net-kingdom

coulomb/net-kingdom

Fork 0

generated from coulomb/repo-seed

Commit Graph

Author	SHA1	Message	Date
Bernd Worsch	f2f07871eb	fix(sso-mfa): commit T02–T06 fixes and workplan status updates - authelia: users_filter uid→{username_attribute}, OIDC client secret moved from env var to inline bcrypt hash in configmap (4.38 limitation) - authelia: remove unsupported CLIENTS_0_SECRET_FILE env var - lldap: drop runAsNonRoot/runAsUser (image init requires root) - verify-t02: keycloak→keycape NetworkPolicy check rename - workplan: T02/T03/T05/T06 marked done with notes Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-21 20:25:03 +00:00
Bernd Worsch	6d25d088d7	feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03) - Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow replaces KeePassXC dependency; encrypted .env.age files committed to repo - Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey - Fix .gitignore: allow secrets.enc/*/.age while blocking plaintext - Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack - Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug - Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only - Update postgresql/create-secrets.sh: remove keycloak secret - Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API - T02 COMPLETE: namespaces, network policies, cert-manager issuers applied - T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-20 02:57:41 +00:00
tegwick	ee794a61ab	feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02) namespaces/namespaces.yaml: - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml: - Default-deny-all posture on all three namespaces - sso: ingress from Traefik; egress to databases:5432 and mfa:8080 - mfa: ingress from Traefik + Keycloak; egress to databases:5432 - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API - DNS (kube-system:53) allowed for all pods in all namespaces cert-manager/issuers.yaml: - selfsigned-issuer (ClusterIssuer) for internal/test use - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply cert-manager/test-certificate.yaml: - 24h self-signed cert to smoke-test cert-manager storage/verify-pvc.yaml: - Test PVC + Pod to confirm default StorageClass provisioning verify-t02.sh: - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-03-02 09:49:39 +01:00

Author

SHA1

Message

Date

Bernd Worsch

f2f07871eb

fix(sso-mfa): commit T02–T06 fixes and workplan status updates

- authelia: users_filter uid→{username_attribute}, OIDC client secret
  moved from env var to inline bcrypt hash in configmap (4.38 limitation)
- authelia: remove unsupported CLIENTS_0_SECRET_FILE env var
- lldap: drop runAsNonRoot/runAsUser (image init requires root)
- verify-t02: keycloak→keycape NetworkPolicy check rename
- workplan: T02/T03/T05/T06 marked done with notes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-21 20:25:03 +00:00

Bernd Worsch

6d25d088d7

feat(sso-mfa): T02/T03 live apply — age-encrypted secrets, CNPG cluster (NK-WP-0001-T02/T03)

- Add encrypt-secrets.sh / decrypt-secrets.sh: age-based secrets workflow
  replaces KeePassXC dependency; encrypted .env.age files committed to repo
- Add bootstrap/secrets.enc/: all component secrets encrypted to age pubkey
- Fix .gitignore: allow secrets.enc/**/*.age while blocking plaintext
- Fix verify-t02.sh: update netpol names for Authelia+LLDAP+KeyCape stack
- Fix verify-t03.sh: remove keycloak_db/role checks; fix ((PASS++)) set-e bug
- Update postgresql/cluster.yaml: drop keycloak_db, bootstrap privacyidea_db only
- Update postgresql/create-secrets.sh: remove keycloak secret
- Fix netpol-databases.yaml: add port 8000 for CNPG instance manager HTTP API
- T02 COMPLETE: namespaces, network policies, cert-manager issuers applied
- T03 COMPLETE: CNPG operator installed, net-kingdom-pg cluster healthy

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-20 02:57:41 +00:00

tegwick

ee794a61ab

feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)

namespaces/namespaces.yaml:
  - sso, mfa, databases with net-kingdom/component labels for NetworkPolicy selectors

network-policies/{netpol-sso,netpol-mfa,netpol-databases}.yaml:
  - Default-deny-all posture on all three namespaces
  - sso: ingress from Traefik; egress to databases:5432 and mfa:8080
  - mfa: ingress from Traefik + Keycloak; egress to databases:5432
  - databases: ingress from sso/mfa + CNPG operator; egress to kube-dns + K8s API
  - DNS (kube-system:53) allowed for all pods in all namespaces

cert-manager/issuers.yaml:
  - selfsigned-issuer (ClusterIssuer) for internal/test use
  - letsencrypt-prod (ClusterIssuer, HTTP-01/Traefik) — fill ACME_EMAIL before apply
cert-manager/test-certificate.yaml:
  - 24h self-signed cert to smoke-test cert-manager

storage/verify-pvc.yaml:
  - Test PVC + Pod to confirm default StorageClass provisioning

verify-t02.sh:
  - Full verification script: namespaces, NetworkPolicies, issuers, certs, StorageClass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-03-02 09:49:39 +01:00

3 Commits