2 Commits

Author	SHA1	Message	Date
Bernd Worsch	59ba9e6fe1	fix(creds-bootstrap): harden agent bootstrap for non-interactive execution ... - creds-bootstrap-agent.sh: skip Phase 3 if all secrets already applied (avoids CNPG SSL connection drops from repeated reconciliation) - creds-bootstrap-agent.sh: wait for rollout to complete after restart before running enckey/admin bootstrap (fixes race with old pod) - creds-bootstrap-agent.sh: only restart privacyIDEA when Phase 3 ran - create-pi-token.sh: use env-var + retry for token fetch (no heredoc stdin; handles transient 500 from idle connection pool) - create-pi-token.sh: create keycape-pi-token K8s Secret after fetching - creds-verify.sh: map keycape-pi-token to secrets_applied.keycape (not pi_admin_created, which caused spurious Phase 5 re-runs) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 12:11:13 +00:00
Bernd Worsch	c10d7d2f8a	feat(creds): implement NK-WP-0004 Credential Management Foundation ... - .sops.yaml + keys/age.pub: SOPS age encryption for all secrets/ paths - .gitignore: broad secrets/ catch-all (any depth) - .githooks/pre-commit: blocks unencrypted secrets/, *.env outside bootstrap/, and known plaintext patterns (PI_SECRET_KEY=, LLDAP_JWT_SECRET=, etc.) - Makefile: full credential lifecycle (creds-init/generate/bundle/apply/verify/ status/rotate) + SOPS helpers (sops-setup/edit/encrypt/decrypt/rotate/check-secrets) + hooks/hooks-test - creds-apply.sh: runs create-secrets.sh in dependency order (postgresql → lldap → authelia → privacyidea), skips keycape with printed instructions, updates state - creds-verify.sh: checks all K8s secrets exist, updates creds-state.yaml - creds-status.sh: human-readable state table from creds-state.yaml - creds-rotate.sh: guided rotation for all 9 secret types with impact descriptions and atomic multi-component update sequences - creds-state.yaml: committable state file tracking generation, bundle, KeePassXC confirmation, per-component apply status, enckey and pi-admin bootstrap flags NK-WP-0003-T01 unblocked. /creds-bootstrap skill registered separately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 23:39:35 +00:00