fix(privacyidea): correct image to ghcr.io/gpappsoft, port 5001→8080

privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not
exist on Docker Hub. Correct image is ghcr.io/gpappsoft/privacyidea-docker:3.12.2
which listens on port 8080.

Update all port references: deployment, service, ingress, netpol-mfa,
netpol-sso (keycape→privacyIDEA egress rule).

Also: creds-bootstrap-agent.sh — restart privacyIDEA deployment after
applying new secrets so the pod picks up updated env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-21 09:37:38 +00:00
parent bcae4bc6dd
commit bececac7b8
5 changed files with 31 additions and 21 deletions

View File

@@ -188,8 +188,17 @@ if [[ "$DRY_RUN" == false ]]; then
fi fi
done done
[[ "$ALL_OK" == true ]] || die "One or more required secrets are missing — check creds-apply output above" [[ "$ALL_OK" == true ]] || die "One or more required secrets are missing — check creds-apply output above"
# Restart privacyIDEA if the deployment exists, so it picks up the newly
# generated secrets. Without this, a running pod would have stale env vars.
if kubectl get deployment privacyidea -n mfa &>/dev/null 2>&1; then
log "restarting privacyIDEA deployment to pick up new secrets..."
kubectl rollout restart deployment/privacyidea -n mfa
ok "privacyIDEA restart triggered"
fi
else else
echo " [dry-run] would verify K8s secrets" echo " [dry-run] would verify K8s secrets"
echo " [dry-run] would restart privacyIDEA if deployment exists"
fi fi
# ── Phase 5: Post-apply bootstrap — wait for privacyIDEA ────────────────────── # ── Phase 5: Post-apply bootstrap — wait for privacyIDEA ──────────────────────

View File

@@ -1,8 +1,8 @@
# NetworkPolicies for the mfa namespace (privacyIDEA) # NetworkPolicies for the mfa namespace (privacyIDEA)
# #
# Allowed paths: # Allowed paths:
# INGRESS: Traefik (kube-system) → privacyIDEA :5001 (user-facing portal) # INGRESS: Traefik (kube-system) → privacyIDEA :8080 (user-facing portal)
# INGRESS: KeyCape (sso) → privacyIDEA :5001 (Provider API calls) # INGRESS: KeyCape (sso) → privacyIDEA :8080 (Provider API calls)
# EGRESS: privacyIDEA → databases :5432 (PostgreSQL) # EGRESS: privacyIDEA → databases :5432 (PostgreSQL)
# EGRESS: all pods → kube-dns :53 (UDP+TCP) # EGRESS: all pods → kube-dns :53 (UDP+TCP)
# #
@@ -42,7 +42,7 @@ spec:
matchLabels: matchLabels:
app.kubernetes.io/name: traefik app.kubernetes.io/name: traefik
ports: ports:
- port: 5001 - port: 8080
protocol: TCP protocol: TCP
--- ---
# ── Allow ingress from KeyCape (Provider API calls) ────────────────────────── # ── Allow ingress from KeyCape (Provider API calls) ──────────────────────────
@@ -66,7 +66,7 @@ spec:
matchLabels: matchLabels:
app.kubernetes.io/name: keycape app.kubernetes.io/name: keycape
ports: ports:
- port: 5001 - port: 8080
protocol: TCP protocol: TCP
--- ---
# ── Allow egress to PostgreSQL ─────────────────────────────────────────────── # ── Allow egress to PostgreSQL ───────────────────────────────────────────────

View File

@@ -13,7 +13,7 @@
# Allowed egress paths: # Allowed egress paths:
# keycape → authelia :9091 (OIDC callback orchestration) # keycape → authelia :9091 (OIDC callback orchestration)
# keycape → lldap :3890 (LDAP user lookups) # keycape → lldap :3890 (LDAP user lookups)
# keycape → mfa :5001 (privacyIDEA MFA check and token validation) # keycape → mfa :8080 (privacyIDEA MFA check and token validation)
# authelia → lldap :3890 (LDAP authentication backend) # authelia → lldap :3890 (LDAP authentication backend)
# all pods → kube-dns :53 (DNS resolution) # all pods → kube-dns :53 (DNS resolution)
# #
@@ -201,7 +201,7 @@ spec:
- port: 3890 - port: 3890
protocol: TCP protocol: TCP
--- ---
# ── KeyCape egress → privacyIDEA (mfa namespace) :5001 ─────────────────────── # ── KeyCape egress → privacyIDEA (mfa namespace) :8080 ───────────────────────
# KeyCape calls privacyIDEA to check and validate MFA tokens. # KeyCape calls privacyIDEA to check and validate MFA tokens.
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: NetworkPolicy kind: NetworkPolicy
@@ -220,7 +220,7 @@ spec:
matchLabels: matchLabels:
net-kingdom/component: mfa net-kingdom/component: mfa
ports: ports:
- port: 5001 - port: 8080
protocol: TCP protocol: TCP
--- ---
# ── Authelia egress → LLDAP (within sso namespace) ─────────────────────────── # ── Authelia egress → LLDAP (within sso namespace) ───────────────────────────

View File

@@ -10,8 +10,8 @@
# 5. enckey-bootstrap.sh — extract enckey + audit keys, create DR Secrets # 5. enckey-bootstrap.sh — extract enckey + audit keys, create DR Secrets
# 6. bootstrap-admin.sh — create pi-admin (+ MFA enrolment) and trigger-admin # 6. bootstrap-admin.sh — create pi-admin (+ MFA enrolment) and trigger-admin
# #
# Container port: 5001. # Container port: 8080.
# privacyidea/otpserver listens on port 5001 internally. # ghcr.io/gpappsoft/privacyidea-docker listens on port 8080 (gunicorn).
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@@ -53,14 +53,15 @@ spec:
containers: containers:
- name: privacyidea - name: privacyidea
# Pin to a specific release; update via image update policy. # Pin to a specific release; update via image update policy.
# Official image: https://hub.docker.com/r/privacyidea/otpserver # Official image: https://github.com/gpappsoft/privacyidea-docker
# privacyidea/privacyidea:3.12 does not exist — correct repo is otpserver. # privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not exist.
image: privacyidea/otpserver:3.12.2 # Correct image: ghcr.io/gpappsoft/privacyidea-docker:3.12.2 (port 8080)
image: ghcr.io/gpappsoft/privacyidea-docker:3.12.2
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
ports: ports:
- name: http - name: http
containerPort: 5001 containerPort: 8080
protocol: TCP protocol: TCP
# ── Environment — sensitive values from Secret ────────────────── # ── Environment — sensitive values from Secret ──────────────────
@@ -86,20 +87,20 @@ spec:
# Startup probe: give PI up to 3 min to run DB migrations on first boot. # Startup probe: give PI up to 3 min to run DB migrations on first boot.
startupProbe: startupProbe:
tcpSocket: tcpSocket:
port: 5001 port: 8080
initialDelaySeconds: 15 initialDelaySeconds: 15
periodSeconds: 10 periodSeconds: 10
failureThreshold: 18 # 18 × 10s = 3 min failureThreshold: 18 # 18 × 10s = 3 min
livenessProbe: livenessProbe:
tcpSocket: tcpSocket:
port: 5001 port: 8080
initialDelaySeconds: 0 initialDelaySeconds: 0
periodSeconds: 15 periodSeconds: 15
failureThreshold: 3 failureThreshold: 3
readinessProbe: readinessProbe:
httpGet: httpGet:
path: /token/ path: /token/
port: 5001 port: 8080
initialDelaySeconds: 0 initialDelaySeconds: 0
periodSeconds: 10 periodSeconds: 10
failureThreshold: 3 failureThreshold: 3
@@ -143,6 +144,6 @@ spec:
app.kubernetes.io/name: privacyidea app.kubernetes.io/name: privacyidea
ports: ports:
- name: http - name: http
port: 5001 port: 8080
targetPort: 5001 targetPort: 8080
protocol: TCP protocol: TCP

View File

@@ -46,7 +46,7 @@ spec:
service: service:
name: privacyidea name: privacyidea
port: port:
number: 5001 number: 8080
tls: tls:
- secretName: pink-tls - secretName: pink-tls
hosts: hosts:
@@ -83,7 +83,7 @@ spec:
service: service:
name: privacyidea name: privacyidea
port: port:
number: 5001 number: 8080
tls: tls:
- secretName: pink-tls - secretName: pink-tls
hosts: hosts:
@@ -114,7 +114,7 @@ spec:
service: service:
name: privacyidea name: privacyidea
port: port:
number: 5001 number: 8080
tls: tls:
- secretName: pink-account-tls - secretName: pink-account-tls
hosts: hosts: