Commit Graph

3 Commits

Author SHA1 Message Date
59ba9e6fe1 fix(creds-bootstrap): harden agent bootstrap for non-interactive execution
- creds-bootstrap-agent.sh: skip Phase 3 if all secrets already applied
  (avoids CNPG SSL connection drops from repeated reconciliation)
- creds-bootstrap-agent.sh: wait for rollout to complete after restart
  before running enckey/admin bootstrap (fixes race with old pod)
- creds-bootstrap-agent.sh: only restart privacyIDEA when Phase 3 ran
- create-pi-token.sh: use env-var + retry for token fetch (no heredoc
  stdin; handles transient 500 from idle connection pool)
- create-pi-token.sh: create keycape-pi-token K8s Secret after fetching
- creds-verify.sh: map keycape-pi-token to secrets_applied.keycape
  (not pi_admin_created, which caused spurious Phase 5 re-runs)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 12:11:13 +00:00

bececac7b8 fix(privacyidea): correct image to ghcr.io/gpappsoft, port 5001→8080
privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not
exist on Docker Hub. Correct image is ghcr.io/gpappsoft/privacyidea-docker:3.12.2
which listens on port 8080.

Update all port references: deployment, service, ingress, netpol-mfa,
netpol-sso (keycape→privacyIDEA egress rule).

Also: creds-bootstrap-agent.sh — restart privacyIDEA deployment after
applying new secrets so the pod picks up updated env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 09:37:38 +00:00

95656f2324 feat(creds): NK-WP-0005 — agent-driven credential bootstrap
Implements all 7 tasks from NK-WP-0005:

T01: creds-state.yaml → schema_version: 2, agent_mode: true
     Replaces keepass_confirmed with emergency_bundle_delivered,
     adds phase tracking fields for fully automated flow.

T02: creds-bootstrap-agent.sh — single entrypoint for autonomous
     bootstrap. 10 phases, idempotent re-runs via state file.
     Only human touchpoint: emergency bundle confirmation gate.

T03: emergency-bundle.sh — assembles and displays emergency bundle
     (age key + break-glass passwords + ops bundle location).
     Writes temp file, shreds on confirmation, clears screen.
     Supports --reprint for re-delivery.

T04: ~/.claude/commands/creds-init.md — /creds-init skill replaces
     /creds-bootstrap. Fully autonomous execution via the agent.

T05: Makefile — creds-agent-init, creds-agent-status,
     creds-emergency-reprint targets.

T06: creds-rotate.sh — --non-interactive flag for agent-driven
     rotation. Auto-confirms all gates; tracks last_rotated_<key>
     in creds-state.yaml. LLDAP web UI step prints warning in
     non-interactive mode.

T07: canon/standards/credential-management_v0.2.md — updated
     standard: KeePassXC removed from operational path, agent
     bootstrap as Phase 0, emergency bundle section, prohibited
     patterns updated.

Also: creds-status.sh handles both schema v1 (legacy) and v2.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 08:38:52 +00:00