coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
004a8d6e6b8f994cb72c77a4e534cb91f2e8d926
net-kingdom/wiki/WorkplanOneChatgpt.md
tegwick 004a8d6e6b Add CLAUDE.md, wiki protoplans, and NK-WP-0001 workplan 
Initialises the net-kingdom project structure:
- README.md: updated title and description
- CLAUDE.md: project instructions and State Hub integration config
- wiki/: three reference docs (NetKingdom overview, ChatGPT and Grok
  protoplans for the SSO/MFA platform)
- workplans/NK-WP-0001-sso-mfa-platform.md: combined workplan (8 phases,
  8 tasks) synthesised from the two protoplans; registered in the
  Custodian State Hub (workstream 39263c4b)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 17:21:51 +01:00

274 lines
9.1 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
WorkplanOneChatgpt
*How to start according to chatgpt*
This is a protoplan not to be implemented directly but used as inspiration for an actual plan for implemenation!
Below is an integrated, Kubernetes-focused workplan that keeps the **“single private credential” bootstrap** idea, then rapidly evolves to **MFA-first admin access**, **least-privilege service accounts**, and **Keycloak SSO (OIDC/SAML) with privacyIDEA as the MFA engine**—exactly the combination privacyIDEA recommends. ([PrivacyIDEA][1])
---
## Architecture (Kubernetes target state)
**Ingress (TLS)**
* `keycloak.yourdomain.com` → Keycloak (SSO / sessions / OIDC+SAML)
* `pi.yourdomain.com` → privacyIDEA (MFA policies + token mgmt)
* optional: `pi-account.yourdomain.com` → privacyIDEA self-service portal
**Data**
* Keycloak DB (PostgreSQL)
* privacyIDEA DB (PostgreSQL or MariaDB; Postgres is a common choice)
* privacyIDEA encryption + audit key material stored as **K8s Secrets** (backed up securely)
**Integration**
* Keycloak runs the login flow
* privacyIDEA provides MFA via the **privacyIDEA Keycloak Provider** (JAR) ([GitHub][2])
---
## Workplan (phased deployment on Kubernetes)
### Phase 0 — Prereqs and “single private credential” rule
1. **Pick your one private credential**
Use it to unlock a vault (recommended), not as a daily admin password. The vault stores:
* initial privacyIDEA admin password (typed once)
* privacyIDEA crypto secrets (encryption/audit keys)
* Keycloak admin bootstrap secret
* DB credentials
2. Cluster prerequisites
* Ingress Controller (nginx / Traefik)
* `cert-manager` for TLS (Lets Encrypt or internal CA)
* StorageClass for persistent volumes
* (Optional but recommended) External Secrets Operator + real vault
---
### Phase 1 — Create namespaces, storage, network boundaries
1. Namespaces
* `sso` (Keycloak)
* `mfa` (privacyIDEA)
* `databases` (if you want shared DB ops)
2. NetworkPolicies (recommended)
* Only ingress controller can reach Keycloak/privacyIDEA services
* Only Keycloak pods can call privacyIDEA API endpoints needed for MFA
* Only app pods (or ingress) can reach Keycloak
This prevents lateral movement if any pod is compromised.
---
### Phase 2 — Deploy databases (prod-grade)
**Recommended**: PostgreSQL via a battle-tested chart/operator (CloudNativePG / Zalando / Bitnami Postgres chart).
1. Create DBs and users:
* `keycloak_db`, user `keycloak`
* `privacyidea_db`, user `privacyidea`
2. Store DB credentials as K8s Secrets (or ExternalSecrets).
3. Backups:
* Enable automated DB backups to object storage (S3/MinIO/etc.)
* Test restore early
---
### Phase 3 — Deploy privacyIDEA on Kubernetes (MFA core)
You have two common routes:
**Route A: Helm chart**
* There are community Helm approaches (example repo exists, but treat it as a starting point you should review/harden for production). ([GitHub][3])
**Route B: Roll your own manifests**
* Deployment + Service + Ingress + PVC + Secrets
* Often preferred for security review & long-term ownership
#### privacyIDEA critical secrets (do this before first real use)
privacyIDEA relies on secrets like `SECRET_KEY`, `PI_PEPPER`, and an encryption key file (`PI_ENCFILE`) / related key material. Generate once, mount as Secrets, back up carefully. ([GitHub][4])
(Those secrets are “if you lose them, you may lose access to encrypted token data”-class.)
**Work items**
1. Create K8s Secrets:
* `privacyidea-config` (env or ini fragments)
* `privacyidea-enckey` (encryption key material)
* `privacyidea-auditkeys` (audit signing/encryption keys)
2. Deploy privacyIDEA pods (Deployment) + Service
3. Add Ingress + TLS (`pi.yourdomain.com`)
4. Add rate limiting / WAF features at ingress (recommended)
#### Bootstrap: “single private credential”
1. Exec into the privacyIDEA pod and run the one-time admin creation (or equivalent `pi-manage` command).
2. That admin password is the **only password you ever manually type**.
3. Immediately log into WebUI and **enroll MFA for that admin** (TOTP/hardware token).
4. Immediately create:
* a **limited “trigger-admin”** service account used by Keycloak provider with *only* the `triggerchallenge`-type permission (least privilege)
* policies requiring MFA for admin actions
This aligns with the second opinion: bootstrap by one password, then transition to MFA + least privilege.
---
### Phase 4 — Deploy Keycloak on Kubernetes (SSO core)
Two common options:
**Option A: KeycloakX Helm chart (codecentric)**
* Widely used Helm chart for a StatefulSet-based Keycloak deployment. ([Artifact Hub][5])
**Option B: Keycloak Operator**
* Good for CRD-based lifecycle management; if your org prefers operators.
**Work items**
1. Deploy Keycloak pointing at `keycloak_db`
2. Configure Ingress + TLS (`keycloak.yourdomain.com`)
3. Bootstrap Keycloak admin secret (stored in vault / K8s Secret)
4. Set production settings:
* hostname strictness
* proxy mode
* metrics/logging
* realm import strategy (GitOps-friendly)
---
### Phase 5 — Add the privacyIDEA Keycloak Provider (JAR) in Kubernetes
The privacyIDEA provider is published on GitHub releases and needs to match your Keycloak version. ([GitHub][2])
**Kubernetes-friendly pattern**
1. Build a **custom Keycloak image**:
* Start from Keycloak base image
* Copy the provider JAR into `/opt/keycloak/providers/`
* Run `kc.sh build`
2. Deploy that image via Helm values (or operator spec)
This avoids “kubectl cp into running pods” and is the clean GitOps approach.
---
### Phase 6 — Configure the MFA flow (Keycloak → privacyIDEA)
**Work items**
1. In Keycloak:
* Create/choose realm
* Configure users source of truth (Keycloak internal or LDAP/AD)
2. Create Authentication Flow “privacyIDEA Browser”
* Add privacyIDEA execution step (REQUIRED)
* Configure:
* privacyIDEA base URL: `https://pi.yourdomain.com`
* service account: `trigger-admin` + secret (from K8s Secret)
* optional bypass group (“break-glass”) with strong restrictions & alerts
3. Set this flow as the default browser flow
4. Test:
* normal user MFA
* admin console MFA
* failure modes (OTP wrong, token missing, privacyIDEA down)
The providers releases/changelog track features like passkey handling and flow behavior—use the matching release notes when selecting versions. ([GitHub][2])
---
### Phase 7 — User management & token lifecycle (make it operable)
privacyIDEA 3.12 introduced a **Keycloak user resolver** (and Entra ID resolver), which can simplify identity alignment depending on your setup. ([NetKnights][6])
**Work items**
1. Decide identity source of truth:
* simplest: Keycloak internal users → privacyIDEA resolver (Keycloak resolver if you want that pattern)
* enterprise: LDAP/AD shared by both
2. Enable self-service portal where appropriate
3. Define policies:
* allowed token types
* enrollment rules
* admin rights separation (super-admin vs helpdesk-admin)
4. Add auditing / log shipping (privacyIDEA audit logs + Keycloak events)
---
### Phase 8 — Backups, DR, upgrades, and break-glass
**Backups**
* DB backups (Keycloak + privacyIDEA)
* privacyIDEA encryption/audit keys Secrets (encrypted export)
* realm exports (Keycloak) as code / git
**Disaster recovery drill**
* restore DB + keys into a fresh namespace
* verify token validation still works (this catches key/secret mistakes)
**Break-glass**
* keep a *disabled-by-default* Keycloak admin path or group exemption
* store break-glass credentials offline + vault
* alert on every use
---
## Deliverables checklist (what “done” looks like)
* [ ] `mfa` + `sso` namespaces deployed via GitOps/Helm
* [ ] TLS everywhere (cert-manager)
* [ ] privacyIDEA secrets generated, mounted, backed up
* [ ] privacyIDEA admin created once (single typed password), MFA enrolled immediately
* [ ] `trigger-admin` exists with minimal rights
* [ ] Keycloak runs from custom image including privacyIDEA provider JAR
* [ ] Keycloak “privacyIDEA Browser” flow enforced
* [ ] DB backups + restore tested
* [ ] NetworkPolicies in place
---
If you tell me **which Kubernetes flavor** youre using (k3s / AKS / EKS / GKE / OpenShift) and whether you want **Postgres operator vs Helm**, Ill turn this into a concrete, copy-pastable “repo plan” (folders, Helm values skeletons, Secrets/ExternalSecrets layout, and the exact build steps for the custom Keycloak image) without adding unnecessary complexity.
[1]: https://www.privacyidea.org/?feed=&utm_source=chatgpt.com "privacyIDEA 3.12 is available"
[2]: https://github.com/privacyidea/keycloak-provider/releases?utm_source=chatgpt.com "Releases · privacyidea/keycloak-provider"
[3]: https://github.com/gpappsoft/privacyidea-helm?utm_source=chatgpt.com "A helm chart to install a privacyIDEA stack"
[4]: https://github.com/privacyidea/privacyidea?utm_source=chatgpt.com "privacyidea/privacyidea: :closed_lock_with_key"
[5]: https://artifacthub.io/packages/helm/codecentric/keycloakx?utm_source=chatgpt.com "keycloakx 7.1.8"
[6]: https://netknights.it/en/press/multi-faktor-authentifizierung-privacyidea-in-version-3-12-erschienen/?utm_source=chatgpt.com "Multi-Factor Authentication privacyIDEA version 3.12 released"
xxx
Reference in New Issue View Git Blame Copy Permalink