feat(local-identity): add NK-WP-0002 workplan and LocalIdentity.md

Follows resolved decisions D4 and D5 (2026-03-01, Tegwick):

D4 — ESO chosen as secret injection strategy. NK-WP-0001 T01 Phase 0b
updated to specify ESO; T01 done-criteria updated to require a working ESO
test injection.

D5 — Local Identity implemented in-repo (not a separate repo). Four
deliverables:
- docs/LocalIdentity.md: capability overview, design principles, user
  schema, OIDC provider description, risk mitigations, scope boundaries
- workplans/NK-WP-0002-local-identity.md: four-stage implementation plan
  (core file store, bootstrap integration, minimal OIDC, security hardening)
  with State Hub task IDs
- NK-WP-0001 updated: D2/D4/D5 rows resolved, T07 bootstrap section now
  references NK-WP-0002 and documents the export→Keycloak migration path,
  Open Questions condensed to two remaining artefacts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-01 23:49:06 +01:00
parent 873fbcf052
commit 6ed0061962
3 changed files with 416 additions and 24 deletions

View File

@@ -45,10 +45,10 @@ Two are pending and require further investigation (see Open Questions).
| ID | Decision | Status | Outcome / Notes |
|----|----------|--------|-----------------|
| D1 | Vault backend | **Resolved** | KeePassXC pre-cluster → HashiCorp Vault in-cluster. |
| D2 | Identity source of truth | **Resolved** | Hybrid: Keycloak-internal + LDAP/Entra for enterprise tier. File-based bootstrap user store deferred pending D5. |
| D2 | Identity source of truth | **Resolved** | Hybrid: Keycloak-internal + LDAP/Entra for enterprise tier. File-based bootstrap user store → Local Identity (NK-WP-0002). |
| D3 | GitOps tooling | **Resolved** | Plain Helm first, upgrade to Flux when warranted. AI-first philosophy (TDD, API-first, MCP, CLI; UI separate repos) — ecosystem ADR requested from custodian. |
| D4 | Secret injection: ESO vs Vault Agent Injector | **Pending** | Gates T01 Phase 0b. Tegwick to investigate. |
| D5 | File-based bootstrap user store: separate repo vs defer vs existing tool | **Pending** | Full SWOT in State Hub. Preliminary recommendation: evaluate Keycloak Docker Compose first. |
| D4 | Secret injection: ESO vs Vault Agent Injector | **Resolved** | **ESO.** GitOps-aligned; standard K8s Secrets consumable by plain Helm. Monitor dynamic-secret gaps; revisit if needed. |
| D5 | File-based bootstrap user store | **Resolved** | **Implement in-repo as `local-identity`.** Staged workplan: NK-WP-0002. See `docs/LocalIdentity.md`. |
## Architecture
@@ -118,15 +118,16 @@ manifests). Store offsite.
**Phase 0b — HashiCorp Vault in-cluster (after T02, once K3s is running):**
Deploy HashiCorp Vault in the cluster (Helm chart). Migrate secrets from
KeePassXC into Vault. Enable K8s encryption-at-rest. Choose and implement
secret injection strategy: External Secrets Operator + Vault backend, or
Vault Agent Injector (ESO preferred for GitOps alignment). KeePassXC
remains the source of truth for dev/test/sandbox systems that do not connect
to the cluster Vault.
KeePassXC into Vault. Enable K8s encryption-at-rest. Deploy External Secrets
Operator (ESO) — **decided D4**: ESO reconciles Vault secrets into standard
K8s Secrets, compatible with plain Helm charts without Vault-specific
annotations. KeePassXC remains the source of truth for dev/test/sandbox
systems that do not connect to the cluster Vault.
**Done when:** KeePassXC created and all secrets generated (0a). Vault
deployed in-cluster, secrets migrated, injection strategy operational (0b).
Encrypted ops bundle exported and stored offsite.
deployed in-cluster, secrets migrated, ESO operational and injecting secrets
into at least one test workload (0b). Encrypted ops bundle exported and
stored offsite.
---
@@ -326,14 +327,13 @@ Configure auditing and log shipping: privacyIDEA audit logs + Keycloak
events → centralized logging (ELK/Loki or equivalent). Token lifecycle
policies: enrollment, revocation, re-enrollment on device loss.
**Bootstrap user management (D2 extension — scope TBD):**
D2 also specifies a file-based lightweight user store for pre-Keycloak
systems (dev/test/sandbox that do not connect to the cluster). Users stored
as files in a secure subdirectory of the Linux home directory; auto-generates
two test users with `N` / `+testN` username and email suffixes. Test users
must not spill over into other systems; a mapping mechanism from sandbox
identities to production should be provided. This scope is not yet captured
in a task — see Open Questions.
**Bootstrap user management (D2 + D5 — Local Identity):**
The pre-Keycloak user store is implemented as the `local-identity` capability.
See [NK-WP-0002](NK-WP-0002-local-identity.md) and
[docs/LocalIdentity.md](../docs/LocalIdentity.md). NK-WP-0002 Stage 2
produces Keycloak-compatible user exports (`local-identity export --all`)
that feed the realm bulk-import during T06. Once T06 is operational,
Local Identity should be explicitly migrated away from for that instance.
**Done when:** policies documented and applied, self-service portal live,
audit logs flowing, Keycloak resolver configured.
@@ -402,9 +402,10 @@ documented and tested, HSTS and NetworkPolicies verified.
See `DECISIONS.md` for the three resolved decisions (D1D3).
Two pending decisions have been raised; see State Hub for full detail.
| # | Item | State Hub artefact | Status |
|---|------|--------------------|--------|
| D4 | Secret injection: ESO vs Vault Agent Injector | Decision `aca69951` | Pending — Tegwick to investigate |
| D5 | File-based bootstrap user store | Decision `d74e2b11` (full SWOT) | Pending — evaluate Keycloak Docker Compose first |
| — | AI-first ecosystem ADR | Task `007415ef` → [repo:custodian] | Recommended; custodian to create |
| EP-NK-001 | LDAP/AD/Entra federation | Extension point `513a7644` | Open; enterprise tier |
All five decisions are now resolved. See `DECISIONS.md` for D1D3 rationale;
State Hub decisions `aca69951` (D4) and `d74e2b11` (D5) for the full records.
| Artefact | Item | Status |
|----------|------|--------|
| Task `007415ef` → [repo:custodian] | Create ecosystem ADR for AI-first principles (D3) | Open; custodian to action |
| EP-NK-001 (`513a7644`) | LDAP/AD/Entra federation | Open; enterprise tier |