generated from coulomb/repo-seed
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
- kc.coulomb.social — KeyCape OIDC server (stateless, custom Go)
- auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
- lldap.coulomb.social — LLDAP admin UI (IP-restricted)
- pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2.4 KiB
# SSO-MFA Platform — Stack Migration Workplan

## NK-WP-0001 — Keycloak → Authelia + LLDAP + KeyCape

Updated: 2026-03-19
Workstream: sso-mfa-platform (39263c4b-ef70-4053-b782-350834b7e1be)

## Stack Decision
Keycloak + privacyIDEA replaced by:
- LLDAP — lightweight LDAP directory (user store)
- Authelia — authentication frontend (password auth + OIDC upstream)
- KeyCape — OIDC orchestration layer (auth code flow + MFA via privacyIDEA adapter)
- privacyIDEA — MFA engine (unchanged, still in the `mfa` namespace)

Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.coulomb.social (LLDAP admin)

## Task Status
| Task | ID (hub) | Status | Notes |
|---|---|---|---|
| T01 — Vault & secret bootstrap | 7992528c | done | |
| T02 — K8s foundations | 721ca6b2 | done | Manifests authored; pending live cluster |
| T03 — PostgreSQL | 7fa60004 | done | Manifests authored; pending live cluster |
| T04 — privacyIDEA | 6ad1296a | todo | Manifests exist in k8s/privacyidea/; pending cluster |
| T05 — SSO core (new stack) | b9f73aa6 | in-progress | See below |
| T06 — Realm config & MFA flow | 3b6379a4 | todo | |
| T07 — User mgmt & self-service | c7cf902a | todo | |
| T08 — Backups, DR, break-glass | 9cbd1d89 | todo | |

## T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)

### Done
- LLDAP manifests: pvc.yaml, deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
- Authelia manifests: pvc.yaml, configmap.yaml, deployment.yaml, ingress.yaml, create-secrets.sh
- KeyCape manifests: deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
- NetworkPolicy: netpol-sso.yaml updated for new components
- Keycloak manifests staged for deletion
### In Progress (this session)
- keycape/create-pi-token.sh
- lldap/README.md
- authelia/README.md
- keycape/README.md
- Update CONFIG.md (fixed CP-NK-004, removed old CP-NK-005, added CP-NK-005 auth., CP-NK-006 lldap.)
- Update bootstrap/gen-secrets.sh (removed Keycloak, added LLDAP/Authelia/KeyCape sections)
- Update k8s/README.md (network policy table)
- Replace verify-t05.sh (Keycloak → LLDAP+Authelia+KeyCape checks)
- Commit all changes
- Update state hub tasks
### Done-criteria for T05
- All manifests present and consistent
- gen-secrets.sh generates correct secrets for new stack
- verify-t05.sh checks all three components
- Committed to main