generated from coulomb/repo-seed
Bernd Worsch
0754dc32e6
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine. Stack: kc.coulomb.social — KeyCape OIDC server (stateless, custom Go) auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape) lldap.coulomb.social — LLDAP admin UI (IP-restricted) pink.coulomb.social — privacyIDEA MFA engine (unchanged) Changes: - Remove sso-mfa/k8s/keycloak/ (7 files) - Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README) - Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README) - Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README) - Update network-policies/netpol-sso.yaml for new component topology - Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks) - Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP) - Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak - Update k8s/README.md: network policy table reflects new traffic paths - Add sso-mfa/WORKPLAN.md: resumable task checklist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
137 lines
4.0 KiB
YAML
137 lines
4.0 KiB
YAML
# Deployment + Service — KeyCape (namespace: sso)
|
|
#
|
|
# KeyCape is the OIDC orchestration layer. It is stateless: all persistent
|
|
# state lives in Authelia (session), LLDAP (users), and privacyIDEA (MFA tokens).
|
|
# No PVC is required.
|
|
#
|
|
# Configuration is stored entirely in the keycape-config Secret, which holds
|
|
# a complete config.yaml and the RSA private key used to sign OIDC tokens
|
|
# issued to downstream applications.
|
|
#
|
|
# Prerequisites (apply in order):
|
|
# 1. keycape-config Secret — run keycape/create-secrets.sh
|
|
# 2. keycape-pi-token Secret — run keycape/create-pi-token.sh (after T04 bootstrap)
|
|
# 3. This file
|
|
# 4. middleware.yaml + ingress.yaml
|
|
#
|
|
# Container image:
|
|
# KeyCape has no published image. Build from ~/key-cape/ and push to a registry,
|
|
# or import directly into K3s (see README.md "Building the image").
|
|
# Image tag below is a placeholder — update before applying.
|
|
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: keycape
|
|
namespace: sso
|
|
labels:
|
|
app.kubernetes.io/name: keycape
|
|
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
|
net-kingdom/component: sso
|
|
spec:
|
|
replicas: 1
|
|
selector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: keycape
|
|
strategy:
|
|
type: RollingUpdate # stateless — safe to roll
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app.kubernetes.io/name: keycape
|
|
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
|
net-kingdom/component: sso
|
|
spec:
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: 65534 # nobody — matches distroless static image
|
|
fsGroup: 65534
|
|
|
|
containers:
|
|
- name: keycape
|
|
# EDIT before applying — see README.md "Building the image".
|
|
# Option A (registry): docker build -t <registry>/keycape:v0.1 ~/key-cape/ && docker push ...
|
|
# Option B (K3s local): docker build -t keycape:v0.1 ~/key-cape/ &&
|
|
# docker save keycape:v0.1 | sudo k3s ctr images import -
|
|
# After Option B, set imagePullPolicy: Never.
|
|
image: keycape:v0.1
|
|
imagePullPolicy: IfNotPresent
|
|
|
|
ports:
|
|
- name: http
|
|
containerPort: 8080
|
|
protocol: TCP
|
|
|
|
env:
|
|
- name: KEYCAPE_CONFIG
|
|
value: /etc/keycape/config.yaml
|
|
|
|
volumeMounts:
|
|
# keycape-config Secret provides config.yaml and key.pem
|
|
- name: config-secret
|
|
mountPath: /etc/keycape
|
|
readOnly: true
|
|
|
|
startupProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 8080
|
|
initialDelaySeconds: 3
|
|
periodSeconds: 3
|
|
failureThreshold: 10
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 8080
|
|
initialDelaySeconds: 0
|
|
periodSeconds: 15
|
|
failureThreshold: 3
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /healthz
|
|
port: 8080
|
|
initialDelaySeconds: 0
|
|
periodSeconds: 10
|
|
failureThreshold: 3
|
|
|
|
resources:
|
|
requests:
|
|
cpu: "25m"
|
|
memory: "32Mi"
|
|
limits:
|
|
cpu: "200m"
|
|
memory: "128Mi"
|
|
|
|
volumes:
|
|
- name: config-secret
|
|
secret:
|
|
secretName: keycape-config
|
|
# Secret must contain two keys: config.yaml and key.pem
|
|
items:
|
|
- key: config.yaml
|
|
path: config.yaml
|
|
- key: key.pem
|
|
path: key.pem
|
|
mode: 0400 # key.pem is sensitive; restrict to owner read only
|
|
|
|
---
|
|
# Service — ClusterIP; Traefik reaches KeyCape via port 8080.
|
|
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: keycape
|
|
namespace: sso
|
|
labels:
|
|
app.kubernetes.io/name: keycape
|
|
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
|
net-kingdom/component: sso
|
|
spec:
|
|
type: ClusterIP
|
|
selector:
|
|
app.kubernetes.io/name: keycape
|
|
ports:
|
|
- name: http
|
|
port: 8080
|
|
targetPort: 8080
|
|
protocol: TCP
|