net-kingdom

coulomb/net-kingdom

Fork 0

generated from coulomb/repo-seed

Commit Graph

Author	SHA1	Message	Date
Bernd Worsch	0754dc32e6	feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05) Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-19 08:31:51 +00:00
tegwick	ee794a61ab	feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02) namespaces/namespaces.yaml: - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml: - Default-deny-all posture on all three namespaces - sso: ingress from Traefik; egress to databases:5432 and mfa:8080 - mfa: ingress from Traefik + Keycloak; egress to databases:5432 - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API - DNS (kube-system:53) allowed for all pods in all namespaces cert-manager/issuers.yaml: - selfsigned-issuer (ClusterIssuer) for internal/test use - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply cert-manager/test-certificate.yaml: - 24h self-signed cert to smoke-test cert-manager storage/verify-pvc.yaml: - Test PVC + Pod to confirm default StorageClass provisioning verify-t02.sh: - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 09:49:39 +01:00

Author

SHA1

Message

Date

Bernd Worsch

0754dc32e6

feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)

Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-19 08:31:51 +00:00

tegwick

ee794a61ab

feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)

namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-02 09:49:39 +01:00

2 Commits