59ba9e6fe1
fix(creds-bootstrap): harden agent bootstrap for non-interactive execution
...
- creds-bootstrap-agent.sh: skip Phase 3 if all secrets already applied
(avoids CNPG SSL connection drops from repeated reconciliation)
- creds-bootstrap-agent.sh: wait for rollout to complete after restart
before running enckey/admin bootstrap (fixes race with old pod)
- creds-bootstrap-agent.sh: only restart privacyIDEA when Phase 3 ran
- create-pi-token.sh: use env-var + retry for token fetch (no heredoc
stdin; handles transient 500 from idle connection pool)
- create-pi-token.sh: create keycape-pi-token K8s Secret after fetching
- creds-verify.sh: map keycape-pi-token to secrets_applied.keycape
(not pi_admin_created, which caused spurious Phase 5 re-runs)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-21 12:11:13 +00:00
56036cd4be
chore(creds): bootstrap complete [agent NK-WP-0005]
2026-03-21 12:10:53 +00:00
329f086743
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 12:09:53 +00:00
aa0edabb81
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 11:43:02 +00:00
49ded70e4b
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 11:37:13 +00:00
eb7c21a00c
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 11:34:50 +00:00
152c2aac72
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 11:24:38 +00:00
daeeb863cb
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 11:22:53 +00:00
ca853a84b7
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 10:59:13 +00:00
5d032db3dd
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 10:51:47 +00:00
0ea05b302c
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 10:50:22 +00:00
963a4700ef
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 10:44:37 +00:00
33b9b93dba
chore(creds): encrypted secrets [agent NK-WP-0005]
2026-03-21 10:42:39 +00:00
bececac7b8
fix(privacyidea): correct image to ghcr.io/gpappsoft, port 5001→8080
...
privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not
exist on Docker Hub. Correct image is ghcr.io/gpappsoft/privacyidea-docker:3.12.2
which listens on port 8080.
Update all port references: deployment, service, ingress, netpol-mfa,
netpol-sso (keycape→privacyIDEA egress rule).
Also: creds-bootstrap-agent.sh — restart privacyIDEA deployment after
applying new secrets so the pod picks up updated env vars.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-21 09:37:38 +00:00
95656f2324
feat(creds): NK-WP-0005 — agent-driven credential bootstrap
...
Implements all 7 tasks from NK-WP-0005:
T01: creds-state.yaml → schema_version: 2, agent_mode: true
Replaces keepass_confirmed with emergency_bundle_delivered,
adds phase tracking fields for fully automated flow.
T02: creds-bootstrap-agent.sh — single entrypoint for autonomous
bootstrap. 10 phases, idempotent re-runs via state file.
Only human touchpoint: emergency bundle confirmation gate.
T03: emergency-bundle.sh — assembles and displays emergency bundle
(age key + break-glass passwords + ops bundle location).
Writes temp file, shreds on confirmation, clears screen.
Supports --reprint for re-delivery.
T04: ~/.claude/commands/creds-init.md — /creds-init skill replaces
/creds-bootstrap. Fully autonomous execution via the agent.
T05: Makefile — creds-agent-init, creds-agent-status,
creds-emergency-reprint targets.
T06: creds-rotate.sh — --non-interactive flag for agent-driven
rotation. Auto-confirms all gates; tracks last_rotated_<key>
in creds-state.yaml. LLDAP web UI step prints warning in
non-interactive mode.
T07: canon/standards/credential-management_v0.2.md — updated
standard: KeePassXC removed from operational path, agent
bootstrap as Phase 0, emergency bundle section, prohibited
patterns updated.
Also: creds-status.sh handles both schema v1 (legacy) and v2.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-21 08:38:52 +00:00
6fdfe8a669
chore
2026-03-21 00:15:58 +00:00
c10d7d2f8a
feat(creds): implement NK-WP-0004 Credential Management Foundation
...
- .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths
- .gitignore: broad secrets/ catch-all (any depth)
- .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/,
and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.)
- Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/
status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets)
+ hooks/hooks-test
- creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap →
authelia → privacyidea), skips keycape with printed instructions, updates state
- creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml
- creds-status.sh: human-readable state table from creds-state.yaml
- creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions
and atomic multi-component update sequences
- creds-state.yaml: committable state file tracking generation, bundle, KeePassXC
confirmation, per-component apply status, enckey and pi-admin bootstrap flags
NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-20 23:39:35 +00:00
6d25d088d7
feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)
...
- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-20 02:57:41 +00:00
0754dc32e6
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
...
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.
Stack:
kc.coulomb.social — KeyCape OIDC server (stateless, custom Go)
auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
lldap.coulomb.social — LLDAP admin UI (IP-restricted)
pink.coulomb.social — privacyIDEA MFA engine (unchanged)
Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-19 08:31:51 +00:00
c5761884f4
feat(sso-mfa): Phase 0a bootstrap tooling (NK-WP-0001-T01)
...
- sso-mfa/bootstrap/gen-secrets.sh: generates all pre-cluster secrets
(PI_SECRET_KEY, PI_PEPPER, DB passwords, Keycloak admin, break-glass)
into a structured secrets/ directory; prints summary with truncated values.
PI_ENCFILE deferred — must be generated inside the privacyIDEA container.
- sso-mfa/bootstrap/pack-bundle.sh: age-encrypts the secrets directory into
an offsite ops bundle.
- sso-mfa/bootstrap/README.md: KeePassXC group/entry structure, full workflow
(generate → KeePassXC → bundle → shred → PI_ENCFILE post-deploy).
- .gitignore: add sso-mfa/bootstrap/secrets/, *.age, *.kdbx.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-02 09:01:50 +01:00
