generated from coulomb/repo-seed
Add security architecture workplans
@@ -0,0 +1,136 @@
---
id: NK-WP-0008
type: workplan
title: IT Security Architecture Patterns Infospace
domain: netkingdom
repo: net-kingdom
status: proposed
owner: codex
topic_slug: netkingdom
planning_priority: high
planning_order: 8
created: 2026-05-17
updated: 2026-05-17
depends_on:
- NK-WP-0006
state_hub_workstream_id: "053c6d96-9396-40c9-a2e5-c36531e7810d"
---

# NK-WP-0008 - IT Security Architecture Patterns Infospace

## Goal

Create a curated infospace of reusable IT security architecture patterns
for NetKingdom-enabled infrastructures.

The infospace should be a reference library of patterns, tradeoffs,
threats, implementation variants, and canonical NetKingdom mappings. It
should help us recognize patterns such as STS credential vending,
workload identity, secret zero avoidance, break-glass access, delegated
authorization, short-lived certificates, and policy-as-code before they
become scattered repo-local folklore.

## Context

The platform now spans identity, MFA, policy, SSH certificates, reverse
tunnels, object storage, artifact storage, Kubernetes platform services,
and secrets management. Several patterns repeat across repos:

- key-cape and Keycloak implement OIDC identity contracts.
- flex-auth implements policy-as-code authorization decisions.
- ops-warden issues short-lived SSH certificates.
- ops-bridge consumes short-lived SSH credentials and records actor
attribution.
- artifact-store consumes object storage and needs temporary S3
credential support.
- Railiance platform services need a canonical secrets manager and
object-storage integration.

An infospace makes these repeatable architectural patterns explicit,
searchable, comparable, and teachable.

## Scope

In scope:

- define a pattern document template
- create an infospace directory under `docs/security-patterns/`
- capture initial patterns and their NetKingdom mapping
- record source references and current product/tool options
- connect patterns to implementation repos and workplans
- distinguish canonical patterns from experiments and anti-patterns

Out of scope:

- implementing every pattern
- replacing ADRs
- duplicating vendor documentation
- writing full tutorials; tutorials are handled by NK-WP-0009

## Tasks

```task
id: NK-WP-0008-T1
status: todo
priority: high
state_hub_task_id: "d1b7213c-3315-49d2-90c9-efdf2bea3563"
```

Define the security-pattern infospace structure and template:
problem, forces, applicability, threat model, canonical NetKingdom
mapping, implementation variants, operational checks, audit hooks,
anti-patterns, and references.

```task
id: NK-WP-0008-T2
status: todo
priority: high
state_hub_task_id: "59966187-27f1-4b9c-9dfc-e59d11ff115c"
```

Create initial pattern entries for: STS credential vending, workload
identity, secret zero avoidance, dynamic secrets, short-lived SSH
certificates, delegated authorization, break-glass access, and
policy-as-code.

```task
id: NK-WP-0008-T3
status: todo
priority: medium
state_hub_task_id: "927c08a5-1a7e-4634-a514-0f562e286708"
```

Map each pattern to NetKingdom/Railiance repos and components:
net-kingdom, key-cape, flex-auth, ops-warden, ops-bridge,
railiance-platform, artifact-store, Keycloak, Authelia, LLDAP,
privacyIDEA, OpenBao, Ceph RGW, and MinIO-compatible stores.

```task
id: NK-WP-0008-T4
status: todo
priority: medium
state_hub_task_id: "884626ea-243e-4806-9267-77ef643158b7"
```

Create an index page with pattern status, maturity, owning repo,
implementation links, and open decisions.

```task
id: NK-WP-0008-T5
status: todo
priority: medium
state_hub_task_id: "d3b29f3d-0da5-43b5-a93a-d95fb8a0ceef"
```

Add review criteria for admitting new patterns: vendor neutrality,
threat-model clarity, open-source/commercial implementation options,
operability, auditability, and failure-mode behavior.

## Acceptance Criteria

- `docs/security-patterns/` exists with a repeatable pattern template.
- Initial high-value security patterns are documented in a consistent
shape.
- Each pattern names the canonical NetKingdom mapping and the repos that
own implementation.
- The infospace distinguishes patterns, tutorials, ADRs, and vendor docs.