diff --git a/sso-mfa/k8s/network-policies/netpol-mfa.yaml b/sso-mfa/k8s/network-policies/netpol-mfa.yaml
index 906b22c..b6b6122 100644
--- a/sso-mfa/k8s/network-policies/netpol-mfa.yaml
+++ b/sso-mfa/k8s/network-policies/netpol-mfa.yaml
@@ -1,8 +1,8 @@
 # NetworkPolicies for the mfa namespace (privacyIDEA)
 #
 # Allowed paths:
-# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
-# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
+# INGRESS: Traefik (kube-system) → privacyIDEA :5001 (user-facing portal)
+# INGRESS: KeyCape (sso) → privacyIDEA :5001 (Provider API calls)
 # EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
 # EGRESS: all pods → kube-dns :53 (UDP+TCP)
 #
@@ -42,14 +42,14 @@ spec:
 matchLabels:
 app.kubernetes.io/name: traefik
 ports:
- - port: 8080
+ - port: 5001
 protocol: TCP
 ---
-# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
+# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
- name: allow-ingress-from-keycloak
+ name: allow-ingress-from-keycape
 namespace: mfa
 spec:
 podSelector:
@@ -64,9 +64,9 @@ spec:
 net-kingdom/component: sso
 podSelector:
 matchLabels:
- app.kubernetes.io/name: keycloak
+ app.kubernetes.io/name: keycape
 ports:
- - port: 8080
+ - port: 5001
 protocol: TCP
 ---
 # ── Allow egress to PostgreSQL ───────────────────────────────────────────────
diff --git a/sso-mfa/k8s/network-policies/netpol-sso.yaml b/sso-mfa/k8s/network-policies/netpol-sso.yaml
index 30b5408..0b09a04 100644
--- a/sso-mfa/k8s/network-policies/netpol-sso.yaml
+++ b/sso-mfa/k8s/network-policies/netpol-sso.yaml
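Review bot: Renaming the policy from `allow-ingress-from-keycloak` to `allow-ingress-from-keycape` (metadata.name in the @@ -42 hunk) creates a new NetworkPolicy object, and a plain `kubectl apply` leaves the old `allow-ingress-from-keycloak` policy in the `mfa` namespace, so the pre-rename ingress allowance on port 8080 for pods labelled `app.kubernetes.io/name: keycloak` keeps being enforced until it is deleted or pruned. Either delete the old object as part of the rollout step or apply with `--prune` so the only ingress rules on privacyIDEA are the two listed in the file header. The @@ -64 hunk narrows the source to pods labelled `app.kubernetes.io/name: keycape` in the `net-kingdom/component: sso` namespace; that label value presumably matches the KeyCape Deployment's pod template, but it is worth confirming, because a mismatch fails closed and silently blocks the Provider API calls rather than erroring at apply time.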
@@ -13,7 +13,7 @@
 # Allowed egress paths:
 # keycape → authelia :9091 (OIDC callback orchestration)
 # keycape → lldap :3890 (LDAP user lookups)
-# keycape → mfa :8080 (privacyIDEA MFA check and token validation)
+# keycape → mfa :5001 (privacyIDEA MFA check and token validation)
 # authelia → lldap :3890 (LDAP authentication backend)
 # all pods → kube-dns :53 (DNS resolution)
 #
@@ -201,7 +201,7 @@ spec:
 - port: 3890
 protocol: TCP
 ---
-# ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
+# ── KeyCape egress → privacyIDEA (mfa namespace) :5001 ───────────────────────
 # KeyCape calls privacyIDEA to check and validate MFA tokens.
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
@@ -220,7 +220,7 @@ spec:
 matchLabels:
 net-kingdom/component: mfa
 ports:
- - port: 8080
+ - port: 5001
 protocol: TCP
 ---
 # ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────
diff --git a/sso-mfa/k8s/privacyidea/deployment.yaml b/sso-mfa/k8s/privacyidea/deployment.yaml
index 96594e7..8a46edf 100644
--- a/sso-mfa/k8s/privacyidea/deployment.yaml
+++ b/sso-mfa/k8s/privacyidea/deployment.yaml
@@ -10,13 +10,8 @@
 # 5. enckey-bootstrap.sh — extract enckey + audit keys, create DR Secrets
 # 6. bootstrap-admin.sh — create pi-admin (+ MFA enrolment) and trigger-admin
 #
-# Container port: 8080.
-# The official privacyidea/privacyidea image uses nginx internally.
-# If the image you pull listens on port 80 instead of 8080:
-# - Change containerPort below to 80
-# - Change the Service targetPort to 80
-# - Update sso-mfa/k8s/network-policies/netpol-mfa.yaml ports to 80
-# - Reapply both files
+# Container port: 5001.
+# privacyidea/otpserver listens on port 5001 internally.
 
 apiVersion: apps/v1
 kind: Deployment
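Review bot: The KeyCape egress rule in the @@ -220 hunk still allows traffic to every pod in the namespace labelled `net-kingdom/component: mfa` on port 5001; the visible context shows only the namespace selector's `matchLabels` followed by `ports:`, so unless a `podSelector` sits above the hunk the rule is broader than the header comment `keycape → mfa :5001 (privacyIDEA MFA check and token validation)` describes. Adding `podSelector:` / `  matchLabels:` / `    app.kubernetes.io/name: privacyidea` beside the namespaceSelector in the same `to:` entry (the label the privacyIDEA Service selects on in deployment.yaml) would confine KeyCape's egress to the privacyIDEA pods rather than the whole namespace. The enclosing `to:` block starts outside the hunk. The port edits in the @@ -13 and @@ -201 hunks are comment-only and agree with the new port.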
@@ -58,13 +53,14 @@ spec:
 containers:
 - name: privacyidea
 # Pin to a specific release; update via image update policy.
- # Check https://hub.docker.com/r/privacyidea/privacyidea for latest stable.
- image: privacyidea/privacyidea:3.12
+ # Official image: https://hub.docker.com/r/privacyidea/otpserver
+ # privacyidea/privacyidea:3.12 does not exist — correct repo is otpserver.
+ image: privacyidea/otpserver:3.12.2
 imagePullPolicy: IfNotPresent
 ports:
 - name: http
- containerPort: 8080
+ containerPort: 5001
 protocol: TCP
 
 # ── Environment — sensitive values from Secret ──────────────
@@ -90,20 +86,20 @@ spec:
 # Startup probe: give PI up to 3 min to run DB migrations on first boot.
 startupProbe:
 tcpSocket:
- port: 8080
+ port: 5001
 initialDelaySeconds: 15
 periodSeconds: 10
 failureThreshold: 18 # 18 × 10s = 3 min
 livenessProbe:
 tcpSocket:
- port: 8080
+ port: 5001
 initialDelaySeconds: 0
 periodSeconds: 15
 failureThreshold: 3
 readinessProbe:
 httpGet:
 path: /token/
- port: 8080
+ port: 5001
 initialDelaySeconds: 0
 periodSeconds: 10
 failureThreshold: 3
@@ -147,6 +143,6 @@ spec:
 app.kubernetes.io/name: privacyidea
 ports:
 - name: http
- port: 8080
- targetPort: 8080
+ port: 5001
+ targetPort: 5001
 protocol: TCP
diff --git a/sso-mfa/k8s/privacyidea/ingress.yaml b/sso-mfa/k8s/privacyidea/ingress.yaml
index 523c074..52ac68b 100644
--- a/sso-mfa/k8s/privacyidea/ingress.yaml
+++ b/sso-mfa/k8s/privacyidea/ingress.yaml
@@ -46,7 +46,7 @@ spec:
 service:
 name: privacyidea
 port:
- number: 8080
+ number: 5001
 tls:
 - secretName: pink-tls
 hosts:
@@ -83,7 +83,7 @@ spec:
 service:
 name: privacyidea
 port:
- number: 8080
+ number: 5001
 tls:
 - secretName: pink-tls
 hosts:
@@ -114,7 +114,7 @@ spec:
 service:
 name: privacyidea
 port:
- number: 8080
+ number: 5001
 tls:
 - secretName: pink-account-tls
 hosts:
diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
index 15388b4..ffd7b13 100644
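Review bot: The new `image: privacyidea/otpserver:3.12.2` line in the @@ -58 hunk pins a mutable tag, and with the unchanged `imagePullPolicy: IfNotPresent` a node that already holds any image cached under that tag runs it without contacting the registry, so the comment `Pin to a specific release` is only as strong as the registry's tag immutability. Pinning by digest, `image: privacyidea/otpserver:3.12.2@sha256:<digest-of-the-verified-image>`, makes the admitted image content explicit and lets the image update policy the comment mentions bump tag and digest together. The same hunk sets `containerPort: 5001` and the @@ -147 hunk's Service sets `port`/`targetPort` numerically; `targetPort: http` (the port name declared on the container two lines earlier) would keep Service and container in step on the next port change without touching every file. The readiness probe in @@ -90 keeps `httpGet` against `/token/` with only the port changed; whether that path answers with a 2xx/3xx on the otpserver image without a session is not visible here and is worth verifying after the image swap, since kubelet marks the pod unready on any other status.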
--- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
+++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
@@ -134,6 +134,10 @@ state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af"
 
 Deploy privacyIDEA into the `mfa` namespace.
 
+> **Image fix applied (2026-03-20):** `privacyidea/privacyidea:3.12` does not exist.
+> Corrected to `privacyidea/otpserver:3.12.2` on port 5001.
+> Updated: `deployment.yaml`, `ingress.yaml`, `netpol-mfa.yaml`, `netpol-sso.yaml`.
+
 **Step 1 — Create K8s secrets from KeePassXC:**
 ```bash
 cd sso-mfa/k8s/privacyidea