generated from coulomb/repo-seed
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
kc.coulomb.social — KeyCape OIDC server (stateless, custom Go)
auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
lldap.coulomb.social — LLDAP admin UI (IP-restricted)
pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
147 lines
5.5 KiB
Markdown
# Config Point Registry

## Philosophy

net-kingdom is opinionated: defaults, conventions, and automation are preferred at every
level. A config point in this file is a **conscious exception** — a value that cannot be
derived from the system's topology, naming conventions, component defaults, or available
automation.

**Minimizing this list is a design goal.** Before adding a config point, ask:

- Can the value be derived from a naming convention or topology fact?
- Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
- Is the default provided by the upstream component safe to accept?

If yes to any of the above, don't add it here.

---

## Summary

| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-001 | ACME contact email | `bernd.worsch+netkingdom@gmail.com` | `sso-mfa/k8s/cert-manager/issuers.yaml:38` |
| CP-NK-002 | privacyIDEA portal hostname | `pink.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-003 | privacyIDEA self-service hostname | `pink-account.coulomb.social` | `sso-mfa/k8s/privacyidea/ingress.yaml` |
| CP-NK-004 | KeyCape OIDC hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycape/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml`, `sso-mfa/k8s/keycape/create-secrets.sh` |
| CP-NK-005 | Authelia login portal hostname | `auth.coulomb.social` | `sso-mfa/k8s/authelia/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml` |
| CP-NK-006 | LLDAP admin web UI hostname | `lldap.coulomb.social` | `sso-mfa/k8s/lldap/ingress.yaml` |

---
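The Location(s) column is what makes a config point auditable: the registered value is supposed to appear in every file listed for it, and a rename in one manifest that is not mirrored here (or in the other listed files) is exactly the kind of drift that breaks redirect URIs and TLS hosts silently. The following Python script is an added example, not part of net-kingdom: it parses rows in this table's format and reports every listed file that is missing or no longer contains the registered value. The sample rows and the repository tree it builds are constructed for the demonstration, with one file deliberately drifted.

```python
"""Drift check for a config point registry in CONFIG.md table format.

Added example, not part of net-kingdom. The registry excerpt and the
repository tree built by demo() are constructed so the check runs offline.
"""
import os
import re
import tempfile

# Constructed excerpt of the Summary table (same column layout as CONFIG.md).
SAMPLE_REGISTRY = """\
| ID | Name | Value | Location(s) |
|----|------|-------|-------------|
| CP-NK-004 | KeyCape OIDC hostname | `kc.coulomb.social` | `sso-mfa/k8s/keycape/ingress.yaml`, `sso-mfa/k8s/authelia/configmap.yaml` |
| CP-NK-006 | LLDAP admin web UI hostname | `lldap.coulomb.social` | `sso-mfa/k8s/lldap/ingress.yaml` |
"""

# One table row: ID cell, name cell, backticked value cell, location cell.
ROW_RE = re.compile(r"^\|\s*(CP-NK-\d+)\s*\|[^|]*\|\s*`([^`]+)`\s*\|(.*)\|\s*$")
# A backticked path, with an optional ":line" hint that is dropped.
LOC_RE = re.compile(r"`([^`:]+)(?::\d+)?`")


def parse_registry(text):
    """Return {cp_id: (value, [relative paths])} from Summary-table rows."""
    points = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator, or non-table line
        cp_id, value, locs = m.groups()
        points[cp_id] = (value, LOC_RE.findall(locs))
    return points


def find_drift(points, repo_root):
    """Return (cp_id, path, problem) for each listed location that is missing
    or does not contain the registered value; an empty list means no drift."""
    problems = []
    for cp_id, (value, paths) in points.items():
        for rel in paths:
            full = os.path.join(repo_root, rel)
            if not os.path.isfile(full):
                problems.append((cp_id, rel, "missing file"))
                continue
            with open(full, encoding="utf-8") as fh:
                if value not in fh.read():
                    problems.append((cp_id, rel, "value not found"))
    return problems


def demo():
    """Build a constructed repo tree; the Authelia configmap is deliberately
    drifted (hostname renamed without updating the registry)."""
    files = {
        "sso-mfa/k8s/keycape/ingress.yaml": "  - host: kc.coulomb.social\n",
        "sso-mfa/k8s/authelia/configmap.yaml":
            "redirect_uris:\n  - https://keycape.coulomb.social/callback\n",
        "sso-mfa/k8s/lldap/ingress.yaml": "  - host: lldap.coulomb.social\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return find_drift(parse_registry(SAMPLE_REGISTRY), root)


if __name__ == "__main__":
    for cp_id, rel, problem in demo():
        print(f"{cp_id}: {rel}: {problem}")
```

Run against a real checkout, `parse_registry` would be fed the contents of `CONFIG.md` and `find_drift` the repository root; a non-empty result is a suitable failing condition for a verify script such as the one the commit describes.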

## CP-NK-002 — privacyIDEA portal hostname

**Value:** `pink.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — all three Ingress `host` fields

**Why non-default:** Subdomain prefix must be chosen by the operator; no naming
convention existed in the repo before T04. `pink` = **P**rivacy**I**DEA
**N**et **K**nights (project-specific mnemonic).

**Scope:** TLS certificate, Traefik routing, and all references to the
privacyIDEA public URL (including Keycloak Provider config in T05/T06).

---

## CP-NK-003 — privacyIDEA self-service portal hostname

**Value:** `pink-account.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/privacyidea/ingress.yaml` — `privacyidea-account` Ingress `host` field

**Why non-default:** Separate hostname for the self-service portal allows
different firewall/allowlist rules from the admin portal. Follows the
`<service>-account` naming convention used in the workplan design.

**Scope:** TLS certificate and Traefik routing for the user-facing
self-service token enrolment portal.

---

## CP-NK-001 — ACME contact email

**Value:** `bernd.worsch+netkingdom@gmail.com`
**Set:** 2026-03-02
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/cert-manager/issuers.yaml:38` — `spec.acme.email` on the
  `letsencrypt-prod` ClusterIssuer

**Why non-default:** ACME (Let's Encrypt) requires a contact address for certificate
lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements.
There is no system-level default that qualifies: this must be a real, monitored inbox.

**Why not automated:** The Linux user GECOS email (via Local Identity) would be a
natural source. However, that introduces a runtime dependency between cluster
provisioning and the local-identity tool. Deferred; revisit when Local Identity
gains a structured "operator contact" concept.

**Scope:** All TLS certificates issued by the `letsencrypt-prod` ClusterIssuer across
the entire cluster.

---

## CP-NK-004 — KeyCape OIDC hostname

**Value:** `kc.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/keycape/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml` — `redirect_uris` for the KeyCape OIDC client
- `sso-mfa/k8s/keycape/create-secrets.sh` — `issuer` and `redirectURI` in config.yaml

**Why non-default:** Subdomain prefix must be chosen by the operator. `kc` is retained
from the original design (`kc` = **K**ey**C**ape) for DNS stability.

**Scope:** TLS certificate, Traefik routing, KeyCape's OIDC issuer claim, and all
redirect URIs registered by downstream applications. Changing this hostname after
clients are registered requires updating all registered `redirect_uris`.

---

## CP-NK-005 — Authelia login portal hostname

**Value:** `auth.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/authelia/ingress.yaml` — Ingress `host` field
- `sso-mfa/k8s/authelia/configmap.yaml` — `session.domain` parent domain comment

**Why non-default:** Subdomain prefix must be chosen by the operator. `auth` is the
conventional prefix for authentication portals.

**Scope:** TLS certificate, Traefik routing, and the Authelia login page that users'
browsers are redirected to during the OIDC flow. The session cookie `domain` is set
to the parent domain (`coulomb.social`) so the cookie is valid across both
`auth.coulomb.social` and `kc.coulomb.social`.

---
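Scoping the session cookie to the parent domain is what lets one login span `auth.` and `kc.`, but a browser sends a cookie with `Domain=coulomb.social` to every host under that domain, so the other hostnames in this registry (`lldap.`, `pink.`, `pink-account.`) receive the Authelia session cookie as well. The Python check below is an added example, not Authelia's or net-kingdom's code: it applies the RFC 6265 section 5.1.3 domain-match rule to confirm that a candidate `session.domain` covers both portal hosts, and lists which other registry hosts would also receive the cookie. The hostnames are the ones in this registry; the bare-TLD rejection is a simplified stand-in for a full public-suffix-list check.

```python
"""Session cookie Domain attribute: who gets the cookie?

Added example, not Authelia's or net-kingdom's code. Hostnames are the ones
registered in CONFIG.md; the matching rule is RFC 6265 section 5.1.3.
"""
import ipaddress

# Hosts that must share the login session (CP-NK-005 scope).
PORTAL_HOSTS = ["auth.coulomb.social", "kc.coulomb.social"]
# Other hosts registered in this file (CP-NK-002, CP-NK-003, CP-NK-006).
OTHER_HOSTS = ["lldap.coulomb.social", "pink.coulomb.social",
               "pink-account.coulomb.social"]


def is_ip_literal(host):
    """IPv4/IPv6 literals never domain-match a Domain attribute."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: identical, or host ends with '.' + domain.
    'evilcoulomb.social' does NOT match 'coulomb.social' (no dot boundary)."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")  # leading dot is ignored
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain) and not is_ip_literal(host)


def check_session_domain(cookie_domain, must_cover, all_hosts):
    """Validate a candidate session.domain value.

    Returns (ok, uncovered, also_receives):
      uncovered     - hosts in must_cover that would NOT get the cookie
                      (a misconfiguration: SSO between them breaks);
      also_receives - hosts in all_hosts outside must_cover that DO get the
                      cookie (the scope a defender should be aware of).
    A bare TLD is rejected outright; this is a simplified stand-in for a
    public-suffix-list check, which browsers apply to Domain cookies.
    """
    if "." not in cookie_domain.strip("."):
        return False, list(must_cover), []
    uncovered = [h for h in must_cover if not domain_matches(h, cookie_domain)]
    also = [h for h in all_hosts
            if h not in must_cover and domain_matches(h, cookie_domain)]
    return not uncovered, uncovered, also


if __name__ == "__main__":
    ok, uncovered, also = check_session_domain(
        "coulomb.social", PORTAL_HOSTS, PORTAL_HOSTS + OTHER_HOSTS)
    print("covers both portals:", ok, "uncovered:", uncovered)
    print("also receives the session cookie:", also)
```

The `also_receives` list is the practical output: every service on it should treat an Authelia session cookie it happens to receive as an opaque, unrelated value, and any host added under `coulomb.social` later inherits the same exposure without any change to the Authelia configuration.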

## CP-NK-006 — LLDAP admin web UI hostname

**Value:** `lldap.coulomb.social`
**Set:** 2026-03-19
**Set by:** worsch

**Location(s):**
- `sso-mfa/k8s/lldap/ingress.yaml` — Ingress `host` field

**Why non-default:** Subdomain prefix must be chosen by the operator.

**Scope:** TLS certificate and Traefik routing for the LLDAP admin web UI. Access
is IP-restricted by the `lldap-admin-allowlist` Traefik Middleware (VPN/office
CIDRs only). The LDAP port (3890) is cluster-internal only and never exposed
via Ingress.