|
|
0754dc32e6
|
feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.
Stack:
kc.coulomb.social — KeyCape OIDC server (stateless, custom Go)
auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
lldap.coulomb.social — LLDAP admin UI (IP-restricted)
pink.coulomb.social — privacyIDEA MFA engine (unchanged)
Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-19 08:31:51 +00:00 |
|
|
|
c5761884f4
|
feat(sso-mfa): Phase 0a bootstrap tooling (NK-WP-0001-T01)
- sso-mfa/bootstrap/gen-secrets.sh: generates all pre-cluster secrets
(PI_SECRET_KEY, PI_PEPPER, DB passwords, Keycloak admin, break-glass)
into a structured secrets/ directory; prints summary with truncated values.
PI_ENCFILE deferred — must be generated inside the privacyIDEA container.
- sso-mfa/bootstrap/pack-bundle.sh: age-encrypts the secrets directory into
an offsite ops bundle.
- sso-mfa/bootstrap/README.md: KeePassXC group/entry structure, full workflow
(generate → KeePassXC → bundle → shred → PI_ENCFILE post-deploy).
- .gitignore: add sso-mfa/bootstrap/secrets/, *.age, *.kdbx.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
|
2026-03-02 09:01:50 +01:00 |
|
