generated from coulomb/repo-seed
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
120
sso-mfa/k8s/authelia/configmap.yaml
Normal file
120
sso-mfa/k8s/authelia/configmap.yaml
Normal file
@@ -0,0 +1,120 @@
|
||||
# ConfigMap — Authelia configuration (namespace: sso)
|
||||
#
|
||||
# Contains the full Authelia configuration.yml EXCEPT sensitive values,
|
||||
# which are injected at runtime via environment variables from authelia-secrets:
|
||||
#
|
||||
# AUTHELIA_JWT_SECRET_FILE
|
||||
# AUTHELIA_SESSION_SECRET_FILE
|
||||
# AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
||||
# AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
||||
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
|
||||
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
|
||||
# AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
|
||||
#
|
||||
# The *_FILE convention tells Authelia to read the secret from a file path
|
||||
# (mounted from the authelia-secrets K8s Secret — see deployment.yaml).
|
||||
#
|
||||
# Access control policy is deliberately set to one_factor (password only).
|
||||
# MFA is handled out-of-band by KeyCape via the privacyIDEA adapter AFTER
|
||||
# Authelia confirms the user's password. Authelia must NOT prompt for a
|
||||
# second factor; doing so would double-challenge the user.
|
||||
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: authelia-config
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: authelia
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
data:
|
||||
configuration.yml: |
|
||||
---
|
||||
theme: dark
|
||||
|
||||
server:
|
||||
host: "0.0.0.0"
|
||||
port: 9091
|
||||
|
||||
log:
|
||||
level: info
|
||||
|
||||
# jwt_secret: injected via AUTHELIA_JWT_SECRET_FILE
|
||||
|
||||
authentication_backend:
|
||||
ldap:
|
||||
# LLDAP preset configures the correct attributes for lldap/lldap image.
|
||||
implementation: lldap
|
||||
url: ldap://lldap.sso.svc.cluster.local:3890
|
||||
base_dn: dc=netkingdom,dc=local
|
||||
username_attribute: uid
|
||||
additional_users_dn: ou=people
|
||||
users_filter: "(&(uid={input})(objectClass=inetOrgPerson))"
|
||||
additional_groups_dn: ou=groups
|
||||
groups_filter: "(member={dn})"
|
||||
group_name_attribute: cn
|
||||
mail_attribute: mail
|
||||
display_name_attribute: displayName
|
||||
user: uid=admin,ou=people,dc=netkingdom,dc=local
|
||||
# password: injected via AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
||||
|
||||
session:
|
||||
name: authelia_session
|
||||
# secret: injected via AUTHELIA_SESSION_SECRET_FILE
|
||||
expiration: 1h
|
||||
inactivity: 15m
|
||||
# domain must cover both auth.coulomb.social and kc.coulomb.social
|
||||
# so the session cookie is valid across the SSO flow redirect.
|
||||
domain: coulomb.social # CP-NK — parent domain; update if hostname domain changes
|
||||
|
||||
regulation:
|
||||
max_retries: 5
|
||||
find_time: 2m
|
||||
ban_time: 10m
|
||||
|
||||
storage:
|
||||
# encryption_key: injected via AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
||||
local:
|
||||
path: /var/authelia/data/db.sqlite3
|
||||
|
||||
notifier:
|
||||
disable_startup_check: true
|
||||
filesystem:
|
||||
filename: /var/authelia/data/notification.txt
|
||||
|
||||
# ── Access control ────────────────────────────────────────────────────────
|
||||
# one_factor = password only. MFA is handled by KeyCape + privacyIDEA.
|
||||
# Do NOT change to two_factor here.
|
||||
access_control:
|
||||
default_policy: one_factor
|
||||
|
||||
# ── OIDC identity provider ────────────────────────────────────────────────
|
||||
# Authelia acts as an upstream OIDC provider for KeyCape.
|
||||
# KeyCape is the only registered client.
|
||||
identity_providers:
|
||||
oidc:
|
||||
# hmac_secret: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
|
||||
# issuer_private_key: injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
|
||||
clients:
|
||||
- id: keycape
|
||||
description: "KeyCape IAM Orchestration Layer"
|
||||
# secret (bcrypt hash): injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
|
||||
public: false
|
||||
authorization_policy: one_factor
|
||||
consent_mode: implicit
|
||||
redirect_uris:
|
||||
# CP-NK-004 — update if kc.coulomb.social hostname changes
|
||||
- "https://kc.coulomb.social/authorize/callback"
|
||||
scopes:
|
||||
- openid
|
||||
- profile
|
||||
- email
|
||||
- groups
|
||||
grant_types:
|
||||
- authorization_code
|
||||
response_types:
|
||||
- code
|
||||
response_modes:
|
||||
- query
|
||||
userinfo_signing_algorithm: none
|
||||
Reference in New Issue
Block a user