From 0670e17b426570e9381027c501b078979665c700 Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Sat, 21 Mar 2026 08:47:44 +0000 Subject: [PATCH] chore(workplans): revise workplans post NK-WP-0005 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit NK-WP-0005: mark all tasks done, status → done NK-WP-0003: T01 marked done (NK-WP-0004/0005 complete); pre-conditions updated; done criteria reflect agent-bootstrap model (no KeePassXC) NK-WP-0001: status → deferred; T05-T08 (Keycloak) deferred indefinitely; superseded_by: NK-WP-0003 added Active work path is now NK-WP-0003 T02-T09. Co-Authored-By: Claude Sonnet 4.6 --- workplans/NK-WP-0001-sso-mfa-platform.md | 27 ++++++++--- ...-keycape-privacyidea-cluster-deployment.md | 45 ++++++++++--------- ...-0005-agent-driven-credential-bootstrap.md | 16 +++---- 3 files changed, 54 insertions(+), 34 deletions(-) diff --git a/workplans/NK-WP-0001-sso-mfa-platform.md b/workplans/NK-WP-0001-sso-mfa-platform.md index 525e577..ce1bea1 100644 --- a/workplans/NK-WP-0001-sso-mfa-platform.md +++ b/workplans/NK-WP-0001-sso-mfa-platform.md 
@@ -3,22 +3,39 @@ id: NK-WP-0001 type: workplan title: "SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes" domain: netkingdom -status: active +status: deferred owner: worsch topic_slug: netkingdom state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be created: "2026-02-28" -updated: "2026-03-05" +updated: "2026-03-21" +superseded_by: NK-WP-0003 --- # SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes +> **Status: DEFERRED (2026-03-21)** +> The Keycloak path has been superseded by the KeyCape + Authelia + LLDAP +> stack (NK-WP-0003). Keycloak is out of scope for the current deployment. +> +> - T01 (secret bootstrap) → replaced by NK-WP-0004 + NK-WP-0005 +> - T02 (K8s foundations) → done, reused by NK-WP-0003 +> - T03 (PostgreSQL) → done, reused by NK-WP-0003 +> - T04 (privacyIDEA) → superseded by NK-WP-0003-T04 +> - T05–T08 (Keycloak) → deferred indefinitely; revisit if/when Keycloak +> is needed for enterprise federation or SAML requirements +> +> **Active work: see NK-WP-0003.** + ## Summary -Deploy a hardened SSO and MFA platform on Kubernetes: Keycloak as the +~~Deploy a hardened SSO and MFA platform on Kubernetes: Keycloak as the OIDC/SAML identity provider, privacyIDEA as the MFA/token engine, -integrated via the privacyIDEA Keycloak Provider. This is the foundational -security layer for the net-kingdom DevSecOps platform. +integrated via the privacyIDEA Keycloak Provider.~~ Deferred — see NK-WP-0003. + +This workplan is retained as a reference for the Keycloak-based architecture +decisions (D1–D5) and for the T01–T03 infrastructure that was built and +remains in use. ## Context diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index ffd7b13..46f8e77 100644 --- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md 
@@ -29,8 +29,8 @@ covers everything needed to reach a production-ready identity plane. - [x] kubeconfig available at `~/.kube/config-hosteurope` — RAIL-BS-WP-0005 ✓ - [x] All manifests committed — net-kingdom `sso-mfa/k8s/` ✓ - [x] KeyCape v0.1 complete — KEY-WP-0001 ✓ -- [ ] SOPS + age integrated into net-kingdom (T01 below) -- [ ] Credential ops-bundle generated and stored in KeePassXC (T01 below) +- [x] SOPS + age integrated into net-kingdom — NK-WP-0004 ✓ +- [x] Agent-driven credential bootstrap ready — NK-WP-0005 ✓ (run `make creds-agent-init`) ## Architecture 
@@ -51,31 +51,32 @@ Authelia ──► PostgreSQL (authelia_db via CloudNativePG) ## Tasks -### T01 — Credential setup: SOPS + age + ops-bundle +### T01 — Credential setup ```task id: NK-WP-0003-T01 -status: todo +status: done priority: high state_hub_task_id: "6a22e17e-5854-4f8b-b419-9dc86d490357" +note: Superseded by NK-WP-0004 (credential foundation) and NK-WP-0005 (agent bootstrap). + Run `make creds-agent-init` to execute fully automated bootstrap. + The manual KeePassXC approach described here is retired — see + canon/standards/credential-management_v0.2.md for the current model. ``` -Net-kingdom currently uses a manual KeePassXC + age-bundle approach while -railiance-infra uses SOPS with age keys. This task aligns them under the -Credential Management Standard (`canon/standards/credential-management_v0.1.md`). +~~Net-kingdom currently uses a manual KeePassXC + age-bundle approach~~ +Completed via NK-WP-0004 + NK-WP-0005. The credential foundation is in place: -Steps: -1. Verify the operator age keypair exists at `~/.config/sops/age/key.txt` - (reuse the railiance key if already present — one keypair per operator) -2. Add `.sops.yaml` to net-kingdom root (mirror railiance-infra pattern): - - Encrypt files matching `secrets/.*` and `**/*.sops.yaml` - - Recipient: operator age public key -3. Run `sso-mfa/bootstrap/gen-secrets.sh ./secrets` to generate all service secrets -4. Store each secret in KeePassXC under the `net-kingdom/` group hierarchy - (see credential management standard for group layout) -5. Run `sso-mfa/bootstrap/pack-bundle.sh ./secrets ` → encrypted ops bundle -6. Store ops bundle offsite (separate from KeePassXC) -7. 
Shred plaintext secrets: `find secrets/ -type f -exec shred -u {} \;` +- SOPS + age integrated — `~/.config/sops/age/keys.txt`, `.sops.yaml`, git hook +- Agent bootstrap: `make creds-agent-init` runs the full flow autonomously +- Credential standard: `canon/standards/credential-management_v0.2.md` + +To bootstrap credentials before T02–T09, run: +```bash +make creds-agent-init +``` +This generates all secrets, encrypts to `secrets.enc/`, injects into the +cluster, and delivers the emergency bundle. No KeePassXC steps required. ### T02 — Apply cluster foundations @@ -289,9 +290,11 @@ from NK-WP-0001 T08 scope. ## Done criteria +- [x] Credentials: `bootstrap_complete: true` in `creds-state.yaml` (NK-WP-0005) - [ ] All verify-t*.sh scripts exit 0 - [ ] KeyCape acceptance test suite passes - [ ] DB restore drill completed -- [ ] All key material backed up in KeePassXC + ops bundle -- [ ] privacyIDEA enckey backed up (K8s Secret + KeePassXC) +- [ ] Emergency bundle delivered and stored in personal password manager +- [ ] Ops bundle stored offsite +- [ ] privacyIDEA enckey backed up as K8s Secret (`privacyidea-enckey`) - [ ] Monitoring active (Prometheus scraping all three services) diff --git a/workplans/NK-WP-0005-agent-driven-credential-bootstrap.md b/workplans/NK-WP-0005-agent-driven-credential-bootstrap.md index fb879d9..d464c9f 100644 --- a/workplans/NK-WP-0005-agent-driven-credential-bootstrap.md +++ b/workplans/NK-WP-0005-agent-driven-credential-bootstrap.md @@ -4,7 +4,7 @@ type: workplan title: "Agent-Driven Credential Bootstrap — Zero Human Ops" domain: netkingdom repo: net-kingdom -status: active +status: done owner: custodian topic_slug: netkingdom created: "2026-03-21" @@ -102,7 +102,7 @@ The ops bundle IS the backup. The emergency bundle IS the human's key ring. ```task id: NK-WP-0005-T01 -status: todo +status: done priority: high state_hub_task_id: "6748cf8d-a7c7-47a2-b32a-2e26e05c4cba" ``` 
@@ -152,7 +152,7 @@ Add `schema_version: 2` so scripts can detect which model they are running. ```task id: NK-WP-0005-T02 -status: todo +status: done priority: high state_hub_task_id: "22940c39-8645-40e1-b947-17e85ea6d902" ``` @@ -213,7 +213,7 @@ resumes from where it left off (idempotent re-runs skip completed phases). ```task id: NK-WP-0005-T03 -status: todo +status: done priority: high state_hub_task_id: "42ce1486-5322-4cf2-9c71-1c1c61db5f46" ``` @@ -273,7 +273,7 @@ Only after Enter does the script continue and mark ```task id: NK-WP-0005-T04 -status: todo +status: done priority: medium state_hub_task_id: "ca713ce7-6f2c-4f0c-8b6c-88fc6e559190" ``` @@ -316,7 +316,7 @@ to `/creds-init`. ```task id: NK-WP-0005-T05 -status: todo +status: done priority: medium state_hub_task_id: "ac5d887e-c499-4cf6-91e7-90e2e0e78d4a" ``` @@ -345,7 +345,7 @@ creds-emergency-reprint: ```task id: NK-WP-0005-T06 -status: todo +status: done priority: low state_hub_task_id: "2f0782f7-db5d-4b8a-920b-582548c4591f" ``` @@ -374,7 +374,7 @@ MUST be delivered before the old one is revoked. ```task id: NK-WP-0005-T07 -status: todo +status: done priority: low state_hub_task_id: "42ac193d-7b56-48f7-8eba-757a6dad2fba" ```
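Review bot: in the NK-WP-0001 hunk (@@ -3,22) only the front matter and the deferral banner change, and the diffstat for that file is 27 lines, all inside this hunk, so the `status:` fields in the file's own ```task blocks for T05–T08 are left as they were; anything that reads task status from those blocks (the `state_hub_task_id` fields suggest something does) will still not see Keycloak as deferred. Suggest flipping those blocks in the same commit. Also `status: deferred` together with `superseded_by: NK-WP-0003` sends two signals: the banner says T05–T08 may be revisited for SAML or federation, while `superseded_by` reads as the plan being closed; either pick one or say in the banner that `superseded_by` names the active work path only.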
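Review bot: in the NK-WP-0003 pre-conditions hunk (@@ -29,8) the ticked line `- [x] Agent-driven credential bootstrap ready — NK-WP-0005 ✓ (run `make creds-agent-init`)` records that the tooling exists, not that the bootstrap has been executed, yet the done-criteria hunk in the same file ticks `Credentials: bootstrap_complete: true in creds-state.yaml` while the rewritten T01 still tells the operator to run `make creds-agent-init` before T02–T09. Either the run has happened, in which case say so here and drop the "run ..." instruction, or it has not, in which case leave this box and the done criterion unticked until `creds-state.yaml` shows the flag.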
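Review bot: in the T01 hunk (@@ -51,31) the removed step 7 (`find secrets/ -type f -exec shred -u {} \;`) was the only statement about what happens to plaintext secrets after encryption, and the replacement only says the target "generates all secrets, encrypts to `secrets.enc/`, injects into the cluster". State whether `make creds-agent-init` writes plaintext to disk at all and, if it does, that it removes it after encryption and that the plaintext path is git-ignored; the "git hook" mentioned in the SOPS bullet presumably blocks unencrypted commits, but the text should say what it checks. Two smaller points: the `note:` field in the ```task block is now a multi-line value, which is valid YAML as a plain scalar but will be truncated by a line-oriented key: value parser, so a single-line note or a `>` block scalar is safer; and `~~Net-kingdom currently uses a manual KeePassXC + age-bundle approach~~` strikes through half a sentence, so dropping the fragment and keeping "Completed via NK-WP-0004 + NK-WP-0005" reads cleaner. The path change from `key.txt` to `keys.txt` matches the sops default (`~/.config/sops/age/keys.txt`) and is correct.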
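Review bot: in the done-criteria hunk (@@ -289,9) `privacyIDEA enckey backed up as K8s Secret (`privacyidea-enckey`)` replaces the KeePassXC copy with nothing outside the cluster: a Secret stored in the same cluster the enckey protects is not a backup against cluster loss or etcd corruption, and the NK-WP-0005 context in this patch states "The ops bundle IS the backup". Suggest wording the criterion as "enckey present as K8s Secret `privacyidea-enckey` and included in the ops bundle", so the "DB restore drill completed" criterion above it can be met from the offsite copy rather than from a cluster that may be the thing being restored.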
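Review bot: in the NK-WP-0005 hunks (@@ -4,7 through @@ -374,7) the plan status and all seven task blocks flip from todo to done in one commit with no evidence referenced. The context lines already name what each task's verifiable artifact is (`schema_version: 2` for T02, idempotent resume for T03, the Enter-gated handoff for T04, `/creds-init` for T05, the `creds-emergency-reprint` target for T06, the deliver-before-revoke rule for T07); a one-line pointer per task to the run log, the `creds-state.yaml` phase state, or a verify script exit status would let a later reader confirm the flip rather than take it on trust, which matters more here than elsewhere because the plan's title promises zero human ops.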