docs(workplan): add D4/D5 decisions, T02 prerequisite, EP-NK-001 reference

- Extend decisions table with D4 (secret injection, pending) and D5
  (file-based bootstrap user store, pending with SWOT)
- Add explicit prerequisite block to T02: T01 Phase 0a must complete first
- Update T07: reference EP-NK-001 (LDAP/Entra extension point) by ID
- Condense Open Questions into a reference table pointing to State Hub artefacts
- Ecosystem ADR recommendation recorded as [repo:custodian] task in hub

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-01 23:11:51 +01:00
parent 534906d509
commit 873fbcf052


@@ -8,7 +8,7 @@ owner: worsch
topic_slug: netkingdom
state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be
created: "2026-02-28"
updated: "2026-03-01"
updated: "2026-03-01-b"
---
# SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes
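Review bot: the replacement `updated: "2026-03-01-b"` in the front matter is no longer a parseable ISO date, which will break any tooling that reads `updated` as a date (the `created` field directly above keeps the plain `YYYY-MM-DD` form). Keep `updated: "2026-03-01"` and, if two revisions on the same day need distinguishing, add a separate revision counter or a full timestamp field rather than overloading the date value.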
@@ -38,14 +38,17 @@ this plan picks the most concrete and production-aligned choices from each:
## Decisions
All three pending decisions from the first session have been resolved
Three of five decisions for this workstream have been resolved
(2026-03-01, decided by Tegwick). Full rationale in `DECISIONS.md`.
Two are pending and require further investigation (see Open Questions).
| ID | Decision | Outcome |
|----|----------|---------|
| D1 | Vault backend | **KeePassXC pre-cluster → HashiCorp Vault in-cluster.** Bootstrap on KeePassXC before a cluster is available; transition to Vault once K3s is operational. |
| D2 | Identity source of truth | **Hybrid: Keycloak-internal + LDAP/Entra federation** for enterprise tier. Plus a **file-based bootstrap** user store for pre-Keycloak dev/test/sandbox systems. |
| D3 | GitOps tooling | **Plain Helm to start, upgrade to Flux when warranted.** Development philosophy: AI-first (TDD, API-first/headless, MCP layer, CLI tooling; UI is low-priority and lives in separate repos). |
| ID | Decision | Status | Outcome / Notes |
|----|----------|--------|-----------------|
| D1 | Vault backend | **Resolved** | KeePassXC pre-cluster → HashiCorp Vault in-cluster. |
| D2 | Identity source of truth | **Resolved** | Hybrid: Keycloak-internal + LDAP/Entra for enterprise tier. File-based bootstrap user store deferred pending D5. |
| D3 | GitOps tooling | **Resolved** | Plain Helm first, upgrade to Flux when warranted. AI-first philosophy (TDD, API-first, MCP, CLI; UI separate repos) — ecosystem ADR requested from custodian. |
| D4 | Secret injection: ESO vs Vault Agent Injector | **Pending** | Gates T01 Phase 0b. Tegwick to investigate. |
| D5 | File-based bootstrap user store: separate repo vs defer vs existing tool | **Pending** | Full SWOT in State Hub. Preliminary recommendation: evaluate Keycloak Docker Compose first. |
## Architecture
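Review bot: the D5 row says "Full SWOT in State Hub" but omits the artefact identifier, so a reader of the Decisions table has to scroll to the Open Questions table to find the record. Suggest putting the State Hub IDs in the Status or Outcome / Notes column for D4 and D5, in the same way the D1 to D3 rows point at `DECISIONS.md`, so each pending decision is traceable from one place; the `[repo:custodian]` ADR request mentioned in the D3 row likewise names no task. Also, "Gates T01 Phase 0b" for D4 appears only in this table; confirm the T01 task text states the same gate so that in-cluster secret wiring does not start before the injection mechanism is chosen.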
@@ -136,6 +139,9 @@ status: todo
priority: high
```
**Prerequisite:** T01 Phase 0a (KeePassXC bootstrap) must be complete — all
secrets generated and encrypted ops bundle exported before cluster work begins.
Create namespaces: `sso`, `mfa`, `databases`. Verify cert-manager is
installed and functional on the K3s cluster (Traefik ingress). Define and
apply NetworkPolicies to prevent lateral movement:
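Review bot: the new **Prerequisite** block for T02 states the ordering in prose but gives no acceptance check, so nothing confirms that T01 Phase 0a actually finished before namespaces and NetworkPolicies are applied. Suggest listing the evidence required (for example: the encrypted ops bundle exists at its agreed location, decrypts for the intended recipient, and contains every secret T02 and later tasks consume) and, if the task front matter supports a dependency field alongside `status` and `priority`, recording the dependency there as well so tooling can enforce it instead of relying on the reader noticing the paragraph.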
@@ -305,8 +311,8 @@ the privacyIDEA Keycloak resolver. Implement (not decide):
- Configure privacyIDEA 3.12+ Keycloak user resolver to align Keycloak
users with privacyIDEA token ownership.
- LDAP/Entra federation: explicitly out of scope for this phase; tracked as
an enterprise-tier extension point.
- LDAP/Entra federation: out of scope for this phase. Registered as
extension point EP-NK-001 (State Hub) for future enterprise-tier work.
Define policies in privacyIDEA:
- Allowed token types: TOTP, hardware (YubiKey), passkey
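Review bot: the replacement line cites "extension point EP-NK-001 (State Hub)" by name only, while the Open Questions table later in this patch also records its artefact ID (`513a7644`) and labels the scope "LDAP/AD/Entra". Suggest adding the artefact ID here too and settling on one name for the federation scope (this line and the Decisions table say "LDAP/Entra", the Open Questions table says "LDAP/AD/Entra") so a search for either form finds every reference.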
@@ -393,35 +399,12 @@ documented and tested, HSTS and NetworkPolicies verified.
## Open Questions
The three original pending decisions (D1 vault backend, D2 identity source
of truth, D3 GitOps tooling) have all been resolved. See `DECISIONS.md`.
See `DECISIONS.md` for the three resolved decisions (D1D3).
Two pending decisions have been raised; see State Hub for full detail.
Remaining open items:
1. **Secret injection strategy** — D1 resolves the vault backend (Vault
in-cluster) but the concrete injection mechanism is still open: External
Secrets Operator vs Vault Agent Injector. Should be decided and closed
in T01 Phase 0b.
2. **File-based bootstrap user management (D2 extension)** — D2 specifies
a lightweight file-based user store for pre-Keycloak environments. This
is non-trivial scope (file format, test-user generation, isolation
controls, production-mapping mechanism) and is not captured in any
current task. Needs a decision: is this a task within this workplan, or
a separate workplan/repo?
3. **AI-first / MCP layer (D3 extension)** — D3 establishes an AI-first
development philosophy (TDD, API-first/headless, MCP layer, CLI
tooling). This workplan currently covers only infrastructure deployment.
Should Keycloak/privacyIDEA operations (user management, policy CRUD,
token lifecycle) be wrapped in an MCP server or CLI? If so, this needs
a new task or workplan.
4. **LDAP/Entra federation** — Explicitly deferred to the enterprise tier
(D2). Track as an extension point when the time comes.
5. **Cluster target for dev/test** — D1 implies KeePassXC-based systems
run independently of the cluster. The plan assumes single-node k3s for
dev and ThreePhoenix for production. The sequencing between T01 Phase 0a
(pre-cluster) and Phase 0b (in-cluster) should be confirmed once the
Railiance cluster timeline is clearer.
| # | Item | State Hub artefact | Status |
|---|------|--------------------|--------|
| D4 | Secret injection: ESO vs Vault Agent Injector | Decision `aca69951` | Pending — Tegwick to investigate |
| D5 | File-based bootstrap user store | Decision `d74e2b11` (full SWOT) | Pending — evaluate Keycloak Docker Compose first |
| — | AI-first ecosystem ADR | Task `007415ef` → [repo:custodian] | Recommended; custodian to create |
| EP-NK-001 | LDAP/AD/Entra federation | Extension point `513a7644` | Open; enterprise tier |
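Review bot: condensing the Open Questions list drops item 5 (cluster target for dev/test and the sequencing of T01 Phase 0a against Phase 0b once the Railiance cluster timeline is clearer) without a corresponding row in the new table, and the deleted text for items 1 and 2 carried scope detail (file format, test-user generation, isolation controls and production mapping for the bootstrap store; injection to be decided in T01 Phase 0b) that survives only if the State Hub records repeat it. Suggest adding a row for the sequencing question or stating where it is now tracked, and confirming that `aca69951` and `d74e2b11` contain the removed scope notes. Minor: `(D1D3)` on the new summary line has lost its range dash and should read `(D1–D3)`, and the dash placeholder in the `#` column for the ADR row could be replaced with an explicit label so that row has a stable key like the others.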