generated from coulomb/repo-seed
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003 (pink-account.coulomb.social) registered in CONFIG.md. pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -196,8 +196,9 @@ restore drill passed.
```task
id: NK-WP-0001-T04
state_hub_task_id: 6ad1296a-a488-4031-b665-f77030e971ed
status: todo
status: in_progress
priority: high
note: Manifests committed (pvc, configmap, deployment, middleware, ingress). Scripts: create-secrets.sh, enckey-bootstrap.sh, bootstrap-admin.sh. verify-t04.sh. Domain pink.coulomb.social (CP-NK-002/003). Pending: apply to live cluster, run enckey-bootstrap.sh, bootstrap-admin.sh.
```
|
Deploy privacyIDEA via `gpappsoft/privacyidea` Helm chart (Artifact Hub) or
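Review bot: the `Pending:` list in the new `note:` field omits the verification step, and `verify-t04.sh.` is stranded as a separate fragment after the `Scripts:` list instead of being part of it. Since the commit message describes verify-t04.sh as the 8-section done-criteria checker, fold it into the Scripts list and make it the last pending item, e.g. `Pending: apply to live cluster, run enckey-bootstrap.sh, bootstrap-admin.sh, verify-t04.sh.`, so the task cannot be moved from in_progress to done without the checker having been run.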
@@ -217,7 +218,7 @@ privacyidea:
key: PI_ENCFILE
ingress:
enabled: true
hostname: pi.yourdomain.com
hostname: pink.coulomb.social
tls: true
```
|
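Review bot: only `hostname:` changed in this values fragment, which leaves the documented config out of step with what the commit ships. The surrounding text still presents this as the `gpappsoft/privacyidea` Helm chart path (`key: PI_ENCFILE`, a single `ingress.hostname`, `tls: true`), while the commit message says the deployment is raw manifests (deployment.yaml, ingress.yaml, middleware.yaml) and that ingress.yaml serves two hosts, `pink.coulomb.social` and `pink-account.coulomb.social`. Either mark this fragment as the Helm alternative that was not taken, or replace it with the host list the committed ingress.yaml actually uses, so the self-service host is not silently missing from the documented ingress config.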
@@ -233,7 +234,7 @@ WAF rules at Traefik level.
4. Apply policies: WebUI restricted to VPN/office IPs; MFA required for
all admin actions.
|
**Done when:** privacyIDEA reachable at pi.yourdomain.com with valid TLS,
**Done when:** privacyIDEA reachable at pink.coulomb.social with valid TLS,
pi-admin enrolled with MFA, trigger-admin created, rate-limiting active.
|
---
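Review bot: the `**Done when:**` line at the end of this hunk checks `rate-limiting active` but says nothing about the admin IP restriction, even though step 4 just above requires the WebUI to be restricted to VPN/office IPs and the commit message says middleware.yaml carries a Traefik admin IP AllowList. Add it to the done criteria, e.g. `..., trigger-admin created, rate-limiting active, admin AllowList enforced (WebUI refuses requests from outside the VPN/office ranges)`, so that a missing or mis-scoped allowlist is a failed criterion rather than something that passes unnoticed.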
@@ -287,7 +288,7 @@ In Keycloak:
the enterprise tier (not in scope for this workplan phase).
2. Create Authentication Flow "privacyIDEA Browser":
- Add privacyIDEA execution step (REQUIRED)
- Config: privacyIDEA URL = `https://pi.yourdomain.com`, service account
- Config: privacyIDEA URL = `https://pink.coulomb.social`, service account
= `trigger-admin` (secret from K8s Secret)
- Optional: bypass group (break-glass) with strict restrictions + alerts
3. Set this flow as the default browser flow.
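Review bot: `privacyIDEA URL = https://pink.coulomb.social` in the Config line sends Keycloak's authentication calls through the public Traefik ingress, where the RateLimit and admin IP AllowList middlewares this commit adds apply, and `(secret from K8s Secret)` does not name the Secret. Because the flow becomes the default browser flow (step 3), every login would be a request from the `sso` namespace, not from an office or VPN address, and would consume the rate limit. State explicitly whether Keycloak should instead call the ClusterIP Service on port 8080 that deployment.yaml creates, and if it must use the public hostname, exempt that traffic from the allowlist and size the rate limit for it. Also name the Secret, which the commit message gives as `privacyidea-trigger-admin`, so the Keycloak-side reference matches what bootstrap-admin.sh creates.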
@@ -326,7 +327,7 @@ Define policies in privacyIDEA:
- Enrollment rules (who can self-enroll, which token types)
- Admin rights separation: super-admin vs. helpdesk-admin
|
Enable self-service portal at `pi-account.yourdomain.com` for user token
Enable self-service portal at `pink-account.coulomb.social` for user token
enrollment/replacement.
|
Configure auditing and log shipping: privacyIDEA audit logs + Keycloak
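Review bot: `pink-account.coulomb.social` is the host users self-enroll from, so the admin IP AllowList from middleware.yaml must not be bound to it, while the commit message says `pink.coulomb.social` serves both the portal and the admin UI on one host, so an allowlist attached to that host as a whole would lock ordinary users out of the portal. Spell out in this section which Traefik middleware is bound to which host (RateLimit on both, AllowList only on the admin side of `pink.coulomb.social`) and how the allowlist is scoped so it does not block non-admin portal users, since that mapping is what keeps the self-service portal usable and the admin UI restricted at the same time.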
@@ -395,7 +396,7 @@ documented and tested, HSTS and NetworkPolicies verified.
- [ ] `sso`, `mfa`, `databases` namespaces + NetworkPolicies deployed
- [ ] TLS everywhere via cert-manager (Traefik ingress)
- [ ] PostgreSQL live; both DBs created; backup + restore tested
- [ ] privacyIDEA running at `pi.yourdomain.com`; pi-admin MFA enrolled;
- [ ] privacyIDEA running at `pink.coulomb.social`; pi-admin MFA enrolled;
trigger-admin created with least-privilege rights
- [ ] Keycloak running from custom image including privacyIDEA Provider JAR
- [ ] Keycloak "privacyIDEA Browser" flow enforced as default
|
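Review bot: the checklist has no item for the encryption key, so `backup + restore tested` on the PostgreSQL line can be ticked while the key that enckey-bootstrap.sh extracts into DR Secrets (per the commit message) is never exercised. privacyIDEA stores token secrets in the database encrypted with the `PI_ENCFILE` key, so a database restore without the matching key does not yield usable tokens. Add an item next to the privacyIDEA line such as `- [ ] enckey extracted to DR Secrets; restore drill includes the key`, so the DR path is covered end to end.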