coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d0ed7d9cd66ccb60a6a4a59e8cd3878073671cb7
net-kingdom/sso-mfa/k8s
History
Bernd Worsch d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05) 
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 02:00:51 +00:00
..
cert-manager
custodian integration and some cleanuo
2026-03-04 23:31:28 +01:00
keycloak
feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
2026-03-19 02:00:51 +00:00
namespaces
feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
2026-03-02 09:49:39 +01:00
network-policies
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
2026-03-19 01:22:41 +00:00
postgresql
feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03)
2026-03-05 09:22:13 +01:00
privacyidea
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
2026-03-19 01:22:41 +00:00
storage
feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
2026-03-02 09:49:39 +01:00
README.md
feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
2026-03-02 09:49:39 +01:00
verify-t02.sh
feat(sso-mfa): T02 K8s foundations manifests (NK-WP-0001-T02)
2026-03-02 09:49:39 +01:00
verify-t03.sh
feat(sso-mfa): T03 PostgreSQL manifests (NK-WP-0001-T03)
2026-03-05 09:22:13 +01:00
verify-t04.sh
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
2026-03-19 01:22:41 +00:00
verify-t05.sh
feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
2026-03-19 02:00:51 +00:00

README.md

T02 — K8s Foundations

Phase 1 of NK-WP-0001: namespaces, NetworkPolicies, cert-manager, StorageClass.

Prerequisites

  • K3s cluster running (ThreePhoenix HA or single-node dev)
  • T01 Phase 0a complete (KeePassXC vault populated, ops bundle exported)
  • kubectl configured with cluster access

Apply order

# 1. Install cert-manager (if not already on cluster)
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager --create-namespace \
  --set crds.enabled=true

# Wait for cert-manager to be ready
kubectl rollout status deployment/cert-manager -n cert-manager

# 2. Create namespaces
kubectl apply -f namespaces/namespaces.yaml

# 3. Apply NetworkPolicies
kubectl apply -f network-policies/netpol-sso.yaml
kubectl apply -f network-policies/netpol-mfa.yaml
kubectl apply -f network-policies/netpol-databases.yaml

# 4. Create ClusterIssuers
#    Edit issuers.yaml first: replace ACME_EMAIL with your address
kubectl apply -f cert-manager/issuers.yaml

# 5. Verify cert-manager with test certificate
kubectl apply -f cert-manager/test-certificate.yaml
kubectl wait --for=condition=Ready certificate/selfsigned-test \
  -n cert-manager-test --timeout=60s
kubectl delete namespace cert-manager-test

# 6. Verify StorageClass
kubectl apply -f storage/verify-pvc.yaml
kubectl wait --for=condition=Ready pod/storage-test \
  -n storage-test --timeout=60s
kubectl logs -n storage-test storage-test
kubectl delete namespace storage-test

# 7. Run the full verification script
chmod +x verify-t02.sh
./verify-t02.sh

NetworkPolicy design

All three namespaces follow a default-deny-all posture. Only the minimal required paths are opened:

Source Destination Port Purpose
Traefik (kube-system) Keycloak (sso) 8080 OIDC/SAML ingress
Traefik (kube-system) privacyIDEA (mfa) 8080 MFA portal ingress
Keycloak (sso) privacyIDEA (mfa) 8080 Provider API calls
Keycloak (sso) PostgreSQL (databases) 5432 DB
privacyIDEA (mfa) PostgreSQL (databases) 5432 DB
CNPG operator (cnpg-system) PostgreSQL (databases) 5432/9187 Operator + metrics
All pods kube-dns (kube-system) 53 DNS resolution
CNPG pods K8s API 6443 Status updates

Verifying denied paths (manual)

After applying NetworkPolicies, confirm that illegal paths are blocked:

# Test: Keycloak → databases direct (should be ALLOWED)
kubectl run test-allowed -n sso --rm -it --image=busybox --restart=Never \
  -- nc -zv net-kingdom-pg-rw.databases.svc.cluster.local 5432

# Test: mfa → sso (should be DENIED — privacyIDEA must not reach Keycloak directly)
kubectl run test-denied -n mfa --rm -it --image=busybox --restart=Never \
  -- nc -zv -w3 keycloak.sso.svc.cluster.local 8080

# Test: databases → sso (should be DENIED — DB pods must not initiate connections)
kubectl run test-denied2 -n databases --rm -it --image=busybox --restart=Never \
  -- nc -zw3 keycloak.sso.svc.cluster.local 8080

Notes

  • net-kingdom/component labels on namespaces are used by NetworkPolicy namespaceSelector rules. Do not remove them.
  • cnpg.io/cluster: net-kingdom-pg in netpol-databases.yaml must match the name of the CloudNativePG Cluster CR you create in T03.
  • The letsencrypt-prod ClusterIssuer requires public DNS and port 80 open to Let's Encrypt servers. Update ACME_EMAIL before applying.
Reference in New Issue View Git Blame Copy Permalink