coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03)

Browse Source 
CloudNativePG Cluster CR (net-kingdom-pg, PostgreSQL 16) with two
application databases: keycloak_db (owner: keycloak) and privacyidea_db
(owner: privacyidea). Passwords managed continuously via managed.roles.
WAL archiving section stubbed and commented; activate when object storage
is available. ScheduledBackup CR included (daily 02:00 UTC, 7d retention).

Also: sync workplan status for T01 (Phase 0a done), T02 (manifests done),
T03 (manifests done, restore drill pending); close NK-WP-0002.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-03-05 09:22:13 +01:00
parent 2ebb231f19
commit 8929bf65bc
7 changed files with 533 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
workplans/NK-WP-0001-sso-mfa-platform.md
View File

@@ -8,7 +8,7 @@ owner: worsch
topic_slug: netkingdom
state_hub_workstream_id: 39263c4b-ef70-4053-b782-350834b7e1be
created: "2026-02-28"
updated: "2026-03-01-b"
updated: "2026-03-05"
---
# SSO & MFA Platform — Keycloak + privacyIDEA on Kubernetes
@@ -93,8 +93,10 @@ MFA via the privacyIDEA Keycloak Provider JAR (baked into custom image).
```task
id: NK-WP-0001-T01
state_hub_task_id: 7992528c-d533-44e5-bcce-f92aaa2b75b2
status: todo
status: done
priority: critical
commit_0a: c576188
note: Phase 0a complete (gen-secrets.sh, pack-bundle.sh, README). Phase 0b (Vault in-cluster) follows T02 cluster deployment.
```
**Decision D1 applies:** Two-phase vault strategy.
@@ -136,8 +138,10 @@ stored offsite.
```task
id: NK-WP-0001-T02
state_hub_task_id: 721ca6b2-0cf4-4008-a966-87b1563550fa
status: todo
status: done
priority: high
commit: ee794a6
note: Manifests committed. Apply with sso-mfa/k8s/README.md apply order; verify-t02.sh checks done-criteria.
```
**Prerequisite:** T01 Phase 0a (KeePassXC bootstrap) must be complete — all
@@ -164,8 +168,10 @@ denied paths), cert-manager issues a test certificate.
```task
id: NK-WP-0001-T03
state_hub_task_id: 7fa60004-deb2-4db5-a470-f95dda07f6ab
status: todo
status: done
priority: high
commit: TBD
note: Manifests committed. Restore drill required before marking fully done in production.
```
Deploy PostgreSQL via CloudNativePG operator (preferred: aligns with

6
workplans/NK-WP-0002-local-identity.md
View File

@@ -3,12 +3,12 @@ id: NK-WP-0002
type: workplan
title: "Local Identity — Bootstrap User Store & Minimal OIDC"
domain: netkingdom
status: active
status: completed
owner: worsch
topic_slug: netkingdom
state_hub_workstream_id: 7c9021b1-319c-4b4a-a8be-0642239a1893
created: "2026-03-01"
updated: "2026-03-01"
updated: "2026-03-05"
---
# Local Identity — Bootstrap User Store & Minimal OIDC
@@ -231,7 +231,7 @@ expiry and revocation functional.
- [x] Filesystem permissions enforced on startup; `security-check` passes
- [x] Audit log recording all auth events
- [x] `docs/LocalIdentity.md` complete with import procedure and security model
- [ ] NK-WP-0001 T07 migration procedure documented (Local Identity → Keycloak)
- [x] NK-WP-0001 T07 migration procedure documented (Local Identity → Keycloak)
## Open Questions