From 6d25d088d76b73ae184b57b8a44ae9e177b39b46 Mon Sep 17 00:00:00 2001
From: Bernd Worsch <bernd.worsch@gmail.com>
Date: Fri, 20 Mar 2026 02:57:41 +0000
Subject: [PATCH] =?UTF-8?q?feat(sso-mfa):=20T02/T03=20live=20apply=20?=
 =?UTF-8?q?=E2=80=94=20age-encrypted=20secrets,=20CNPG=20cluster=20(NK-WP-?=
 =?UTF-8?q?0001-T02/T03)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitignore                                    |   1 +
 sso-mfa/bootstrap/decrypt-secrets.sh          |  62 ++++++++++++++
 sso-mfa/bootstrap/encrypt-secrets.sh          |  79 ++++++++++++++++++
 .../secrets.enc/authelia/secrets.env.age      | Bin 0 -> 1507 bytes
 .../secrets.enc/breakglass/secrets.env.age    | Bin 0 -> 491 bytes
 .../secrets.enc/keycape/secrets.env.age       | Bin 0 -> 588 bytes
 .../secrets.enc/lldap/secrets.env.age         |   7 ++
 .../secrets.enc/postgres/secrets.env.age      | Bin 0 -> 594 bytes
 .../secrets.enc/privacyidea/secrets.env.age   | Bin 0 -> 1143 bytes
 .../network-policies/netpol-databases.yaml    |   2 +
 sso-mfa/k8s/postgresql/cluster.yaml           |  31 ++-----
 sso-mfa/k8s/postgresql/create-secrets.sh      |  30 ++-----
 sso-mfa/k8s/verify-t02.sh                     |   5 +-
 sso-mfa/k8s/verify-t03.sh                     |  30 +++----
 14 files changed, 181 insertions(+), 66 deletions(-)
 create mode 100755 sso-mfa/bootstrap/decrypt-secrets.sh
 create mode 100755 sso-mfa/bootstrap/encrypt-secrets.sh
 create mode 100644 sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age
 create mode 100644 sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age
 create mode 100644 sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age
 create mode 100644 sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age
 create mode 100644 sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age
 create mode 100644 sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age

diff --git a/.gitignore b/.gitignore
index 8ba0b2d..669ac0d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,6 +1,7 @@
 # â”€â”€ Secrets (never commit) â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
 sso-mfa/bootstrap/secrets/
 *.age
+!sso-mfa/bootstrap/secrets.enc/**/*.age
 *.kdbx
 
 # ---> Python
diff --git a/sso-mfa/bootstrap/decrypt-secrets.sh b/sso-mfa/bootstrap/decrypt-secrets.sh
new file mode 100755
index 0000000..84774a5
--- /dev/null
+++ b/sso-mfa/bootstrap/decrypt-secrets.sh
@@ -0,0 +1,62 @@
+#!/usr/bin/env bash
+# decrypt-secrets.sh â€” decrypt secrets.enc/ to secrets/ using age
+#
+# Usage:
+#   ./decrypt-secrets.sh [OUTPUT_DIR] [AGE_KEY_FILE]
+#
+# OUTPUT_DIR    where to write plaintext secrets (default: ./secrets)
+# AGE_KEY_FILE  age private key file             (default: ~/.config/net-kingdom/age.key)
+#
+# Decrypts all *.age files in secrets.enc/ to OUTPUT_DIR for use by
+# create-secrets.sh scripts. Shred OUTPUT_DIR when done:
+#   find secrets/ -type f -exec shred -u {} \; && rm -rf secrets/
+#
+# The age key must be present on the machine. Keep it outside the repo:
+#   ~/.config/net-kingdom/age.key
+
+set -euo pipefail
+
+OUTPUT_DIR="${1:-./secrets}"
+AGE_KEY="${2:-$HOME/.config/net-kingdom/age.key}"
+
+ENC_DIR="$(dirname "$OUTPUT_DIR")/secrets.enc"
+
+if [[ ! -d "$ENC_DIR" ]]; then
+    echo "ERROR: encrypted secrets directory not found: $ENC_DIR" >&2
+    echo "Expected secrets.enc/ next to the output directory." >&2
+    exit 1
+fi
+
+if [[ ! -f "$AGE_KEY" ]]; then
+    echo "ERROR: age key not found: $AGE_KEY" >&2
+    echo "Copy your age key to $AGE_KEY or pass the path as the second argument." >&2
+    exit 1
+fi
+
+if [[ -e "$OUTPUT_DIR" ]]; then
+    echo "ERROR: $OUTPUT_DIR already exists. Remove it first or choose a different path." >&2
+    exit 1
+fi
+
+echo "Decrypting $ENC_DIR â†’ $OUTPUT_DIR/"
+echo ""
+
+count=0
+for component_dir in "$ENC_DIR"/*/; do
+    component=$(basename "$component_dir")
+    mkdir -p "$OUTPUT_DIR/$component"
+    for f in "$component_dir"*.age; do
+        [[ -f "$f" ]] || continue
+        fname=$(basename "${f%.age}")
+        out="$OUTPUT_DIR/$component/$fname"
+        age -d -i "$AGE_KEY" -o "$out" "$f"
+        echo "  decrypted: secrets.enc/$component/$(basename "$f") â†’ $component/$fname"
+        count=$((count + 1))
+    done
+done
+
+echo ""
+echo "$count file(s) decrypted to $OUTPUT_DIR/"
+echo ""
+echo "Use create-secrets.sh scripts, then shred:"
+echo "  find $OUTPUT_DIR -type f -exec shred -u {} \\; && rm -rf $OUTPUT_DIR"
diff --git a/sso-mfa/bootstrap/encrypt-secrets.sh b/sso-mfa/bootstrap/encrypt-secrets.sh
new file mode 100755
index 0000000..df950f2
--- /dev/null
+++ b/sso-mfa/bootstrap/encrypt-secrets.sh
@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+# encrypt-secrets.sh â€” encrypt secrets/ directory to secrets.enc/ using age
+#
+# Usage:
+#   ./encrypt-secrets.sh [SECRETS_DIR] [AGE_KEY_FILE]
+#
+# SECRETS_DIR   plaintext secrets directory (default: ./secrets)
+# AGE_KEY_FILE  age private key file        (default: ~/.config/net-kingdom/age.key)
+#
+# Reads the public key from the age key file and encrypts each *.env file
+# (and pi.enc if present) to secrets.enc/<component>/<filename>.age.
+#
+# After a successful encrypt, shreds the plaintext secrets directory unless
+# --no-shred is passed.
+#
+# Run after gen-secrets.sh to store secrets safely in the repo.
+# Commit secrets.enc/ to git.
+
+set -euo pipefail
+
+SECRETS_DIR="${1:-./secrets}"
+AGE_KEY="${2:-$HOME/.config/net-kingdom/age.key}"
+NO_SHRED=false
+for arg in "$@"; do [[ "$arg" == "--no-shred" ]] && NO_SHRED=true; done
+
+if [[ ! -d "$SECRETS_DIR" ]]; then
+    echo "ERROR: secrets directory not found: $SECRETS_DIR" >&2
+    echo "Run gen-secrets.sh first." >&2
+    exit 1
+fi
+
+if [[ ! -f "$AGE_KEY" ]]; then
+    echo "ERROR: age key not found: $AGE_KEY" >&2
+    echo "Generate with: age-keygen -o $AGE_KEY" >&2
+    exit 1
+fi
+
+# Extract public key from the private key file
+PUBKEY=$(grep 'public key:' "$AGE_KEY" | awk '{print $NF}')
+if [[ -z "$PUBKEY" ]]; then
+    echo "ERROR: could not read public key from $AGE_KEY" >&2
+    exit 1
+fi
+
+ENC_DIR="$(dirname "$SECRETS_DIR")/secrets.enc"
+mkdir -p "$ENC_DIR"
+
+echo "Encrypting secrets â†’ $ENC_DIR/"
+echo "Recipient: $PUBKEY"
+echo ""
+
+count=0
+for component_dir in "$SECRETS_DIR"/*/; do
+    component=$(basename "$component_dir")
+    mkdir -p "$ENC_DIR/$component"
+    for f in "$component_dir"*; do
+        [[ -f "$f" ]] || continue
+        fname=$(basename "$f")
+        out="$ENC_DIR/$component/$fname.age"
+        age -r "$PUBKEY" -o "$out" "$f"
+        echo "  encrypted: $component/$fname â†’ secrets.enc/$component/$fname.age"
+        count=$((count + 1))
+    done
+done
+
+echo ""
+echo "$count file(s) encrypted to $ENC_DIR/"
+echo ""
+
+if [[ "$NO_SHRED" == false ]]; then
+    echo "Shredding plaintext secrets..."
+    find "$SECRETS_DIR" -type f -exec shred -u {} \;
+    rm -rf "$SECRETS_DIR"
+    echo "Done. Plaintext secrets shredded."
+else
+    echo "(--no-shred: plaintext kept at $SECRETS_DIR)"
+fi
+echo ""
+echo "Next: commit secrets.enc/ to git."
diff --git a/sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/authelia/secrets.env.age
new file mode 100644
index 0000000000000000000000000000000000000000..90cb7633d746d7982ab642ea094df8ef79c37119
GIT binary patch
literal 1507
zcmV<91swWeXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVhSSx8vG(}WcGgDJG
zGGQ}wWGiheWG`cORyb`dY&B3uRdhjQZ8m96ZB+_3Gg?b+a8zkIXEbv#I5#s!MN&?8
zRXBKUb~H#;XJSoyVR}P2LT-3SZ!iiiEiE8Uaz!_7Zb*4SP(yD-Q7?9GRWdPCWl(7{
zYczUjG&eI&K|xVUS#U6AGG_`%Y-#$x%0oP%7y*P_o0WV!h%!`f?{BU<6?b4v>~R>j
z1m?2`@VllnJ#0QQx)QAm0=E;~aHvcmvu{*=`$S_5b^;SBuP#Kk%S=9O{S;x(DE<#`
zof$_xsRK+B=`$W$?OdZ(vvokAPvG(*I)8+%J-w_@?e#DWL5RyAed(l^FF-59eT?M4
zWI)Mk54I>Dvaj!KFRt#m0O7gYH>oHVj+!Nx(2#4>VdL;blgZj{oTN$TLBJb6`_OdC
z12u$q0#s&q6{7uc%@(cae@V)1EQaZsw;&y1FR-IHd46WY0se=ax%rp^pK~PUM#&m+
z&)FpIpAHvbPyHoye+Nj;0C9{Nd_W>8t}4pkqCc5eQuybOeS%y0(hW7-xO2saqZ(6C
z&ThLU%CYFlsr;BX)yKflv9a-*?0M|2j*z(3C4EP2LJE|4>{5Jp2+giGl|0jL&7?KA
zZNayC%t8{UH?E1oBpioPyF=ktZ}*#dcG&mon^nqf2-0VIxmlvxF{L(05C1QsB9s<C
z_9AYh(6qBLR3nP`k&ut?%HBcw$Ek0UJvD0<M0|<obiNgepfC}v#fJyDnz#&x{l!ds
zXU_PJ;x@QP4#+TP2G@02Vo7^vBUqVs;RvE8X#a5Cy*XC(M6yy})QRlg2o*aoa_~V@
z_v>{2N_Moh{~yz0Eqpd2?Nj5nutp*l$255!%09N}h5Lk23-!j`jck|4{O^7OH+Z^e
zp$XExeo>@C+2VB3!xSUgAON8MH<+6}tV;RE28OKd2f9)T=?<!PfOYxm6_IHAsu`zQ
zk=Nu#hcWHgUgNh`1YiJQ5iO)~ei4jJl}%?X*9k|$t}{o<KiWpdm&MI$QMO(DvQP(E
z2_hGscX@U0qUf2B)CY~!2yb$UoH|T-X}q|RR*W4*KG-dc(ZsqQ()<#{7PV^R`qcF6
zp7m)!E3uMjF0mXC>7D&iaAdo>6P5>U{7_VQQ^H)Sh4IWQ0o?xxQSS#Le3Ar+HtMvS
zIF5><ho7$1Tr$~ZMKKwm#;1aBu4?;r4N6;sIHuw|iH^0T?=gg9<H_j{7m#6MN@K?E
z5yFz5qrA9s`-CI*Jv8(IeV?8dI*&$5WV#(_Yj%t#N$1{X#mB4r6MDx>$MaRi=KQw8
z2gpJ^lV`fm>`J}T>zQB0_9&}pzCV2g&#535mJ-chge2t<z`&Q@$2;p<(xX-zIqxl1
zQLMwe=Qwu^;!Em-(N%)Bn>ctg%@@9X?4cpPe?E7UN6nJWC2e<9m{O%yj$&KZMzH5#
zhA@)?)B|JB4=$kF*$;|)sgj9uAjzunL}KVc`9cjYJ2OA=8jveHUu?r09yR>>?K6=4
zus-4zkT$W%Q1|EPY=WXqh|f*Q=}_a{eO4~g)hdhJ?~FVF<+~!K+|)XOw#6y?qgKd=
zlerl>Nrx=N?b$e^v&_r}fOsgWXh8}(4{JzQ1klj5bDz!sN$sG+BMhVivuwR|BmyiG
zzcAh<h&c@?6At5eBXui4+AgR?+Vh`n=hHbhA)qP-7)?%S79k>CsIK-!8zi#uD!WyL
z4Hi$h)sm2MZ;`=-G*PWxc|(A;1D#Dk*=Fc)e2U;La(MQ4MdH52XX|P5*K}%EN)>-k
zsMq!lXok}WRn&>TXx_pXjiT-?k0EY#<3wv-m3!Y@mVXIyN}gRCC}&GZE4cDPhu2Zz
zmp%EF-mVs<f5Y`HOM`G}El%FUYCqo1YNqotxe8Xi?+nb@9t5i?(rvpb3dS<xwf{$Q
JYRgDYj~y$d(boU~

literal 0
HcmV?d00001

diff --git a/sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/breakglass/secrets.env.age
new file mode 100644
index 0000000000000000000000000000000000000000..93205c9ae8472a5d15e7e686664f028e2f3421e6
GIT binary patch
literal 491
zcmV<H0TljWXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zV*X-!8mLr+aLFH2^4
zS5HD`PHZ`ORxmYgb8AOdH*$DpZ*p=&V{3P2SU3t*IBZihP&G+tHg`^EZB#dQPe(yD
zYIRvoHF|J2MrB%bX<0dJb4^T9cXtXcEiE8qXD@IuYIrw8GI29EV>VHFN>wm7PH;6<
zK}tAHMrKK7LTOY&bxCb`c54dMev_4aSr!?;p?F2rSGF-+ick5J!<Jt~Jt7<BYR<it
zR}cy;$O8b8T<=HbSKko!SlzI~Q~#ohOQCnJJTJN6u;d8LYI>M7hD;*`bAXrE2etAW
z$<$Nmp8QL8l!Ee|yBO)hLd4z*=7KlSfK;<5!kK`4Vj;i#iE8-^<!Y8Em*LNAF4<+@
zM?qzAAqd20#sd8#YBq1=6(3(5b=Z+^)o6Xu2GH!PjPzVuYr#X?7(MVhUMT9`EDVh<
z<f)0z+*R^@T4?0yE2myOxjPcMw-myQAO*bK{ru+9AhyxJ)BwkH?>HtQ1>Wvne6L*(
zp=da0^(p7;hI;fnL)<vRwR!W8Mue-!!=O8xtMvzKs2EYTILtO{QlTE*^fM9elqsK!
h(_nVpE=@SDP(O?to^X(PY${3Gx(_yu!@vZbR=bRg+Qa|=

literal 0
HcmV?d00001

diff --git a/sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/keycape/secrets.env.age
new file mode 100644
index 0000000000000000000000000000000000000000..a4d40e8f0e538d2ac6ffa9a926de79addd77cc1c
GIT binary patch
literal 588
zcmV-S0<-;LXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVaW>QRHPGxdhZEI(G
zLToTZO-OKfL1a=xb7*R0SSvVAY*A7-b8JdiGgS&_aaT%2crP$<b8|9dNN#XRLMv4@
zLu^S_L1}nIMNn2_FEcW2MszrGICBauEiE8UYE3jyXIVv5NN-hBHfnccXl7M2ML1S!
zLTO|xc`$QHP&qeiayL^~H)9IS;z0Zpl6CtFIavr0LW($gTvVsm%ikM+3JN-<sRCTh
z@Y%2GE=>QEi&sij%Y)>wXcCw+1V7-SZe7_xY%6n7#SVVal15Dv3y|tc<aM09de+CO
zGB8%}ji4{#Fk=x?PwWJ`!A8tm17>$?*K?L4=SW6CD3Al#60eM_0X0Y74O{lpcs4<Q
zl9%#z^#f&G7Wqz?O-ZVVU6e+`aQ2KtdEBYJxH+MWkG~p{+nI)A<`jyjU945DfHOQ&
z%B>e+WiiiBu776s7(<uCepwE$42)zss7qwn0gn0T#@i1`HOmYE+k!z^l!ox>^>Mk^
zN#JG&Nf1?~1X~b4TrplYX@rV_Y<XQ+BOvwpZ2(yH$|wBBBJs0<1ls4Q_I}=ZL3k9L
zwcw8lbBXLWCg|K}KHKOQXCZKGv_m-?In^=YZVzIfi!vuFl)s!d`1ThF3WQP`lUbW<
znt&~XZ_h&N!aTxsIdGoDi)M5EtS$X9NrlMw{$1by0AbjU*5aO|L93`ZQMj2p)R5vL
aWPR|%Q1Q_bhnkyEnrMoyx0+tkf!q-#3Im$}

literal 0
HcmV?d00001

diff --git a/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age
new file mode 100644
index 0000000..f5f7f84
--- /dev/null
+++ b/sso-mfa/bootstrap/secrets.enc/lldap/secrets.env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 yR2D3J78/vw1ohcdXCLy5IOoIuG+FtRs7Eiswk3gKyo
+c9axBYTsFS4Gqb3Zdv5Gtk+/yEtKNH21iFLU1U3mxNs
+--- Kc/0n9icRSyEEcAHJJdx2Vcv5CgjLucU8FdZArV3C2U
+ìÏ9ÍôeYœ·ŒdT-GÄëÊiÎ‘%½0xžày=„0úOñî—Ö«üè±ƒÖ¾Qÿ"ú-[gß‹ÁóÐ3eýœV3”wt1½º“Cä$rj2\zû=IW ï7>=ŽKüª8JUT¡G†læ"bv{g3@þ-¡â:È½™2£;ÖÍPrÕUH­Aö-Æë°ZØÌx¦„«.ïÑx}@EMž“+©ÚHÐ
+€Óš´$¤Î;”¤<É¶>iûáÕe˜ò1xtCÌU¡4¹àÜÒ‚‘O®¦zÃ
+ŽýO{qãÔqE¬Ù¡?àS<ÂsµÎg©XL¬ÎÂþy«í'‚¶Ùñ«f[ë„ªÒü6°W£@C{‡¢#öxÐñƒÅ9÷Î¤%ò2³~ªyQ™(–¥c ;¿ìùÄÍ†’«#l`}uNÖ»ŽÍT‘™3èvE6Kˆ(]]þ‚,0Ç€r@óŠ-Áúêè„ÎŸ®4l>ú¼É]ª2²íø×Ê ^1}ƒRXK¬lïýæ	ûÃI¡z–¾,E™ó'(ª—ìÓœ‹”1Zý³ìS›¶‚‘&„ö=ZW´¹©íŸ²ÊLÏò	O”Â˜~â¹:l!Öam+¼¢¥åÂŸí˜²Ÿ™6TÅ¨„l™Ç¢ÈEò è.ä1ß1ÝøPælr°zÿçÁ²’Äæˆë­h±mGt§¬v®Ù(,
\ No newline at end of file
diff --git a/sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/postgres/secrets.env.age
new file mode 100644
index 0000000000000000000000000000000000000000..dd0a3c4f6439f3e6add1c064fb2d5fde3318960d
GIT binary patch
literal 594
zcmV-Y0<HaFXJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVPFh^`FQ$j&gLS#!p
zXmxdPVo5hKbarzvQZp+tYdKkYI4ebDXIg7-dQl2aRYFC2aWGA2FmqBxLSjo{Nil0U
zV^36UOEX4EI5l)}MsaIrWJqmEPjd<_EiE8Qb2KqiQ!qtqFKlH?bvI2^L02*}PBckL
zO<{9*V{bV&Zc{i*GFM4adQ}RRCad<L;SsIPt`+}rgF!8I_mAz*jg1ehyKbF~50F{|
z!BVe9Qh+V=!PI>|rc)a@yX9KVmYDW;-wet1{Am?Qp+Mr@^6r$HQ_g_hsJ>B6c-y<g
zSpMl`Hqk{5&~sFVPWkgC1?yzu0T@dm0l~3=eN;|U1D+t0DSE-??IknP0FU#@@pCEg
z+sV~2`1>J6<i``&Wp^V31VqcT!?`!*C*r_Wt{fXG`aZn&yzVE;sbvOXArT3Dzrs#`
z;4d$lWCLG;LRjM}l4T@LPK1w9Cx}=`-l+pZflgP0Ts4i7+<!i|yuzUQ-Y`XoEjFp&
zl|PZxA|+kx3YlJ<l<l4nu2IE+X)c*)m_q#I@pEcl26L_nHcS;*9#x8XFqSRj_(%a*
z#04+kaQ-8|U!?G0l>{Qik&33`b)@9_4GAfSPKfQKpMMbcDpY%nx7v+)@NNU|2OX;A
z>=0Ag3@ik&zs^z;jKD%_6~*Iszd?T7KdBux-gOopCg_`r^S_Ko=gTnkY>Khcn)Kz-
gdw|~!Hp+IGcm;y(0Z$<a9X0B&VJjvd03by2V<+JUasU7T

literal 0
HcmV?d00001

diff --git a/sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age b/sso-mfa/bootstrap/secrets.enc/privacyidea/secrets.env.age
new file mode 100644
index 0000000000000000000000000000000000000000..194a3a1116bb1aa100b7f4b02e2dd19bb72c7583
GIT binary patch
literal 1143
zcmV--1c>`#XJsvAZewzJaCB*JZZ2<fXD@a!3N1b$STZ#=F*zVbVR|=ZMs{aPc}+`8
zWk^srMnYICP((^&V^T(OLRVpOOfY&$Xl`UgcR>nMQgUf%dQ4VXNkc?rZ!bbsaX4d9
zW_dDeF;i}CV^exmQZ;Z*S4uQDbZ-hREiE8ZOJ{U7HBd)SQ%QDrGC65%Lux}gV{Jls
zFl2E-b4fQhX+?D}Id?)$WpfIT9|f@|NEo7ZFPpE2NO^7<?u_x*DypFcpcq+KxO3e2
zMf6>Q4atXrGbzE%#gr}<wGezwtedF~=+v1LulT1NCD^;{hU^wr0zoI=Gw-4Y2Xn3r
zGx-|4L)p(qYUdetmsYD!EX!?fYxqQ~xI&S?Yl|Ng*7w9M3StNt$Md6*-rN<~Z`{M)
zY5`3-j!GG%wJBh5XUE&8{R9Wu)_Ux*W37b$%!JEhu&Aq?-lcyRY=O_rF4-yyu4FnJ
z@GvLHB1OWsBg$TSf}CYu7FYS!Z5)6EL$<M>(I+d@@o!EWQ4(A^N&SSQIQW~dEnERN
zMo_VIH^A8Ao<{LEy9>$q-XZvyiyIcFc`nQsP1R_p2TiAf?h|n$I}}m_luNtIc0>aO
ze3hO^wplroY5jm^0dSFriZ1HlKz7n1Z8^(R<5@tP)QuK|(JJd$Ug~MA^dbQ+Tf0jd
zc~Nir(``0%NE0Ax4{S`%B=1~GG3EJBFo79exxb>Bqv^dE%ib|rt6DFIbg9eP0VhpG
zSV~5qfgnc$Eirq=uAq2ZX;!=2?AZ2$V(8HwZh&o?A=F2ak(f3%Rpk_R&h2rnsst3h
zQPi`*Kxr3e-^=(C+Lu2V9?V6|bH92(=}ra5A|Jpr<<@Mg@P`QBYZ<`wF`0CMQVE#Z
z!D6?a9^qn~lx~&G17PZ8%U(U@@L+lNmJ2?NK%a0$N+1p|*}1HVR-LWgAGMB4upnOP
z41p9h^O!)IEUMS--mM6Tr_tVrau{JVmNNfI7&8fE<vfz|;QtgO&-n(ipVr7C+@uEW
z4;0nv)hbS)afI1?%n&Kq?tE(jREuJx&yfvl#ae)R3KnZsQDz1T9SukczZ>DJT)Q$v
zZggaX9D-6$2j2}Gp%jDR;qE&0H>^U0K|C%=78W1?(KYMuONm}Qs5|CaxmO_h>Ib>I
z<M_@u)Ry4=9gs@q1SN3)2`p$S!v0JIisEb{*Ov4J<c7Rv^JU5kPZdZch$C>Z0?D#G
zIHv~rAVK)*=YhO7ftczG0|mRzm0RZ^D)kKE&gk(NCtynWkLNx3mQ_sSeFT%?{_iMX
z_D}+XlC9KH%Ffh|>;mVhJQaM^Oi~Ic>!WmYmAJNnl}gH6L6&JTq3$3v=aN@5p3pgD
z9)@_kOZ`;4uSAZXdmTbq73IS^jpgdQJCkg6>x}OX!rv6VP?QD{0MWaRvO2420pwfY
z(<A)iV{OJjK9#@|5P%*gEOdD_5cFIvhq}57@G*n*dS}=)7&oG5-+KpFR4H(4V?+;A
JUfE%u&wXQn4g&xH

literal 0
HcmV?d00001

diff --git a/sso-mfa/k8s/network-policies/netpol-databases.yaml b/sso-mfa/k8s/network-policies/netpol-databases.yaml
index f6bd257..c77e3d4 100644
--- a/sso-mfa/k8s/network-policies/netpol-databases.yaml
+++ b/sso-mfa/k8s/network-policies/netpol-databases.yaml
@@ -93,6 +93,8 @@ spec:
       ports:
         - port: 5432
           protocol: TCP
+        - port: 8000   # CloudNativePG instance manager HTTP API (used for status extraction)
+          protocol: TCP
         - port: 9187   # CloudNativePG metrics exporter
           protocol: TCP
 ---
diff --git a/sso-mfa/k8s/postgresql/cluster.yaml b/sso-mfa/k8s/postgresql/cluster.yaml
index 4830e37..fb317fe 100644
--- a/sso-mfa/k8s/postgresql/cluster.yaml
+++ b/sso-mfa/k8s/postgresql/cluster.yaml
@@ -1,9 +1,10 @@
 # CloudNativePG Cluster â€” net-kingdom-pg
 #
-# Creates a PostgreSQL 16 cluster with two application databases:
-#   keycloak_db   (owner: keycloak)
+# Creates a PostgreSQL 16 cluster with one application database:
 #   privacyidea_db (owner: privacyidea)
 #
+# Note: keycloak_db removed â€” Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
+#
 # Prerequisites:
 #   - CloudNativePG operator installed (see README.md)
 #   - K8s Secrets created (see create-secrets.sh)
@@ -27,33 +28,19 @@ spec:
   imageName: ghcr.io/cloudnative-pg/postgresql:16
 
   # â”€â”€ Bootstrap â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
-  # Creates keycloak_db with owner keycloak. privacyidea_db and the
-  # privacyidea role are created in postInitSQL (runs as superuser).
-  # managed.roles below reconciles passwords for both users continuously.
+  # Creates privacyidea_db with owner privacyidea.
+  # managed.roles below reconciles the password continuously from K8s Secret.
   bootstrap:
     initdb:
-      database: keycloak_db
-      owner: keycloak
+      database: privacyidea_db
+      owner: privacyidea
       secret:
-        name: net-kingdom-pg-keycloak-app
-      postInitSQL:
-        - "CREATE ROLE privacyidea WITH LOGIN;"
-        - "CREATE DATABASE privacyidea_db OWNER privacyidea;"
-        - "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
-        - "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
-        - "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
-        - "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"
+        name: net-kingdom-pg-privacyidea-app
 
   # â”€â”€ Managed roles â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
-  # Operator reconciles these passwords continuously from K8s Secrets.
-  # This ensures password rotation in KeePassXC/Vault propagates to PG.
+  # Operator reconciles the password continuously from K8s Secret.
   managed:
     roles:
-      - name: keycloak
-        ensure: present
-        login: true
-        passwordSecret:
-          name: net-kingdom-pg-keycloak-app
       - name: privacyidea
         ensure: present
         login: true
diff --git a/sso-mfa/k8s/postgresql/create-secrets.sh b/sso-mfa/k8s/postgresql/create-secrets.sh
index e166337..ca4645b 100755
--- a/sso-mfa/k8s/postgresql/create-secrets.sh
+++ b/sso-mfa/k8s/postgresql/create-secrets.sh
@@ -7,10 +7,11 @@
 # <secrets-dir> is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
 # (default: ../../bootstrap/secrets).
 #
-# Creates two K8s Secrets in the databases namespace:
-#   net-kingdom-pg-keycloak-app       â€” keycloak DB credentials
+# Creates one K8s Secret in the databases namespace:
 #   net-kingdom-pg-privacyidea-app    â€” privacyIDEA DB credentials
 #
+# Note: net-kingdom-pg-keycloak-app removed â€” Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
+#
 # These secrets must exist before applying cluster.yaml.
 # Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
 
@@ -24,36 +25,23 @@ if [[ ! -d "$SECRETS_DIR" ]]; then
     exit 1
 fi
 
-PG_SECRETS="$SECRETS_DIR/postgres/secrets.env"
 PI_SECRETS="$SECRETS_DIR/privacyidea/secrets.env"
 
-if [[ ! -f "$PG_SECRETS" ]]; then
-    echo "ERROR: $PG_SECRETS not found" >&2
-    exit 1
-fi
 if [[ ! -f "$PI_SECRETS" ]]; then
     echo "ERROR: $PI_SECRETS not found" >&2
     exit 1
 fi
 
-# Source the generated env files (they contain KEY=VALUE pairs, no export)
+# Source the generated env file (KEY=VALUE pairs, no export)
 # Use a subshell to avoid polluting the current environment.
-PG_KC_PASS=$(bash -c "source $PG_SECRETS 2>/dev/null; echo \$PG_KEYCLOAK_PASSWORD")
 PI_DB_PASS=$(bash -c "source $PI_SECRETS 2>/dev/null; echo \$PI_DB_PASSWORD")
 
-if [[ -z "$PG_KC_PASS" || -z "$PI_DB_PASS" ]]; then
-    echo "ERROR: could not read passwords from secrets files." >&2
-    echo "Check that gen-secrets.sh ran successfully and the files are intact." >&2
+if [[ -z "$PI_DB_PASS" ]]; then
+    echo "ERROR: could not read PI_DB_PASSWORD from $PI_SECRETS" >&2
+    echo "Check that gen-secrets.sh ran successfully and the file is intact." >&2
     exit 1
 fi
 
-echo "Creating K8s Secret: net-kingdom-pg-keycloak-app"
-kubectl create secret generic net-kingdom-pg-keycloak-app \
-    --namespace=databases \
-    --from-literal=username=keycloak \
-    --from-literal=password="$PG_KC_PASS" \
-    --dry-run=client -o yaml | kubectl apply -f -
-
 echo "Creating K8s Secret: net-kingdom-pg-privacyidea-app"
 kubectl create secret generic net-kingdom-pg-privacyidea-app \
     --namespace=databases \
@@ -62,8 +50,8 @@ kubectl create secret generic net-kingdom-pg-privacyidea-app \
     --dry-run=client -o yaml | kubectl apply -f -
 
 echo ""
-echo "Done. Secrets created in namespace: databases"
+echo "Done. Secret created in namespace: databases"
 echo ""
 echo "Verify:"
 echo "  kubectl get secrets -n databases"
-echo "  kubectl describe secret net-kingdom-pg-keycloak-app -n databases"
+echo "  kubectl describe secret net-kingdom-pg-privacyidea-app -n databases"
diff --git a/sso-mfa/k8s/verify-t02.sh b/sso-mfa/k8s/verify-t02.sh
index 0205eb0..063b9e7 100755
--- a/sso-mfa/k8s/verify-t02.sh
+++ b/sso-mfa/k8s/verify-t02.sh
@@ -62,9 +62,8 @@ for ns in sso mfa databases; do
     check "allow-egress-dns in $ns" \
         $KUBECTL get networkpolicy allow-egress-dns -n "$ns"
 done
-check "allow-ingress-from-traefik in sso"       $KUBECTL get networkpolicy allow-ingress-from-traefik -n sso
-check "allow-egress-to-postgres in sso"         $KUBECTL get networkpolicy allow-egress-to-postgres -n sso
-check "allow-egress-to-privacyidea in sso"      $KUBECTL get networkpolicy allow-egress-to-privacyidea -n sso
+check "allow-traefik-to-keycape in sso"          $KUBECTL get networkpolicy allow-traefik-to-keycape -n sso
+check "allow-keycape-egress-to-privacyidea in sso" $KUBECTL get networkpolicy allow-keycape-egress-to-privacyidea -n sso
 check "allow-ingress-from-traefik in mfa"       $KUBECTL get networkpolicy allow-ingress-from-traefik -n mfa
 check "allow-ingress-from-keycloak in mfa"      $KUBECTL get networkpolicy allow-ingress-from-keycloak -n mfa
 check "allow-egress-to-postgres in mfa"         $KUBECTL get networkpolicy allow-egress-to-postgres -n mfa
diff --git a/sso-mfa/k8s/verify-t03.sh b/sso-mfa/k8s/verify-t03.sh
index 6ffa824..ff2a91a 100755
--- a/sso-mfa/k8s/verify-t03.sh
+++ b/sso-mfa/k8s/verify-t03.sh
@@ -4,11 +4,13 @@
 # Checks:
 #   1. CloudNativePG operator is installed and running
 #   2. Cluster net-kingdom-pg is Ready
-#   3. Both application databases exist (keycloak_db, privacyidea_db)
-#   4. Both application roles exist (keycloak, privacyidea)
+#   3. privacyidea_db database exists
+#   4. privacyidea role exists
 #   5. K8s Secrets are present in the databases namespace
 #   6. (Optional) Scheduled backup CR is present when backup is configured
 #
+# Note: keycloak_db removed â€” Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
+#
 # Usage:
 #   chmod +x verify-t03.sh
 #   ./verify-t03.sh
@@ -19,9 +21,9 @@ PASS=0
 FAIL=0
 WARN=0
 
-pass() { echo "  [PASS] $1"; ((PASS++)); }
-fail() { echo "  [FAIL] $1"; ((FAIL++)); }
-warn() { echo "  [WARN] $1"; ((WARN++)); }
+pass() { echo "  [PASS] $1"; PASS=$((PASS + 1)); }
+fail() { echo "  [FAIL] $1"; FAIL=$((FAIL + 1)); }
+warn() { echo "  [WARN] $1"; WARN=$((WARN + 1)); }
 
 section() { echo ""; echo "â”€â”€ $1 â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€"; }
 
@@ -76,15 +78,9 @@ section "3. Databases"
 
 if [[ -n "$PRIMARY_POD" ]]; then
     DB_LIST=$(kubectl exec -n databases "$PRIMARY_POD" -- \
-        psql -U postgres -tAc "SELECT datname FROM pg_database WHERE datname IN ('keycloak_db','privacyidea_db') ORDER BY datname;" \
+        psql -U postgres -tAc "SELECT datname FROM pg_database WHERE datname = 'privacyidea_db';" \
         2>/dev/null || echo "")
 
-    if echo "$DB_LIST" | grep -q "keycloak_db"; then
-        pass "keycloak_db exists"
-    else
-        fail "keycloak_db not found"
-    fi
-
     if echo "$DB_LIST" | grep -q "privacyidea_db"; then
         pass "privacyidea_db exists"
     else
@@ -99,15 +95,9 @@ section "4. Database roles"
 
 if [[ -n "$PRIMARY_POD" ]]; then
     ROLE_LIST=$(kubectl exec -n databases "$PRIMARY_POD" -- \
-        psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname IN ('keycloak','privacyidea') ORDER BY rolname;" \
+        psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname = 'privacyidea';" \
         2>/dev/null || echo "")
 
-    if echo "$ROLE_LIST" | grep -q "keycloak"; then
-        pass "role keycloak exists"
-    else
-        fail "role keycloak not found"
-    fi
-
     if echo "$ROLE_LIST" | grep -q "privacyidea"; then
         pass "role privacyidea exists"
     else
@@ -120,7 +110,7 @@ fi
 # â”€â”€ 5. K8s Secrets â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
 section "5. K8s Secrets (databases namespace)"
 
-for secret in net-kingdom-pg-keycloak-app net-kingdom-pg-privacyidea-app; do
+for secret in net-kingdom-pg-privacyidea-app; do
     if kubectl get secret "$secret" -n databases &>/dev/null; then
         pass "Secret $secret exists"
     else