fix(sso-mfa): commit T02–T06 fixes and workplan status updates

- authelia: users_filter uid→{username_attribute}, OIDC client secret
  moved from env var to inline bcrypt hash in configmap (4.38 limitation)
- authelia: remove unsupported CLIENTS_0_SECRET_FILE env var
- lldap: drop runAsNonRoot/runAsUser (image init requires root)
- verify-t02: keycloak→keycape NetworkPolicy check rename
- workplan: T02/T03/T05/T06 marked done with notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 20:25:03 +00:00
parent a60f4fc834
commit f2f07871eb
5 changed files with 24 additions and 11 deletions


@@ -82,9 +82,12 @@ cluster, and delivers the emergency bundle. No KeePassXC steps required.
```task
id: NK-WP-0003-T02
status: todo
status: done
priority: high
state_hub_task_id: "a14e3a6b-18ee-4172-8a47-bd531f21e55a"
note: Verified 2026-03-21 — all namespaces, NetworkPolicies, cert-manager, and ClusterIssuers
already applied (35h+ ago). verify-t02.sh 22/22 passed. Fixed stale keycloak→keycape
check in verify script.
```
Apply the K8s infrastructure foundations. All manifests already committed.
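Review bot: the note "verify-t02.sh 22/22 passed. Fixed stale keycloak→keycape check in verify script" does not say whether the 22/22 result was taken before or after the check was renamed, and a verification script edited in the same commit that flips a task to done deserves that detail. Suggest stating it explicitly, e.g. "verify-t02.sh 22/22 passed after renaming the keycloak NetworkPolicy check to keycape", and naming what the renamed check asserts (which NetworkPolicy, which selector) so a future reader can tell a real pass from a check that was loosened to pass.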
@@ -105,9 +108,12 @@ cert-manager pods Running.
```task
id: NK-WP-0003-T03
status: todo
status: done
priority: high
state_hub_task_id: "19e375d0-66bd-4cf0-9c2d-59d5c0d5989e"
note: Verified 2026-03-21 — CNPG cluster net-kingdom-pg healthy (1/1 Ready), privacyidea_db exists.
LLDAP and Authelia use SQLite (PVC), no additional PG databases needed.
verify-t03.sh: 8 PASS, 2 WARN (superuser secret + backup — both expected at this stage).
```
Deploy the shared database cluster with three databases:
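Review bot: the unchanged task text "Deploy the shared database cluster with three databases:" now contradicts the new note "LLDAP and Authelia use SQLite (PVC), no additional PG databases needed", so status: done is being set against acceptance criteria the task no longer meets as written. Update the task description (or add a line to the note recording that scope was reduced to the single privacyidea_db database) in the same change. Separately, "2 WARN (superuser secret + backup — both expected at this stage)" defers a missing backup for the cluster that will hold privacyIDEA data without any follow-up task ID or date; record where that work is tracked rather than only marking it expected.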
@@ -157,9 +163,13 @@ Once `pink.coulomb.social` resolves to the cluster IP and TLS cert is issued:
```task
id: NK-WP-0003-T05
status: todo
status: done
priority: high
state_hub_task_id: "82fc90f7-8eb4-4718-b02a-dfd5fa39e5bc"
note: Deployed 2026-03-21. securityContext fix: removed runAsNonRoot/runAsUser (lldap image
initialises as root). Pod 1/1 Running. Groups net-kingdom-users + net-kingdom-admins created
via API (plaintext secrets dir cleaned up by agent; used K8s secret directly).
ACME solver running for lldap.coulomb.social.
```
Deploy LLDAP into the `sso` namespace.
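Review bot: "removed runAsNonRoot/runAsUser (lldap image initialises as root)" records a hardening regression on the directory service pod without recording what is left in the securityContext or whether the lldap process drops privileges after initialisation. The note should state the remaining controls (for example allowPrivilegeEscalation: false and dropped capabilities, if set) and the effective runtime UID observed in the running pod, or open a follow-up to restore a non-root context once the init step is handled; otherwise the identity store runs as root indefinitely because one init step needed it once. The aside "plaintext secrets dir cleaned up by agent" also says plaintext secrets existed on disk but not where; record the path and that it was never committed.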
@@ -179,9 +189,13 @@ Verify pod Running and LDAP bind works on `ldap.coulomb.social`.
```task
id: NK-WP-0003-T06
status: todo
status: done
priority: high
state_hub_task_id: "3a28ff10-fbfa-443b-a64d-bbfe6153c544"
note: Deployed 2026-03-21. Two config fixes: (1) users_filter changed uid→{username_attribute}={input};
(2) OIDC client secret moved from unsupported env var to inline bcrypt hash in configmap
(4.38 does not support CLIENTS_0_SECRET_FILE indexed env vars). Pod 1/1 Running,
"Startup complete". Remaining deprecation warnings are auto-mapped and non-fatal.
```
Deploy Authelia into the `sso` namespace.
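Review bot: "OIDC client secret moved from unsupported env var to inline bcrypt hash in configmap" puts the hash where ConfigMaps live, which is typically readable by anyone with namespace read access and is committed alongside the other manifests; a bcrypt hash is safe to expose only if the underlying client secret has enough entropy to make offline guessing pointless. Suggest either moving that fragment into a Secret mounted as an additional Authelia configuration file, or adding to the note how the client secret was generated (length and source of randomness) so the decision to publish its hash is justified. "Remaining deprecation warnings are auto-mapped and non-fatal" should also list the deprecated keys, since the auto-mapping is exactly what a later Authelia upgrade may remove.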