2bbe328aec
docs(sso-mfa): record T04 blocker — wrong image reference (ImagePullBackOff)
privacyidea/privacyidea:3.12 does not exist on Docker Hub. Pod is deployed
but stuck. Correct image reference must be identified before proceeding.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 17:16:35 +00:00
bee0936d5d
docs(sso-mfa): fix stale Keycloak refs and add T04 apply section to WORKPLAN
- README.md: ipAllowList → ipWhiteList (match Traefik v2 fix)
- verify-t04.sh: update success message (Keycloak → LLDAP+Authelia+KeyCape)
- WORKPLAN.md: add full T04 section with deliverables, pending steps, done-criteria
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 07:33:47 +00:00
6c062e1295
feat(sso-mfa): T07/T08 user mgmt, backups, DR & break-glass (NK-WP-0001-T07/T08)
T07 — User management & self-service:
- k8s/lldap/bootstrap-users.sh: creates net-kingdom-users and net-kingdom-admins
groups in LLDAP via GraphQL API; idempotent.
- k8s/lldap/break-glass.sh: creates break-glass bypass account in LLDAP,
sets BREAKGLASS_PASSWORD, assigns to net-kingdom-admins.
- k8s/verify-t07.sh: 6 checks — groups, break-glass, self-service portal,
KeyCape OIDC client registrations.
T08 — Backups, DR, break-glass:
- k8s/backup/cronjob-sqlite-backups.yaml: daily CronJobs for LLDAP SQLite,
Authelia SQLite (with scale-down/up RBAC), and privacyIDEA enckey backup.
7-day retention, 03:00/03:15/03:30 UTC staggered schedule.
- k8s/backup/DR-RUNBOOK.md: full restore runbook — scenarios, restore order,
LLDAP/Authelia/PI SQLite restore procedure, full node rebuild sequence,
offsite age-encrypted export.
- k8s/verify-t08.sh: 9 checks — CronJobs, RBAC, run history, backup files
on PVCs, DR runbook presence, offsite backup (manual confirmation).
- WORKPLAN.md: T07/T08 sections with done-criteria added.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 09:17:03 +00:00
69e900ddb1
feat(sso-mfa): T06 realm config & MFA flow manifests (NK-WP-0001-T06)
- k8s/privacyidea/bootstrap-realm.sh: creates LLDAP resolver
"lldap-netkingdom", the "netkingdom" default realm, TOTP self-enrollment
policy, and passthru authentication policy (phase-1 rollout).
- k8s/verify-t06.sh: verifies realm, resolver, LDAP user resolution,
KeyCape→privacyIDEA admin token, API connectivity, and policies.
- WORKPLAN.md: mark T05 done, add T06 section with done-criteria.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 09:04:07 +00:00
c0e17611cc
chore(sso-mfa): mark T05 complete in WORKPLAN.md
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:32:35 +00:00
0754dc32e6
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.
Stack:
kc.coulomb.social — KeyCape OIDC server (stateless, custom Go)
auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
lldap.coulomb.social — LLDAP admin UI (IP-restricted)
pink.coulomb.social — privacyIDEA MFA engine (unchanged)
Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:31:51 +00:00