From c8c6efbc553a80d2bf310493a019c99dd75b25a7 Mon Sep 17 00:00:00 2001 From: Bernd Worsch Date: Sun, 22 Mar 2026 00:32:45 +0000 Subject: [PATCH] =?UTF-8?q?chore(workplan):=20NK-WP-0003-T07=20done=20?= =?UTF-8?q?=E2=80=94=20KeyCape=20running?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 --- ...-keycape-privacyidea-cluster-deployment.md | 21 +++++++++++-------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index b0baaa0..2762c07 100644 --- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md 
@@ -214,17 +214,20 @@ Verify: `bash sso-mfa/k8s/verify-t05.sh` (covers LLDAP + Authelia together) ```task id: NK-WP-0003-T07 -status: blocked +status: done priority: high state_hub_task_id: "496a97c9-3e2a-486e-ba62-18449868c6cf" -note: Blocked 2026-03-21 — keycape:v0.1 image cannot be built on the k3s node (no Docker/Go). - Deployment applied; pod stuck in ImagePullBackOff. - Secrets keycape-config + keycape-pi-token already in cluster (both correct, real PI token). - Capability request filed: hub ID 0e0aefd7 (routed to railiance, direct msg sent to key-cape). - key-cape repo must deliver: - 1. .github/workflows/publish.yml — build+push to ghcr.io//keycape:v0.1 on main - 2. Update net-kingdom/sso-mfa/k8s/keycape/deployment.yaml image: to GHCR reference - Once image is published: kubectl rollout restart deployment/keycape -n sso +note: Completed 2026-03-22. KEY-WP-0002 delivered image to Gitea OCI registry + (92.205.130.254:32166/coulomb/key-cape:latest). Three issues fixed: + 1. deployment.yaml image ref updated to Gitea registry (correct namespace: coulomb) + 2. k3s hosts.toml fixed: server endpoint must be http:// for plain-HTTP Gitea NodePort + (k3s generated https:// by default → "http: server gave HTTP response to HTTPS client") + 3. keycape-config clients: [] → added demo-app client (required for startup + T08 tests) + Pod 1/1 Running; /healthz OK; OIDC discovery live. + Note: hosts.toml at /var/lib/rancher/k3s/agent/etc/containerd/certs.d/92.205.130.254:32166/ + is generated from /etc/rancher/k3s/registries.yaml — will revert on k3s restart. + Permanent fix: registries.yaml mirror config generates HTTPS server by default; + need to manually maintain hosts.toml or find k3s config that forces HTTP server. ``` Deploy KeyCape into the `sso` namespace.
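Review bot: The task is flipped to `status: done` while the closing lines of the new note say the hosts.toml change "will revert on k3s restart" and that the permanent fix is still unknown, so the state this task records does not survive a restart of the node. Either leave the task open until the registry configuration persists, or set it to done only with a reference to a follow-up task that owns the permanent fix, so the open item is tracked rather than buried in a completed task's note. Related, in fix 1 and fix 2: the image is now referenced as `92.205.130.254:32166/coulomb/key-cape:latest` and pulled through an `http://` endpoint, which means the SSO component's image arrives by mutable tag over a transport that authenticates nothing. That deserves its own line in the note as a known gap, with the intended remedy (TLS on the Gitea registry, image pinned by digest in deployment.yaml) named in the follow-up. Fix 3 adds a `demo-app` client to keycape-config to satisfy startup and the T08 tests; the note should say whether that client is meant to stay in the cluster config after T08 or be removed.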