feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-20 02:57:41 +00:00
parent 0d5d12cb67
commit 6d25d088d7
14 changed files with 181 additions and 66 deletions

View File

@@ -4,11 +4,13 @@
# Checks:
# 1. CloudNativePG operator is installed and running
# 2. Cluster net-kingdom-pg is Ready
# 3. Both application databases exist (keycloak_db, privacyidea_db)
# 4. Both application roles exist (keycloak, privacyidea)
# 3. privacyidea_db database exists
# 4. privacyidea role exists
# 5. K8s Secrets are present in the databases namespace
# 6. (Optional) Scheduled backup CR is present when backup is configured
#
# Note: keycloak_db removed — Keycloak replaced by Authelia+LLDAP+KeyCape (T05).
#
# Usage:
# chmod +x verify-t03.sh
# ./verify-t03.sh
@@ -19,9 +21,9 @@ PASS=0
FAIL=0
WARN=0
pass() { echo " [PASS] $1"; ((PASS++)); }
fail() { echo " [FAIL] $1"; ((FAIL++)); }
warn() { echo " [WARN] $1"; ((WARN++)); }
pass() { echo " [PASS] $1"; PASS=$((PASS + 1)); }
fail() { echo " [FAIL] $1"; FAIL=$((FAIL + 1)); }
warn() { echo " [WARN] $1"; WARN=$((WARN + 1)); }
section() { echo ""; echo "── $1 ──────────────────────────────────────"; }
@@ -76,15 +78,9 @@ section "3. Databases"
if [[ -n "$PRIMARY_POD" ]]; then
DB_LIST=$(kubectl exec -n databases "$PRIMARY_POD" -- \
psql -U postgres -tAc "SELECT datname FROM pg_database WHERE datname IN ('keycloak_db','privacyidea_db') ORDER BY datname;" \
psql -U postgres -tAc "SELECT datname FROM pg_database WHERE datname = 'privacyidea_db';" \
2>/dev/null || echo "")
if echo "$DB_LIST" | grep -q "keycloak_db"; then
pass "keycloak_db exists"
else
fail "keycloak_db not found"
fi
if echo "$DB_LIST" | grep -q "privacyidea_db"; then
pass "privacyidea_db exists"
else
@@ -99,15 +95,9 @@ section "4. Database roles"
if [[ -n "$PRIMARY_POD" ]]; then
ROLE_LIST=$(kubectl exec -n databases "$PRIMARY_POD" -- \
psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname IN ('keycloak','privacyidea') ORDER BY rolname;" \
psql -U postgres -tAc "SELECT rolname FROM pg_roles WHERE rolname = 'privacyidea';" \
2>/dev/null || echo "")
if echo "$ROLE_LIST" | grep -q "keycloak"; then
pass "role keycloak exists"
else
fail "role keycloak not found"
fi
if echo "$ROLE_LIST" | grep -q "privacyidea"; then
pass "role privacyidea exists"
else
@@ -120,7 +110,7 @@ fi
# ── 5. K8s Secrets ────────────────────────────────────────────────────────────
section "5. K8s Secrets (databases namespace)"
for secret in net-kingdom-pg-keycloak-app net-kingdom-pg-privacyidea-app; do
for secret in net-kingdom-pg-privacyidea-app; do
if kubectl get secret "$secret" -n databases &>/dev/null; then
pass "Secret $secret exists"
else