coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
1d94652ba1e97c66f0a093e12e0c7834ba47c5d1
net-kingdom/CONFIG.md
Bernd Worsch 1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04) 
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 01:22:41 +00:00

86 lines
3.1 KiB
Markdown
Raw Blame History

# Config Point Registry
## Philosophy
net-kingdom is opinionated: defaults, conventions, and automation are preferred at every
level. A config point in this file is a **conscious exception** — a value that cannot be
derived from the system's topology, naming conventions, component defaults, or available
automation.
**Minimizing this list is a design goal.** Before adding a config point, ask:
- Can the value be derived from a naming convention or topology fact?
- Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
- Is the default provided by the upstream component safe to accept?
If yes to any of the above, don't add it here.
---
## Summary
| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
---
## CP-NK-002 — privacyIDEA portal hostname
**Value:** `pink.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields
**Why non-default:** Subdomain prefix must be chosen by the operator; no naming
convention existed in the repo before T04. `pink` = **P**rivacy**I**DEA
**N**et **K**nights (project-specific mnemonic).
**Scope:** TLS certificate, Traefik routing, and all references to the
privacyIDEA public URL (including Keycloak Provider config in T05/T06).
---
## CP-NK-003 — privacyIDEA self-service portal hostname
**Value:** `pink-account.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml``privacyidea-account` Ingress `host` field
**Why non-default:** Separate hostname for the self-service portal allows
different firewall/allowlist rules from the admin portal. Follows the
`<service>-account` naming convention used in the workplan design.
**Scope:** TLS certificate and Traefik routing for the user-facing
self-service token enrolment portal.
---
## CP-NK-001 — ACME contact email
**Value:** `bernd.worsch+netkingdom@gmail.com`
**Set:** 2026-03-02
**Set by:** worsch
**Location(s):**
- `sso-mfa/k8s/cert-manager/issuers.yaml:38``spec.acme.email` on the
`letsencrypt-prod` ClusterIssuer
**Why non-default:** ACME (Let's Encrypt) requires a contact address for certificate
lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements.
There is no system-level default that qualifies: this must be a real, monitored inbox.
**Why not automated:** The Linux user GECOS email (via Local Identity) would be a
natural source. However, that introduces a runtime dependency between cluster
provisioning and the local-identity tool. Deferred; revisit when Local Identity
gains a structured "operator contact" concept.
**Scope:** All TLS certificates issued by the `letsencrypt-prod` ClusterIssuer across
the entire cluster.
Reference in New Issue View Git Blame Copy Permalink