generated from coulomb/repo-seed
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -2,6 +2,16 @@
|
||||
|
||||
Phase 1 of NK-WP-0001: namespaces, NetworkPolicies, cert-manager, StorageClass.
|
||||
|
||||
## SSO stack overview
|
||||
|
||||
The `sso` namespace hosts three components:
|
||||
- **KeyCape** (`kc.coulomb.social`) — OIDC orchestration layer, stateless
|
||||
- **Authelia** (`auth.coulomb.social`) — password authentication frontend
|
||||
- **LLDAP** (`lldap.coulomb.social`) — lightweight LDAP directory (admin UI restricted)
|
||||
|
||||
The `mfa` namespace hosts:
|
||||
- **privacyIDEA** (`pink.coulomb.social`) — MFA engine, called by KeyCape
|
||||
|
||||
## Prerequisites
|
||||
|
||||
- K3s cluster running (ThreePhoenix HA or single-node dev)
|
||||
@@ -58,10 +68,14 @@ required paths are opened:
|
||||
|
||||
| Source | Destination | Port | Purpose |
|
||||
|--------|-------------|------|---------|
|
||||
| Traefik (kube-system) | Keycloak (sso) | 8080 | OIDC/SAML ingress |
|
||||
| Traefik (kube-system) | privacyIDEA (mfa) | 8080 | MFA portal ingress |
|
||||
| Keycloak (sso) | privacyIDEA (mfa) | 8080 | Provider API calls |
|
||||
| Keycloak (sso) | PostgreSQL (databases) | 5432 | DB |
|
||||
| Traefik (kube-system) | KeyCape (sso) | 8080 | OIDC endpoints — public |
|
||||
| Traefik (kube-system) | Authelia (sso) | 9091 | Login portal — public |
|
||||
| Traefik (kube-system) | LLDAP (sso) | 17170 | Admin web UI — IP-restricted |
|
||||
| Traefik (kube-system) | privacyIDEA (mfa) | 8080 | MFA portal — public |
|
||||
| KeyCape (sso) | Authelia (sso) | 9091 | OIDC token exchange |
|
||||
| KeyCape (sso) | LLDAP (sso) | 3890 | User attribute lookup |
|
||||
| KeyCape (sso) | privacyIDEA (mfa) | 8080 | MFA challenge + validation |
|
||||
| Authelia (sso) | LLDAP (sso) | 3890 | Credential validation |
|
||||
| privacyIDEA (mfa) | PostgreSQL (databases) | 5432 | DB |
|
||||
| CNPG operator (cnpg-system) | PostgreSQL (databases) | 5432/9187 | Operator + metrics |
|
||||
| All pods | kube-dns (kube-system) | 53 | DNS resolution |
|
||||
@@ -72,17 +86,18 @@ required paths are opened:
|
||||
After applying NetworkPolicies, confirm that illegal paths are blocked:
|
||||
|
||||
```bash
|
||||
# Test: Keycloak → databases direct (should be ALLOWED)
|
||||
# Test: KeyCape → privacyIDEA (should be ALLOWED)
|
||||
kubectl run test-allowed -n sso --rm -it --image=busybox --restart=Never \
|
||||
-- nc -zv net-kingdom-pg-rw.databases.svc.cluster.local 5432
|
||||
-- nc -zv privacyidea.mfa.svc.cluster.local 8080
|
||||
|
||||
# Test: mfa → sso (should be DENIED — privacyIDEA must not reach Keycloak directly)
|
||||
kubectl run test-denied -n mfa --rm -it --image=busybox --restart=Never \
|
||||
-- nc -zv -w3 keycloak.sso.svc.cluster.local 8080
|
||||
# Test: Authelia → privacyIDEA (should be DENIED — only KeyCape calls privacyIDEA)
|
||||
kubectl run test-denied -n sso --rm -it --image=busybox --restart=Never \
|
||||
-l app.kubernetes.io/name=authelia \
|
||||
-- nc -zv -w3 privacyidea.mfa.svc.cluster.local 8080
|
||||
|
||||
# Test: databases → sso (should be DENIED — DB pods must not initiate connections)
|
||||
kubectl run test-denied2 -n databases --rm -it --image=busybox --restart=Never \
|
||||
-- nc -zw3 keycloak.sso.svc.cluster.local 8080
|
||||
-- nc -zw3 keycape.sso.svc.cluster.local 8080
|
||||
```
|
||||
|
||||
## Notes
|
||||
|
||||
Reference in New Issue
Block a user