generated from coulomb/repo-seed
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
137
sso-mfa/k8s/lldap/deployment.yaml
Normal file
137
sso-mfa/k8s/lldap/deployment.yaml
Normal file
@@ -0,0 +1,137 @@
|
||||
# Deployment + Service — LLDAP (namespace: sso)
|
||||
#
|
||||
# LLDAP is the lightweight LDAP directory backing both Authelia (credential
|
||||
# validation) and KeyCape (user attribute lookup). Configured via environment
|
||||
# variables only; no config file is needed.
|
||||
#
|
||||
# Prerequisites:
|
||||
# 1. pvc.yaml — lldap-data PVC
|
||||
# 2. create-secrets.sh — lldap-secrets (LLDAP_JWT_SECRET, LLDAP_LDAP_USER_PASS)
|
||||
# 3. This file
|
||||
#
|
||||
# Ports:
|
||||
# 3890 — LDAP (internal only; Authelia and KeyCape reach LLDAP here)
|
||||
# 17170 — Web UI (ingress restricted to VPN via middleware — see ingress.yaml)
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: lldap
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: lldap
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: lldap
|
||||
strategy:
|
||||
type: Recreate # single replica; SQLite cannot be accessed concurrently
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: lldap
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
securityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
|
||||
containers:
|
||||
- name: lldap
|
||||
# Check https://hub.docker.com/r/lldap/lldap for latest stable tag.
|
||||
image: lldap/lldap:stable
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
||||
ports:
|
||||
- name: ldap
|
||||
containerPort: 3890
|
||||
protocol: TCP
|
||||
- name: web-ui
|
||||
containerPort: 17170
|
||||
protocol: TCP
|
||||
|
||||
env:
|
||||
- name: LLDAP_LDAP_BASE_DN
|
||||
value: dc=netkingdom,dc=local
|
||||
- name: LLDAP_HTTP_HOST
|
||||
value: "0.0.0.0"
|
||||
- name: LLDAP_LDAP_HOST
|
||||
value: "0.0.0.0"
|
||||
- name: LLDAP_HTTP_PORT
|
||||
value: "17170"
|
||||
- name: LLDAP_LDAP_PORT
|
||||
value: "3890"
|
||||
# Sensitive values from Secret
|
||||
- name: LLDAP_JWT_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: lldap-secrets
|
||||
key: LLDAP_JWT_SECRET
|
||||
- name: LLDAP_LDAP_USER_PASS
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: lldap-secrets
|
||||
key: LLDAP_LDAP_USER_PASS
|
||||
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
|
||||
# LLDAP health check — HTTP endpoint at /health on web UI port
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /health
|
||||
port: 17170
|
||||
initialDelaySeconds: 10
|
||||
periodSeconds: 15
|
||||
failureThreshold: 3
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /health
|
||||
port: 17170
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
failureThreshold: 3
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: "50m"
|
||||
memory: "64Mi"
|
||||
limits:
|
||||
cpu: "200m"
|
||||
memory: "128Mi"
|
||||
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: lldap-data
|
||||
|
||||
---
|
||||
# Service — ClusterIP; LDAP port for Authelia/KeyCape, Web UI for Traefik.
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: lldap
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: lldap
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app.kubernetes.io/name: lldap
|
||||
ports:
|
||||
- name: ldap
|
||||
port: 3890
|
||||
targetPort: 3890
|
||||
protocol: TCP
|
||||
- name: web-ui
|
||||
port: 17170
|
||||
targetPort: 17170
|
||||
protocol: TCP
|
||||
Reference in New Issue
Block a user