generated from coulomb/repo-seed
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace:

- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003 (pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
38
CONFIG.md
@@ -21,6 +21,44 @@ If yes to any of the above, don't add it here.
| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
---
## CP-NK-002 — privacyIDEA portal hostname
**Value:** `pink.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields
**Why non-default:** Subdomain prefix must be chosen by the operator; no naming
convention existed in the repo before T04. `pink` = **P**rivacy**I**DEA
**N**et **K**nights (project-specific mnemonic).
**Scope:** TLS certificate, Traefik routing, and all references to the
privacyIDEA public URL (including Keycloak Provider config in T05/T06).
---
## CP-NK-003 — privacyIDEA self-service portal hostname
**Value:** `pink-account.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — `privacyidea-account` Ingress `host` field
**Why non-default:** Separate hostname for the self-service portal allows
different firewall/allowlist rules from the admin portal. Follows the
`<service>-account` naming convention used in the workplan design.
**Scope:** TLS certificate and Traefik routing for the user-facing
self-service token enrolment portal.
---
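Review bot: the Location(s) entry for CP-NK-002 states that all three Ingress `host` fields in `sso-mfa/k8s/privacyidea/ingress.yaml` carry `pink.coulomb.social`, but the CP-NK-003 entry directly below records that the `privacyidea-account` Ingress in the same file carries `pink-account.coulomb.social`; if that file holds exactly three Ingresses (portal, admin, account), the CP-NK-002 count is off by one, so name the portal and admin Ingresses explicitly, the way CP-NK-003 names `privacyidea-account`, so the two entries cannot be read as contradicting each other. Minor: the CP-NK-001 context row pins a line number (`issuers.yaml:38`), which drifts with any edit to that file; anchoring on the issuer name or the `email` key would be more durable. CP-NK-002's Scope line also cites Keycloak Provider config in T05/T06 that has no corresponding Location(s) entry yet, so a reader cannot check that reference against a file; consider noting it as pending until those tasks land.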