me **which Kubernetes flavor** youre using (k3s / AKS / EKS / GKE / OpenShift) and whether you want **Postgres operator vs Helm**, Ill turn this into a concrete, copy-pastable “repo plan” (folders, Helm values skeletons, Secrets/ExternalSecrets layout, and the exact build steps for the custom Keycloak image) without adding unnecessary complexity.
[1]: https://www.privacyidea.org/?feed=&utm_source=chatgpt.com "privacyIDEA 3.12 is available"
[2]: https://github.com/privacyidea/keycloak-provider/releases?utm_source=chatgpt.com "Releases · privacyidea/keycloak-provider"
[3]: https://github.com/gpappsoft/privacyidea-helm?utm_source=chatgpt.com "A helm chart to install a privacyIDEA stack"
[4]: https://github.com/privacyidea/privacyidea?utm_source=chatgpt.com "privacyidea/privacyidea: :closed_lock_with_key"
[5]: https://artifacthub.io/packages/helm/codecentric/keycloakx?utm_source=chatgpt.com "keycloakx 7.1.8"
[6]: https://netknights.it/en/press/multi-faktor-authentifizierung-privacyidea-in-version-3-12-erschienen/?utm_source=chatgpt.com "Multi-Factor Authentication privacyIDEA version 3.12 released"
xxx

171
wiki/WorkplanOneGrok.md Normal file
View File

@@ -0,0 +1,171 @@
WorkplanOneGrok
*How to start according to grok*
This is a protoplan not to be implemented directly but used as inspiration for an actual plan for implemenation!
**Integrated architecture (merging both opinions)**
Your single private credential remains the **root-of-trust** that only ever unlocks a vault. Everything else (initial admin passwords, database credentials, privacyIDEA crypto roots, TLS keys, Keycloak admin secret) lives inside the vault and is never typed manually again.
- **privacyIDEA** = MFA/token/policy engine (user resolvers, self-service enrollment, token types, audit)
- **Keycloak** = full SSO IdP (OIDC/SAML clients, realms, groups, session management)
- **Integration** = Keycloak PrivacyIDEA provider (MFA step in the browser flow)
- **Vault** = single unlock point (KeePassXC/Bitwarden local, or HashiCorp Vault in-cluster)
- **Databases** = private, encrypted, backed up with keys from the vault
- **K8s layer** = Helm + Official Keycloak Operator + community privacyIDEA Helm chart (gpappsoft/privacyidea) + cert-manager + Ingress
This satisfies both sources: you bootstrap from literally one secret, immediately move to MFA-protected admins, treat crypto roots (SECRET_KEY, PI_PEPPER, PI_ENCFILE) as crown jewels, and run everything declaratively on Kubernetes.
### Kubernetes Workplan (Day 07)
**Prerequisites**
- Running Kubernetes cluster (k3s, kind, EKS, AKS, GKE any with StorageClass and cert-manager installed).
- kubectl, Helm 3.
- Ingress controller (nginx-ingress or Traefik).
- cert-manager for automatic TLS.
- Your single master credential ready (KeePassXC file or age private key).
#### Day 0 Vault & Secret Bootstrap (single-credential principle)
1. Create your vault (recommended: KeePassXC .kdbx file or self-hosted Bitwarden; for production add HashiCorp Vault later).
2. Inside the vault generate/store (all random, never reuse):
- privacyIDEA: `SECRET_KEY` (64+ chars), `PI_PEPPER` (32+ chars), encryption key file content (`pi-manage create_enckey`).
- MariaDB root + privacyIDEA DB user passwords.
- Keycloak admin initial secret + DB password.
- TLS ACME account key (if not using cert-manager fully).
- Break-glass admin credentials + offline recovery OTP seed.
3. Export an encrypted “ops bundle” (age-encrypted tar of all secret YAML manifests) this bundle is the only thing you ever decrypt with your single credential.
4. Enable cluster encryption-at-rest (if not already).
#### Day 1 Foundation & Databases
```bash
# Deploy HashiCorp Vault (optional but ideal for rotation)
helm repo add hashicorp https://helm.releases.hashicorp.com
helm install vault hashicorp/vault --namespace vault --create-namespace -f vault-values.yaml
# Or use simple sops/age for GitOps
```
- Deploy MariaDB (Bitnami Helm or Crunchy Postgres Operator).
- Create Kubernetes Secrets from the vault (or use External Secrets Operator + Vault backend):
```yaml
apiVersion: v1
kind: Secret
metadata:
name: privacyidea-secrets
data:
SECRET_KEY: <base64-from-vault>
PI_PEPPER: <base64-from-vault>
PI_ENCFILE: <base64-content>
```
- Apply network policies: DBs only reachable from privacyIDEA/Keycloak pods.
#### Day 23 Deploy privacyIDEA (MFA core)
The community Helm chart (gpappsoft/privacyidea on Artifact Hub) deploys the full stack (privacyIDEA + MariaDB + optional Redis/RADIUS).
```bash
helm repo add privacyidea https://gpappsoft.github.io/helm-charts
helm install privacyidea privacyidea/privacyidea \
--namespace privacyidea --create-namespace \
-f values-privacyidea.yaml
```
Key parts of `values-privacyidea.yaml` (populated from vault):
```yaml
database:
password: <from-vault>
privacyidea:
config:
SECRET_KEY: <from-vault>
PI_PEPPER: <from-vault>
encfile: # mounted as secret volume
enabled: true
existingSecret: privacyidea-secrets
key: PI_ENCFILE
admin:
bootstrap: true # chart runs pi-manage internally
ingress:
enabled: true
hostname: pi.yourdomain.com
tls: true
```
Post-install (one-time job or manual):
- `kubectl exec` into privacyIDEA pod and run `pi-manage admin add pi-admin --email admin@yourdomain.com` (password from vault).
- Immediately enroll an MFA token for `pi-admin` via the UI.
- Create limited “trigger-admin” (only `triggerchallenge` right) for Keycloak.
- Apply day-1 policies: WebUI restricted to VPN/office IPs, MFA required for all admin actions, enrollment policies locked down.
#### Day 45 Deploy Keycloak + privacyIDEA MFA integration
1. Install the official Keycloak Operator:
```bash
kubectl apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/main/kubernetes/keycloaks.k8s.keycloak.org-v1.yml
kubectl apply -f https://raw.githubusercontent.com/keycloak/keycloak-k8s-resources/main/kubernetes/kubernetes.yml -n keycloak
```
2. Prepare the PrivacyIDEA provider JAR:
```bash
wget https://github.com/privacyidea/keycloak-provider/releases/latest/download/PrivacyIDEA-Provider.jar
kubectl create configmap privacyidea-provider --from-file=PrivacyIDEA-Provider.jar -n keycloak
```
3. Create Keycloak CR (with custom provider mount):
```yaml
apiVersion: k8s.keycloak.org/v2alpha1
kind: Keycloak
metadata:
name: keycloak
namespace: keycloak
spec:
instances: 2
db:
vendor: postgres # or mariadb
username: keycloak
passwordSecret: keycloak-db-secret # from vault
unsupported:
podTemplate:
spec:
volumes:
- name: providers
configMap:
name: privacyidea-provider
containers:
- name: keycloak
volumeMounts:
- name: providers
mountPath: /opt/keycloak/providers
additionalOptions:
- name: spi-authenticator-privacyidea-enabled
value: "true"
- name: spi-authenticator-privacyidea-url
value: "https://pi.yourdomain.com"
- name: spi-authenticator-privacyidea-service-account
value: "trigger-admin" # limited rights only
ingress:
enabled: true
```
4. In Keycloak UI (or via CR import): create realm, import same user resolver as privacyIDEA (LDAP/Keycloak internal/Entra), create custom browser flow with “PrivacyIDEA Forms” execution (REQUIRED). Bind as default flow.
#### Day 67 Policies, Self-Service, Break-Glass & Testing
- privacyIDEA: enable self-service enrollment policies + registration tokens.
- Keycloak: require MFA step-up for admin console and sensitive clients.
- Break-glass: store offline admin + recovery OTP in sealed envelope + vault. Alert on usage.
- End-to-end test: app → Keycloak → privacyIDEA OTP/push → SSO session.
- Configure backups (Velero or operator) encrypted with vault key.
- Monitoring: Prometheus + Grafana (optional).
### Security & Operations Checklist (do these before going live)
- All external traffic via Ingress + HSTS + strict TLS.
- privacyIDEA encryption keys backed up and never in image.
- Least-privilege service accounts everywhere.
- NetworkPolicies + PodSecurityPolicies.
- Rotate secrets via vault (External Secrets Operator handles re-injection).
- Test recovery: vault unlock → restore DB + keys → everything works.
This plan is production-ready, fully declarative, and scales. You start with one memorized credential and end with a hardened, auditable SSO+MFA platform.
If you tell me:
- Cluster type (k3s, EKS, bare-metal…)
- Existing user store (LDAP/AD/Entra/Keycloak internal)
- Target apps (Nextcloud, GitLab, custom…)
- Preference for GitOps (ArgoCD/Flux) or manual Helm
I can give you the exact `values.yaml` files, CRDs, and one-click scripts.
xxx