generated from coulomb/repo-seed
feat(local-identity): add NK-WP-0002 workplan and LocalIdentity.md
Follows resolved decisions D4 and D5 (2026-03-01, Tegwick): D4 — ESO chosen as secret injection strategy. NK-WP-0001 T01 Phase 0b updated to specify ESO; T01 done-criteria updated to require a working ESO test injection. D5 — Local Identity implemented in-repo (not a separate repo). Four deliverables: - docs/LocalIdentity.md: capability overview, design principles, user schema, OIDC provider description, risk mitigations, scope boundaries - workplans/NK-WP-0002-local-identity.md: four-stage implementation plan (core file store, bootstrap integration, minimal OIDC, security hardening) with State Hub task IDs - NK-WP-0001 updated: D2/D4/D5 rows resolved, T07 bootstrap section now references NK-WP-0002 and documents the export→Keycloak migration path, Open Questions condensed to two remaining artefacts Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -45,10 +45,10 @@ Two are pending and require further investigation (see Open Questions).
|
||||
| ID | Decision | Status | Outcome / Notes |
|
||||
|----|----------|--------|-----------------|
|
||||
| D1 | Vault backend | **Resolved** | KeePassXC pre-cluster → HashiCorp Vault in-cluster. |
|
||||
| D2 | Identity source of truth | **Resolved** | Hybrid: Keycloak-internal + LDAP/Entra for enterprise tier. File-based bootstrap user store deferred pending D5. |
|
||||
| D2 | Identity source of truth | **Resolved** | Hybrid: Keycloak-internal + LDAP/Entra for enterprise tier. File-based bootstrap user store → Local Identity (NK-WP-0002). |
|
||||
| D3 | GitOps tooling | **Resolved** | Plain Helm first, upgrade to Flux when warranted. AI-first philosophy (TDD, API-first, MCP, CLI; UI separate repos) — ecosystem ADR requested from custodian. |
|
||||
| D4 | Secret injection: ESO vs Vault Agent Injector | **Pending** | Gates T01 Phase 0b. Tegwick to investigate. |
|
||||
| D5 | File-based bootstrap user store: separate repo vs defer vs existing tool | **Pending** | Full SWOT in State Hub. Preliminary recommendation: evaluate Keycloak Docker Compose first. |
|
||||
| D4 | Secret injection: ESO vs Vault Agent Injector | **Resolved** | **ESO.** GitOps-aligned; standard K8s Secrets consumable by plain Helm. Monitor dynamic-secret gaps; revisit if needed. |
|
||||
| D5 | File-based bootstrap user store | **Resolved** | **Implement in-repo as `local-identity`.** Staged workplan: NK-WP-0002. See `docs/LocalIdentity.md`. |
|
||||
|
||||
## Architecture
|
||||
|
||||
@@ -118,15 +118,16 @@ manifests). Store offsite.
|
||||
**Phase 0b — HashiCorp Vault in-cluster (after T02, once K3s is running):**
|
||||
|
||||
Deploy HashiCorp Vault in the cluster (Helm chart). Migrate secrets from
|
||||
KeePassXC into Vault. Enable K8s encryption-at-rest. Choose and implement
|
||||
secret injection strategy: External Secrets Operator + Vault backend, or
|
||||
Vault Agent Injector (ESO preferred for GitOps alignment). KeePassXC
|
||||
remains the source of truth for dev/test/sandbox systems that do not connect
|
||||
to the cluster Vault.
|
||||
KeePassXC into Vault. Enable K8s encryption-at-rest. Deploy External Secrets
|
||||
Operator (ESO) — **decided D4**: ESO reconciles Vault secrets into standard
|
||||
K8s Secrets, compatible with plain Helm charts without Vault-specific
|
||||
annotations. KeePassXC remains the source of truth for dev/test/sandbox
|
||||
systems that do not connect to the cluster Vault.
|
||||
|
||||
**Done when:** KeePassXC created and all secrets generated (0a). Vault
|
||||
deployed in-cluster, secrets migrated, injection strategy operational (0b).
|
||||
Encrypted ops bundle exported and stored offsite.
|
||||
deployed in-cluster, secrets migrated, ESO operational and injecting secrets
|
||||
into at least one test workload (0b). Encrypted ops bundle exported and
|
||||
stored offsite.
|
||||
|
||||
---
|
||||
|
||||
@@ -326,14 +327,13 @@ Configure auditing and log shipping: privacyIDEA audit logs + Keycloak
|
||||
events → centralized logging (ELK/Loki or equivalent). Token lifecycle
|
||||
policies: enrollment, revocation, re-enrollment on device loss.
|
||||
|
||||
**Bootstrap user management (D2 extension — scope TBD):**
|
||||
D2 also specifies a file-based lightweight user store for pre-Keycloak
|
||||
systems (dev/test/sandbox that do not connect to the cluster). Users stored
|
||||
as files in a secure subdirectory of the Linux home directory; auto-generates
|
||||
two test users with `N` / `+testN` username and email suffixes. Test users
|
||||
must not spill over into other systems; a mapping mechanism from sandbox
|
||||
identities to production should be provided. This scope is not yet captured
|
||||
in a task — see Open Questions.
|
||||
**Bootstrap user management (D2 + D5 — Local Identity):**
|
||||
The pre-Keycloak user store is implemented as the `local-identity` capability.
|
||||
See [NK-WP-0002](NK-WP-0002-local-identity.md) and
|
||||
[docs/LocalIdentity.md](../docs/LocalIdentity.md). NK-WP-0002 Stage 2
|
||||
produces Keycloak-compatible user exports (`local-identity export --all`)
|
||||
that feed the realm bulk-import during T06. Once T06 is operational,
|
||||
Local Identity should be explicitly migrated away from for that instance.
|
||||
|
||||
**Done when:** policies documented and applied, self-service portal live,
|
||||
audit logs flowing, Keycloak resolver configured.
|
||||
@@ -402,9 +402,10 @@ documented and tested, HSTS and NetworkPolicies verified.
|
||||
See `DECISIONS.md` for the three resolved decisions (D1–D3).
|
||||
Two pending decisions have been raised; see State Hub for full detail.
|
||||
|
||||
| # | Item | State Hub artefact | Status |
|
||||
|---|------|--------------------|--------|
|
||||
| D4 | Secret injection: ESO vs Vault Agent Injector | Decision `aca69951` | Pending — Tegwick to investigate |
|
||||
| D5 | File-based bootstrap user store | Decision `d74e2b11` (full SWOT) | Pending — evaluate Keycloak Docker Compose first |
|
||||
| — | AI-first ecosystem ADR | Task `007415ef` → [repo:custodian] | Recommended; custodian to create |
|
||||
| EP-NK-001 | LDAP/AD/Entra federation | Extension point `513a7644` | Open; enterprise tier |
|
||||
All five decisions are now resolved. See `DECISIONS.md` for D1–D3 rationale;
|
||||
State Hub decisions `aca69951` (D4) and `d74e2b11` (D5) for the full records.
|
||||
|
||||
| Artefact | Item | Status |
|
||||
|----------|------|--------|
|
||||
| Task `007415ef` → [repo:custodian] | Create ecosystem ADR for AI-first principles (D3) | Open; custodian to action |
|
||||
| EP-NK-001 (`513a7644`) | LDAP/AD/Entra federation | Open; enterprise tier |
|
||||
|
||||
Reference in New Issue
Block a user