feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)

Deploys Keycloak (SSO core) in the sso namespace. Files: sso-mfa/k8s/keycloak/pvc.yaml — keycloak-data PVC (build cache) sso-mfa/k8s/keycloak/middleware.yaml — rate-limit, admin-allowlist, HSTS sso-mfa/k8s/keycloak/deployment.yaml — Deployment + Service; init container downloads privacyIDEA provider JAR sso-mfa/k8s/keycloak/ingress.yaml — Ingress for kc.coulomb.social (CP-NK-004) sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm sso-mfa/k8s/keycloak/README.md — apply order, custom image guide, DR sso-mfa/k8s/verify-t05.sh — T05 done-criteria verification script Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL). CP-NK-005 must be set before applying deployment.yaml. Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 02:00:51 +00:00
parent 1d94652ba1
commit d0ed7d9cd6
9 changed files with 1116 additions and 0 deletions
--- a/CONFIG.md
+++ b/CONFIG.md
@@ -23,6 +23,8 @@ If yes to any of the above, don't add it here.
 | CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
 | CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
 | CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
+| CP-NK-004 | Keycloak SSO hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycloak/deployment.yaml`, `sso-mfa/k8s/keycloak/ingress.yaml` |
+| CP-NK-005 | privacyIDEA Keycloak Provider JAR URL | *(not set — edit before apply)* | `sso-mfa/k8s/keycloak/deployment.yaml` |

 ---

@@ -83,3 +85,48 @@ gains a structured "operator contact" concept.

 **Scope:** All TLS certificates issued by the `letsencrypt-prod` ClusterIssuer across
 the entire cluster.
+
+---
+
+## CP-NK-004 — Keycloak SSO hostname
+
+**Value:** `kc.coulomb.social`
+**Set:** 2026-03-19
+**Set by:** worsch
+
+**Location(s):**
+- `sso-mfa/k8s/keycloak/deployment.yaml` — `KC_HOSTNAME` env var
+- `sso-mfa/k8s/keycloak/ingress.yaml` — both Ingress `host` fields
+
+**Why non-default:** Subdomain prefix must be chosen by the operator. `kc` =
+**K**ey**c**loak, consistent with the service-initial naming pattern.
+
+**Scope:** TLS certificate, Traefik routing, Keycloak's internal hostname strictness
+check, and all OIDC/SAML redirect URIs registered in this realm. Changing this
+hostname after clients are registered requires updating all registered redirect URIs.
+
+---
+
+## CP-NK-005 — privacyIDEA Keycloak Provider JAR URL
+
+**Value:** *(not set — operator must edit before applying T05)*
+**Set:** —
+**Set by:** —
+
+**Location(s):**
+- `sso-mfa/k8s/keycloak/deployment.yaml` — `PROVIDER_JAR_URL` env var in the
+  `install-privacyidea-provider` init container
+
+**Why non-default:** The JAR URL depends on the chosen release version, which must
+be verified for compatibility with the deployed Keycloak image version. There is no
+stable "latest" URL suitable for automation.
+
+**How to set:**
+1. Browse https://github.com/privacyIDEA/keycloak-provider/releases
+2. Choose a release compatible with the Keycloak image version in `deployment.yaml`.
+3. Edit `deployment.yaml`: replace `EDIT_BEFORE_APPLY` with the `.jar` download URL.
+4. Update this entry with the chosen URL and version.
+
+**Scope:** Keycloak init container only. If switching to a custom Keycloak image
+(see T05 README "Custom image" section), this config point becomes obsolete and
+can be removed.