net-kingdom/CONFIG.md
Bernd Worsch d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh — hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 02:00:51 +00:00


Config Point Registry

Philosophy

net-kingdom is opinionated: defaults, conventions, and automation are preferred at every level. A config point in this file is a conscious exception — a value that cannot be derived from the system's topology, naming conventions, component defaults, or available automation.

Minimizing this list is a design goal. Before adding a config point, ask:

  • Can the value be derived from a naming convention or topology fact?
  • Can it be auto-generated (e.g. from the Linux user identity, like Local Identity does)?
  • Is the default provided by the upstream component safe to accept?

If yes to any of the above, don't add it here.


Summary

| ID | Name | Value | Location(s) |
|---|---|---|---|
| CP-NK-001 | ACME contact email | bernd.worsch+netkingdom@gmail.com | sso-mfa/k8s/cert-manager/issuers.yaml:38 |
| CP-NK-002 | privacyIDEA portal hostname | pink.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-003 | privacyIDEA self-service hostname | pink-account.coulomb.social | sso-mfa/k8s/privacyidea/ingress.yaml |
| CP-NK-004 | Keycloak SSO hostname | kc.coulomb.social | sso-mfa/k8s/keycloak/deployment.yaml, sso-mfa/k8s/keycloak/ingress.yaml |
| CP-NK-005 | privacyIDEA Keycloak Provider JAR URL | (not set — edit before apply) | sso-mfa/k8s/keycloak/deployment.yaml |

CP-NK-002 — privacyIDEA portal hostname

Value: pink.coulomb.social Set: 2026-03-19 Set by: worsch

Location(s):

  • sso-mfa/k8s/privacyidea/ingress.yaml — all three Ingress host fields

Why non-default: Subdomain prefix must be chosen by the operator; no naming convention existed in the repo before T04. pink = PrivacyIDEA Net Knights (project-specific mnemonic).

Scope: TLS certificate, Traefik routing, and all references to the privacyIDEA public URL (including Keycloak Provider config in T05/T06).


CP-NK-003 — privacyIDEA self-service portal hostname

Value: pink-account.coulomb.social Set: 2026-03-19 Set by: worsch

Location(s):

  • sso-mfa/k8s/privacyidea/ingress.yaml — privacyidea-account Ingress host field

Why non-default: Separate hostname for the self-service portal allows different firewall/allowlist rules from the admin portal. Follows the <service>-account naming convention used in the workplan design.

Scope: TLS certificate and Traefik routing for the user-facing self-service token enrolment portal.


CP-NK-001 — ACME contact email

Value: bernd.worsch+netkingdom@gmail.com Set: 2026-03-02 Set by: worsch

Location(s):

  • sso-mfa/k8s/cert-manager/issuers.yaml:38 — spec.acme.email on the letsencrypt-prod ClusterIssuer

Why non-default: ACME (Let's Encrypt) requires a contact address for certificate lifecycle notifications — expiry warnings, rate-limit alerts, policy announcements. There is no system-level default that qualifies: this must be a real, monitored inbox.

Why not automated: The Linux user GECOS email (via Local Identity) would be a natural source. However, that introduces a runtime dependency between cluster provisioning and the local-identity tool. Deferred; revisit when Local Identity gains a structured "operator contact" concept.

Scope: All TLS certificates issued by the letsencrypt-prod ClusterIssuer across the entire cluster.


CP-NK-004 — Keycloak SSO hostname

Value: kc.coulomb.social Set: 2026-03-19 Set by: worsch

Location(s):

  • sso-mfa/k8s/keycloak/deployment.yaml — KC_HOSTNAME env var
  • sso-mfa/k8s/keycloak/ingress.yaml — both Ingress host fields

Why non-default: Subdomain prefix must be chosen by the operator. kc = Keycloak, consistent with the service-initial naming pattern.

Scope: TLS certificate, Traefik routing, Keycloak's internal hostname strictness check, and all OIDC/SAML redirect URIs registered in this realm. Changing this hostname after clients are registered requires updating all registered redirect URIs.


CP-NK-005 — privacyIDEA Keycloak Provider JAR URL

Value: (not set — operator must edit before applying T05) Set: (pending) Set by: (pending)

Location(s):

  • sso-mfa/k8s/keycloak/deployment.yaml — PROVIDER_JAR_URL env var in the install-privacyidea-provider init container

Why non-default: The JAR URL depends on the chosen release version, which must be verified for compatibility with the deployed Keycloak image version. There is no stable "latest" URL suitable for automation.

How to set:

  1. Browse https://github.com/privacyIDEA/keycloak-provider/releases
  2. Choose a release compatible with the Keycloak image version in deployment.yaml.
  3. Edit deployment.yaml: replace EDIT_BEFORE_APPLY with the .jar download URL.
  4. Update this entry with the chosen URL and version.
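A pre-apply guard for this config point, written here as an added example (not part of the net-kingdom repo): it reads PROVIDER_JAR_URL out of a deployment manifest and fails while the EDIT_BEFORE_APPLY placeholder is still in place or the URL is not an https release asset under the upstream releases page. The two sample manifests and the vX.Y.Z tag are constructed placeholders, not the repo's deployment.yaml.

```shell
# Added example: pre-apply guard for CP-NK-005 (not part of the net-kingdom repo).

# Print the value that follows "name: PROVIDER_JAR_URL" in a manifest.
# Assumes name:/value: on consecutive lines, as in a plain Kubernetes env list.
extract_provider_jar_url() {
  awk '
    /name: *PROVIDER_JAR_URL/ { want = 1; next }
    want && /value:/ { sub(/.*value: */, ""); gsub(/["'"'"']/, ""); print; exit }
  ' "$1"
}

# Return 0 only when the config point is set to a plausible upstream .jar URL.
check_cp_nk_005() {
  url=$(extract_provider_jar_url "$1")
  case "$url" in
    "")                  echo "CP-NK-005: PROVIDER_JAR_URL missing in $1" >&2; return 1 ;;
    *EDIT_BEFORE_APPLY*) echo "CP-NK-005: placeholder still present in $1" >&2; return 1 ;;
    https://github.com/privacyIDEA/keycloak-provider/releases/download/*.jar)
                         echo "CP-NK-005 ok: $url"; return 0 ;;
    *)                   echo "CP-NK-005: unexpected URL '$url' in $1" >&2; return 1 ;;
  esac
}

# Constructed sample manifests: one still carrying the placeholder, one with a
# release URL filled in (vX.Y.Z and the jar file name are placeholders).
NK_SAMPLES=$(mktemp -d)
NK_UNSET_MANIFEST="$NK_SAMPLES/unset.yaml"
NK_SET_MANIFEST="$NK_SAMPLES/set.yaml"
cat >"$NK_UNSET_MANIFEST" <<'EOF'
      initContainers:
        - name: install-privacyidea-provider
          env:
            - name: PROVIDER_JAR_URL
              value: "EDIT_BEFORE_APPLY"
EOF
sed 's#EDIT_BEFORE_APPLY#https://github.com/privacyIDEA/keycloak-provider/releases/download/vX.Y.Z/privacyidea-provider.jar#' \
  "$NK_UNSET_MANIFEST" >"$NK_SET_MANIFEST"

check_cp_nk_005 "$NK_UNSET_MANIFEST"   # placeholder still present: exit status 1
check_cp_nk_005 "$NK_SET_MANIFEST"     # URL filled in:              exit status 0
```

Run it against sso-mfa/k8s/keycloak/deployment.yaml before kubectl apply; a non-zero exit means step 3 above has not been completed.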

Scope: Keycloak init container only. If switching to a custom Keycloak image (see T05 README "Custom image" section), this config point becomes obsolete and can be removed.