coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8db000e5f03bc2bd80c19c99aedb993da0d68a63
net-kingdom/sso-mfa/k8s/keycape/create-pi-token.sh
Bernd Worsch 0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05) 
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:31:51 +00:00

97 lines
3.6 KiB
Bash
Raw Blame History

#!/usr/bin/env bash
# create-pi-token.sh — fetch a privacyIDEA admin JWT and store it for KeyCape
#
# Usage:
# ./create-pi-token.sh [secrets-dir]
#
# Run this script AFTER T04 bootstrap (privacyIDEA admin account created).
# It authenticates to the privacyIDEA API, fetches a long-lived admin JWT,
# and writes it to secrets/keycape/pi_admin_token.
#
# After running this script, re-run create-secrets.sh to update the
# keycape-config K8s Secret with the real token, then restart KeyCape:
# ./create-secrets.sh
# kubectl rollout restart deployment/keycape -n sso
#
# The privacyIDEA admin token does NOT expire by default (it is a permanent
# service account token). Store it in KeePassXC as:
# net-kingdom/KeyCape/pi-admin-token
#
# Requires: kubectl, curl, jq
set -euo pipefail
SECRETS_DIR="${1:-../../bootstrap/secrets}"
PI_ENV="$SECRETS_DIR/privacyidea/secrets.env"
TOKEN_FILE="$SECRETS_DIR/keycape/pi_admin_token"
if [[ ! -f "$PI_ENV" ]]; then
echo "ERROR: $PI_ENV not found — run sso-mfa/bootstrap/gen-secrets.sh first." >&2
exit 1
fi
read_env() { bash -c "source '$1' 2>/dev/null; echo \${$2}"; }
PI_ADMIN_PASSWORD=$(read_env "$PI_ENV" PI_ADMIN_PASSWORD)
if [[ -z "$PI_ADMIN_PASSWORD" ]]; then
echo "ERROR: PI_ADMIN_PASSWORD is empty in $PI_ENV" >&2
exit 1
fi
# Determine privacyIDEA base URL — use cluster-internal URL if kubectl is available
# and we can reach the service, otherwise fall back to the public hostname.
PI_BASE_URL=""
if kubectl get service privacyidea -n mfa &>/dev/null 2>&1; then
# Prefer running a one-shot pod inside the cluster to avoid needing
# public TLS to be up during bootstrap.
PI_BASE_URL="http://privacyidea.mfa.svc.cluster.local:8080"
USE_CLUSTER=true
else
PI_BASE_URL="https://pink.coulomb.social"
USE_CLUSTER=false
fi
echo "Fetching privacyIDEA admin token from: $PI_BASE_URL"
if [[ "$USE_CLUSTER" == "true" ]]; then
# Run curl inside the cluster (avoids needing public TLS to be live)
TOKEN=$(kubectl run -n mfa --rm -i --restart=Never pi-token-fetch \
--image=curlimages/curl:8 --quiet \
-- curl -sf \
-X POST "$PI_BASE_URL/auth" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=pi-admin&password=${PI_ADMIN_PASSWORD}" \
2>/dev/null \
| python3 -c "import sys,json; data=json.load(sys.stdin); print(data['result']['value']['token'])" \
2>/dev/null || echo "")
else
TOKEN=$(curl -sf \
-X POST "$PI_BASE_URL/auth" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "username=pi-admin&password=${PI_ADMIN_PASSWORD}" \
| python3 -c "import sys,json; data=json.load(sys.stdin); print(data['result']['value']['token'])" \
2>/dev/null || echo "")
fi
if [[ -z "$TOKEN" ]]; then
echo "ERROR: failed to fetch token from privacyIDEA." >&2
echo " Verify that privacyIDEA is Running and the pi-admin account exists." >&2
echo " Check: kubectl logs -n mfa \$(kubectl get pod -n mfa -l app.kubernetes.io/name=privacyidea -o name | head -1)" >&2
exit 1
fi
mkdir -p "$(dirname "$TOKEN_FILE")"
echo -n "$TOKEN" > "$TOKEN_FILE"
chmod 600 "$TOKEN_FILE"
echo ""
echo "Token written to: $TOKEN_FILE"
echo "Token preview : ${TOKEN:0:32}"
echo ""
echo "IMPORTANT: Store this token in KeePassXC → net-kingdom/KeyCape/pi-admin-token"
echo " as a password entry. It cannot be recovered without re-authenticating."
echo ""
echo "Next steps:"
echo " 1. Re-run create-secrets.sh to update keycape-config with the real token."
echo " 2. Restart KeyCape: kubectl rollout restart deployment/keycape -n sso"
Reference in New Issue View Git Blame Copy Permalink