coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
24 Commits 1 Branch 0 Tags
d0ed7d9cd66ccb60a6a4a59e8cd3878073671cb7
Commit Graph

3 Commits

Author SHA1 Message Date
Bernd Worsch
d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05) 
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 02:00:51 +00:00
Bernd Worsch
1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04) 
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-19 01:22:41 +00:00
tegwick
7c3cde06b5 docs: introduce CONFIG.md config point registry (CP-NK-001) 
Establishes the local config point registry pattern. A config point is an
explicit non-default value that cannot be derived from topology, naming
convention, component defaults, or automation. Minimizing the list is a
design goal — absence of an entry means "accepting the upstream default".

CP-NK-001: ACME contact email (bernd.worsch+netkingdom@gmail.com)
  Location: sso-mfa/k8s/cert-manager/issuers.yaml:38
  Why non-default: ACME requires a real monitored inbox; no system default
  qualifies. Automation via Local Identity GECOS email is deferred.

State-hub extension point EP 8e1cda6a registered in custodian domain:
  "Config point registry: centralized view of explicit non-default
  configuration values" — proposes ConfigPoint entity type + MCP tools
  + cross-domain minimization metric.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-02 11:47:14 +01:00