From 5af876eb8c6f4b22cf895084747352a408944e0c Mon Sep 17 00:00:00 2001
From: tegwick
Date: Mon, 25 May 2026 00:16:05 +0200
Subject: [PATCH] Enable KeyCape bootstrap MFA mode

---
 sso-mfa/k8s/keycape/create-secrets.sh | 3 ++-
 sso-mfa/k8s/keycape/deployment.yaml | 2 +-
 sso-mfa/k8s/verify-t06.sh | 10 +++++-----
 ...form-root-custody-and-openbao-identity-bootstrap.md | 9 +++++++++
 4 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/sso-mfa/k8s/keycape/create-secrets.sh b/sso-mfa/k8s/keycape/create-secrets.sh
index e28bea8..1b2300b 100644
--- a/sso-mfa/k8s/keycape/create-secrets.sh
+++ b/sso-mfa/k8s/keycape/create-secrets.sh
@@ -94,7 +94,8 @@ authelia:
 privacyidea:
 baseURL: "http://privacyidea.mfa.svc.cluster.local:8080"
 adminToken: "${PI_ADMIN_TOKEN}"
- realm: "netkingdom"
+ realm: "coulomb"
+ requireForAll: true
 # ── OIDC client registrations ─────────────────────────────────────────────────
 # clientType: "public" for SPAs/native apps (PKCE, no client secret)
diff --git a/sso-mfa/k8s/keycape/deployment.yaml b/sso-mfa/k8s/keycape/deployment.yaml
index e18c5ad..13b1422 100644
--- a/sso-mfa/k8s/keycape/deployment.yaml
+++ b/sso-mfa/k8s/keycape/deployment.yaml
@@ -54,7 +54,7 @@ spec:
 # 2026-05-24: direct-imported into railiance01 k3s for the
 # bootstrap-console OIDC/MFA rollout. Use IfNotPresent while the
 # HTTP registry push/pull path is being cleaned up.
- image: 92.205.130.254:32166/coulomb/key-cape:main-56d279a
+ image: 92.205.130.254:32166/coulomb/key-cape:main-937cb39
 imagePullPolicy: IfNotPresent
 ports:
diff --git a/sso-mfa/k8s/verify-t06.sh b/sso-mfa/k8s/verify-t06.sh
index 5530636..873378e 100755
--- a/sso-mfa/k8s/verify-t06.sh
+++ b/sso-mfa/k8s/verify-t06.sh
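Review bot: `requireForAll: true` is added to the privacyidea block of `keycape-config` with no in-file note that it is a bootstrap mode, so the next reader cannot tell that OTP is now demanded for every authenticated user without consulting the token list, or why the switch exists. Add a comment above the key such as `# bootstrap mode (KeyCape 937cb39): require OTP for every authenticated user; does not depend on the token-list admin path`. The `adminToken: "${PI_ADMIN_TOKEN}"` line two above is still rendered into the secret even though the commit description calls that admin JWT expired or invalid, so either rotate it or record why it is kept. The realm value is now duplicated by `REALM_NAME="coulomb"` in `sso-mfa/k8s/verify-t06.sh`, and that script's section 7 still only exercises the token-list path; a check that the live config carries `requireForAll: true` would catch a silent rollback of this mode. The enclosing YAML document continues outside the hunk.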
@@ -6,11 +6,11 @@
 # Sections:
 # 1. privacyIDEA pod Running+Ready (namespace: mfa)
 # 2. privacyIDEA API reachable
-# 3. Realm "netkingdom" exists in privacyIDEA
-# 4. LDAP resolver "lldap-netkingdom" exists
+# 3. Realm "coulomb" exists in privacyIDEA
+# 4. LDAP resolver "lldap-coulomb" exists
 # 5. LDAP resolver resolves users (LLDAP connectivity)
 # 6. KeyCape→privacyIDEA token: valid admin token in keycape-pi-token
-# 7. KeyCape can list tokens in the netkingdom realm
+# 7. KeyCape can list tokens in the coulomb realm
 # 8. Self-enrollment policy exists
 # 9. Authentication policy exists
 # 10. Self-service portal reachable (pink-account.coulomb.social)
@@ -30,8 +30,8 @@ PI_HOST="pink.coulomb.social"
 PI_URL="https://$PI_HOST"
 PI_NAMESPACE="mfa"
 SSO_NAMESPACE="sso"
-REALM_NAME="netkingdom"
-RESOLVER_NAME="lldap-netkingdom"
+REALM_NAME="coulomb"
+RESOLVER_NAME="lldap-coulomb"
 PASS=0
 FAIL=0
diff --git a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
index 4e37069..6f2d12a 100644
--- a/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
+++ b/workplans/NET-WP-0015-platform-root-custody-and-openbao-identity-bootstrap.md
@@ -192,6 +192,15 @@ commit `56d279a` now uses HTTP Basic auth for the upstream token exchange, the image `main-56d279a` was direct-imported into Railiance k3s, and the live deployment runs that tag.
+**2026-05-24:** Fixed the follow-up `mfa check error`. Live privacyIDEA
+validation succeeds in the `coulomb` realm, while KeyCape had been configured
+for `netkingdom` and was also trying to pre-list tokens with an expired or
+invalid privacyIDEA admin JWT. KeyCape commit `937cb39` adds bootstrap mode
+`privacyidea.requireForAll`, which requires OTP for every authenticated user
+without depending on token-list admin credentials. The live `keycape-config`
+now uses `realm: coulomb` and `requireForAll: true`, and Railiance runs image
+`main-937cb39`.
+
 **2026-05-24:** Stepped back from ad hoc secret rollout and added the custodian age-key bootstrap model to the control surface. The UI now records the custodian public age recipient, a derived fingerprint, and a non-secret