feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)

Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-19 08:31:51 +00:00
parent d0ed7d9cd6
commit 0754dc32e6
31 changed files with 2098 additions and 1077 deletions

View File

@@ -23,8 +23,9 @@ If yes to any of the above, don't add it here.
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-004 | Keycloak SSO hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycloak/deployment.yaml`, `sso-mfa/k8s/keycloak/ingress.yaml` |
| CP-NK-005 | privacyIDEA Keycloak Provider JAR URL | *(not set — edit before apply)* | `sso-mfa/k8s/keycloak/deployment.yaml` |
| CP-NK-004 | KeyCape OIDC hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycape/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml`, `sso-mfa/k8s/keycape/create-secrets.sh` |
| CP-NK-005 | Authelia login portal hostname | `auth.coulomb.social` | `sso-mfa/k8s/authelia/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml` |
| CP-NK-006 | LLDAP admin web UI hostname | `lldap.coulomb.social` | `sso-mfa/k8s/lldap/ingress.yaml` |
---
@@ -88,45 +89,58 @@ the entire cluster.
---
## CP-NK-004 — Keycloak SSO hostname
## CP-NK-004 — KeyCape OIDC hostname
**Value:** `kc.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/keycloak/deployment.yaml``KC_HOSTNAME` env var
- `sso-mfa/k8s/keycloak/ingress.yaml` — both Ingress `host` fields
- `sso-mfa/k8s/keycape/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml``redirect_uris` for the KeyCape OIDC client
- `sso-mfa/k8s/keycape/create-secrets.sh``issuer` and `redirectURI` in config.yaml
**Why non-default:** Subdomain prefix must be chosen by the operator. `kc` =
**K**ey**c**loak, consistent with the service-initial naming pattern.
**Why non-default:** Subdomain prefix must be chosen by the operator. `kc` is retained
from the original design (`kc` = **K**ey**C**ape) for DNS stability.
**Scope:** TLS certificate, Traefik routing, Keycloak's internal hostname strictness
check, and all OIDC/SAML redirect URIs registered in this realm. Changing this
hostname after clients are registered requires updating all registered redirect URIs.
**Scope:** TLS certificate, Traefik routing, KeyCape's OIDC issuer claim, and all
redirect URIs registered by downstream applications. Changing this hostname after
clients are registered requires updating all registered `redirect_uris`.
---
## CP-NK-005 — privacyIDEA Keycloak Provider JAR URL
## CP-NK-005 — Authelia login portal hostname
**Value:** *(not set — operator must edit before applying T05)*
**Set:**
**Set by:**
**Value:** `auth.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/keycloak/deployment.yaml``PROVIDER_JAR_URL` env var in the
`install-privacyidea-provider` init container
- `sso-mfa/k8s/authelia/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml``session.domain` parent domain comment
**Why non-default:** The JAR URL depends on the chosen release version, which must
be verified for compatibility with the deployed Keycloak image version. There is no
stable "latest" URL suitable for automation.
**Why non-default:** Subdomain prefix must be chosen by the operator. `auth` is the
conventional prefix for authentication portals.
**How to set:**
1. Browse https://github.com/privacyIDEA/keycloak-provider/releases
2. Choose a release compatible with the Keycloak image version in `deployment.yaml`.
3. Edit `deployment.yaml`: replace `EDIT_BEFORE_APPLY` with the `.jar` download URL.
4. Update this entry with the chosen URL and version.
**Scope:** TLS certificate, Traefik routing, and the Authelia login page that users'
browsers are redirected to during the OIDC flow. The session cookie `domain` is set
to the parent domain (`coulomb.social`) so the cookie is valid across both
`auth.coulomb.social` and `kc.coulomb.social`.
**Scope:** Keycloak init container only. If switching to a custom Keycloak image
(see T05 README "Custom image" section), this config point becomes obsolete and
can be removed.
---
## CP-NK-006 — LLDAP admin web UI hostname
**Value:** `lldap.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/lldap/ingress.yaml` — Ingress `host` field
**Why non-default:** Subdomain prefix must be chosen by the operator.
**Scope:** TLS certificate and Traefik routing for the LLDAP admin web UI. Access
is IP-restricted by the `lldap-admin-allowlist` Traefik Middleware (VPN/office
CIDRs only). The LDAP port (3890) is cluster-internal only and never exposed
via Ingress.