diff --git a/workplans/NK-WP-0001-sso-mfa-platform.md b/workplans/NK-WP-0001-sso-mfa-platform.md index cd23b4e..5e1a09f 100644 --- a/workplans/NK-WP-0001-sso-mfa-platform.md +++ b/workplans/NK-WP-0001-sso-mfa-platform.md @@ -8,7 +8,7 @@ owner: worsch topic_slug: netkingdom state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be created: "2026-02-28" -updated: "2026-03-01" +updated: "2026-03-01-b" --- # SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes 
@@ -38,14 +38,17 @@ this plan picks the most concrete and production-aligned choices from each: ## Decisions -All three pending decisions from the first session have been resolved +Three of five decisions for this workstream have been resolved (2026-03-01, decided by Tegwick). Full rationale in `DECISIONS.md`. +Two are pending and require further investigation (see Open Questions). -| ID | Decision | Outcome | -|----|----------|---------| -| D1 | Vault backend | **KeePassXC pre-cluster → HashiCorp Vault in-cluster.** Bootstrap on KeePassXC before a cluster is available; transition to Vault once K3s is operational. | -| D2 | Identity source of truth | **Hybrid: Keycloak-internal + LDAP/Entra federation** for enterprise tier. Plus a **file-based bootstrap** user store for pre-Keycloak dev/test/sandbox systems. | -| D3 | GitOps tooling | **Plain Helm to start, upgrade to Flux when warranted.** Development philosophy: AI-first (TDD, API-first/headless, MCP layer, CLI tooling; UI is low-priority and lives in separate repos). | +| ID | Decision | Status | Outcome / Notes | +|----|----------|--------|-----------------| +| D1 | Vault backend | **Resolved** | KeePassXC pre-cluster → HashiCorp Vault in-cluster. | +| D2 | Identity source of truth | **Resolved** | Hybrid: Keycloak-internal + LDAP/Entra for enterprise tier. File-based bootstrap user store deferred pending D5. | +| D3 | GitOps tooling | **Resolved** | Plain Helm first, upgrade to Flux when warranted. AI-first philosophy (TDD, API-first, MCP, CLI; UI separate repos) — ecosystem ADR requested from custodian. | +| D4 | Secret injection: ESO vs Vault Agent Injector | **Pending** | Gates T01 Phase 0b. Tegwick to investigate. | +| D5 | File-based bootstrap user store: separate repo vs defer vs existing tool | **Pending** | Full SWOT in State Hub. Preliminary recommendation: evaluate Keycloak Docker Compose first. | ## Architecture 
@@ -136,6 +139,9 @@ status: todo priority: high ``` +**Prerequisite:** T01 Phase 0a (KeePassXC bootstrap) must be complete — all +secrets generated and encrypted ops bundle exported before cluster work begins. + Create namespaces: `sso`, `mfa`, `databases`. Verify cert-manager is installed and functional on the K3s cluster (Traefik ingress). Define and apply NetworkPolicies to prevent lateral movement: @@ -305,8 +311,8 @@ the privacyIDEA Keycloak resolver. Implement (not decide): - Configure privacyIDEA 3.12+ Keycloak user resolver to align Keycloak users with privacyIDEA token ownership. -- LDAP/Entra federation: explicitly out of scope for this phase; tracked as - an enterprise-tier extension point. +- LDAP/Entra federation: out of scope for this phase. Registered as + extension point EP-NK-001 (State Hub) for future enterprise-tier work. Define policies in privacyIDEA: - Allowed token types: TOTP, hardware (YubiKey), passkey 
@@ -393,35 +399,12 @@ documented and tested, HSTS and NetworkPolicies verified. ## Open Questions -The three original pending decisions (D1 vault backend, D2 identity source -of truth, D3 GitOps tooling) have all been resolved. See `DECISIONS.md`. +See `DECISIONS.md` for the three resolved decisions (D1–D3). +Two pending decisions have been raised; see State Hub for full detail. -Remaining open items: - -1. **Secret injection strategy** — D1 resolves the vault backend (Vault - in-cluster) but the concrete injection mechanism is still open: External - Secrets Operator vs Vault Agent Injector. Should be decided and closed - in T01 Phase 0b. - -2. **File-based bootstrap user management (D2 extension)** — D2 specifies - a lightweight file-based user store for pre-Keycloak environments. This - is non-trivial scope (file format, test-user generation, isolation - controls, production-mapping mechanism) and is not captured in any - current task. Needs a decision: is this a task within this workplan, or - a separate workplan/repo? - -3. **AI-first / MCP layer (D3 extension)** — D3 establishes an AI-first - development philosophy (TDD, API-first/headless, MCP layer, CLI - tooling). This workplan currently covers only infrastructure deployment. - Should Keycloak/privacyIDEA operations (user management, policy CRUD, - token lifecycle) be wrapped in an MCP server or CLI? If so, this needs - a new task or workplan. - -4. **LDAP/Entra federation** — Explicitly deferred to the enterprise tier - (D2). Track as an extension point when the time comes. - -5. **Cluster target for dev/test** — D1 implies KeePassXC-based systems - run independently of the cluster. The plan assumes single-node k3s for - dev and ThreePhoenix for production. The sequencing between T01 Phase 0a - (pre-cluster) and Phase 0b (in-cluster) should be confirmed once the - Railiance cluster timeline is clearer. 
+| # | Item | State Hub artefact | Status | +|---|------|--------------------|--------| +| D4 | Secret injection: ESO vs Vault Agent Injector | Decision `aca69951` | Pending — Tegwick to investigate | +| D5 | File-based bootstrap user store | Decision `d74e2b11` (full SWOT) | Pending — evaluate Keycloak Docker Compose first | +| — | AI-first ecosystem ADR | Task `007415ef` → [repo:custodian] | Recommended; custodian to create | +| EP-NK-001 | LDAP/AD/Entra federation | Extension point `513a7644` | Open; enterprise tier |
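Review bot: `updated: "2026-03-01-b"` in the frontmatter hunk (@@ -8) is no longer a date, so any tooling that parses `updated` as ISO 8601, which the replaced value `"2026-03-01"` was, will reject or misorder this file. Suggest keeping `updated` a plain date and recording the same-day revision elsewhere, for example a timestamp such as `updated: "2026-03-01T18:00:00Z"` (time is a placeholder) or a separate `revision: 2` field (key name assumed; the schema is not visible here).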
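Review bot: the D4 and D5 rows in the Decisions table hunk (@@ -38) give no pointer to the State Hub records, while the Open Questions table in the same patch cites Decision `aca69951` and `d74e2b11` for the very same items; suggest adding those identifiers to the `Outcome / Notes` column so the two tables stay linked when one is updated. The D2 row now says the file-based bootstrap store is "deferred pending D5", but nothing in the D5 row states what would close it beyond the preliminary recommendation to evaluate Keycloak Docker Compose first; spelling out the closing criterion makes the gate on D2 explicit.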
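Review bot: the new **Prerequisite** paragraph in the @@ -136 hunk is prose only; the task header just above it carries `status: todo` and `priority: high` but no dependency field, so nothing machine-readable blocks T01 Phase 0b on Phase 0a. Suggest adding a dependency key in the task header (for example `depends_on: T01-0a`, name assumed since the schema is not shown) alongside the prose, and making the acceptance check concrete: which secrets count as "all secrets generated", and where the encrypted ops bundle must be exported to, and verified, before the `sso`, `mfa` and `databases` namespaces are created.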
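Review bot: the extension point is introduced as `EP-NK-001` for "LDAP/Entra federation" in the @@ -305 hunk, but the Open Questions table in this same patch labels it "LDAP/AD/Entra federation" and the Decisions table D2 row says "LDAP/Entra for enterprise tier"; pick one name so a search for the extension point finds every reference, and consider quoting the State Hub id `513a7644` in the T-phase text as well, as the Open Questions table already does.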
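Review bot: removed item 5 of the @@ -393 hunk (cluster target for dev/test, and confirming the sequencing of T01 Phase 0a before Phase 0b once the Railiance cluster timeline is clearer) has no row in the replacement table and is not marked resolved anywhere in this patch, so that open question is silently dropped; the new Prerequisite paragraph in the @@ -136 hunk fixes the ordering but does not record the confirmation that was asked for. Suggest either adding a row for it to the Open Questions table or stating where it was closed. Also, "Two pending decisions have been raised" reads as if D4 and D5 are new, whereas the removed items 1 and 2 show both were already open; "remain pending" would be more accurate.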