coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

chore(workplan): NK-WP-0003-T04 done — privacyIDEA deployed and bootstrapped

Browse Source 
Pod Running with correct image and config. enckey, audit keys, pi-admin,
trigger-admin all created via agent bootstrap (NK-WP-0005).
Remaining: TLS cert + trigger-admin policy via WebUI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-03-21 12:13:52 +00:00
parent 59ba9e6fe1
commit a60f4fc834
1 changed files with 18 additions and 37 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md
View File

@@ -128,49 +128,30 @@ healthy. Migration jobs will fail on a partially-started cluster.
```task
id: NK-WP-0003-T04
status: todo
status: done
priority: high
state_hub_task_id: "9c9c1ec9-0cf5-4546-a83e-d74dbf3b27af"
note: Completed 2026-03-21 via make creds-agent-init (NK-WP-0005).
Pod Running (ghcr.io/gpappsoft/privacyidea-docker:3.12.2, port 8080).
enckey + audit keys extracted to K8s Secrets privacyidea-enckey/auditkeys.
pi-admin and trigger-admin created. keycape-pi-token Secret in sso namespace.
Remaining: TLS cert for pink.coulomb.social (ACME solver pods visible — T02 cert-manager needed).
trigger-admin policy must be set manually via WebUI once pink.coulomb.social resolves.
```
Deploy privacyIDEA into the `mfa` namespace.
Completed via `make creds-agent-init`. All Steps 14 were automated by the agent bootstrap.
> **Image fix applied (2026-03-20):** `privacyidea/privacyidea:3.12` does not exist.
> Corrected to `privacyidea/otpserver:3.12.2` on port 5001.
> Updated: `deployment.yaml`, `ingress.yaml`, `netpol-mfa.yaml`, `netpol-sso.yaml`.
**Image fixes applied (2026-03-21):**
- `privacyidea/otpserver:3.12.2``ghcr.io/gpappsoft/privacyidea-docker:3.12.2` (port 8080)
- `PRIVACYIDEA_CONFIGFILE`, `PI_ADDRESS`, `PI_PORT` env vars added
- Readiness probe changed to `tcpSocket` (`/token/` returns 401 for unauthenticated GET)
**Step 1 — Create K8s secrets from KeePassXC:**
```bash
cd sso-mfa/k8s/privacyidea
bash create-secrets.sh # reads from env vars; source from KeePassXC
```
**Step 2 — Apply manifests:**
```bash
kubectl apply -f pvc.yaml
kubectl apply -f configmap.yaml
kubectl apply -f middleware.yaml
kubectl apply -f deployment.yaml
kubectl apply -f ingress.yaml
```
**Step 3 — Bootstrap key material (time-sensitive):**
Run immediately once the pod reaches `Running` state. This window must not
be missed — if the pod is deleted before this runs, the enckey is lost.
```bash
bash enckey-bootstrap.sh # extracts PI_ENCFILE + audit keys → K8s Secrets + KeePassXC
```
**Step 4 — Create admin accounts:**
```bash
bash bootstrap-admin.sh # creates pi-admin + trigger-admin, sets policies
# store trigger-admin token in KeePassXC net-kingdom/privacyidea/trigger-admin
```
Verify: `bash sso-mfa/k8s/verify-t04.sh`
Expected: pod Running, TLS cert issued for `pink.coulomb.social`, admin
accounts exist, enckey backed up.
**Remaining manual step:**
Once `pink.coulomb.social` resolves to the cluster IP and TLS cert is issued:
1. Log in to https://pink.coulomb.social as `pi-admin`
2. Enroll MFA for `pi-admin` (TOTP)
3. Verify/create trigger-admin policy: Policies → trigger-admin-rights
(Scope: admin, Action: triggerchallenge, AdminUser: trigger-admin)
### T05 — Deploy LLDAP