69e900ddb1
feat(sso-mfa): T06 realm config & MFA flow manifests (NK-WP-0001-T06)
- k8s/privacyidea/bootstrap-realm.sh: creates LLDAP resolver
"lldap-netkingdom", the "netkingdom" default realm, TOTP self-enrollment
policy, and passthru authentication policy (phase-1 rollout).
- k8s/verify-t06.sh: verifies realm, resolver, LDAP user resolution,
KeyCape→privacyIDEA admin token, API connectivity, and policies.
- WORKPLAN.md: mark T05 done, add T06 section with done-criteria.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 09:04:07 +00:00
1d94652ba1
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker
Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.
pink = PrivacyIDEA Net Knights (project mnemonic).
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 01:22:41 +00:00