coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(creds): implement NK-WP-0004 Credential Management Foundation

Browse Source 
- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
  and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
  status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
  + hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
  authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
  and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
  confirmation, per-component apply status, enckey and pi-admin bootstrap flags

NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Bernd Worsch
2026-03-20 23:39:35 +00:00
parent a96d72193c
commit c10d7d2f8a
10 changed files with 885 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
sso-mfa/bootstrap/creds-state.yaml Normal file
View File

@@ -0,0 +1,26 @@
# Credential state — net-kingdom SSO/MFA stack
# This file is SAFE TO COMMIT. It contains no secrets.
# Updated automatically by make creds-* targets and sso-mfa/bootstrap/creds-verify.sh.
#
# keepass_confirmed is the only field that requires manual operator intervention.
# Set it to true after you have entered all generated secrets into KeePassXC.
generated_at: null
bundle_at: null
keepass_confirmed: false
secrets_applied:
postgres: false
lldap: false
authelia: false
privacyidea: false
# keycape requires PI_ADMIN_TOKEN from post-privacyIDEA T04 bootstrap.
# Run: sso-mfa/k8s/keycape/create-pi-token.sh, then re-run keycape/create-secrets.sh.
keycape: false
# enckey_bootstrapped: set by sso-mfa/k8s/privacyidea/enckey-bootstrap.sh
# This step is TIME-SENSITIVE — it must run while the privacyIDEA pod is live.
enckey_bootstrapped: false
# pi_admin_created: set after sso-mfa/k8s/privacyidea/bootstrap-admin.sh completes
pi_admin_created: false