Enable KeyCape bootstrap MFA mode

2026-05-25 00:16:05 +02:00
parent 4cc22bec9e
commit 5af876eb8c
4 changed files with 17 additions and 7 deletions
--- a/sso-mfa/k8s/keycape/create-secrets.sh
+++ b/sso-mfa/k8s/keycape/create-secrets.sh
@@ -94,7 +94,8 @@ authelia:
 privacyidea:
  baseURL: "http://privacyidea.mfa.svc.cluster.local:8080"
  adminToken: "${PI_ADMIN_TOKEN}"
-  realm: "netkingdom"
+  realm: "coulomb"
+  requireForAll: true

 # ── OIDC client registrations ─────────────────────────────────────────────────
 # clientType: "public" for SPAs/native apps (PKCE, no client secret)
--- a/sso-mfa/k8s/keycape/deployment.yaml
+++ b/sso-mfa/k8s/keycape/deployment.yaml
@@ -54,7 +54,7 @@ spec:
          # 2026-05-24: direct-imported into railiance01 k3s for the
          # bootstrap-console OIDC/MFA rollout. Use IfNotPresent while the
          # HTTP registry push/pull path is being cleaned up.
-          image: 92.205.130.254:32166/coulomb/key-cape:main-56d279a
+          image: 92.205.130.254:32166/coulomb/key-cape:main-937cb39
          imagePullPolicy: IfNotPresent

          ports:
--- a/sso-mfa/k8s/verify-t06.sh
+++ b/sso-mfa/k8s/verify-t06.sh
@@ -6,11 +6,11 @@
 # Sections:
 #   1.  privacyIDEA pod Running+Ready (namespace: mfa)
 #   2.  privacyIDEA API reachable
-#   3.  Realm "netkingdom" exists in privacyIDEA
-#   4.  LDAP resolver "lldap-netkingdom" exists
+#   3.  Realm "coulomb" exists in privacyIDEA
+#   4.  LDAP resolver "lldap-coulomb" exists
 #   5.  LDAP resolver resolves users (LLDAP connectivity)
 #   6.  KeyCape→privacyIDEA token: valid admin token in keycape-pi-token
-#   7.  KeyCape can list tokens in the netkingdom realm
+#   7.  KeyCape can list tokens in the coulomb realm
 #   8.  Self-enrollment policy exists
 #   9.  Authentication policy exists
 #  10.  Self-service portal reachable (pink-account.coulomb.social)
@@ -30,8 +30,8 @@ PI_HOST="pink.coulomb.social"
 PI_URL="https://$PI_HOST"
 PI_NAMESPACE="mfa"
 SSO_NAMESPACE="sso"
-REALM_NAME="netkingdom"
-RESOLVER_NAME="lldap-netkingdom"
+REALM_NAME="coulomb"
+RESOLVER_NAME="lldap-coulomb"

 PASS=0
 FAIL=0
--- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
+++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
@@ -192,6 +192,15 @@ commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the
 image `main-56d279a` was direct-imported into Railiance k3s, and the live
 deployment runs that tag.

+**2026-05-24:** Fixed the follow-up `mfa check error`. Live privacyIDEA
+validation succeeds in the `coulomb` realm, while KeyCape had been configured
+for `netkingdom` and was also trying to pre-list tokens with an expired or
+invalid privacyIDEA admin JWT. KeyCape commit `937cb39` adds bootstrap mode
+`privacyidea.requireForAll`, which requires OTP for every authenticated user
+without depending on token-list admin credentials. The live `keycape-config`
+now uses `realm: coulomb` and `requireForAll: true`, and Railiance runs image
+`main-937cb39`.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the
 custodian age-key bootstrap model to the control surface. The UI now records
 the custodian public age recipient, a derived fingerprint, and a non-secret