feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)

namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-03-02 09:49:39 +01:00
parent c5761884f4
commit ee794a61ab
9 changed files with 731 additions and 0 deletions

View File

@@ -0,0 +1,44 @@
# cert-manager issuers for net-kingdom SSO/MFA
#
# Two issuers are defined:
# 1. selfsigned-issuer — self-signed CA for internal/test use
# 2. letsencrypt-prod — ACME (Let's Encrypt) for public-facing ingresses
#
# Apply order:
# kubectl apply -f issuers.yaml
# kubectl apply -f test-certificate.yaml # verify selfsigned-issuer works
#
# Prerequisites: cert-manager must be installed and its CRDs registered.
# On K3s: cert-manager is NOT installed by default — install via Helm:
# helm repo add jetstack https://charts.jetstack.io
# helm install cert-manager jetstack/cert-manager \
# --namespace cert-manager --create-namespace \
# --set crds.enabled=true
# ── Self-signed ClusterIssuer (test / internal CA) ───────────────────────────
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
# ── Let's Encrypt production ClusterIssuer ───────────────────────────────────
# Requires: public DNS pointing to the cluster, port 80 reachable by ACME.
# Traefik handles the HTTP-01 challenge automatically.
#
# Replace ACME_EMAIL with your address before applying.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: ACME_EMAIL # <-- replace before applying
privateKeySecretRef:
name: letsencrypt-prod-account-key
solvers:
- http01:
ingress:
ingressClassName: traefik

View File

@@ -0,0 +1,33 @@
# Test Certificate — verifies cert-manager + selfsigned-issuer are working.
#
# Apply:
# kubectl apply -f test-certificate.yaml
#
# Verify:
# kubectl get certificate -n cert-manager-test
# kubectl describe certificate selfsigned-test -n cert-manager-test
# # READY=True means cert-manager is operational.
#
# Clean up after verification:
# kubectl delete namespace cert-manager-test
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager-test
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: selfsigned-test
namespace: cert-manager-test
spec:
secretName: selfsigned-test-tls
duration: 24h
renewBefore: 1h
issuerRef:
name: selfsigned-issuer
kind: ClusterIssuer
commonName: test.net-kingdom.internal
dnsNames:
- test.net-kingdom.internal