generated from coulomb/repo-seed
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
55
sso-mfa/WORKPLAN.md
Normal file
55
sso-mfa/WORKPLAN.md
Normal file
@@ -0,0 +1,55 @@
|
||||
# SSO-MFA Platform — Stack Migration Workplan
|
||||
# NK-WP-0001 — Keycloak → Authelia + LLDAP + KeyCape
|
||||
|
||||
**Updated:** 2026-03-19
|
||||
**Workstream:** sso-mfa-platform (39263c4b-ef70-4053-b782-350834b7e1be)
|
||||
|
||||
## Stack Decision
|
||||
|
||||
Keycloak + privacyIDEA replaced by:
|
||||
- **LLDAP** — lightweight LDAP directory (user store)
|
||||
- **Authelia** — authentication frontend (password auth + OIDC upstream)
|
||||
- **KeyCape** — OIDC orchestration layer (auth code flow + MFA via privacyIDEA adapter)
|
||||
- **privacyIDEA** — MFA engine (unchanged, still in `mfa` namespace)
|
||||
|
||||
Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.coulomb.social (LLDAP admin)
|
||||
|
||||
## Task Status
|
||||
|
||||
| Task | ID (hub) | Status | Notes |
|
||||
|------|----------|--------|-------|
|
||||
| T01 — Vault & secret bootstrap | 7992528c | done | |
|
||||
| T02 — K8s foundations | 721ca6b2 | done | Manifests authored; pending live cluster |
|
||||
| T03 — PostgreSQL | 7fa60004 | done | Manifests authored; pending live cluster |
|
||||
| T04 — privacyIDEA | 6ad1296a | **todo** | Manifests exist in k8s/privacyidea/; pending cluster |
|
||||
| T05 — SSO core (new stack) | b9f73aa6 | **in-progress** | See below |
|
||||
| T06 — Realm config & MFA flow | 3b6379a4 | todo | |
|
||||
| T07 — User mgmt & self-service | c7cf902a | todo | |
|
||||
| T08 — Backups, DR, break-glass | 9cbd1d89 | todo | |
|
||||
|
||||
## T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)
|
||||
|
||||
### Done
|
||||
- [x] LLDAP manifests: pvc.yaml, deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
|
||||
- [x] Authelia manifests: pvc.yaml, configmap.yaml, deployment.yaml, ingress.yaml, create-secrets.sh
|
||||
- [x] KeyCape manifests: deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
|
||||
- [x] NetworkPolicy: netpol-sso.yaml updated for new components
|
||||
- [x] Keycloak manifests staged for deletion
|
||||
|
||||
### In Progress (this session)
|
||||
- [x] keycape/create-pi-token.sh
|
||||
- [x] lldap/README.md
|
||||
- [x] authelia/README.md
|
||||
- [x] keycape/README.md
|
||||
- [x] Update CONFIG.md (fixed CP-NK-004, removed old CP-NK-005, added CP-NK-005 auth.*, CP-NK-006 lldap.*)
|
||||
- [x] Update bootstrap/gen-secrets.sh (removed Keycloak, added LLDAP/Authelia/KeyCape sections)
|
||||
- [x] Update k8s/README.md (network policy table)
|
||||
- [x] Replace verify-t05.sh (Keycloak → LLDAP+Authelia+KeyCape checks)
|
||||
- [ ] Commit all changes
|
||||
- [ ] Update state hub tasks
|
||||
|
||||
### Done-criteria for T05
|
||||
- All manifests present and consistent
|
||||
- gen-secrets.sh generates correct secrets for new stack
|
||||
- verify-t05.sh checks all three components
|
||||
- Committed to main
|
||||
Reference in New Issue
Block a user