From bee0936d5d307711aae9b22eb0e99ca03bf5cfc3 Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Fri, 20 Mar 2026 07:33:47 +0000 Subject: [PATCH] docs(sso-mfa): fix stale Keycloak refs and add T04 apply section to WORKPLAN MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - README.md: ipAllowList → ipWhiteList (match Traefik v2 fix) - verify-t04.sh: update success message (Keycloak → LLDAP+Authelia+KeyCape) - WORKPLAN.md: add full T04 section with deliverables, pending steps, done-criteria Co-Authored-By: Claude Sonnet 4.6 --- sso-mfa/WORKPLAN.md | 31 +++++++++++++++++++++++++++++++ sso-mfa/k8s/privacyidea/README.md | 2 +- sso-mfa/k8s/verify-t04.sh | 2 +- 3 files changed, 33 insertions(+), 2 deletions(-) diff --git a/sso-mfa/WORKPLAN.md b/sso-mfa/WORKPLAN.md index 403da73..b779730 100644 --- a/sso-mfa/WORKPLAN.md +++ b/sso-mfa/WORKPLAN.md 
@@ -27,6 +27,37 @@ Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.co | T07 — User mgmt & self-service | c7cf902a | **in-progress** | See below | | T08 — Backups, DR, break-glass | 9cbd1d89 | **in-progress** | See below | +## T04 — privacyIDEA + +### Deliverables (already authored) +- [x] `k8s/privacyidea/pvc.yaml` — privacyidea-data and privacyidea-logs PVCs +- [x] `k8s/privacyidea/configmap.yaml` — pi.cfg template (secrets injected at runtime) +- [x] `k8s/privacyidea/create-secrets.sh` — privacyidea-config Secret +- [x] `k8s/privacyidea/deployment.yaml` — Deployment + Service (port 8080) +- [x] `k8s/privacyidea/middleware.yaml` — rate-limit + admin IP allowlist (ipWhiteList, Traefik v2) +- [x] `k8s/privacyidea/ingress.yaml` — pink.coulomb.social + pink-account.coulomb.social +- [x] `k8s/privacyidea/enckey-bootstrap.sh` — extract enckey + audit keys post-start +- [x] `k8s/privacyidea/bootstrap-admin.sh` — create pi-admin + trigger-admin +- [x] `k8s/verify-t04.sh` — verify pod, service, middlewares, ingresses, TLS, secrets, PVCs + +### Pending (needs live cluster) +- [ ] `./create-secrets.sh` — create privacyidea-config Secret in mfa namespace +- [ ] `kubectl apply -f pvc.yaml configmap.yaml middleware.yaml deployment.yaml ingress.yaml` +- [ ] Wait for pod Running/Ready (up to 3 min — DB migrations run on first boot) +- [ ] `./enckey-bootstrap.sh` — extract enckey+auditkeys, store in KeePassXC, create DR Secrets +- [ ] `./bootstrap-admin.sh` — create pi-admin and trigger-admin +- [ ] Log in to pink.coulomb.social, enroll TOTP for pi-admin, verify MFA challenge +- [ ] Run `../verify-t04.sh` — 0 FAILs +- [ ] Commit and mark T04 done + +### Done-criteria for T04 +- privacyIDEA pod Running+Ready in mfa namespace +- pink.coulomb.social and pink-account.coulomb.social reachable with valid TLS +- pi-admin and trigger-admin accounts exist +- pi-admin has enrolled a TOTP token and MFA challenge fires on login +- privacyidea-enckey and 
privacyidea-auditkeys Secrets exist (DR copies) +- verify-t04.sh: 0 FAILs + ## T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape) ### Done diff --git a/sso-mfa/k8s/privacyidea/README.md b/sso-mfa/k8s/privacyidea/README.md index 10bdb9f..a0b7cdf 100644 --- a/sso-mfa/k8s/privacyidea/README.md +++ b/sso-mfa/k8s/privacyidea/README.md @@ -149,7 +149,7 @@ cluster-internal and not subject to the Ingress middleware. ### Admin WebUI IP restriction -Update `middleware.yaml` `privacyidea-admin-allowlist.spec.ipAllowList.sourceRange` +Update `middleware.yaml` `privacyidea-admin-allowlist.spec.ipWhiteList.sourceRange` to your actual VPN/office CIDRs and reapply: ```bash diff --git a/sso-mfa/k8s/verify-t04.sh b/sso-mfa/k8s/verify-t04.sh index 1d1f287..9a3f541 100755 --- a/sso-mfa/k8s/verify-t04.sh +++ b/sso-mfa/k8s/verify-t04.sh @@ -212,6 +212,6 @@ elif [[ "$WARN" -gt 0 ]]; then echo " Result: PARTIAL — T04 core is up; WARN items should be resolved before T05" exit 0 else - echo " Result: COMPLETE — T04 done-criteria met; proceed to T05 (Keycloak)" + echo " Result: COMPLETE — T04 done-criteria met; proceed to T05 (SSO core: LLDAP+Authelia+KeyCape)" exit 0 fi
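Review bot: In the WORKPLAN hunk, the T04 pending steps apply `middleware.yaml` as authored, but neither the step list nor the done-criteria require the admin allowlist to hold real CIDRs first; the README hunk in this same patch tells the operator to update `privacyidea-admin-allowlist.spec.ipWhiteList.sourceRange` to actual VPN/office ranges, so add a step before the `kubectl apply` line (e.g. `- [ ] Edit middleware.yaml ipWhiteList.sourceRange to real VPN/office CIDRs`) and a done-criterion that the admin WebUI is rejected from outside those ranges, otherwise `verify-t04.sh` can report 0 FAILs with a placeholder allowlist still in place. Also, `kubectl apply -f pvc.yaml configmap.yaml middleware.yaml deployment.yaml ingress.yaml` will not apply five files as written: `kubectl apply` takes one path per `-f`, so repeat `-f` for each file or pass them comma-separated after a single `-f`.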
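Review bot: In the README hunk, the rename to `ipWhiteList` is right for Traefik v2, but the sentence gives no hint that the key name is version-specific (Traefik v3 names this middleware `ipAllowList`), so the next Traefik upgrade will reintroduce exactly the stale-reference problem this commit fixes; add a short note beside the updated line stating which Traefik major version `ipWhiteList` targets and that the field must be renamed on v3.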
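Review bot: In the verify-t04.sh hunk only the result string changes, but the visible context shows the PARTIAL branch (`"$WARN" -gt 0`) exiting 0 exactly like the COMPLETE branch, so anything that gates "Commit and mark T04 done" on the script's exit status cannot tell the two apart; consider a distinct non-zero code for PARTIAL (for example `exit 2`) or a strict flag, so the WORKPLAN's `0 FAILs` criterion is machine-checkable and unresolved WARN items are not carried silently into T05.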