Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
kc.coulomb.social — KeyCape OIDC server (stateless, custom Go)
auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
lldap.coulomb.social — LLDAP admin UI (IP-restricted)
pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Config Point Registry
Philosophy
net-kingdom is opinionated: defaults, conventions, and automation are preferred at every level. A config point in this file is a conscious exception — a value that cannot be derived from the system's topology, naming conventions, component defaults, or available automation.
Minimizing this list is a design goal. Before adding a config point, ask:
- Can the value be derived from a naming convention or topology fact?
- Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
- Is the default provided by the upstream component safe to accept?
If yes to any of the above, don't add it here.
Summary
| ID | Name | Value | Location(s) |
|---|---|---|---|
| CP-NK-001 | ACME contact email | bernd.worsch+netkingdom@gmail.com | sso-mfa/k8s/cert-manager/issuers.yaml:38 |
| CP-NK-002 | privacyIDEA portal hostname | pink.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-003 | privacyIDEA self-service hostname | pink-account.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-004 | KeyCape OIDC hostname | kc.coulomb.social | sso-mfa/k8s/keycape/ingress.yaml, sso-mfa/k8s/authelia/configmap.yaml, sso-mfa/k8s/keycape/create-secrets.sh |
| CP-NK-005 | Authelia login portal hostname | auth.coulomb.social | sso-mfa/k8s/authelia/ingress.yaml, sso-mfa/k8s/authelia/configmap.yaml |
| CP-NK-006 | LLDAP admin web UI hostname | lldap.coulomb.social | sso-mfa/k8s/lldap/ingress.yaml |
CP-NK-002 — privacyIDEA portal hostname
Value: pink.coulomb.social
Set: 2026-03-19
Set by: worsch
Location(s):
- `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields
Why non-default: Subdomain prefix must be chosen by the operator; no naming
convention existed in the repo before T04. pink = PrivacyIDEA
Net Knights (project-specific mnemonic).
Scope: TLS certificate, Traefik routing, and all references to the privacyIDEA public URL (including Keycloak Provider config in T05/T06).
CP-NK-003 — privacyIDEA self-service portal hostname
Value: pink-account.coulomb.social
Set: 2026-03-19
Set by: worsch
Location(s):
- `sso-mfa/k8s/privacyidea/ingress.yaml` — `privacyidea-account` Ingress `host` field
Why non-default: Separate hostname for the self-service portal allows
different firewall/allowlist rules from the admin portal. Follows the
`<service>-account` naming convention used in the workplan design.
Scope: TLS certificate and Traefik routing for the user-facing self-service token enrolment portal.
CP-NK-001 — ACME contact email
Value: bernd.worsch+netkingdom@gmail.com
Set: 2026-03-02
Set by: worsch
Location(s):
- `sso-mfa/k8s/cert-manager/issuers.yaml:38` — `spec.acme.email` on the `letsencrypt-prod` ClusterIssuer
Why non-default: ACME (Let's Encrypt) requires a contact address for certificate lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements. There is no system-level default that qualifies: this must be a real, monitored inbox.
Why not automated: The Linux user GECOS email (via Local Identity) would be a natural source. However, that introduces a runtime dependency between cluster provisioning and the local-identity tool. Deferred; revisit when Local Identity gains a structured "operator contact" concept.
Scope: All TLS certificates issued by the letsencrypt-prod ClusterIssuer across
the entire cluster.
CP-NK-004 — KeyCape OIDC hostname
Value: kc.coulomb.social
Set: 2026-03-19
Set by: worsch
Location(s):
- `sso-mfa/k8s/keycape/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml` — `redirect_uris` for the KeyCape OIDC client
- `sso-mfa/k8s/keycape/create-secrets.sh` — `issuer` and `redirectURI` in config.yaml
Why non-default: Subdomain prefix must be chosen by the operator. kc is retained
from the original design (kc = KeyCape) for DNS stability.
Scope: TLS certificate, Traefik routing, KeyCape's OIDC issuer claim, and all
redirect URIs registered by downstream applications. Changing this hostname after
clients are registered requires updating all registered redirect_uris.
CP-NK-005 — Authelia login portal hostname
Value: auth.coulomb.social
Set: 2026-03-19
Set by: worsch
Location(s):
- `sso-mfa/k8s/authelia/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml` — `session.domain` parent domain comment
Why non-default: Subdomain prefix must be chosen by the operator. auth is the
conventional prefix for authentication portals.
Scope: TLS certificate, Traefik routing, and the Authelia login page that users'
browsers are redirected to during the OIDC flow. The session cookie domain is set
to the parent domain (coulomb.social) so the cookie is valid across both
auth.coulomb.social and kc.coulomb.social.
CP-NK-006 — LLDAP admin web UI hostname
Value: lldap.coulomb.social
Set: 2026-03-19
Set by: worsch
Location(s):
- `sso-mfa/k8s/lldap/ingress.yaml` — Ingress `host` field
Why non-default: Subdomain prefix must be chosen by the operator.
Scope: TLS certificate and Traefik routing for the LLDAP admin web UI. Access
is IP-restricted by the lldap-admin-allowlist Traefik Middleware (VPN/office
CIDRs only). The LDAP port (3890) is cluster-internal only and never exposed
via Ingress.
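The registry above is only useful if the manifests actually agree with it: a hostname that is registered but no longer present in its listed location, an Ingress `host` that was never registered, or a `redirect_uri` still pointing at an old KeyCape issuer host (the failure mode CP-NK-004 warns about) are all silent drift. The following script is an added example of a drift check written for this page; it is not the repo's `verify-t05.sh` and does not read the real files. It embeds a constructed subset of the Summary table and constructed sample manifests, and uses a stdlib line scanner for `host:` and list-item URIs instead of a full YAML parser, which is enough for the manifest shapes it is given.

```python
"""Config-point drift check (added example; not the repo's own verify-t05.sh)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# One Summary-table row: | ID | Name | Value | Location(s) |
ROW_RE = re.compile(r"^\|\s*(CP-NK-\d{3})\s*\|\s*[^|]*\|\s*([^|]+?)\s*\|\s*([^|]*?)\s*\|\s*$")
# Ingress rule host line, e.g. "    - host: kc.coulomb.social"
HOST_RE = re.compile(r"^\s*-?\s*host:\s*['\"]?([A-Za-z0-9.-]+)['\"]?\s*$")
# YAML list item holding a URI, e.g. "  - https://kc.coulomb.social/callback"
URI_RE = re.compile(r"^\s*-\s*(https?://\S+)\s*$")

KEYCAPE_CP = "CP-NK-004"  # the config point whose value every redirect_uri must use

# Constructed subset of the registry (hostname config points only).
REGISTRY_MD = """
| CP-NK-002 | privacyIDEA portal hostname | pink.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-003 | privacyIDEA self-service hostname | pink-account.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-004 | KeyCape OIDC hostname | kc.coulomb.social | sso-mfa/k8s/keycape/ingress.yaml, sso-mfa/k8s/authelia/configmap.yaml |
| CP-NK-005 | Authelia login portal hostname | auth.coulomb.social | sso-mfa/k8s/authelia/ingress.yaml |
| CP-NK-006 | LLDAP admin web UI hostname | lldap.coulomb.social | sso-mfa/k8s/lldap/ingress.yaml |
"""

# Constructed sample manifests keyed by repo-relative path (hypothetical contents,
# not the real files; the /callback path is an assumption).
MANIFESTS = {
    "sso-mfa/k8s/privacyidea/ingress.yaml": "spec:\n  rules:\n    - host: pink.coulomb.social\n    - host: pink-account.coulomb.social\n",
    "sso-mfa/k8s/keycape/ingress.yaml": "spec:\n  rules:\n    - host: kc.coulomb.social\n",
    "sso-mfa/k8s/authelia/ingress.yaml": "spec:\n  rules:\n    - host: auth.coulomb.social\n",
    "sso-mfa/k8s/lldap/ingress.yaml": "spec:\n  rules:\n    - host: lldap.coulomb.social\n",
    "sso-mfa/k8s/authelia/configmap.yaml": (
        "identity_providers:\n  oidc:\n    clients:\n      - client_id: keycape\n"
        "        redirect_uris:\n          - https://kc.coulomb.social/callback\n"
    ),
}


@dataclass
class ConfigPoint:
    cp_id: str
    value: str
    locations: list


def parse_registry(md):
    """Parse Summary-table rows into {id: ConfigPoint}; non-row lines are ignored."""
    reg = {}
    for line in md.splitlines():
        m = ROW_RE.match(line)
        if m:
            cp_id, value, locs = m.groups()
            reg[cp_id] = ConfigPoint(cp_id, value, [l.strip() for l in locs.split(",") if l.strip()])
    return reg


def ingress_hosts(text):
    """Every host: value in an Ingress manifest."""
    return {m.group(1) for m in map(HOST_RE.match, text.splitlines()) if m}


def redirect_uris(text):
    """Every URI list item in a manifest (only redirect_uris hold URIs in this sample)."""
    return [m.group(1) for m in map(URI_RE.match, text.splitlines()) if m]


def check_drift(registry, manifests):
    """Return a list of human-readable findings; an empty list means no drift."""
    findings = []
    registered_hosts = {cp.value for cp in registry.values()}
    # 1. An Ingress host that nobody registered is an undocumented exposure.
    for path, text in manifests.items():
        for host in ingress_hosts(text):
            if host not in registered_hosts:
                findings.append(f"{path}: Ingress host {host} is not a registered config point")
    # 2. A registered value must still appear in every location the registry lists.
    for cp in registry.values():
        for loc in cp.locations:
            text = manifests.get(loc)
            if text is None:
                findings.append(f"{cp.cp_id}: location {loc} missing from manifest set")
            elif cp.value not in text:
                findings.append(f"{cp.cp_id}: value {cp.value} not found in {loc} (stale location)")
    # 3. Redirect URIs must be https and on the KeyCape hostname, or the OIDC flow breaks.
    kc = registry.get(KEYCAPE_CP)
    if kc is not None:
        for path, text in manifests.items():
            for uri in redirect_uris(text):
                u = urlsplit(uri)
                if u.scheme != "https" or u.hostname != kc.value:
                    findings.append(f"{path}: redirect_uri {uri} must be https on {kc.value} ({KEYCAPE_CP})")
    return findings


def run_example():
    """Run the check over the constructed samples; returns [] when they agree."""
    return check_drift(parse_registry(REGISTRY_MD), MANIFESTS)


if __name__ == "__main__":
    for finding in run_example() or ["no drift"]:
        print(finding)
```

Against the real repo the two constants would be replaced by reading CONFIG.md and the files under `sso-mfa/k8s/`, and the check would sit beside `verify-t05.sh` so a hostname change is caught in the same run that validates the stack.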