coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
246 Commits 1 Branch 0 Tags
3764ea03ed2bc9eb644cdee8de9aaf22ea7f41bf
Commit Graph

20 Commits

Author SHA1 Message Date
tegwick
3875d546bc Expose OIDC auth mounts to unauthenticated OpenBao UI listing 
Set listing_visibility=unauth on netkingdom and keycape during OIDC configure
so the browser login mask can select KeyCape instead of falling back to token.
 2026-06-19 21:04:31 +02:00
tegwick
efbdab4652 feat(keycape): add netkingdom OIDC mount and bao.coulomb.social callbacks 
Configure OpenBao auth for both netkingdom and keycape mounts with browser
redirect URIs; update verify scripts and runtime architecture notes.
 2026-06-18 01:23:02 +02:00
tegwick
8a3d7a8aff chore: make T06 verify scripts executable (chmod +x for check-mfa and keycape-verify used in dry-run evidence) 2026-06-03 02:03:03 +02:00
tegwick
c48e076429 Close OpenBao OIDC admin bootstrap path 2026-06-01 21:20:53 +02:00
tegwick
7ce5f5bab0 Simplify KeyCape MFA token refresh 2026-05-29 03:21:58 +02:00
tegwick
ed991860fa Fix interactive MFA repair prompt 2026-05-29 03:18:44 +02:00
tegwick
c7b82df267 Add KeyCape privacyIDEA token repair flow 2026-05-29 03:07:17 +02:00
tegwick
cac59a37c1 openbao and itsec tooling integration 2026-05-27 18:56:30 +02:00
tegwick
1edcfbb17d Use helper for OpenBao OIDC auth setup 2026-05-26 03:02:08 +02:00
tegwick
a47c707a9a Verify KeyCape discovery without container wget 2026-05-26 02:47:01 +02:00
tegwick
59c924bc18 Patch KeyCape OpenBao client without bootstrap secrets 2026-05-26 02:36:04 +02:00
tegwick
1267df148a Harden KeyCape OpenBao client action 2026-05-26 02:22:24 +02:00
tegwick
f3c8d70270 Split OpenBao admin identity tasks 2026-05-26 02:13:55 +02:00
tegwick
dc70cd9fab Configure KeyCape LLDAP people OU 2026-05-25 00:32:43 +02:00
tegwick
5af876eb8c Enable KeyCape bootstrap MFA mode 2026-05-25 00:16:05 +02:00
tegwick
4cc22bec9e Record Railiance KeyCape rollout 2026-05-24 18:12:41 +02:00
tegwick
d555a33695 bootstrapping guidance ui and missing stuff 2026-05-24 17:04:15 +02:00
Bernd Worsch
880f89bf98 fix(keycape): NK-WP-0003-T07 — fix deployment image + add demo-app client 
- deployment.yaml: image → 92.205.130.254:32166/coulomb/key-cape:latest
  (Gitea OCI registry, delivered by KEY-WP-0002; imagePullPolicy: Always)
- k3s insecure registry hosts.toml: fixed server endpoint to http:// so
  containerd does not attempt HTTPS against the plain-HTTP Gitea NodePort
- create-secrets.sh: add demo-app OIDC client (required for KeyCape to
  start; also needed for T08 acceptance tests)
- keycape-config Secret updated in-place (no re-bootstrap needed)

KeyCape pod 1/1 Running; /healthz OK; OIDC discovery live at
https://kc.coulomb.social/.well-known/openid-configuration

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-22 00:30:58 +00:00
Bernd Worsch
59ba9e6fe1 fix(creds-bootstrap): harden agent bootstrap for non-interactive execution 
- creds-bootstrap-agent.sh: skip Phase 3 if all secrets already applied
  (avoids CNPG SSL connection drops from repeated reconciliation)
- creds-bootstrap-agent.sh: wait for rollout to complete after restart
  before running enckey/admin bootstrap (fixes race with old pod)
- creds-bootstrap-agent.sh: only restart privacyIDEA when Phase 3 ran
- create-pi-token.sh: use env-var + retry for token fetch (no heredoc
  stdin; handles transient 500 from idle connection pool)
- create-pi-token.sh: create keycape-pi-token K8s Secret after fetching
- creds-verify.sh: map keycape-pi-token to secrets_applied.keycape
  (not pi_admin_created, which caused spurious Phase 5 re-runs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-21 12:11:13 +00:00
Bernd Worsch
0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05) 
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 08:31:51 +00:00