coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
31 Commits 1 Branch 0 Tags
a375b3814d429bbb2bf93a34fd8a5a71edcd7e0f
Commit Graph

31 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Bernd Worsch
a375b3814d fix(sso-mfa): use ipWhiteList for Traefik v2 in LLDAP and privacyIDEA middleware 
Traefik 2.10 (K3s 1.30 bundle) requires ipWhiteList, not ipAllowList.
Updated both middleware files and clarified comments to match cluster version.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-20 07:28:06 +00:00
Bernd Worsch
6d25d088d7 feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03) 
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-20 02:57:41 +00:00
tegwick
0d5d12cb67 Added provided capabilities section 2026-03-20 01:01:52 +01:00
Bernd Worsch
6c062e1295 feat(sso-mfa): T07/T08 user mgmt, backups, DR & break-glass (NK-WP-0001-T07/T08) 
T07 — User management & self-service:
- k8s/lldap/bootstrap-users.sh: creates net-kingdom-users and net-kingdom-admins
  groups in LLDAP via GraphQL API; idempotent.
- k8s/lldap/break-glass.sh: creates break-glass bypass account in LLDAP,
  sets BREAKGLASS_PASSWORD, assigns to net-kingdom-admins.
- k8s/verify-t07.sh: 6 checks — groups, break-glass, self-service portal,
  KeyCape OIDC client registrations.

T08 — Backups, DR, break-glass:
- k8s/backup/cronjob-sqlite-backups.yaml: daily CronJobs for LLDAP SQLite,
  Authelia SQLite (with scale-down/up RBAC), and privacyIDEA enckey backup.
  7-day retention, 03:00/03:15/03:30 UTC staggered schedule.
- k8s/backup/DR-RUNBOOK.md: full restore runbook — scenarios, restore order,
  LLDAP/Authelia/PI SQLite restore procedure, full node rebuild sequence,
  offsite age-encrypted export.
- k8s/verify-t08.sh: 9 checks — CronJobs, RBAC, run history, backup files
  on PVCs, DR runbook presence, offsite backup (manual confirmation).
- WORKPLAN.md: T07/T08 sections with done-criteria added.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 09:17:03 +00:00
Bernd Worsch
69e900ddb1 feat(sso-mfa): T06 realm config & MFA flow manifests (NK-WP-0001-T06) 
- k8s/privacyidea/bootstrap-realm.sh: creates LLDAP resolver
  "lldap-netkingdom", the "netkingdom" default realm, TOTP self-enrollment
  policy, and passthru authentication policy (phase-1 rollout).
- k8s/verify-t06.sh: verifies realm, resolver, LDAP user resolution,
  KeyCape→privacyIDEA admin token, API connectivity, and policies.
- WORKPLAN.md: mark T05 done, add T06 section with done-criteria.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 09:04:07 +00:00
Bernd Worsch
c0e17611cc chore(sso-mfa): mark T05 complete in WORKPLAN.md 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 08:32:35 +00:00
Bernd Worsch
0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05) 
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 08:31:51 +00:00
Bernd Worsch
d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05) 
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 02:00:51 +00:00
Bernd Worsch
1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04) 
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 01:22:41 +00:00
tegwick
87d85261ca docs: add SCOPE.md for rapid orientation 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-17 23:10:45 +01:00
tegwick
8929bf65bc feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03) 
CloudNativePG Cluster CR (net-kingdom-pg, PostgreSQL 16) with two
application databases: keycloak_db (owner: keycloak) and privacyidea_db
(owner: privacyidea). Passwords managed continuously via managed.roles.
WAL archiving section stubbed and commented; activate when object storage
is available. ScheduledBackup CR included (daily 02:00 UTC, 7d retention).

Also: sync workplan status for T01 (Phase 0a done), T02 (manifests done),
T03 (manifests done, restore drill pending); close NK-WP-0002.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-05 09:22:13 +01:00
tegwick
2ebb231f19 custodian integration and some cleanuo 2026-03-04 23:31:28 +01:00
tegwick
7c3cde06b5 docs: introduce CONFIG.md config point registry (CP-NK-001) 
Establishes the local config point registry pattern. A config point is an
explicit non-default value that cannot be derived from topology, naming
convention, component defaults, or automation. Minimizing the list is a
design goal — absence of an entry means "accepting the upstream default".

CP-NK-001: ACME contact email (bernd.worsch+netkingdom@gmail.com)
  Location: sso-mfa/k8s/cert-manager/issuers.yaml:38
  Why non-default: ACME requires a real monitored inbox; no system default
  qualifies. Automation via Local Identity GECOS email is deferred.

State-hub extension point EP 8e1cda6a registered in custodian domain:
  "Config point registry: centralized view of explicit non-default
  configuration values" — proposes ConfigPoint entity type + MCP tools
  + cross-domain minimization metric.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 11:47:14 +01:00
tegwick
ee794a61ab feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02) 
namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 09:49:39 +01:00
tegwick
c5761884f4 feat(sso-mfa): Phase 0a bootstrap tooling (NK-WP-0001-T01) 
- sso-mfa/bootstrap/gen-secrets.sh: generates all pre-cluster secrets
  (PI_SECRET_KEY, PI_PEPPER, DB passwords, Keycloak admin, break-glass)
  into a structured secrets/ directory; prints summary with truncated values.
  PI_ENCFILE deferred — must be generated inside the privacyIDEA container.
- sso-mfa/bootstrap/pack-bundle.sh: age-encrypts the secrets directory into
  an offsite ops bundle.
- sso-mfa/bootstrap/README.md: KeePassXC group/entry structure, full workflow
  (generate → KeePassXC → bundle → shred → PI_ENCFILE post-deploy).
- .gitignore: add sso-mfa/bootstrap/secrets/, *.age, *.kdbx.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 09:01:50 +01:00
tegwick
52d44daec2 refactor(local-identity): post-Stage4 cleanups and micro-fixes 
- audit: chmod only on file creation, not every append (TOCTOU fix)
- jwt_utils: add extract_unverified_payload() helper
- cli: use extract_unverified_payload + JWTError instead of inline decode
- keys: extract _public_key_bytes() helper, import _b64url from jwt_utils
- security: FileNotFoundError try/except instead of path.exists() (TOCTOU fix)
- serve: cache JWK response at server init instead of per-request recompute

138 tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 08:25:21 +01:00
tegwick
3890dca25d chore(workplan): mark NK-WP-0002 fully complete (all 4 stages done) 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 08:07:20 +01:00
tegwick
e7bafd69fc feat(local-identity): Stage 4 — security hardening (NK-WP-0002-T04) 
Permission enforcement on startup: enforce_permissions() checks store dir
(700), user files (600), signing key, TLS key, audit.log, revoked.json.
CLI and run_server() call it before any sensitive operation.

New modules:
  security.py  check_store(), enforce_permissions(), print_security_check()
  audit.py     log_event() — append-only TSV audit log (mode 600)
  revoke.py    revoke(jti), is_revoked(jti) — revocation list (mode 600)

New CLI commands:
  security-check          Print per-check pass/warn/fail report; exit 1 on failure
  revoke-token <jti|jwt>  Add JTI to revocation list; accepts raw JTI or full JWT

Serve integration:
  Audit log written for auth request, token issuance, and userinfo calls
  Revocation checked at /userinfo; revoked tokens return 401

Docs: security model section in LocalIdentity.md — threat model,
assumptions, non-guarantees, SELinux/AppArmor guidance, revocation usage.

138 tests passing (34 new for Stage 4).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 08:06:56 +01:00
tegwick
ae348d0e54 docs(decisions): record D4 (ESO) and D5 (local-identity in-repo) 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 01:06:58 +01:00
tegwick
ec4626fb84 chore(workplan): mark NK-WP-0002-T03 done, record commit hash 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 01:06:01 +01:00
tegwick
d35823df08 feat(local-identity): Stage 3 — minimal native OIDC provider (NK-WP-0002-T03) 
Add local-identity serve command: a minimal Authorization Code flow OIDC
server backed by file-store users.  Implemented natively with no heavy
OIDC library — only stdlib http.server and the cryptography package.

New modules:
  keys.py      RSA-2048 signing key generation + JWKS helpers
  tls.py       Self-signed TLS certificate (localhost/127.0.0.1 SANs)
  jwt_utils.py RS256 JWT creation and verification
  serve.py     OIDCHandler + make_handler() factory + run_server()

Endpoints: /.well-known/openid-configuration, /jwks, /auth, /token,
/userinfo.  Server binds to 127.0.0.1 only; tokens carry iss: local-identity
which production Keycloak rejects by design.

104 tests passing (16 new for Stage 3).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 01:05:50 +01:00
tegwick
25c92863cf chore(workplan): mark NK-WP-0002-T02 done, record commit hash 2026-03-02 00:24:04 +01:00
tegwick
dad8365e6a feat(local-identity): Stage 2 — Keycloak export & bootstrap integration (NK-WP-0002-T02) 
export.py:
  - split_fullname(): last-token strategy (Bernd Worsch → firstName/lastName)
  - _deterministic_id(): uuid5(DNS, "local-identity.{realm}.{username}") for stable,
    re-import-idempotent Keycloak IDs
  - user_to_keycloak(): full Keycloak Admin REST API user representation;
    production_identity mapping applied to username + realm; isolation attributes
    (local_identity_environment, local_identity_generated) always present;
    validate_keycloak_user() called on every conversion to catch schema drift
  - bulk_export_body(): partial import body (ifResourceExists/realm/users)

cli.py: add `export` subcommand
  - export <username>         single user, prints Keycloak JSON
  - export (no args)          bulk; primary users only; stderr note on skipped test users
  - export --include-test     bulk; all users including generated
  - --realm / --if-resource-exists flags

docs/LocalIdentity.md: add two new sections
  - Keycloak import procedure: export → partialImport API → password reset → retire
  - Isolation guarantee: attribute schema, Keycloak Condition authenticator config,
    production_identity mapping walkthrough

tests/test_export.py: 34 new tests (88 total, all passing)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 00:23:39 +01:00
tegwick
666a56f4ed feat(local-identity): add --username and --fullname overrides to init 
Resolves the system identity mismatch between the Linux username (worsch)
and the bootstrap identity (tegwick / Bernd Worsch / custom email).

Resolution order for all three fields: flag > config > system derivation.
Config is updated on every init so --force reinits are idempotent without
repeating the flags.

- cli.py: extract _resolve_init_params(); add --username / --fullname args;
  persist all three fields to config.yaml on init
- tests/test_cli.py: 13 new tests covering flag priority, config fallback,
  system derivation, config persistence, idempotent --force reinit

54 tests passing.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 00:11:04 +01:00
tegwick
45cba35054 chore(workplan): mark NK-WP-0002-T01 done (Stage 1 complete) 
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 00:02:40 +01:00
tegwick
4491beaffe feat(local-identity): implement Stage 1 — core file store (NK-WP-0002-T01) 
Deliverables:
- src/local_identity/gecos.py: /etc/passwd GECOS parsing, current_username()
- src/local_identity/user.py: UserRecord dataclass, ProductionIdentity, make_test_user()
  - Pure test-user derivation: <user>N / +testN email alias / source_user tracking
- src/local_identity/store.py: file store CRUD backed by LOCAL_IDENTITY_HOME
  - ~/.local-identity/ mode 700, user files mode 600
  - All path lookups dynamic (env-var override enables clean test isolation)
- src/local_identity/cli.py: init/list/show commands; email from flag > config > prompt
- pyproject.toml + uv.lock: pyyaml dep, local-identity script entry point

Tests (41 passing):
- test_gecos.py: 9 tests — simple/comma/empty/non-ASCII/whitespace GECOS, fallback
- test_user.py: 14 tests — test-user derivation, YAML roundtrip, non-ASCII, idempotency
- test_store.py: 18 tests — dir creation, permissions (700/600), CRUD, list, config,
  idempotency (reinit with --force produces identical users)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 00:01:54 +01:00
tegwick
6ed0061962 feat(local-identity): add NK-WP-0002 workplan and LocalIdentity.md 
Follows resolved decisions D4 and D5 (2026-03-01, Tegwick):

D4 — ESO chosen as secret injection strategy. NK-WP-0001 T01 Phase 0b
updated to specify ESO; T01 done-criteria updated to require a working ESO
test injection.

D5 — Local Identity implemented in-repo (not a separate repo). Four
deliverables:
- docs/LocalIdentity.md: capability overview, design principles, user
  schema, OIDC provider description, risk mitigations, scope boundaries
- workplans/NK-WP-0002-local-identity.md: four-stage implementation plan
  (core file store, bootstrap integration, minimal OIDC, security hardening)
  with State Hub task IDs
- NK-WP-0001 updated: D2/D4/D5 rows resolved, T07 bootstrap section now
  references NK-WP-0002 and documents the export→Keycloak migration path,
  Open Questions condensed to two remaining artefacts

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-01 23:49:06 +01:00
tegwick
873fbcf052 docs(workplan): add D4/D5 decisions, T02 prerequisite, EP-NK-001 reference 
- Extend decisions table with D4 (secret injection, pending) and D5
  (file-based bootstrap user store, pending with SWOT)
- Add explicit prerequisite block to T02: T01 Phase 0a must complete first
- Update T07: reference EP-NK-001 (LDAP/Entra extension point) by ID
- Condense Open Questions into a reference table pointing to State Hub artefacts
- Ecosystem ADR recommendation recorded as [repo:custodian] task in hub

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-01 23:11:51 +01:00
tegwick
534906d509 docs(workplan): update NK-WP-0001 with resolved decisions D1/D2/D3 
- Add Decisions table summarising D1 (KeePassXC→Vault), D2 (Keycloak-internal
  hybrid + file-based bootstrap), D3 (plain Helm, AI-first philosophy)
- Split T01 into Phase 0a (pre-cluster KeePassXC) and Phase 0b (in-cluster
  Vault transition) per D1
- Update T05 to explicitly reference D3 (plain Helm first)
- Update T06 to state the D2 identity decision rather than re-opening it
- Update T07: remove "decide" language, implement decided approach, add
  D2 bootstrap user management scope note
- Update T08: add Vault unseal key backup to the backup list
- Replace Open Questions with remaining unresolved items (5 items)
- Add DECISIONS.md (decision log auto-generated by State Hub)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-01 22:51:11 +01:00
tegwick
004a8d6e6b Add CLAUDE.md, wiki protoplans, and NK-WP-0001 workplan 
Initialises the net-kingdom project structure:
- README.md: updated title and description
- CLAUDE.md: project instructions and State Hub integration config
- wiki/: three reference docs (NetKingdom overview, ChatGPT and Grok
  protoplans for the SSO/MFA platform)
- workplans/NK-WP-0001-sso-mfa-platform.md: combined workplan (8 phases,
  8 tasks) synthesised from the two protoplans; registered in the
  Custodian State Hub (workstream 39263c4b)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-02-28 17:21:51 +01:00
Coulomb Social
a852627f0c Initial commit 2026-02-28 09:41:41 +00:00