generated from coulomb/repo-seed
Add security architecture workplans
143
workplans/NK-WP-0009-netkingdom-security-pattern-tutorials.md
Normal file
@@ -0,0 +1,143 @@
---
id: NK-WP-0009
type: workplan
title: NetKingdom Security Pattern Tutorials
domain: netkingdom
repo: net-kingdom
status: proposed
owner: codex
topic_slug: netkingdom
planning_priority: medium
planning_order: 9
created: 2026-05-17
updated: 2026-05-17
depends_on:
- NK-WP-0008
state_hub_workstream_id: "66c9f1e9-6b2f-454b-a6d4-04e5fe42385a"
---

# NK-WP-0009 - NetKingdom Security Pattern Tutorials

## Goal

Build practical tutorials that show operators and developers how to
implement canonical NetKingdom security architecture patterns in
NetKingdom-enabled IT infrastructures.

Where NK-WP-0008 is the pattern library, this workplan is the hands-on
path: runnable examples, checklists, commands, manifests, verification
steps, and failure-mode exercises.

## Context

The platform needs more than architecture statements. A new deployment
should be able to answer:

- How do I issue identity tokens in lightweight mode versus expanded
mode?
- How do I ask flex-auth for a resource decision?
- How do I vend temporary object-storage credentials?
- How do I deploy OpenBao and avoid secret zero traps?
- How do I use short-lived SSH certificates for agents and automations?
- How do I verify audit records and break-glass behavior?

Tutorials turn canonical patterns into repeatable implementation
practice without forcing every application repo to rediscover the same
steps.

## Scope

In scope:

- tutorial structure and style guide
- runnable or copy-pasteable examples
- local/dev and production variants where appropriate
- verification and rollback steps
- integration references to key-cape, flex-auth, ops-warden,
ops-bridge, railiance-platform, and artifact-store

Out of scope:

- deploying live services directly from this repo
- replacing repo-specific operator runbooks
- hiding provider-specific security differences behind one generic
command

## Tasks

```task
id: NK-WP-0009-T1
status: todo
priority: high
state_hub_task_id: "79150b07-f25d-4407-a118-e08b6e588d37"
```

Create a tutorial template with prerequisites, architecture context,
commands, manifests, verification, rollback, threat checks, and
cross-repo ownership notes.

```task
id: NK-WP-0009-T2
status: todo
priority: high
state_hub_task_id: "07647ba6-90e1-4569-947a-ebccce7a2d5e"
```

Write the first tutorial: "Vend temporary S3 credentials from a
NetKingdom identity token", covering key-cape/Keycloak identity,
flex-auth authorization, object-store STS exchange, and SDK consumer
configuration.

```task
id: NK-WP-0009-T3
status: todo
priority: high
state_hub_task_id: "0f34eda3-f1f3-4c49-9eba-36167b6c5ea9"
```

Write "Deploy OpenBao as the canonical secrets manager for a
NetKingdom-enabled Railiance platform", linking to the Railiance
Platform workplan and covering auth methods, secret engines, CSI/ESO
integration, leases, unseal, backup, and break-glass.

```task
id: NK-WP-0009-T4
status: todo
priority: medium
state_hub_task_id: "3c17d1ac-3232-43b4-b541-ea6538da2afb"
```

Write "Use short-lived SSH credentials for admins, agents, and
automations", using ops-warden and ops-bridge as the reference
implementation.

```task
id: NK-WP-0009-T5
status: todo
priority: medium
state_hub_task_id: "aff82173-0b8e-4216-855a-887ac68b63e0"
```

Write "Add a protected system to flex-auth", covering resource
manifests, action vocabulary, claim envelopes, policy packages,
decision envelopes, and delegated PDP options.

```task
id: NK-WP-0009-T6
status: todo
priority: medium
state_hub_task_id: "df427aa3-233f-4479-aed9-706676f8e87d"
```

Add tutorial verification fixtures or checklists so each tutorial has a
clear "done when" outcome and does not become prose-only guidance.

## Acceptance Criteria

- Tutorials are grouped under a stable docs path with a repeatable
format.
- Each tutorial maps back to one or more NK-WP-0008 patterns.
- Tutorials name the owning repo for every concrete implementation
step.
- Tutorials include verification and rollback guidance, not just happy
path commands.

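Review bot: the Context section lists six questions a new deployment should be able to answer, but the Tasks section only provides tutorials for four of them (T2 temporary object-storage credentials, T3 OpenBao, T4 short-lived SSH credentials, T5 adding a protected system to flex-auth); "issue identity tokens in lightweight mode versus expanded mode" and "verify audit records and break-glass behavior" have no task of their own, and break-glass appears only as one item inside the OpenBao tutorial. Either add tasks for those two tutorials or state in the Context which existing tutorial answers each question, so the acceptance criterion that every tutorial maps back to an NK-WP-0008 pattern can be checked against a complete list. Separately, T1 puts "threat checks" into the template, yet the Acceptance Criteria only require verification and rollback guidance; a matching criterion such as "each tutorial names the failure modes it exercises" would keep the template and the definition of done aligned with the failure-mode exercises promised in the Goal.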