feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 02:57:41 +00:00
parent 0d5d12cb67
commit 6d25d088d7
14 changed files with 181 additions and 66 deletions
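The commit message describes the new workflow only in outline: secrets encrypted to an age public key, `.env.age` files committed, plaintext blocked by `.gitignore`. The pre-commit style check below is an added example, not the repo's `encrypt-secrets.sh` or `decrypt-secrets.sh`; it assumes the layout the message describes (an encrypted tree such as `bootstrap/secrets.enc/` holding `*.age` files) and adds a policy value of its own, `MIN_RECIPIENTS`, that the commit does not define. It parses the age header (the text up to the `--- <mac>` line, with or without `--armor`) so it can refuse a file that is plaintext, or is encrypted to fewer recipients than policy allows, before it reaches the repo.

```sh
#!/bin/sh
# Added example: a pre-commit style check for a tree of age-encrypted secrets.
# This is not the repo's encrypt-secrets.sh/decrypt-secrets.sh; it assumes the
# layout the commit describes (files under a secrets.enc/ directory, named *.age)
# and a MIN_RECIPIENTS policy value that is this example's own choice.

MIN_RECIPIENTS="${MIN_RECIPIENTS:-2}"

# Print the header of an age file: everything up to and including the
# "--- <mac>" line. age writes the header as text even in binary mode; with
# --armor the whole file is base64 between BEGIN/END lines, so strip that first.
age_header() {
    f="$1"
    if head -n1 "$f" | grep -q '^-----BEGIN AGE ENCRYPTED FILE-----$'; then
        sed '1d;$d' "$f" | base64 -d 2>/dev/null | LC_ALL=C sed '/^--- /q'
    else
        LC_ALL=C sed '/^--- /q' "$f"
    fi
}

# Number of recipient stanzas ("-> X25519 ...", "-> ssh-ed25519 ...") in the header.
age_recipient_count() {
    n=$(age_header "$1" | grep -c '^-> ') || true
    echo "$n"
}

# A file is acceptable when it carries the age magic line and is encrypted to
# at least MIN_RECIPIENTS recipients. Prints a reason and returns 1 otherwise.
check_age_file() {
    f="$1"
    hdr=$(age_header "$f")
    if [ "$(printf '%s\n' "$hdr" | head -n1)" != "age-encryption.org/v1" ]; then
        echo "$f: not an age file (plaintext committed?)"
        return 1
    fi
    n=$(age_recipient_count "$f")
    if [ "$n" -lt "$MIN_RECIPIENTS" ]; then
        echo "$f: encrypted to $n recipient(s); policy requires $MIN_RECIPIENTS"
        return 1
    fi
    return 0
}

# Walk a secrets directory: every regular file must be *.age and pass
# check_age_file. Prints one line per finding and returns the number of
# findings (0 = clean), so it can gate a commit. Paths are assumed to have
# no spaces.
check_secrets_dir() {
    dir="$1"
    bad=0
    for f in $(find "$dir" -type f | sort); do
        case "$f" in
            *.age) check_age_file "$f" || bad=$((bad + 1)) ;;
            *)     echo "$f: plaintext file in encrypted tree"; bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Encrypt one plaintext file to every public key in a recipients file (one age
# public key per line) and write ASCII-armored output beside it. Uses age's
# -R (recipients file), -a (armor) and -o (output) flags; not exercised in the
# checks above because it needs the age binary.
encrypt_secret() {
    age -R "$2" -a -o "$1.age" "$1"
}

# Usage (hypothetical paths):
#   check_secrets_dir bootstrap/secrets.enc || exit 1
#   encrypt_secret bootstrap/authelia/.env bootstrap/recipients.txt
```

Encrypting to a recipients file rather than a single `-r` key is what makes the recipient-count policy enforceable: a backup identity kept offline can be listed alongside the operator's key, and `check_secrets_dir` then rejects any file that was re-encrypted to only one of them.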

@@ -0,0 +1,7 @@
age-encryption.org/v1
-> X25519 yR2D3J78/vw1ohcdXCLy5IOoIuG+FtRs7Eiswk3gKyo
c9axBYTsFS4Gqb3Zdv5Gtk+/yEtKNH21iFLU1U3mxNs
--- Kc/0n9icRSyEEcAHJJdx2Vcv5CgjLucU8FdZArV3C2U
ìÏ9ÍôeY<EFBFBD>œ·ŒdT -GÄëÊ%½0xž ày=„0úOñî—Ö«ü豃־Qÿ"ú-[gßÁóÐ3eýœV3”<33>wt1½º<>“Cä$rj2\zû=IW ï7>=Ž<4B>ª8JUT¡G†læ"bv{g3@þ-¡â:Ƚ™2£;ÖÍPrÕUH<55>­Aö-Æë<C386>°ZØÌx¦„«.ïÑx}@EMž“+©ÚHÐ
€Óš´$¤Î;”¤¶>iûáÕe˜ò1xtCÌU¡4¹àÜÒO®¦zÃ
Žý<EFBFBD>O{qãÔ<C3A3>qE¬Ù¡?àS<ÂsµÎg©XL<58>¬ÎÂþy«í'‚¶Ùñ «f[넪Òü6<C3BC>°W£@C{‡¢#ö<>ñƒÅ9<C385>÷Î ¤%ò2³~ªyQ™(¥c ;¿ìùÄ͆’«#l`}uNÖ»Ž
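Review bot: the header of this file carries exactly one recipient stanza (the single `-> X25519 ...` line before the `---` MAC line), so the secret can only ever be opened with that one identity; if that private key is lost, or its holder is unavailable, every file in secrets.enc/ has to be regenerated rather than recovered. Encrypt to a second recipient as well (`age -r <primary> -r <backup-offline-key> ...`, or a recipients file via `-R`) and record in the directory which public keys each file is encrypted to. Separately, everything after the `---` line is raw binary, which is why it renders as garbage in this view; writing the files with `age --armor` (or marking `*.age` as binary in .gitattributes) keeps the committed ciphertext out of reach of line-ending normalization and makes the recipient header reviewable in diffs.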