generated from coulomb/repo-seed
- k8s/privacyidea/bootstrap-realm.sh: creates LLDAP resolver "lldap-netkingdom", the "netkingdom" default realm, TOTP self-enrollment policy, and passthru authentication policy (phase-1 rollout). - k8s/verify-t06.sh: verifies realm, resolver, LDAP user resolution, KeyCape→privacyIDEA admin token, API connectivity, and policies. - WORKPLAN.md: mark T05 done, add T06 section with done-criteria. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
79 lines
3.6 KiB
Markdown
79 lines
3.6 KiB
Markdown
# SSO-MFA Platform — Stack Migration Workplan
|
|
# NK-WP-0001 — Keycloak → Authelia + LLDAP + KeyCape
|
|
|
|
**Updated:** 2026-03-19 (T06 in progress)
|
|
**Workstream:** sso-mfa-platform (39263c4b-ef70-4053-b782-350834b7e1be)
|
|
|
|
## Stack Decision
|
|
|
|
Keycloak + privacyIDEA replaced by:
|
|
- **LLDAP** — lightweight LDAP directory (user store)
|
|
- **Authelia** — authentication frontend (password auth + OIDC upstream)
|
|
- **KeyCape** — OIDC orchestration layer (auth code flow + MFA via privacyIDEA adapter)
|
|
- **privacyIDEA** — MFA engine (unchanged, still in `mfa` namespace)
|
|
|
|
Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.coulomb.social (LLDAP admin)
|
|
|
|
## Task Status
|
|
|
|
| Task | ID (hub) | Status | Notes |
|
|
|------|----------|--------|-------|
|
|
| T01 — Vault & secret bootstrap | 7992528c | done | |
|
|
| T02 — K8s foundations | 721ca6b2 | done | Manifests authored; pending live cluster |
|
|
| T03 — PostgreSQL | 7fa60004 | done | Manifests authored; pending live cluster |
|
|
| T04 — privacyIDEA | 6ad1296a | **todo** | Manifests exist in k8s/privacyidea/; pending cluster |
|
|
| T05 — SSO core (new stack) | b9f73aa6 | done | commit 0754dc3 |
|
|
| T06 — Realm config & MFA flow | 3b6379a4 | **in-progress** | See below |
|
|
| T07 — User mgmt & self-service | c7cf902a | todo | |
|
|
| T08 — Backups, DR, break-glass | 9cbd1d89 | todo | |
|
|
|
|
## T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)
|
|
|
|
### Done
|
|
- [x] LLDAP manifests: pvc.yaml, deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
|
|
- [x] Authelia manifests: pvc.yaml, configmap.yaml, deployment.yaml, ingress.yaml, create-secrets.sh
|
|
- [x] KeyCape manifests: deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
|
|
- [x] NetworkPolicy: netpol-sso.yaml updated for new components
|
|
- [x] Keycloak manifests staged for deletion
|
|
|
|
### In Progress (this session)
|
|
- [x] keycape/create-pi-token.sh
|
|
- [x] lldap/README.md
|
|
- [x] authelia/README.md
|
|
- [x] keycape/README.md
|
|
- [x] Update CONFIG.md (fixed CP-NK-004, removed old CP-NK-005, added CP-NK-005 auth.*, CP-NK-006 lldap.*)
|
|
- [x] Update bootstrap/gen-secrets.sh (removed Keycloak, added LLDAP/Authelia/KeyCape sections)
|
|
- [x] Update k8s/README.md (network policy table)
|
|
- [x] Replace verify-t05.sh (Keycloak → LLDAP+Authelia+KeyCape checks)
|
|
- [x] Commit all changes — commit 0754dc3
|
|
- [x] Update state hub tasks — T05 marked done, milestone event logged
|
|
|
|
### Done-criteria for T05
|
|
- All manifests present and consistent
|
|
- gen-secrets.sh generates correct secrets for new stack
|
|
- verify-t05.sh checks all three components
|
|
- Committed to main
|
|
|
|
## T06 — Realm config & MFA flow (KeyCape → privacyIDEA)
|
|
|
|
### Deliverables
|
|
- [x] `k8s/privacyidea/bootstrap-realm.sh` — creates LLDAP resolver, "netkingdom" realm, enrollment + passthru policies
|
|
- [x] `k8s/verify-t06.sh` — verifies realm, resolver, KeyCape→PI token, connectivity
|
|
|
|
### In Progress (this session)
|
|
- [ ] Run `bootstrap-realm.sh` on live cluster (requires T04 applied)
|
|
- [ ] Run `keycape/create-pi-token.sh` then `keycape/create-secrets.sh` (inject real PI token)
|
|
- [ ] Restart KeyCape with updated keycape-config
|
|
- [ ] Enroll a TOTP token for pi-admin via pink-account.coulomb.social
|
|
- [ ] Test end-to-end login via kc.coulomb.social
|
|
- [ ] Run `verify-t06.sh` — all checks pass
|
|
- [ ] Commit and mark T06 done
|
|
|
|
### Done-criteria for T06
|
|
- privacyIDEA "netkingdom" realm exists with LLDAP resolver
|
|
- LDAP resolver resolves users from LLDAP
|
|
- keycape-pi-token contains a real (non-placeholder) JWT
|
|
- KeyCape→privacyIDEA token list API returns status=True
|
|
- At least one user has enrolled a TOTP token
|
|
- verify-t06.sh: 0 FAILs
|