feat(sso-mfa): Phase 0a bootstrap tooling (NK-WP-0001-T01)

- sso-mfa/bootstrap/gen-secrets.sh: generates all pre-cluster secrets
  (PI_SECRET_KEY, PI_PEPPER, DB passwords, Keycloak admin, break-glass)
  into a structured secrets/ directory; prints summary with truncated values.
  PI_ENCFILE deferred — must be generated inside the privacyIDEA container.
- sso-mfa/bootstrap/pack-bundle.sh: age-encrypts the secrets directory into
  an offsite ops bundle.
- sso-mfa/bootstrap/README.md: KeePassXC group/entry structure, full workflow
  (generate → KeePassXC → bundle → shred → PI_ENCFILE post-deploy).
- .gitignore: add sso-mfa/bootstrap/secrets/, *.age, *.kdbx.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
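The generate → summarize → shred part of the workflow described above, written out as an added shell example. This is not the repository's gen-secrets.sh; the secret names mirror the commit message, but the per-file layout, byte lengths and the 0600/0700 modes are assumptions. The age-encryption step performed by pack-bundle.sh is omitted because it needs the `age` binary.

```shell
#!/usr/bin/env bash
# Added example (not the project's gen-secrets.sh): generate pre-cluster
# secrets into a secrets/ directory with restrictive permissions, print a
# summary that reveals only a short prefix of each value, and shred the
# plaintext afterwards. File names mirror the commit message; layout and
# byte lengths are assumptions.
set -eu

# Random secret of the requested byte length, base64url without padding.
gen_secret() {
    nbytes="$1"
    head -c "$nbytes" /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Write one secret to <dir>/<name> as mode 0600. The value never appears on
# a command line, so it cannot leak through ps or shell history.
write_secret() {
    dir="$1"; name="$2"; nbytes="$3"
    gen_secret "$nbytes" > "$dir/$name"
    chmod 0600 "$dir/$name"
}

# Print "NAME  PREFIX...  (len chars)" so the operator can confirm generation
# without the full value landing in scrollback or a terminal log.
summarize() {
    dir="$1"
    for f in "$dir"/*; do
        val=$(cat "$f")
        printf '%-24s %.6s...  (%d chars)\n' "$(basename "$f")" "$val" "${#val}"
    done
}

# Generate the full set under a restrictive umask. PI_ENCFILE is deliberately
# not produced here: it must be generated inside the privacyIDEA container.
gen_all() {
    dir="$1"
    umask 077
    mkdir -p -m 0700 "$dir"
    write_secret "$dir" PI_SECRET_KEY 32
    write_secret "$dir" PI_PEPPER 32
    write_secret "$dir" DB_PASSWORD 24
    write_secret "$dir" KEYCLOAK_ADMIN_PASSWORD 24
    write_secret "$dir" BREAK_GLASS_PASSWORD 24
}

# Overwrite and remove the plaintext directory once the values are in
# KeePassXC and the offsite bundle. shred is GNU-specific; where it is
# absent, overwrite in place with dd before unlinking.
shred_dir() {
    dir="$1"
    for f in "$dir"/*; do
        if command -v shred >/dev/null 2>&1; then
            shred -u "$f"
        else
            dd if=/dev/urandom of="$f" bs=1 count="$(($(wc -c < "$f")))" conv=notrunc 2>/dev/null
            rm -f "$f"
        fi
    done
    rmdir "$dir"
}

# Usage: ./gen-secrets-example.sh run [dir]
if [ "${1:-}" = "run" ]; then
    gen_all "${2:-secrets}"
    summarize "${2:-secrets}"
fi
```

Running `gen_all` then `summarize` shows lines such as `PI_SECRET_KEY            aB3k9Q...  (43 chars)`; the 43 comes from 32 random bytes in unpadded base64. Call `shred_dir` only after the values have been copied into the vault and the bundle has been verified, since nothing here can regenerate them.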
2026-03-02 09:01:50 +01:00
parent 52d44daec2
commit c5761884f4
4 changed files with 307 additions and 0 deletions

.gitignore

@@ -1,3 +1,8 @@
# ── Secrets (never commit) ─────────────────────────────────────────────────────
sso-mfa/bootstrap/secrets/
*.age
*.kdbx
# ---> Python
# Byte-compiled / optimized / DLL files
__pycache__/
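Review bot: the new block runs straight into `# ---> Python` with no blank line after `*.kdbx`, so the two sections read as one; add a separating blank line. Also, `*.age` and `*.kdbx` are repo-wide patterns: any age-encrypted artifact or KeePassXC database placed anywhere else in the tree will be silently ignored, which is fine if that is the intent but otherwise should be scoped under `sso-mfa/bootstrap/`. Finally, an ignore rule only stops an accidental `git add`; `git add -f` still stages the secrets directory, so a pre-commit secret scan is still worth adding alongside this.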