fix(sso-mfa): NK-WP-0003-T04 — correct privacyIDEA image and port

privacyidea/privacyidea:3.12 does not exist on Docker Hub.
Correct image: privacyidea/otpserver:3.12.2 (port 5001).

Updated files:
- deployment.yaml: image, containerPort, probes, service port
- ingress.yaml: backend service port
- netpol-mfa.yaml: ingress port + keycloak → keycape label
- netpol-sso.yaml: KeyCape egress port to privacyIDEA

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-20 23:54:18 +00:00
parent c10d7d2f8a
commit 01c8a07f3a
5 changed files with 28 additions and 28 deletions

View File

@@ -1,8 +1,8 @@
# NetworkPolicies for the mfa namespace (privacyIDEA)
#
# Allowed paths:
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
# INGRESS: Traefik (kube-system) → privacyIDEA :5001 (user-facing portal)
# INGRESS: KeyCape (sso) → privacyIDEA :5001 (Provider API calls)
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
#
@@ -42,14 +42,14 @@ spec:
matchLabels:
app.kubernetes.io/name: traefik
ports:
- port: 8080
- port: 5001
protocol: TCP
---
# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
# ── Allow ingress from KeyCape (Provider API calls) ─────────────────────────
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ingress-from-keycloak
name: allow-ingress-from-keycape
namespace: mfa
spec:
podSelector:
@@ -64,9 +64,9 @@ spec:
net-kingdom/component: sso
podSelector:
matchLabels:
app.kubernetes.io/name: keycloak
app.kubernetes.io/name: keycape
ports:
- port: 8080
- port: 5001
protocol: TCP
---
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────

View File

@@ -13,7 +13,7 @@
# Allowed egress paths:
# keycape → authelia :9091 (OIDC callback orchestration)
# keycape → lldap :3890 (LDAP user lookups)
# keycape → mfa :8080 (privacyIDEA MFA check and token validation)
# keycape → mfa :5001 (privacyIDEA MFA check and token validation)
# authelia → lldap :3890 (LDAP authentication backend)
# all pods → kube-dns :53 (DNS resolution)
#
@@ -201,7 +201,7 @@ spec:
- port: 3890
protocol: TCP
---
# ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
# ── KeyCape egress → privacyIDEA (mfa namespace) :5001 ───────────────────────
# KeyCape calls privacyIDEA to check and validate MFA tokens.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
@@ -220,7 +220,7 @@ spec:
matchLabels:
net-kingdom/component: mfa
ports:
- port: 8080
- port: 5001
protocol: TCP
---
# ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────