diff --git a/sso-mfa/k8s/authelia/configmap.yaml b/sso-mfa/k8s/authelia/configmap.yaml
index e369fc3..4aa845b 100644
--- a/sso-mfa/k8s/authelia/configmap.yaml
+++ b/sso-mfa/k8s/authelia/configmap.yaml
@@ -50,7 +50,7 @@ data:
 base_dn: dc=netkingdom,dc=local
 username_attribute: uid
 additional_users_dn: ou=people
- users_filter: "(&(uid={input})(objectClass=inetOrgPerson))"
+ users_filter: "(&({username_attribute}={input})(objectClass=inetOrgPerson))"
 additional_groups_dn: ou=groups
 groups_filter: "(member={dn})"
 group_name_attribute: cn
@@ -99,7 +99,8 @@ data:
 clients:
 - id: keycape
 description: "KeyCape IAM Orchestration Layer"
- # secret (bcrypt hash): injected via AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
+ # bcrypt hash of the KeyCape OIDC client secret (hash is not sensitive — safe in ConfigMap)
+ secret: "$2b$12$W/ct2nasY4wruQrFVh33UO5qgoxYTBNVvTBqfZHMwBVll13ZeCli."
 public: false
 authorization_policy: one_factor
 consent_mode: implicit
diff --git a/sso-mfa/k8s/authelia/deployment.yaml b/sso-mfa/k8s/authelia/deployment.yaml
index 80d78f7..88c07d1 100644
--- a/sso-mfa/k8s/authelia/deployment.yaml
+++ b/sso-mfa/k8s/authelia/deployment.yaml
@@ -67,8 +67,6 @@ spec:
 value: /run/secrets/authelia/oidc_hmac_secret
 - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
 value: /run/secrets/authelia/oidc_issuer_private_key
- - name: AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE
- value: /run/secrets/authelia/keycape_client_secret_hash
 
 volumeMounts:
 # Config from ConfigMap
diff --git a/sso-mfa/k8s/lldap/deployment.yaml b/sso-mfa/k8s/lldap/deployment.yaml
index d694511..775430d 100644
--- a/sso-mfa/k8s/lldap/deployment.yaml
+++ b/sso-mfa/k8s/lldap/deployment.yaml
@@ -37,8 +37,8 @@ spec:
 net-kingdom/component: sso
 spec:
 securityContext:
- runAsNonRoot: true
- runAsUser: 1000
+ # lldap/lldap:stable initialises /app as root then drops privileges
+ # internally — runAsNonRoot/runAsUser would prevent that init step.
 fsGroup: 1000
 containers:
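Review bot: The comment above the new `secret:` line overstates the case — a bcrypt hash of an OIDC client secret is still a credential artefact that can be attacked offline, so it is only acceptable in a committed ConfigMap when the plaintext secret is long and randomly generated, and ConfigMap read access in the `sso` namespace should stay as restricted as the Secret's was. I would reword it to `# bcrypt hash (cost 12) of the KeyCape OIDC client secret — safe to commit only because the plaintext is a long random value; keep ConfigMap reads restricted.` If keeping the hash out of the ConfigMap is preferred, Authelia 4.38's config template filter (`X_AUTHELIA_CONFIG_FILTERS=template` with `secret: '{{ secret "/run/secrets/authelia/keycape_client_secret_hash" }}'`) can read it from the file that was already mounted — worth confirming against the deployed version's docs. The `clients:` entry continues outside the hunk.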
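Review bot: Removing the `AUTHELIA_IDENTITY_PROVIDERS_OIDC_CLIENTS_0_SECRET_FILE` env var leaves the `keycape_client_secret_hash` file under `/run/secrets/authelia/` unreferenced, assuming the Secret volume (outside this hunk) still projects it; that is a second copy of the hash that can silently drift from the value now inlined in the ConfigMap. Either remove that key from the Secret and its volume `items`, or keep it as the single source and have the config read it through Authelia's template filter instead of inlining. A short comment at the removal site would help the next reader: `# client secret hash now lives in configmap.yaml (CLIENTS_0_SECRET_FILE is not honoured by 4.38)`. The `env:` list and its enclosing container spec continue outside the hunk.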
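Review bot: Dropping `runAsNonRoot: true` / `runAsUser: 1000` means the lldap container now starts as root, and the pod would no longer pass the `restricted` Pod Security Standard if that is enforced on the `sso` namespace; the new comment explains the cause but records no mitigation. If root is needed only to fix ownership of the data directory, the usual pattern is an `initContainer` that runs as root solely to `chown` the PVC mount, so the main container can keep `runAsNonRoot`/`runAsUser: 1000`; I believe lldap also publishes rootless image variants (`-rootless` tags) that skip the root init step — worth checking whether one fits before accepting root. I would extend the comment with `# TODO(security): restore runAsNonRoot once the PVC is chowned by an initContainer or a rootless lldap image is used.` The pod `spec:` and the `containers:` list continue outside the hunk.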
diff --git a/sso-mfa/k8s/verify-t02.sh b/sso-mfa/k8s/verify-t02.sh index 063b9e7..a110531 100755 --- a/sso-mfa/k8s/verify-t02.sh +++ b/sso-mfa/k8s/verify-t02.sh @@ -65,7 +65,7 @@ done check "allow-traefik-to-keycape in sso" $KUBECTL get networkpolicy allow-traefik-to-keycape -n sso check "allow-keycape-egress-to-privacyidea in sso" $KUBECTL get networkpolicy allow-keycape-egress-to-privacyidea -n sso check "allow-ingress-from-traefik in mfa" $KUBECTL get networkpolicy allow-ingress-from-traefik -n mfa -check "allow-ingress-from-keycloak in mfa" $KUBECTL get networkpolicy allow-ingress-from-keycloak -n mfa +check "allow-ingress-from-keycape in mfa" $KUBECTL get networkpolicy allow-ingress-from-keycape -n mfa check "allow-egress-to-postgres in mfa" $KUBECTL get networkpolicy allow-egress-to-postgres -n mfa check "allow-ingress-from-keycloak in databases" $KUBECTL get networkpolicy allow-ingress-from-keycloak -n databases check "allow-ingress-from-privacyidea in databases" $KUBECTL get networkpolicy allow-ingress-from-privacyidea -n databases diff --git a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md index 8eb78b1..5050e42 100644 --- a/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md +++ b/workplans/NK-WP-0003-keycape-privacyidea-cluster-deployment.md @@ -82,9 +82,12 @@ cluster, and delivers the emergency bundle. No KeePassXC steps required. ```task id: NK-WP-0003-T02 -status: todo +status: done priority: high state_hub_task_id: "a14e3a6b-18ee-4172-8a47-bd531f21e55a" +note: Verified 2026-03-21 — all namespaces, NetworkPolicies, cert-manager, and ClusterIssuers + already applied (35h+ ago). verify-t02.sh 22/22 passed. Fixed stale keycloak→keycape + check in verify script. ``` Apply the K8s infrastructure foundations. All manifests already committed. 
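Review bot: `check` only verifies that a NetworkPolicy named `allow-ingress-from-keycape` exists in `mfa`; the stale keycloak→keycape name this line corrects is exactly the kind of drift that can also survive inside the policy's selectors, which `get` alone cannot detect. A follow-up check that reads the spec, e.g. `$KUBECTL get networkpolicy allow-ingress-from-keycape -n mfa -o jsonpath='{.spec.ingress[*].from[*].podSelector.matchLabels}'`, compared against the label the keycape pods actually carry, would catch a policy that exists but still admits the wrong peer. The `check` helper and the loop this hunk follows are outside the hunk.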
@@ -105,9 +108,12 @@ cert-manager pods Running. ```task id: NK-WP-0003-T03 -status: todo +status: done priority: high state_hub_task_id: "19e375d0-66bd-4cf0-9c2d-59d5c0d5989e" +note: Verified 2026-03-21 — CNPG cluster net-kingdom-pg healthy (1/1 Ready), privacyidea_db exists. + LLDAP and Authelia use SQLite (PVC), no additional PG databases needed. + verify-t03.sh: 8 PASS, 2 WARN (superuser secret + backup — both expected at this stage). ``` Deploy the shared database cluster with three databases: @@ -157,9 +163,13 @@ Once `pink.coulomb.social` resolves to the cluster IP and TLS cert is issued: ```task id: NK-WP-0003-T05 -status: todo +status: done priority: high state_hub_task_id: "82fc90f7-8eb4-4718-b02a-dfd5fa39e5bc" +note: Deployed 2026-03-21. securityContext fix: removed runAsNonRoot/runAsUser (lldap image + initialises as root). Pod 1/1 Running. Groups net-kingdom-users + net-kingdom-admins created + via API (plaintext secrets dir cleaned up by agent; used K8s secret directly). + ACME solver running for lldap.coulomb.social. ``` Deploy LLDAP into the `sso` namespace. @@ -179,9 +189,13 @@ Verify pod Running and LDAP bind works on `ldap.coulomb.social`. ```task id: NK-WP-0003-T06 -status: todo +status: done priority: high state_hub_task_id: "3a28ff10-fbfa-443b-a64d-bbfe6153c544" +note: Deployed 2026-03-21. Two config fixes: (1) users_filter changed uid→{username_attribute}={input}; + (2) OIDC client secret moved from unsupported env var to inline bcrypt hash in configmap + (4.38 does not support CLIENTS_0_SECRET_FILE indexed env vars). Pod 1/1 Running, + "Startup complete". Remaining deprecation warnings are auto-mapped and non-fatal. ``` Deploy Authelia into the `sso` namespace.