feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow replaces KeePassXC dependency; encrypted .env.age files committed to repo - Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey - Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext - Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack - Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug - Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only - Update postgresql/create-secrets.sh: remove keycloak secret - Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API - T02 COMPLETE: namespaces, network policies, cert-manager issuers applied - T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -1,9 +1,10 @@
|
||||
# CloudNativePG Cluster — net-kingdom-pg
|
||||
#
|
||||
# Creates a PostgreSQL 16 cluster with two application databases:
|
||||
# keycloak_db (owner: keycloak)
|
||||
# Creates a PostgreSQL 16 cluster with one application database:
|
||||
# privacyidea_db (owner: privacyidea)
|
||||
#
|
||||
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
|
||||
#
|
||||
# Prerequisites:
|
||||
# - CloudNativePG operator installed (see README.md)
|
||||
# - K8s Secrets created (see create-secrets.sh)
|
||||
@@ -27,33 +28,19 @@ spec:
|
||||
imageName: ghcr.io/cloudnative-pg/postgresql:16
|
||||
|
||||
# ── Bootstrap ────────────────────────────────────────────────────────────────
|
||||
# Creates keycloak_db with owner keycloak. privacyidea_db and the
|
||||
# privacyidea role are created in postInitSQL (runs as superuser).
|
||||
# managed.roles below reconciles passwords for both users continuously.
|
||||
# Creates privacyidea_db with owner privacyidea.
|
||||
# managed.roles below reconciles the password continuously from K8s Secret.
|
||||
bootstrap:
|
||||
initdb:
|
||||
database: keycloak_db
|
||||
owner: keycloak
|
||||
database: privacyidea_db
|
||||
owner: privacyidea
|
||||
secret:
|
||||
name: net-kingdom-pg-keycloak-app
|
||||
postInitSQL:
|
||||
- "CREATE ROLE privacyidea WITH LOGIN;"
|
||||
- "CREATE DATABASE privacyidea_db OWNER privacyidea;"
|
||||
- "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
|
||||
- "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
|
||||
- "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
|
||||
- "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"
|
||||
name: net-kingdom-pg-privacyidea-app
|
||||
|
||||
# ── Managed roles ────────────────────────────────────────────────────────────
|
||||
# Operator reconciles these passwords continuously from K8s Secrets.
|
||||
# This ensures password rotation in KeePassXC/Vault propagates to PG.
|
||||
# Operator reconciles the password continuously from K8s Secret.
|
||||
managed:
|
||||
roles:
|
||||
- name: keycloak
|
||||
ensure: present
|
||||
login: true
|
||||
passwordSecret:
|
||||
name: net-kingdom-pg-keycloak-app
|
||||
- name: privacyidea
|
||||
ensure: present
|
||||
login: true
|
||||
|
||||
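Review bot: The rewritten bootstrap block drops the whole `postInitSQL` list, including `REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;`, so privacyidea_db keeps PostgreSQL's default CONNECT grant to PUBLIC and any other login role later added to the cluster could open a session on it. Keeping that one statement under `initdb` would preserve the least-privilege setup: `postInitSQL:` followed by `- "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"`. The owner retains its own access, but it is worth confirming that the operator runs the statement after the application database exists. Separately, removing the keycloak entry from `managed.roles` probably leaves that role and its login in place on any cluster already created from the old manifest, where `ensure: absent` would be needed to drop it. The privacyidea role entry continues past the end of the hunk.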
@@ -7,10 +7,11 @@
|
||||
# <secrets-dir> is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
|
||||
# (default: ../../bootstrap/secrets).
|
||||
#
|
||||
# Creates two K8s Secrets in the databases namespace:
|
||||
# net-kingdom-pg-keycloak-app — keycloak DB credentials
|
||||
# Creates one K8s Secret in the databases namespace:
|
||||
# net-kingdom-pg-privacyidea-app — privacyIDEA DB credentials
|
||||
#
|
||||
# Note: net-kingdom-pg-keycloak-app removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
|
||||
#
|
||||
# These secrets must exist before applying cluster.yaml.
|
||||
# Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
|
||||
|
||||
@@ -24,36 +25,23 @@ if [[ ! -d "$SECRETS_DIR" ]]; then
|
||||
exit 1
|
||||
fi
|
||||
|
||||
PG_SECRETS="$SECRETS_DIR/postgres/secrets.env"
|
||||
PI_SECRETS="$SECRETS_DIR/privacyidea/secrets.env"
|
||||
|
||||
if [[ ! -f "$PG_SECRETS" ]]; then
|
||||
echo "ERROR: $PG_SECRETS not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [[ ! -f "$PI_SECRETS" ]]; then
|
||||
echo "ERROR: $PI_SECRETS not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Source the generated env files (they contain KEY=VALUE pairs, no export)
|
||||
# Source the generated env file (KEY=VALUE pairs, no export)
|
||||
# Use a subshell to avoid polluting the current environment.
|
||||
PG_KC_PASS=$(bash -c "source $PG_SECRETS 2>/dev/null; echo \$PG_KEYCLOAK_PASSWORD")
|
||||
PI_DB_PASS=$(bash -c "source $PI_SECRETS 2>/dev/null; echo \$PI_DB_PASSWORD")
|
||||
|
||||
if [[ -z "$PG_KC_PASS" || -z "$PI_DB_PASS" ]]; then
|
||||
echo "ERROR: could not read passwords from secrets files." >&2
|
||||
echo "Check that gen-secrets.sh ran successfully and the files are intact." >&2
|
||||
if [[ -z "$PI_DB_PASS" ]]; then
|
||||
echo "ERROR: could not read PI_DB_PASSWORD from $PI_SECRETS" >&2
|
||||
echo "Check that gen-secrets.sh ran successfully and the file is intact." >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "Creating K8s Secret: net-kingdom-pg-keycloak-app"
|
||||
kubectl create secret generic net-kingdom-pg-keycloak-app \
|
||||
--namespace=databases \
|
||||
--from-literal=username=keycloak \
|
||||
--from-literal=password="$PG_KC_PASS" \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
|
||||
echo "Creating K8s Secret: net-kingdom-pg-privacyidea-app"
|
||||
kubectl create secret generic net-kingdom-pg-privacyidea-app \
|
||||
--namespace=databases \
|
||||
@@ -62,8 +50,8 @@ kubectl create secret generic net-kingdom-pg-privacyidea-app \
|
||||
--dry-run=client -o yaml | kubectl apply -f -
|
||||
|
||||
echo ""
|
||||
echo "Done. Secrets created in namespace: databases"
|
||||
echo "Done. Secret created in namespace: databases"
|
||||
echo ""
|
||||
echo "Verify:"
|
||||
echo " kubectl get secrets -n databases"
|
||||
echo " kubectl describe secret net-kingdom-pg-keycloak-app -n databases"
|
||||
echo " kubectl describe secret net-kingdom-pg-privacyidea-app -n databases"
|
||||
|
||||
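Review bot: In the second hunk the retained line `PI_DB_PASS=$(bash -c "source $PI_SECRETS 2>/dev/null; echo \$PI_DB_PASSWORD")` splices the secrets path unquoted into a shell command string, so a secrets directory whose name contains a space or a shell metacharacter is parsed as code, and `2>/dev/null` hides a failed `source`. Passing the path as a positional argument avoids both: `PI_DB_PASS=$(bash -c 'source "$1" && printf "%s" "$PI_DB_PASSWORD"' _ "$PI_SECRETS")`; `printf` also keeps a password beginning with `-n` or `-e` intact, which `echo` would not. Sourcing still executes whatever the file contains, so this relies on the decrypted env file being trusted and not writable by others. The header comment in the first hunk still says to re-run after rotating passwords in KeePassXC, which the commit message describes as replaced by the age workflow.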