docs(sso-mfa): fix stale Keycloak refs and add T04 apply section to WORKPLAN

- README.md: ipAllowList → ipWhiteList (match Traefik v2 fix)
- verify-t04.sh: update success message (Keycloak → LLDAP+Authelia+KeyCape)
- WORKPLAN.md: add full T04 section with deliverables, pending steps, done-criteria

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 07:33:47 +00:00
parent a375b3814d
commit bee0936d5d
3 changed files with 33 additions and 2 deletions

@@ -27,6 +27,37 @@ Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.co
| T07 — User mgmt & self-service | c7cf902a | **in-progress** | See below |
| T08 — Backups, DR, break-glass | 9cbd1d89 | **in-progress** | See below |
## T04 — privacyIDEA
### Deliverables (already authored)
- [x] `k8s/privacyidea/pvc.yaml` — privacyidea-data and privacyidea-logs PVCs
- [x] `k8s/privacyidea/configmap.yaml` — pi.cfg template (secrets injected at runtime)
- [x] `k8s/privacyidea/create-secrets.sh` — privacyidea-config Secret
- [x] `k8s/privacyidea/deployment.yaml` — Deployment + Service (port 8080)
- [x] `k8s/privacyidea/middleware.yaml` — rate-limit + admin IP allowlist (ipWhiteList, Traefik v2)
- [x] `k8s/privacyidea/ingress.yaml` — pink.coulomb.social + pink-account.coulomb.social
- [x] `k8s/privacyidea/enckey-bootstrap.sh` — extract enckey + audit keys post-start
- [x] `k8s/privacyidea/bootstrap-admin.sh` — create pi-admin + trigger-admin
- [x] `k8s/verify-t04.sh` — verify pod, service, middlewares, ingresses, TLS, secrets, PVCs
### Pending (needs live cluster)
- [ ] `./create-secrets.sh` — create privacyidea-config Secret in mfa namespace
- [ ] `kubectl apply -f pvc.yaml configmap.yaml middleware.yaml deployment.yaml ingress.yaml`
- [ ] Wait for pod Running/Ready (up to 3 min — DB migrations run on first boot)
- [ ] `./enckey-bootstrap.sh` — extract enckey+auditkeys, store in KeePassXC, create DR Secrets
- [ ] `./bootstrap-admin.sh` — create pi-admin and trigger-admin
- [ ] Log in to pink.coulomb.social, enroll TOTP for pi-admin, verify MFA challenge
- [ ] Run `../verify-t04.sh` — 0 FAILs
- [ ] Commit and mark T04 done
### Done-criteria for T04
- privacyIDEA pod Running+Ready in mfa namespace
- pink.coulomb.social and pink-account.coulomb.social reachable with valid TLS
- pi-admin and trigger-admin accounts exist
- pi-admin has enrolled a TOTP token and MFA challenge fires on login
- privacyidea-enckey and privacyidea-auditkeys Secrets exist (DR copies)
- verify-t04.sh: 0 FAILs
## T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)
### Done
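Review bot: the apply step `kubectl apply -f pvc.yaml configmap.yaml middleware.yaml deployment.yaml ingress.yaml` in the Pending list will not do what the checklist says: `-f` consumes only the first path, and `configmap.yaml ...` become positional arguments that kubectl rejects. Either repeat the flag (`kubectl apply -f pvc.yaml -f configmap.yaml -f middleware.yaml -f deployment.yaml -f ingress.yaml`) or pass them comma-separated to a single `-f`, keeping the middleware ahead of the ingress so the Traefik Middleware exists before the Ingress that references it. A second gap: the done-criteria check that the middlewares exist but not that the admin allowlist has been set to real VPN/office CIDRs (the README change in this same commit asks the operator to do that), so an unedited template `sourceRange` would still pass as "T04 done"; consider adding a done-criterion that `privacyidea-admin-allowlist` no longer contains the placeholder range and that an out-of-range client gets a 403 on the admin UI.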

@@ -149,7 +149,7 @@ cluster-internal and not subject to the Ingress middleware.
### Admin WebUI IP restriction
Update `middleware.yaml` `privacyidea-admin-allowlist.spec.ipAllowList.sourceRange`
Update `middleware.yaml` `privacyidea-admin-allowlist.spec.ipWhiteList.sourceRange`
to your actual VPN/office CIDRs and reapply:
```bash
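Review bot: the rename to `ipWhiteList` is correct for the Traefik v2 CRD, but the README should say which Traefik major version that assumes, because v3 renames the field back to `ipAllowList` and this line will silently go stale again on upgrade. Suggest stating it inline, e.g. "`ipWhiteList` (Traefik v2; v3 uses `ipAllowList`)", and, since a misspelled key yields a Middleware with no effective type rather than a hard failure, adding one verification line after the reapply (a request from outside the CIDR must be rejected) so the operator can confirm the allowlist is actually enforced rather than merely present.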

@@ -212,6 +212,6 @@ elif [[ "$WARN" -gt 0 ]]; then
echo " Result: PARTIAL — T04 core is up; WARN items should be resolved before T05"
exit 0
else
echo " Result: COMPLETE — T04 done-criteria met; proceed to T05 (Keycloak)"
echo " Result: COMPLETE — T04 done-criteria met; proceed to T05 (SSO core: LLDAP+Authelia+KeyCape)"
exit 0
fi
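Review bot: the message update is fine and now matches the T05 title in WORKPLAN, but the surrounding branches show that both the PARTIAL (`WARN` > 0) and COMPLETE paths `exit 0`, so anything that gates on this script's exit status cannot tell "T04 done-criteria met" from "WARN items still open". If the script is meant as the T04 gate (the WORKPLAN checklist says "0 FAILs"), give the PARTIAL branch a distinct non-zero code (for example `exit 2`) and document the three outcomes at the top of the script; otherwise the echo text is the only signal and a caller has to scrape it.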