generated from coulomb/repo-seed
feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow replaces KeePassXC dependency; encrypted .env.age files committed to repo - Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey - Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext - Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack - Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug - Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only - Update postgresql/create-secrets.sh: remove keycloak secret - Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API - T02 COMPLETE: namespaces, network policies, cert-manager issuers applied - T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -1,9 +1,10 @@
|
||||
# CloudNativePG Cluster — net-kingdom-pg
|
||||
#
|
||||
# Creates a PostgreSQL 16 cluster with two application databases:
|
||||
# keycloak_db (owner: keycloak)
|
||||
# Creates a PostgreSQL 16 cluster with one application database:
|
||||
# privacyidea_db (owner: privacyidea)
|
||||
#
|
||||
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
|
||||
#
|
||||
# Prerequisites:
|
||||
# - CloudNativePG operator installed (see README.md)
|
||||
# - K8s Secrets created (see create-secrets.sh)
|
||||
@@ -27,33 +28,19 @@ spec:
|
||||
imageName: ghcr.io/cloudnative-pg/postgresql:16
|
||||
|
||||
# ── Bootstrap ────────────────────────────────────────────────────────────────
|
||||
# Creates keycloak_db with owner keycloak. privacyidea_db and the
|
||||
# privacyidea role are created in postInitSQL (runs as superuser).
|
||||
# managed.roles below reconciles passwords for both users continuously.
|
||||
# Creates privacyidea_db with owner privacyidea.
|
||||
# managed.roles below reconciles the password continuously from K8s Secret.
|
||||
bootstrap:
|
||||
initdb:
|
||||
database: keycloak_db
|
||||
owner: keycloak
|
||||
database: privacyidea_db
|
||||
owner: privacyidea
|
||||
secret:
|
||||
name: net-kingdom-pg-keycloak-app
|
||||
postInitSQL:
|
||||
- "CREATE ROLE privacyidea WITH LOGIN;"
|
||||
- "CREATE DATABASE privacyidea_db OWNER privacyidea;"
|
||||
- "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
|
||||
- "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
|
||||
- "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
|
||||
- "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"
|
||||
name: net-kingdom-pg-privacyidea-app
|
||||
|
||||
# ── Managed roles ────────────────────────────────────────────────────────────
|
||||
# Operator reconciles these passwords continuously from K8s Secrets.
|
||||
# This ensures password rotation in KeePassXC/Vault propagates to PG.
|
||||
# Operator reconciles the password continuously from K8s Secret.
|
||||
managed:
|
||||
roles:
|
||||
- name: keycloak
|
||||
ensure: present
|
||||
login: true
|
||||
passwordSecret:
|
||||
name: net-kingdom-pg-keycloak-app
|
||||
- name: privacyidea
|
||||
ensure: present
|
||||
login: true
|
||||
|
||||
Reference in New Issue
Block a user