net-kingdom/CONFIG.md
Bernd Worsch 1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 01:22:41 +00:00


Config Point Registry

Philosophy

net-kingdom is opinionated: defaults, conventions, and automation are preferred at every level. A config point in this file is a conscious exception — a value that cannot be derived from the system's topology, naming conventions, component defaults, or available automation.

Minimizing this list is a design goal. Before adding a config point, ask:

  • Can the value be derived from a naming convention or topology fact?
  • Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
  • Is the default provided by the upstream component safe to accept?

If yes to any of the above, don't add it here.


Summary

| ID | Name | Value | Location(s) |
|---|---|---|---|
| CP-NK-001 | ACME contact email | bernd.worsch+netkingdom@gmail.com | sso-mfa/k8s/cert-manager/issuers.yaml:38 |
| CP-NK-002 | privacyIDEA portal hostname | pink.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-003 | privacyIDEA self-service hostname | pink-account.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |

CP-NK-002 — privacyIDEA portal hostname

Value: pink.coulomb.social Set: 2026-03-19 Set by: worsch

Location(s):

  • sso-mfa/k8s/privacyidea/ingress.yaml — all three Ingress host fields

Why non-default: Subdomain prefix must be chosen by the operator; no naming convention existed in the repo before T04. pink = PrivacyIDEA Net Knights (project-specific mnemonic).

Scope: TLS certificate, Traefik routing, and all references to the privacyIDEA public URL (including Keycloak Provider config in T05/T06).


CP-NK-003 — privacyIDEA self-service portal hostname

Value: pink-account.coulomb.social Set: 2026-03-19 Set by: worsch

Location(s):

  • sso-mfa/k8s/privacyidea/ingress.yaml (privacyidea-account Ingress host field)

Why non-default: Separate hostname for the self-service portal allows different firewall/allowlist rules from the admin portal. Follows the <service>-account naming convention used in the workplan design.

Scope: TLS certificate and Traefik routing for the user-facing self-service token enrolment portal.


CP-NK-001 — ACME contact email

Value: bernd.worsch+netkingdom@gmail.com Set: 2026-03-02 Set by: worsch

Location(s):

  • sso-mfa/k8s/cert-manager/issuers.yaml:38 (spec.acme.email on the letsencrypt-prod ClusterIssuer)

Why non-default: ACME (Let's Encrypt) requires a contact address for certificate lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements. There is no system-level default that qualifies: this must be a real, monitored inbox.

Why not automated: The Linux user GECOS email (via Local Identity) would be a natural source. However, that introduces a runtime dependency between cluster provisioning and the local-identity tool. Deferred; revisit when Local Identity gains a structured "operator contact" concept.

Scope: All TLS certificates issued by the letsencrypt-prod ClusterIssuer across the entire cluster.
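The registry is only useful while its Location(s) column stays true and while no new operator-chosen value sneaks into the manifests without an entry. The checker below is an added example, not net-kingdom's own code (verify-t04.sh is the project's checker and is not shown here). It parses a Summary table in the pipe-delimited form above, verifies that each registered value is present at its listed location (at the exact line when the location is written `path:LINE`), and then scans the manifest tree for two kinds of drift: a registered value referenced from a file the registry does not list (the Scope notes above say the portal URL will be referenced from Keycloak config, so that file must be listed once it exists), and a hostname or e-mail address that matches an operator-chosen pattern but has no CP at all. Everything under `SAMPLE_FILES` is constructed for the demo: the manifests are stand-ins, not the repo's files; the `pink-api.coulomb.social` host and the `keycloak/realm.yaml` file are planted drift; the Traefik middleware annotation on the admin Ingress only illustrates the per-hostname allowlist rationale of CP-NK-003.

```python
"""Registry-to-manifest consistency check. Added example, not net-kingdom's own code;
assumes a pipe-delimited Summary table (ID, Name, Value, Location(s)) and locations
written as "path" or "path:LINE". Every file under SAMPLE_FILES is constructed."""
import re
import tempfile
from collections import namedtuple
from pathlib import Path

ConfigPoint = namedtuple("ConfigPoint", "cp_id name value locations")
ROW_RE = re.compile(r"^\|\s*(CP-[A-Z]+-\d+)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
LOC_RE = re.compile(r"^(?P<path>[^\s:]+)(?::(?P<line>\d+))?$")
# Operator-chosen value classes: every occurrence must trace back to a registered CP.
CANDIDATE_RES = {
    "hostname": re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.coulomb\.social\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
}
REGISTRY = """\
| ID | Name | Value | Location(s) |
|---|---|---|---|
| CP-NK-001 | ACME contact email | bernd.worsch+netkingdom@gmail.com | sso-mfa/k8s/cert-manager/issuers.yaml:38 |
| CP-NK-002 | privacyIDEA portal hostname | pink.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-003 | privacyIDEA self-service hostname | pink-account.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
"""
SAMPLE_FILES = {  # constructed stand-ins, not the repo's manifests
    # 35 padding lines put spec.acme.email on line 38, where CP-NK-001 says it is.
    "sso-mfa/k8s/cert-manager/issuers.yaml": "# constructed padding\n" * 35 + """\
kind: ClusterIssuer
metadata: {name: letsencrypt-prod}
spec: {acme: {email: bernd.worsch+netkingdom@gmail.com}}
""",
    "sso-mfa/k8s/privacyidea/ingress.yaml": """\
kind: Ingress
metadata:
  name: privacyidea-admin
  annotations:  # admin host carries the IP allowlist, the account host does not
    traefik.ingress.kubernetes.io/router.middlewares: mfa-admin-allowlist@kubernetescrd
spec: {rules: [{host: pink.coulomb.social}]}
---
kind: Ingress
metadata: {name: privacyidea-account}
spec: {rules: [{host: pink-account.coulomb.social}]}
---
kind: Ingress
metadata: {name: privacyidea-api}  # constructed drift: this host was never registered
spec: {rules: [{host: pink-api.coulomb.social}]}
""",
    # Constructed consumer of CP-NK-002 that the registry does not list as a location.
    "sso-mfa/k8s/keycloak/realm.yaml": "authorizationUrl: https://pink.coulomb.social/\n",
}

def parse_registry(text):
    """Table rows whose first cell is a CP id become ConfigPoints; other lines are skipped."""
    cps = []
    for m in filter(None, map(ROW_RE.match, map(str.strip, text.splitlines()))):
        cp_id, name, value, locs = m.groups()
        locations = [(lm["path"], int(lm["line"]) if lm["line"] else None)
                     for lm in map(LOC_RE.match, map(str.strip, locs.split(","))) if lm]
        cps.append(ConfigPoint(cp_id, name, value, locations))
    return cps

def check_locations(cps, root):
    """Every registered location must carry the value, at the given line if one is set."""
    findings = []
    for cp in cps:
        for path, line in cp.locations:
            f = Path(root, path)
            lines = f.read_text().splitlines() if f.is_file() else None
            if lines is None:
                findings.append(f"{cp.cp_id}: {path} is missing")
            elif line and (line > len(lines) or cp.value not in lines[line - 1]):
                findings.append(f"{cp.cp_id}: {path}:{line} does not contain {cp.value}")
            elif not line and not any(cp.value in ln for ln in lines):
                findings.append(f"{cp.cp_id}: {path} does not contain {cp.value}")
    return findings

def scan_unregistered(cps, root):
    """Registered values used at unlisted paths, and candidate values no CP covers."""
    by_value = {cp.value: cp for cp in cps}
    listed = {(cp.value, path) for cp in cps for path, _ in cp.locations}
    findings = []
    for p in sorted(Path(root).rglob("*.y*ml")):
        rel, text = p.relative_to(root).as_posix(), p.read_text()
        for kind, rx in CANDIDATE_RES.items():
            for value in set(rx.findall(text)):
                if value not in by_value:
                    findings.append(f"UNREGISTERED {kind} {value} in {rel}")
                elif (value, rel) not in listed:
                    findings.append(f"{by_value[value].cp_id}: {rel} uses {value} but is not a listed location")
    return sorted(findings)

def build_sample_tree():
    """Write the constructed manifests under a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="cp-check-")
    for rel, content in SAMPLE_FILES.items():
        Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
        Path(root, rel).write_text(content)
    return root

def run_check(registry_text, root):
    cps = parse_registry(registry_text)
    return {"location": check_locations(cps, root), "drift": scan_unregistered(cps, root)}

if __name__ == "__main__":
    for key, items in run_check(REGISTRY, build_sample_tree()).items():
        print(key, "OK" if not items else "\n  " + "\n  ".join(items))
```

Against a real checkout the call is `run_check(Path("CONFIG.md").read_text(), ".")` from the repo root, and `CANDIDATE_RES` is the knob worth tuning: the hostname pattern is pinned to the coulomb.social zone because that is the one value class this registry currently holds, and any hit that is not a registered CP is by this file's own definition an exception that escaped the list.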