Files
net-kingdom/sso-mfa/WORKPLAN.md
Bernd Worsch 69e900ddb1 feat(sso-mfa): T06 realm config & MFA flow manifests (NK-WP-0001-T06)
- k8s/privacyidea/bootstrap-realm.sh: creates LLDAP resolver
  "lldap-netkingdom", the "netkingdom" default realm, TOTP self-enrollment
  policy, and passthru authentication policy (phase-1 rollout).
- k8s/verify-t06.sh: verifies realm, resolver, LDAP user resolution,
  KeyCape→privacyIDEA admin token, API connectivity, and policies.
- WORKPLAN.md: mark T05 done, add T06 section with done-criteria.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 09:04:07 +00:00

3.6 KiB

SSO-MFA Platform — Stack Migration Workplan

NK-WP-0001 — Keycloak → Authelia + LLDAP + KeyCape

Updated: 2026-03-19 (T06 in progress) Workstream: sso-mfa-platform (39263c4b-ef70-4053-b782-350834b7e1be)

Stack Decision

Keycloak + privacyIDEA replaced by:

  • LLDAP — lightweight LDAP directory (user store)
  • Authelia — authentication frontend (password auth + OIDC upstream)
  • KeyCape — OIDC orchestration layer (auth code flow + MFA via privacyIDEA adapter)
  • privacyIDEA — MFA engine (unchanged, still in mfa namespace)

Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.coulomb.social (LLDAP admin)

Task Status

Task ID (hub) Status Notes
T01 — Vault & secret bootstrap 7992528c done
T02 — K8s foundations 721ca6b2 done Manifests authored; pending live cluster
T03 — PostgreSQL 7fa60004 done Manifests authored; pending live cluster
T04 — privacyIDEA 6ad1296a todo Manifests exist in k8s/privacyidea/; pending cluster
T05 — SSO core (new stack) b9f73aa6 done commit 0754dc3
T06 — Realm config & MFA flow 3b6379a4 in-progress See below
T07 — User mgmt & self-service c7cf902a todo
T08 — Backups, DR, break-glass 9cbd1d89 todo

T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)

Done

  • LLDAP manifests: pvc.yaml, deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
  • Authelia manifests: pvc.yaml, configmap.yaml, deployment.yaml, ingress.yaml, create-secrets.sh
  • KeyCape manifests: deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
  • NetworkPolicy: netpol-sso.yaml updated for new components
  • Keycloak manifests staged for deletion

In Progress (this session)

  • keycape/create-pi-token.sh
  • lldap/README.md
  • authelia/README.md
  • keycape/README.md
  • Update CONFIG.md (fixed CP-NK-004, removed old CP-NK-005, added CP-NK-005 auth., CP-NK-006 lldap.)
  • Update bootstrap/gen-secrets.sh (removed Keycloak, added LLDAP/Authelia/KeyCape sections)
  • Update k8s/README.md (network policy table)
  • Replace verify-t05.sh (Keycloak → LLDAP+Authelia+KeyCape checks)
  • Commit all changes — commit 0754dc3
  • Update state hub tasks — T05 marked done, milestone event logged

Done-criteria for T05

  • All manifests present and consistent
  • gen-secrets.sh generates correct secrets for new stack
  • verify-t05.sh checks all three components
  • Committed to main

T06 — Realm config & MFA flow (KeyCape → privacyIDEA)

Deliverables

  • k8s/privacyidea/bootstrap-realm.sh — creates LLDAP resolver, "netkingdom" realm, enrollment + passthru policies
  • k8s/verify-t06.sh — verifies realm, resolver, KeyCape→PI token, connectivity

In Progress (this session)

  • Run bootstrap-realm.sh on live cluster (requires T04 applied)
  • Run keycape/create-pi-token.sh then keycape/create-secrets.sh (inject real PI token)
  • Restart KeyCape with updated keycape-config
  • Enroll a TOTP token for pi-admin via pink-account.coulomb.social
  • Test end-to-end login via kc.coulomb.social
  • Run verify-t06.sh — all checks pass
  • Commit and mark T06 done

Done-criteria for T06

  • privacyIDEA "netkingdom" realm exists with LLDAP resolver
  • LDAP resolver resolves users from LLDAP
  • keycape-pi-token contains a real (non-placeholder) JWT
  • KeyCape→privacyIDEA token list API returns status=True
  • At least one user has enrolled a TOTP token
  • verify-t06.sh: 0 FAILs