generated from coulomb/repo-seed
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace: - pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi) - configmap.yaml: pi.cfg reading secrets from env vars - deployment.yaml: Deployment + ClusterIP Service (port 8080) - middleware.yaml: Traefik RateLimit + admin IP AllowList - ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service) - create-secrets.sh: creates privacyidea-config Secret - enckey-bootstrap.sh: post-deploy key extraction + DR Secrets - bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret - verify-t04.sh: 8-section done-criteria checker Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003 (pink-account.coulomb.social) registered in CONFIG.md. pink = PrivacyIDEA Net Knights (project mnemonic). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
152
sso-mfa/k8s/privacyidea/deployment.yaml
Normal file
152
sso-mfa/k8s/privacyidea/deployment.yaml
Normal file
@@ -0,0 +1,152 @@
|
||||
# Deployment + Service — privacyIDEA (namespace: mfa)
|
||||
#
|
||||
# Prerequisites (apply in order):
|
||||
# 1. pvc.yaml — privacyidea-data and privacyidea-logs PVCs
|
||||
# 2. configmap.yaml — privacyidea-cfg (pi.cfg template)
|
||||
# 3. create-secrets.sh — privacyidea-config Secret (PI_SECRET_KEY, PI_PEPPER, DB URI)
|
||||
# 4. This file
|
||||
#
|
||||
# After first pod starts successfully:
|
||||
# 5. enckey-bootstrap.sh — extract enckey + audit keys, create DR Secrets
|
||||
# 6. bootstrap-admin.sh — create pi-admin (+ MFA enrolment) and trigger-admin
|
||||
#
|
||||
# Container port: 8080.
|
||||
# The official privacyidea/privacyidea image uses nginx internally.
|
||||
# If the image you pull listens on port 80 instead of 8080:
|
||||
# - Change containerPort below to 80
|
||||
# - Change the Service targetPort to 80
|
||||
# - Update sso-mfa/k8s/network-policies/netpol-mfa.yaml ports to 80
|
||||
# - Reapply both files
|
||||
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: privacyidea
|
||||
namespace: mfa
|
||||
labels:
|
||||
app.kubernetes.io/name: privacyidea
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: mfa
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: privacyidea
|
||||
strategy:
|
||||
type: Recreate # single-node — avoid split-brain on PVC
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: privacyidea
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: mfa
|
||||
spec:
|
||||
# ── Security context ───────────────────────────────────────────────────
|
||||
securityContext:
|
||||
runAsNonRoot: false # privacyIDEA nginx needs root to bind port; revisit
|
||||
fsGroup: 999 # privacyidea group inside container
|
||||
|
||||
# ── Init: ensure log dir exists and has correct permissions ───────────
|
||||
initContainers:
|
||||
- name: init-logdir
|
||||
image: busybox:1.36
|
||||
command: ["sh", "-c", "mkdir -p /var/log/privacyidea && chmod 777 /var/log/privacyidea"]
|
||||
volumeMounts:
|
||||
- name: logs
|
||||
mountPath: /var/log/privacyidea
|
||||
|
||||
containers:
|
||||
- name: privacyidea
|
||||
# Pin to a specific release; update via image update policy.
|
||||
# Check https://hub.docker.com/r/privacyidea/privacyidea for latest stable.
|
||||
image: privacyidea/privacyidea:3.12
|
||||
imagePullPolicy: IfNotPresent
|
||||
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
protocol: TCP
|
||||
|
||||
# ── Environment — sensitive values from Secret ──────────────────
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: privacyidea-config
|
||||
|
||||
# ── Volume mounts ───────────────────────────────────────────────
|
||||
volumeMounts:
|
||||
# pi.cfg overlaid into the data PVC as a single file (subPath).
|
||||
- name: config
|
||||
mountPath: /etc/privacyidea/pi.cfg
|
||||
subPath: pi.cfg
|
||||
readOnly: true
|
||||
# Data PVC: enckey, audit keys, scripts, and other PI runtime files.
|
||||
- name: data
|
||||
mountPath: /etc/privacyidea
|
||||
# Logs PVC: persistent application logs.
|
||||
- name: logs
|
||||
mountPath: /var/log/privacyidea
|
||||
|
||||
# ── Probes ──────────────────────────────────────────────────────
|
||||
# Startup probe: give PI up to 3 min to run DB migrations on first boot.
|
||||
startupProbe:
|
||||
tcpSocket:
|
||||
port: 8080
|
||||
initialDelaySeconds: 15
|
||||
periodSeconds: 10
|
||||
failureThreshold: 18 # 18 × 10s = 3 min
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: 8080
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 15
|
||||
failureThreshold: 3
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /token/
|
||||
port: 8080
|
||||
initialDelaySeconds: 0
|
||||
periodSeconds: 10
|
||||
failureThreshold: 3
|
||||
|
||||
# ── Resources ───────────────────────────────────────────────────
|
||||
# Raise limits for production; privacyIDEA handles crypto and DB queries.
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "256Mi"
|
||||
limits:
|
||||
cpu: "500m"
|
||||
memory: "512Mi"
|
||||
|
||||
# ── Volumes ─────────────────────────────────────────────────────────
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: privacyidea-cfg
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: privacyidea-data
|
||||
- name: logs
|
||||
persistentVolumeClaim:
|
||||
claimName: privacyidea-logs
|
||||
|
||||
---
|
||||
# Service — ClusterIP; Traefik and Keycloak reach privacyIDEA via this.
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: privacyidea
|
||||
namespace: mfa
|
||||
labels:
|
||||
app.kubernetes.io/name: privacyidea
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: mfa
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app.kubernetes.io/name: privacyidea
|
||||
ports:
|
||||
- name: http
|
||||
port: 8080
|
||||
targetPort: 8080
|
||||
protocol: TCP
|
||||
Reference in New Issue
Block a user