coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add CLAUDE.md, wiki protoplans, and NK-WP-0001 workplan

Browse Source 
Initialises the net-kingdom project structure:
- README.md: updated title and description
- CLAUDE.md: project instructions and State Hub integration config
- wiki/: three reference docs (NetKingdom overview, ChatGPT and Grok
  protoplans for the SSO/MFA platform)
- workplans/NK-WP-0001-sso-mfa-platform.md: combined workplan (8 phases,
  8 tasks) synthesised from the two protoplans; registered in the
  Custodian State Hub (workstream 39263c4b)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-02-28 17:21:51 +01:00
parent a852627f0c
commit 004a8d6e6b
6 changed files with 902 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

273
wiki/WorkplanOneChatgpt.md Normal file
View File

@@ -0,0 +1,273 @@
WorkplanOneChatgpt
*How to start according to chatgpt*
This is a protoplan not to be implemented directly but used as inspiration for an actual plan for implemenation!
Below is an integrated, Kubernetes-focused workplan that keeps the **“single private credential” bootstrap** idea, then rapidly evolves to **MFA-first admin access**, **least-privilege service accounts**, and **Keycloak SSO (OIDC/SAML) with privacyIDEA as the MFA engine**—exactly the combination privacyIDEA recommends. ([PrivacyIDEA][1])
---
## Architecture (Kubernetes target state)
**Ingress (TLS)**
* `keycloak.yourdomain.com` → Keycloak (SSO / sessions / OIDC+SAML)
* `pi.yourdomain.com` → privacyIDEA (MFA policies + token mgmt)
* optional: `pi-account.yourdomain.com` → privacyIDEA self-service portal
**Data**
* Keycloak DB (PostgreSQL)
* privacyIDEA DB (PostgreSQL or MariaDB; Postgres is a common choice)
* privacyIDEA encryption + audit key material stored as **K8s Secrets** (backed up securely)
**Integration**
* Keycloak runs the login flow
* privacyIDEA provides MFA via the **privacyIDEA Keycloak Provider** (JAR) ([GitHub][2])
---
## Workplan (phased deployment on Kubernetes)
### Phase 0 — Prereqs and “single private credential” rule
1. **Pick your one private credential**
Use it to unlock a vault (recommended), not as a daily admin password. The vault stores:
* initial privacyIDEA admin password (typed once)
* privacyIDEA crypto secrets (encryption/audit keys)
* Keycloak admin bootstrap secret
* DB credentials
2. Cluster prerequisites
* Ingress Controller (nginx / Traefik)
* `cert-manager` for TLS (Lets Encrypt or internal CA)
* StorageClass for persistent volumes
* (Optional but recommended) External Secrets Operator + real vault
---
### Phase 1 — Create namespaces, storage, network boundaries
1. Namespaces
* `sso` (Keycloak)
* `mfa` (privacyIDEA)
* `databases` (if you want shared DB ops)
2. NetworkPolicies (recommended)
* Only ingress controller can reach Keycloak/privacyIDEA services
* Only Keycloak pods can call privacyIDEA API endpoints needed for MFA
* Only app pods (or ingress) can reach Keycloak
This prevents lateral movement if any pod is compromised.
---
### Phase 2 — Deploy databases (prod-grade)
**Recommended**: PostgreSQL via a battle-tested chart/operator (CloudNativePG / Zalando / Bitnami Postgres chart).
1. Create DBs and users:
* `keycloak_db`, user `keycloak`
* `privacyidea_db`, user `privacyidea`
2. Store DB credentials as K8s Secrets (or ExternalSecrets).
3. Backups:
* Enable automated DB backups to object storage (S3/MinIO/etc.)
* Test restore early
---
### Phase 3 — Deploy privacyIDEA on Kubernetes (MFA core)
You have two common routes:
**Route A: Helm chart**
* There are community Helm approaches (example repo exists, but treat it as a starting point you should review/harden for production). ([GitHub][3])
**Route B: Roll your own manifests**
* Deployment + Service + Ingress + PVC + Secrets
* Often preferred for security review & long-term ownership
#### privacyIDEA critical secrets (do this before first real use)
privacyIDEA relies on secrets like `SECRET_KEY`, `PI_PEPPER`, and an encryption key file (`PI_ENCFILE`) / related key material. Generate once, mount as Secrets, back up carefully. ([GitHub][4])
(Those secrets are “if you lose them, you may lose access to encrypted token data”-class.)
**Work items**
1. Create K8s Secrets:
* `privacyidea-config` (env or ini fragments)
* `privacyidea-enckey` (encryption key material)
* `privacyidea-auditkeys` (audit signing/encryption keys)
2. Deploy privacyIDEA pods (Deployment) + Service
3. Add Ingress + TLS (`pi.yourdomain.com`)
4. Add rate limiting / WAF features at ingress (recommended)
#### Bootstrap: “single private credential”
1. Exec into the privacyIDEA pod and run the one-time admin creation (or equivalent `pi-manage` command).
2. That admin password is the **only password you ever manually type**.
3. Immediately log into WebUI and **enroll MFA for that admin** (TOTP/hardware token).
4. Immediately create:
* a **limited “trigger-admin”** service account used by Keycloak provider with *only* the `triggerchallenge`-type permission (least privilege)
* policies requiring MFA for admin actions
This aligns with the second opinion: bootstrap by one password, then transition to MFA + least privilege.
---
### Phase 4 — Deploy Keycloak on Kubernetes (SSO core)
Two common options:
**Option A: KeycloakX Helm chart (codecentric)**
* Widely used Helm chart for a StatefulSet-based Keycloak deployment. ([Artifact Hub][5])
**Option B: Keycloak Operator**
* Good for CRD-based lifecycle management; if your org prefers operators.
**Work items**
1. Deploy Keycloak pointing at `keycloak_db`
2. Configure Ingress + TLS (`keycloak.yourdomain.com`)
3. Bootstrap Keycloak admin secret (stored in vault / K8s Secret)
4. Set production settings:
* hostname strictness
* proxy mode
* metrics/logging
* realm import strategy (GitOps-friendly)
---
### Phase 5 — Add the privacyIDEA Keycloak Provider (JAR) in Kubernetes
The privacyIDEA provider is published on GitHub releases and needs to match your Keycloak version. ([GitHub][2])
**Kubernetes-friendly pattern**
1. Build a **custom Keycloak image**:
* Start from Keycloak base image
* Copy the provider JAR into `/opt/keycloak/providers/`
* Run `kc.sh build`
2. Deploy that image via Helm values (or operator spec)
This avoids “kubectl cp into running pods” and is the clean GitOps approach.
---
### Phase 6 — Configure the MFA flow (Keycloak → privacyIDEA)
**Work items**
1. In Keycloak:
* Create/choose realm
* Configure users source of truth (Keycloak internal or LDAP/AD)
2. Create Authentication Flow “privacyIDEA Browser”
* Add privacyIDEA execution step (REQUIRED)
* Configure:
* privacyIDEA base URL: `https://pi.yourdomain.com`
* service account: `trigger-admin` + secret (from K8s Secret)
* optional bypass group (“break-glass”) with strong restrictions & alerts
3. Set this flow as the default browser flow
4. Test:
* normal user MFA
* admin console MFA
* failure modes (OTP wrong, token missing, privacyIDEA down)
The providers releases/changelog track features like passkey handling and flow behavior—use the matching release notes when selecting versions. ([GitHub][2])
---
### Phase 7 — User management & token lifecycle (make it operable)
privacyIDEA 3.12 introduced a **Keycloak user resolver** (and Entra ID resolver), which can simplify identity alignment depending on your setup. ([NetKnights][6])
**Work items**
1. Decide identity source of truth:
* simplest: Keycloak internal users → privacyIDEA resolver (Keycloak resolver if you want that pattern)
* enterprise: LDAP/AD shared by both
2. Enable self-service portal where appropriate
3. Define policies:
* allowed token types
* enrollment rules
* admin rights separation (super-admin vs helpdesk-admin)
4. Add auditing / log shipping (privacyIDEA audit logs + Keycloak events)
---
### Phase 8 — Backups, DR, upgrades, and break-glass
**Backups**
* DB backups (Keycloak + privacyIDEA)
* privacyIDEA encryption/audit keys Secrets (encrypted export)
* realm exports (Keycloak) as code / git
**Disaster recovery drill**
* restore DB + keys into a fresh namespace
* verify token validation still works (this catches key/secret mistakes)
**Break-glass**
* keep a *disabled-by-default* Keycloak admin path or group exemption
* store break-glass credentials offline + vault
* alert on every use
---
## Deliverables checklist (what “done” looks like)
* [ ] `mfa` + `sso` namespaces deployed via GitOps/Helm
* [ ] TLS everywhere (cert-manager)
* [ ] privacyIDEA secrets generated, mounted, backed up
* [ ] privacyIDEA admin created once (single typed password), MFA enrolled immediately
* [ ] `trigger-admin` exists with minimal rights
* [ ] Keycloak runs from custom image including privacyIDEA provider JAR
* [ ] Keycloak “privacyIDEA Browser” flow enforced
* [ ] DB backups + restore tested
* [ ] NetworkPolicies in place
---
If you tell me **which Kubernetes flavor** youre using (k3s / AKS / EKS / GKE / OpenShift) and whether you want **Postgres operator vs Helm**, Ill turn this into a concrete, copy-pastable “repo plan” (folders, Helm values skeletons, Secrets/ExternalSecrets layout, and the exact build steps for the custom Keycloak image) without adding unnecessary complexity.
[1]: https://www.privacyidea.org/?feed=&utm_source=chatgpt.com "privacyIDEA 3.12 is available"
[2]: https://github.com/privacyidea/keycloak-provider/releases?utm_source=chatgpt.com "Releases · privacyidea/keycloak-provider"
[3]: https://github.com/gpappsoft/privacyidea-helm?utm_source=chatgpt.com "A helm chart to install a privacyIDEA stack"
[4]: https://github.com/privacyidea/privacyidea?utm_source=chatgpt.com "privacyidea/privacyidea: :closed_lock_with_key"
[5]: https://artifacthub.io/packages/helm/codecentric/keycloakx?utm_source=chatgpt.com "keycloakx 7.1.8"
[6]: https://netknights.it/en/press/multi-faktor-authentifizierung-privacyidea-in-version-3-12-erschienen/?utm_source=chatgpt.com "Multi-Factor Authentication privacyIDEA version 3.12 released"
xxx