generated from coulomb/repo-seed
fix(sso-mfa): NK-WP-0003-T04 — correct privacyIDEA image and port
privacyidea/privacyidea:3.12 does not exist on Docker Hub. Correct image: privacyidea/otpserver:3.12.2 (port 5001).

Updated files:
- deployment.yaml: image, containerPort, probes, service port
- ingress.yaml: backend service port
- netpol-mfa.yaml: ingress port + keycloak → keycape label
- netpol-sso.yaml: KeyCape egress port to privacyIDEA

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -1,8 +1,8 @@
|
|||||||
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
# NetworkPolicies for the mfa namespace (privacyIDEA)
|
||||||
#
|
#
|
||||||
# Allowed paths:
|
# Allowed paths:
|
||||||
# INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
|
# INGRESS: Traefik (kube-system) → privacyIDEA :5001 (user-facing portal)
|
||||||
# INGRESS: Keycloak (sso) → privacyIDEA :8080 (Provider API calls)
|
# INGRESS: KeyCape (sso) → privacyIDEA :5001 (Provider API calls)
|
||||||
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
|
||||||
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
# EGRESS: all pods → kube-dns :53 (UDP+TCP)
|
||||||
#
|
#
|
||||||
@@ -42,14 +42,14 @@ spec:
|
|||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/name: traefik
|
app.kubernetes.io/name: traefik
|
||||||
ports:
|
ports:
|
||||||
- port: 8080
|
- port: 5001
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
---
|
---
|
||||||
# ── Allow ingress from Keycloak (Provider API calls) ─────────────────────────
|
# ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: allow-ingress-from-keycloak
|
name: allow-ingress-from-keycape
|
||||||
namespace: mfa
|
namespace: mfa
|
||||||
spec:
|
spec:
|
||||||
podSelector:
|
podSelector:
|
||||||
@@ -64,9 +64,9 @@ spec:
|
|||||||
net-kingdom/component: sso
|
net-kingdom/component: sso
|
||||||
podSelector:
|
podSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app.kubernetes.io/name: keycloak
|
app.kubernetes.io/name: keycape
|
||||||
ports:
|
ports:
|
||||||
- port: 8080
|
- port: 5001
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
---
|
---
|
||||||
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
# ── Allow egress to PostgreSQL ───────────────────────────────────────────────
|
||||||
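Review bot: The privacyIDEA port is now a hard-coded `- port: 5001` in both ingress rules of this file (hunks @@ -42 and @@ -64) and again in the KeyCape egress rule of netpol-sso.yaml (@@ -220), so the next image or port change repeats today's four-file edit. The Deployment names the container port `http`, and NetworkPolicy ports may reference a pod's named port, so `- port: http` with `protocol: TCP` would leave the Deployment as the only place the number lives — provided the cluster's CNI resolves named ports, which is worth confirming before switching. The new `app.kubernetes.io/name: keycape` selector should also be checked against the KeyCape pod template: a selector that matches no pod fails closed and surfaces only as a denied connection, never as an apply-time error. The `from:` block this selector belongs to begins before the @@ -64 hunk.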
|
|||||||
@@ -13,7 +13,7 @@
|
|||||||
# Allowed egress paths:
|
# Allowed egress paths:
|
||||||
# keycape → authelia :9091 (OIDC callback orchestration)
|
# keycape → authelia :9091 (OIDC callback orchestration)
|
||||||
# keycape → lldap :3890 (LDAP user lookups)
|
# keycape → lldap :3890 (LDAP user lookups)
|
||||||
# keycape → mfa :8080 (privacyIDEA MFA check and token validation)
|
# keycape → mfa :5001 (privacyIDEA MFA check and token validation)
|
||||||
# authelia → lldap :3890 (LDAP authentication backend)
|
# authelia → lldap :3890 (LDAP authentication backend)
|
||||||
# all pods → kube-dns :53 (DNS resolution)
|
# all pods → kube-dns :53 (DNS resolution)
|
||||||
#
|
#
|
||||||
@@ -201,7 +201,7 @@ spec:
|
|||||||
- port: 3890
|
- port: 3890
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
---
|
---
|
||||||
# ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
|
# ── KeyCape egress → privacyIDEA (mfa namespace) :5001 ───────────────────────
|
||||||
# KeyCape calls privacyIDEA to check and validate MFA tokens.
|
# KeyCape calls privacyIDEA to check and validate MFA tokens.
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
@@ -220,7 +220,7 @@ spec:
|
|||||||
matchLabels:
|
matchLabels:
|
||||||
net-kingdom/component: mfa
|
net-kingdom/component: mfa
|
||||||
ports:
|
ports:
|
||||||
- port: 8080
|
- port: 5001
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
---
|
---
|
||||||
# ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────
|
# ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────
|
||||||
|
|||||||
@@ -10,13 +10,8 @@
|
|||||||
# 5. enckey-bootstrap.sh — extract enckey + audit keys, create DR Secrets
|
# 5. enckey-bootstrap.sh — extract enckey + audit keys, create DR Secrets
|
||||||
# 6. bootstrap-admin.sh — create pi-admin (+ MFA enrolment) and trigger-admin
|
# 6. bootstrap-admin.sh — create pi-admin (+ MFA enrolment) and trigger-admin
|
||||||
#
|
#
|
||||||
# Container port: 8080.
|
# Container port: 5001.
|
||||||
# The official privacyidea/privacyidea image uses nginx internally.
|
# privacyidea/otpserver listens on port 5001 internally.
|
||||||
# If the image you pull listens on port 80 instead of 8080:
|
|
||||||
# - Change containerPort below to 80
|
|
||||||
# - Change the Service targetPort to 80
|
|
||||||
# - Update sso-mfa/k8s/network-policies/netpol-mfa.yaml ports to 80
|
|
||||||
# - Reapply both files
|
|
||||||
|
|
||||||
apiVersion: apps/v1
|
apiVersion: apps/v1
|
||||||
kind: Deployment
|
kind: Deployment
|
||||||
@@ -58,13 +53,14 @@ spec:
|
|||||||
containers:
|
containers:
|
||||||
- name: privacyidea
|
- name: privacyidea
|
||||||
# Pin to a specific release; update via image update policy.
|
# Pin to a specific release; update via image update policy.
|
||||||
# Check https://hub.docker.com/r/privacyidea/privacyidea for latest stable.
|
# Official image: https://hub.docker.com/r/privacyidea/otpserver
|
||||||
image: privacyidea/privacyidea:3.12
|
# privacyidea/privacyidea:3.12 does not exist — correct repo is otpserver.
|
||||||
|
image: privacyidea/otpserver:3.12.2
|
||||||
imagePullPolicy: IfNotPresent
|
imagePullPolicy: IfNotPresent
|
||||||
|
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
containerPort: 8080
|
containerPort: 5001
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
|
|
||||||
# ── Environment — sensitive values from Secret ──────────────────
|
# ── Environment — sensitive values from Secret ──────────────────
|
||||||
@@ -90,20 +86,20 @@ spec:
|
|||||||
# Startup probe: give PI up to 3 min to run DB migrations on first boot.
|
# Startup probe: give PI up to 3 min to run DB migrations on first boot.
|
||||||
startupProbe:
|
startupProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: 8080
|
port: 5001
|
||||||
initialDelaySeconds: 15
|
initialDelaySeconds: 15
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
failureThreshold: 18 # 18 × 10s = 3 min
|
failureThreshold: 18 # 18 × 10s = 3 min
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
tcpSocket:
|
tcpSocket:
|
||||||
port: 8080
|
port: 5001
|
||||||
initialDelaySeconds: 0
|
initialDelaySeconds: 0
|
||||||
periodSeconds: 15
|
periodSeconds: 15
|
||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
path: /token/
|
path: /token/
|
||||||
port: 8080
|
port: 5001
|
||||||
initialDelaySeconds: 0
|
initialDelaySeconds: 0
|
||||||
periodSeconds: 10
|
periodSeconds: 10
|
||||||
failureThreshold: 3
|
failureThreshold: 3
|
||||||
@@ -147,6 +143,6 @@ spec:
|
|||||||
app.kubernetes.io/name: privacyidea
|
app.kubernetes.io/name: privacyidea
|
||||||
ports:
|
ports:
|
||||||
- name: http
|
- name: http
|
||||||
port: 8080
|
port: 5001
|
||||||
targetPort: 8080
|
targetPort: 5001
|
||||||
protocol: TCP
|
protocol: TCP
|
||||||
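Review bot: `image: privacyidea/otpserver:3.12.2` together with `imagePullPolicy: IfNotPresent` pins a mutable tag, not content: a republished 3.12.2 would be pulled onto fresh nodes while nodes with cached layers keep the old build, so the "Pin to a specific release" comment at the top of the @@ -58 hunk promises more than the tag delivers. Pin by digest, `image: privacyidea/otpserver:3.12.2@sha256:<DIGEST-FROM-REGISTRY>` (placeholder — take the value from the registry manifest), keeping the tag in the string for readability, and note in the comment that the digest is the actual pin. The readiness probe was re-pointed to `/token/` on 5001 without saying whether that path answers an unauthenticated GET; if it expects an API token the kubelet sees a 4xx and the pod never becomes Ready, so confirm against the image and document the expected status next to `path: /token/`. The container spec starts and ends outside the @@ -58 and @@ -90 hunks.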
|
|||||||
@@ -46,7 +46,7 @@ spec:
|
|||||||
service:
|
service:
|
||||||
name: privacyidea
|
name: privacyidea
|
||||||
port:
|
port:
|
||||||
number: 8080
|
number: 5001
|
||||||
tls:
|
tls:
|
||||||
- secretName: pink-tls
|
- secretName: pink-tls
|
||||||
hosts:
|
hosts:
|
||||||
@@ -83,7 +83,7 @@ spec:
|
|||||||
service:
|
service:
|
||||||
name: privacyidea
|
name: privacyidea
|
||||||
port:
|
port:
|
||||||
number: 8080
|
number: 5001
|
||||||
tls:
|
tls:
|
||||||
- secretName: pink-tls
|
- secretName: pink-tls
|
||||||
hosts:
|
hosts:
|
||||||
@@ -114,7 +114,7 @@ spec:
|
|||||||
service:
|
service:
|
||||||
name: privacyidea
|
name: privacyidea
|
||||||
port:
|
port:
|
||||||
number: 8080
|
number: 5001
|
||||||
tls:
|
tls:
|
||||||
- secretName: pink-account-tls
|
- secretName: pink-account-tls
|
||||||
hosts:
|
hosts:
|
||||||
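Review bot: The backend `number: 5001` is repeated in three Ingress rules (@@ -46, @@ -83, @@ -114), which is the duplication that turned this port fix into a four-file change. The Service declares the port under the name `http`, so each backend could use `port:` / `name: http` instead of a number and the Service would become the single place the port is stated. Each rule's `host`/`paths` block begins before its hunk, so it is not visible here whether all three hosts are intended to reach the same privacyIDEA portal; the `pink-account-tls` secret on the third rule suggests a distinct host, and a one-line comment per rule naming its purpose would help the next reviewer.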
|
|||||||
@@ -134,6 +134,10 @@ state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af"
|
|||||||
|
|
||||||
Deploy privacyIDEA into the `mfa` namespace.
|
Deploy privacyIDEA into the `mfa` namespace.
|
||||||
|
|
||||||
|
> **Image fix applied (2026-03-20):** `privacyidea/privacyidea:3.12` does not exist.
|
||||||
|
> Corrected to `privacyidea/otpserver:3.12.2` on port 5001.
|
||||||
|
> Updated: `deployment.yaml`, `ingress.yaml`, `netpol-mfa.yaml`, `netpol-sso.yaml`.
|
||||||
|
|
||||||
**Step 1 — Create K8s secrets from KeePassXC:**
|
**Step 1 — Create K8s secrets from KeePassXC:**
|
||||||
```bash
|
```bash
|
||||||
cd sso-mfa/k8s/privacyidea
|
cd sso-mfa/k8s/privacyidea
|
||||||
|
|||||||