feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-20 02:57:41 +00:00
parent 0d5d12cb67
commit 6d25d088d7
14 changed files with 181 additions and 66 deletions

View File

@@ -1,9 +1,10 @@
# CloudNativePG Cluster — net-kingdom-pg
#
# Creates a PostgreSQL 16 cluster with two application databases:
# keycloak_db (owner: keycloak)
# Creates a PostgreSQL 16 cluster with one application database:
# privacyidea_db (owner: privacyidea)
#
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# Prerequisites:
# - CloudNativePG operator installed (see README.md)
# - K8s Secrets created (see create-secrets.sh)
@@ -27,33 +28,19 @@ spec:
imageName: ghcr.io/cloudnative-pg/postgresql:16
# ── Bootstrap ────────────────────────────────────────────────────────────────
# Creates keycloak_db with owner keycloak. privacyidea_db and the
# privacyidea role are created in postInitSQL (runs as superuser).
# managed.roles below reconciles passwords for both users continuously.
# Creates privacyidea_db with owner privacyidea.
# managed.roles below reconciles the password continuously from K8s Secret.
bootstrap:
initdb:
database: keycloak_db
owner: keycloak
database: privacyidea_db
owner: privacyidea
secret:
name: net-kingdom-pg-keycloak-app
postInitSQL:
- "CREATE ROLE privacyidea WITH LOGIN;"
- "CREATE DATABASE privacyidea_db OWNER privacyidea;"
- "REVOKE CONNECT ON DATABASE privacyidea_db FROM PUBLIC;"
- "REVOKE CONNECT ON DATABASE keycloak_db FROM PUBLIC;"
- "GRANT CONNECT ON DATABASE keycloak_db TO keycloak;"
- "GRANT CONNECT ON DATABASE privacyidea_db TO privacyidea;"
name: net-kingdom-pg-privacyidea-app
# ── Managed roles ────────────────────────────────────────────────────────────
# Operator reconciles these passwords continuously from K8s Secrets.
# This ensures password rotation in KeePassXC/Vault propagates to PG.
# Operator reconciles the password continuously from K8s Secret.
managed:
roles:
- name: keycloak
ensure: present
login: true
passwordSecret:
name: net-kingdom-pg-keycloak-app
- name: privacyidea
ensure: present
login: true