feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

sso-mfa/k8s/postgresql/create-secrets.sh

@@ -7,10 +7,11 @@
 # <secrets-dir> is the output directory produced by sso-mfa/bootstrap/gen-secrets.sh
 # (default: ../../bootstrap/secrets).
 #
-# Creates two K8s Secrets in the databases namespace:
-#   net-kingdom-pg-keycloak-app       — keycloak DB credentials
+# Creates one K8s Secret in the databases namespace:
 #   net-kingdom-pg-privacyidea-app    — privacyIDEA DB credentials
 #
+# Note: net-kingdom-pg-keycloak-app removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
+#
 # These secrets must exist before applying cluster.yaml.
 # Re-run this script whenever you rotate passwords in KeePassXC / gen-secrets.sh.
 
@@ -24,36 +25,23 @@ if [[ ! -d "$SECRETS_DIR" ]]; then
     exit 1
 fi
 
-PG_SECRETS="$SECRETS_DIR/postgres/secrets.env"
 PI_SECRETS="$SECRETS_DIR/privacyidea/secrets.env"
 
-if [[ ! -f "$PG_SECRETS" ]]; then
-    echo "ERROR: $PG_SECRETS not found" >&2
-    exit 1
-fi
 if [[ ! -f "$PI_SECRETS" ]]; then
     echo "ERROR: $PI_SECRETS not found" >&2
     exit 1
 fi
 
-# Source the generated env files (they contain KEY=VALUE pairs, no export)
+# Source the generated env file (KEY=VALUE pairs, no export)
 # Use a subshell to avoid polluting the current environment.
-PG_KC_PASS=$(bash -c "source $PG_SECRETS 2>/dev/null; echo \$PG_KEYCLOAK_PASSWORD")
 PI_DB_PASS=$(bash -c "source $PI_SECRETS 2>/dev/null; echo \$PI_DB_PASSWORD")
 
-if [[ -z "$PG_KC_PASS" || -z "$PI_DB_PASS" ]]; then
-    echo "ERROR: could not read passwords from secrets files." >&2
-    echo "Check that gen-secrets.sh ran successfully and the files are intact." >&2
+if [[ -z "$PI_DB_PASS" ]]; then
+    echo "ERROR: could not read PI_DB_PASSWORD from $PI_SECRETS" >&2
+    echo "Check that gen-secrets.sh ran successfully and the file is intact." >&2
     exit 1
 fi
 
-echo "Creating K8s Secret: net-kingdom-pg-keycloak-app"
-kubectl create secret generic net-kingdom-pg-keycloak-app \
-    --namespace=databases \
-    --from-literal=username=keycloak \
-    --from-literal=password="$PG_KC_PASS" \
-    --dry-run=client -o yaml | kubectl apply -f -
-
 echo "Creating K8s Secret: net-kingdom-pg-privacyidea-app"
 kubectl create secret generic net-kingdom-pg-privacyidea-app \
     --namespace=databases \
@@ -62,8 +50,8 @@ kubectl create secret generic net-kingdom-pg-privacyidea-app \
     --dry-run=client -o yaml | kubectl apply -f -
 
 echo ""
-echo "Done. Secrets created in namespace: databases"
+echo "Done. Secret created in namespace: databases"
 echo ""
 echo "Verify:"
 echo "  kubectl get secrets -n databases"
-echo "  kubectl describe secret net-kingdom-pg-keycloak-app -n databases"
+echo "  kubectl describe secret net-kingdom-pg-privacyidea-app -n databases"