chore(workplans): revise workplans post NK-WP-0005

NK-WP-0005: mark all tasks done, status → done
NK-WP-0003: T01 marked done (NK-WP-0004/0005 complete); pre-conditions
  updated; done criteria reflect agent-bootstrap model (no KeePassXC)
NK-WP-0001: status → deferred; T05-T08 (Keycloak) deferred indefinitely;
  superseded_by: NK-WP-0003 added

Active work path is now NK-WP-0003 T02-T09.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-21 08:47:44 +00:00
parent 95656f2324
commit 0670e17b42
3 changed files with 54 additions and 34 deletions

View File

@@ -29,8 +29,8 @@ covers everything needed to reach a production-ready identity plane.
- [x] kubeconfig available at `~/.kube/config-hosteurope` — RAIL-BS-WP-0005 ✓
- [x] All manifests committed — net-kingdom `sso-mfa/k8s/`
- [x] KeyCape v0.1 complete — KEY-WP-0001 ✓
- [ ] SOPS + age integrated into net-kingdom (T01 below)
- [ ] Credential ops-bundle generated and stored in KeePassXC (T01 below)
- [x] SOPS + age integrated into net-kingdom — NK-WP-0004 ✓
- [x] Agent-driven credential bootstrap ready — NK-WP-0005 ✓ (run `make creds-agent-init`)
## Architecture
@@ -51,31 +51,32 @@ Authelia ──► PostgreSQL (authelia_db via CloudNativePG)
## Tasks
### T01 — Credential setup: SOPS + age + ops-bundle
### T01 — Credential setup
```task
id: NK-WP-0003-T01
status: todo
status: done
priority: high
state_hub_task_id: "6a22e17e-5854-4f8b-b419-9dc86d490357"
note: Superseded by NK-WP-0004 (credential foundation) and NK-WP-0005 (agent bootstrap).
Run `make creds-agent-init` to execute fully automated bootstrap.
The manual KeePassXC approach described here is retired — see
canon/standards/credential-management_v0.2.md for the current model.
```
Net-kingdom currently uses a manual KeePassXC + age-bundle approach while
railiance-infra uses SOPS with age keys. This task aligns them under the
Credential Management Standard (`canon/standards/credential-management_v0.1.md`).
~~Net-kingdom currently uses a manual KeePassXC + age-bundle approach~~
Completed via NK-WP-0004 + NK-WP-0005. The credential foundation is in place:
Steps:
1. Verify the operator age keypair exists at `~/.config/sops/age/key.txt`
(reuse the railiance key if already present — one keypair per operator)
2. Add `.sops.yaml` to net-kingdom root (mirror railiance-infra pattern):
- Encrypt files matching `secrets/.*` and `**/*.sops.yaml`
- Recipient: operator age public key
3. Run `sso-mfa/bootstrap/gen-secrets.sh ./secrets` to generate all service secrets
4. Store each secret in KeePassXC under the `net-kingdom/` group hierarchy
(see credential management standard for group layout)
5. Run `sso-mfa/bootstrap/pack-bundle.sh ./secrets <age-pub-key>` → encrypted ops bundle
6. Store ops bundle offsite (separate from KeePassXC)
7. Shred plaintext secrets: `find secrets/ -type f -exec shred -u {} \;`
- SOPS + age integrated — `~/.config/sops/age/keys.txt`, `.sops.yaml`, git hook
- Agent bootstrap: `make creds-agent-init` runs the full flow autonomously
- Credential standard: `canon/standards/credential-management_v0.2.md`
To bootstrap credentials before T02T09, run:
```bash
make creds-agent-init
```
This generates all secrets, encrypts to `secrets.enc/`, injects into the
cluster, and delivers the emergency bundle. No KeePassXC steps required.
### T02 — Apply cluster foundations
@@ -289,9 +290,11 @@ from NK-WP-0001 T08 scope.
## Done criteria
- [x] Credentials: `bootstrap_complete: true` in `creds-state.yaml` (NK-WP-0005)
- [ ] All verify-t*.sh scripts exit 0
- [ ] KeyCape acceptance test suite passes
- [ ] DB restore drill completed
- [ ] All key material backed up in KeePassXC + ops bundle
- [ ] privacyIDEA enckey backed up (K8s Secret + KeePassXC)
- [ ] Emergency bundle delivered and stored in personal password manager
- [ ] Ops bundle stored offsite
- [ ] privacyIDEA enckey backed up as K8s Secret (`privacyidea-enckey`)
- [ ] Monitoring active (Prometheus scraping all three services)