feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-20 02:57:41 +00:00
parent 0d5d12cb67
commit 6d25d088d7
14 changed files with 181 additions and 66 deletions

View File

@@ -1,9 +1,10 @@
# CloudNativePG Cluster — net-kingdom-pg
#
# Creates a PostgreSQL 16 cluster with two application databases:
# keycloak_db (owner: keycloak)
# Creates a PostgreSQL 16 cluster with one application database:
# privacyidea_db (owner: privacyidea)
#
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# Prerequisites:
# - CloudNativePG operator installed (see README.md)
# - K8s Secrets created (see create-secrets.sh)
@@ -27,33 +28,19 @@ spec:
imageName: ghcr.io/cloudnative-pg/postgresql:16
# ── Bootstrap ────────────────────────────────────────────────────────────────
# Creates keycloak_db with owner keycloak. privacyidea_db and the
# privacyidea role are created in postInitSQL (runs as superuser).
# managed.roles below reconciles passwords for both users continuously.
# Creates privacyidea_db with owner privacyidea.
# managed.roles below reconciles the password continuously from K8s Secret.
bootstrap:
initdb:
database: keycloak_db
owner: keycloak
database: privacyidea_db
owner: privacyidea
secret:
name: net-kingdom-pg-keycloak-app
postInitSQL:
- "CREATE ROLE privacyidea WITH LOGIN;"
- "CREATE DATABASE privacyidea_db OWNER privacyidea;"
- "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
- "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
- "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
- "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"
name: net-kingdom-pg-privacyidea-app
# ── Managed roles ────────────────────────────────────────────────────────────
# Operator reconciles these passwords continuously from K8s Secrets.
# This ensures password rotation in KeePassXC/Vault propagates to PG.
# Operator reconciles the password continuously from K8s Secret.
managed:
roles:
- name: keycloak
ensure: present
login: true
passwordSecret:
name: net-kingdom-pg-keycloak-app
- name: privacyidea
ensure: present
login: true

View File

@@ -7,10 +7,11 @@
# <secrets-dir> is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
# (default: ../../bootstrap/secrets).
#
# Creates two K8s Secrets in the databases namespace:
# net-kingdom-pg-keycloak-app — keycloak DB credentials
# Creates one K8s Secret in the databases namespace:
# net-kingdom-pg-privacyidea-app — privacyIDEA DB credentials
#
# Note: net-kingdom-pg-keycloak-app removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# These secrets must exist before applying cluster.yaml.
# Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
@@ -24,36 +25,23 @@ if [[ ! -d "$SECRETS_DIR" ]]; then
exit 1
fi
PG_SECRETS="$SECRETS_DIR/postgres/secrets.env"
PI_SECRETS="$SECRETS_DIR/privacyidea/secrets.env"
if [[ ! -f "$PG_SECRETS" ]]; then
echo "ERROR: $PG_SECRETS not found" >&2
exit 1
fi
if [[ ! -f "$PI_SECRETS" ]]; then
echo "ERROR: $PI_SECRETS not found" >&2
exit 1
fi
# Source the generated env files (they contain KEY=VALUE pairs, no export)
# Source the generated env file (KEY=VALUE pairs, no export)
# Use a subshell to avoid polluting the current environment.
PG_KC_PASS=$(bash -c "source $PG_SECRETS 2>/dev/null; echo \$PG_KEYCLOAK_PASSWORD")
PI_DB_PASS=$(bash -c "source $PI_SECRETS 2>/dev/null; echo \$PI_DB_PASSWORD")
if [[ -z "$PG_KC_PASS" || -z "$PI_DB_PASS" ]]; then
echo "ERROR: could not read passwords from secrets files." >&2
echo "Check that gen-secrets.sh ran successfully and the files are intact." >&2
if [[ -z "$PI_DB_PASS" ]]; then
echo "ERROR: could not read PI_DB_PASSWORD from $PI_SECRETS" >&2
echo "Check that gen-secrets.sh ran successfully and the file is intact." >&2
exit 1
fi
echo "Creating K8s Secret: net-kingdom-pg-keycloak-app"
kubectl create secret generic net-kingdom-pg-keycloak-app \
--namespace=databases \
--from-literal=username=keycloak \
--from-literal=password="$PG_KC_PASS" \
--dry-run=client -o yaml | kubectl apply -f -
echo "Creating K8s Secret: net-kingdom-pg-privacyidea-app"
kubectl create secret generic net-kingdom-pg-privacyidea-app \
--namespace=databases \
@@ -62,8 +50,8 @@ kubectl create secret generic net-kingdom-pg-privacyidea-app \
--dry-run=client -o yaml | kubectl apply -f -
echo ""
echo "Done. Secrets created in namespace: databases"
echo "Done. Secret created in namespace: databases"
echo ""
echo "Verify:"
echo " kubectl get secrets -n databases"
echo " kubectl describe secret net-kingdom-pg-keycloak-app -n databases"
echo " kubectl describe secret net-kingdom-pg-privacyidea-app -n databases"