coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bee0936d5d307711aae9b22eb0e99ca03bf5cfc3
net-kingdom/sso-mfa/WORKPLAN.md
Bernd Worsch bee0936d5d docs(sso-mfa): fix stale Keycloak refs and add T04 apply section to WORKPLAN 
- README.md: ipAllowList → ipWhiteList (match Traefik v2 fix)
- verify-t04.sh: update success message (Keycloak → LLDAP+Authelia+KeyCape)
- WORKPLAN.md: add full T04 section with deliverables, pending steps, done-criteria

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 07:33:47 +00:00

7.6 KiB
Raw Blame History

SSO-MFA Platform — Stack Migration Workplan

NK-WP-0001 — Keycloak → Authelia + LLDAP + KeyCape

Updated: 2026-03-19 (T06 pending cluster; T07/T08 manifests complete) Workstream: sso-mfa-platform (39263c4b-ef70-4053-b782-350834b7e1be)

Stack Decision

Keycloak + privacyIDEA replaced by:

  • LLDAP — lightweight LDAP directory (user store)
  • Authelia — authentication frontend (password auth + OIDC upstream)
  • KeyCape — OIDC orchestration layer (auth code flow + MFA via privacyIDEA adapter)
  • privacyIDEA — MFA engine (unchanged, still in mfa namespace)

Hostnames: kc.coulomb.social (KeyCape), auth.coulomb.social (Authelia), lldap.coulomb.social (LLDAP admin)

Task Status

Task ID (hub) Status Notes
T01 — Vault & secret bootstrap 7992528c done
T02 — K8s foundations 721ca6b2 done Manifests authored; pending live cluster
T03 — PostgreSQL 7fa60004 done Manifests authored; pending live cluster
T04 — privacyIDEA 6ad1296a todo Manifests exist in k8s/privacyidea/; pending cluster
T05 — SSO core (new stack) b9f73aa6 done commit 0754dc3
T06 — Realm config & MFA flow 3b6379a4 in-progress See below
T07 — User mgmt & self-service c7cf902a in-progress See below
T08 — Backups, DR, break-glass 9cbd1d89 in-progress See below

T04 — privacyIDEA

Deliverables (already authored)

  • k8s/privacyidea/pvc.yaml — privacyidea-data and privacyidea-logs PVCs
  • k8s/privacyidea/configmap.yaml — pi.cfg template (secrets injected at runtime)
  • k8s/privacyidea/create-secrets.sh — privacyidea-config Secret
  • k8s/privacyidea/deployment.yaml — Deployment + Service (port 8080)
  • k8s/privacyidea/middleware.yaml — rate-limit + admin IP allowlist (ipWhiteList, Traefik v2)
  • k8s/privacyidea/ingress.yaml — pink.coulomb.social + pink-account.coulomb.social
  • k8s/privacyidea/enckey-bootstrap.sh — extract enckey + audit keys post-start
  • k8s/privacyidea/bootstrap-admin.sh — create pi-admin + trigger-admin
  • k8s/verify-t04.sh — verify pod, service, middlewares, ingresses, TLS, secrets, PVCs

Pending (needs live cluster)

  • ./create-secrets.sh — create privacyidea-config Secret in mfa namespace
  • kubectl apply -f pvc.yaml configmap.yaml middleware.yaml deployment.yaml ingress.yaml
  • Wait for pod Running/Ready (up to 3 min — DB migrations run on first boot)
  • ./enckey-bootstrap.sh — extract enckey+auditkeys, store in KeePassXC, create DR Secrets
  • ./bootstrap-admin.sh — create pi-admin and trigger-admin
  • Log in to pink.coulomb.social, enroll TOTP for pi-admin, verify MFA challenge
  • Run ../verify-t04.sh — 0 FAILs
  • Commit and mark T04 done

Done-criteria for T04

  • privacyIDEA pod Running+Ready in mfa namespace
  • pink.coulomb.social and pink-account.coulomb.social reachable with valid TLS
  • pi-admin and trigger-admin accounts exist
  • pi-admin has enrolled a TOTP token and MFA challenge fires on login
  • privacyidea-enckey and privacyidea-auditkeys Secrets exist (DR copies)
  • verify-t04.sh: 0 FAILs

T05 — SSO Core (new stack: LLDAP + Authelia + KeyCape)

Done

  • LLDAP manifests: pvc.yaml, deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
  • Authelia manifests: pvc.yaml, configmap.yaml, deployment.yaml, ingress.yaml, create-secrets.sh
  • KeyCape manifests: deployment.yaml, middleware.yaml, ingress.yaml, create-secrets.sh
  • NetworkPolicy: netpol-sso.yaml updated for new components
  • Keycloak manifests staged for deletion

In Progress (this session)

  • keycape/create-pi-token.sh
  • lldap/README.md
  • authelia/README.md
  • keycape/README.md
  • Update CONFIG.md (fixed CP-NK-004, removed old CP-NK-005, added CP-NK-005 auth., CP-NK-006 lldap.)
  • Update bootstrap/gen-secrets.sh (removed Keycloak, added LLDAP/Authelia/KeyCape sections)
  • Update k8s/README.md (network policy table)
  • Replace verify-t05.sh (Keycloak → LLDAP+Authelia+KeyCape checks)
  • Commit all changes — commit 0754dc3
  • Update state hub tasks — T05 marked done, milestone event logged

Done-criteria for T05

  • All manifests present and consistent
  • gen-secrets.sh generates correct secrets for new stack
  • verify-t05.sh checks all three components
  • Committed to main

T06 — Realm config & MFA flow (KeyCape → privacyIDEA)

Deliverables

  • k8s/privacyidea/bootstrap-realm.sh — creates LLDAP resolver, "netkingdom" realm, enrollment + passthru policies
  • k8s/verify-t06.sh — verifies realm, resolver, KeyCape→PI token, connectivity

In Progress (this session)

  • Run bootstrap-realm.sh on live cluster (requires T04 applied)
  • Run keycape/create-pi-token.sh then keycape/create-secrets.sh (inject real PI token)
  • Restart KeyCape with updated keycape-config
  • Enroll a TOTP token for pi-admin via pink-account.coulomb.social
  • Test end-to-end login via kc.coulomb.social
  • Run verify-t06.sh — all checks pass
  • Commit and mark T06 done

Done-criteria for T06

  • privacyIDEA "netkingdom" realm exists with LLDAP resolver
  • LDAP resolver resolves users from LLDAP
  • keycape-pi-token contains a real (non-placeholder) JWT
  • KeyCape→privacyIDEA token list API returns status=True
  • At least one user has enrolled a TOTP token
  • verify-t06.sh: 0 FAILs

T07 — User mgmt & self-service

Deliverables

  • k8s/lldap/bootstrap-users.sh — creates net-kingdom-users and net-kingdom-admins groups in LLDAP via GraphQL API
  • k8s/lldap/break-glass.sh — creates the break-glass bypass account and assigns to net-kingdom-admins
  • k8s/verify-t07.sh — verifies groups, break-glass user, self-service portal, OIDC client registrations

Pending (needs live cluster)

  • Run lldap/bootstrap-users.sh to create groups
  • Run lldap/break-glass.sh to create break-glass account
  • Add first real user via LLDAP WebUI (lldap.coulomb.social)
  • Register first OIDC client in keycape/create-secrets.sh (clients: block)
  • User self-enrolls TOTP at pink-account.coulomb.social
  • Run verify-t07.sh — 0 FAILs

Done-criteria for T07

  • Groups net-kingdom-users and net-kingdom-admins exist in LLDAP
  • break-glass user exists and is in net-kingdom-admins
  • At least one regular user exists
  • At least one OIDC client registered in KeyCape
  • verify-t07.sh: 0 FAILs

T08 — Backups, DR, break-glass

Deliverables

  • k8s/backup/cronjob-sqlite-backups.yaml — daily SQLite backup CronJobs for LLDAP, Authelia, privacyIDEA; RBAC for Authelia scale-down/up
  • k8s/backup/DR-RUNBOOK.md — full restore runbook: scenarios, restore order, node rebuild procedure, offsite export
  • k8s/verify-t08.sh — verifies CronJobs, RBAC, backup files on PVCs, DR runbook presence

Pending (needs live cluster)

  • Apply backup/cronjob-sqlite-backups.yaml
  • Trigger each CronJob manually once to verify they run clean: kubectl create job -n sso --from=cronjob/lldap-backup lldap-backup-test kubectl create job -n sso --from=cronjob/authelia-backup authelia-backup-test kubectl create job -n mfa --from=cronjob/privacyidea-backup pi-backup-test
  • Confirm backup files appear on PVCs
  • Run offsite export: pull backup files, encrypt with age, store offsite
  • Run verify-t08.sh — 0 FAILs

Done-criteria for T08

  • All three backup CronJobs deployed and have ≥1 successful run
  • Backup files confirmed on PVCs
  • DR-RUNBOOK.md reviewed by operator
  • Offsite ops bundle current (pack-bundle.sh run after all secrets finalised)
  • verify-t08.sh: 0 FAILs
Reference in New Issue View Git Blame Copy Permalink