3.9 KiB
id, type, title, domain, repo, status, owner, topic_slug, planning_priority, planning_order, created, updated, depends_on, state_hub_workstream_id
| id | type | title | domain | repo | status | owner | topic_slug | planning_priority | planning_order | created | updated | depends_on | state_hub_workstream_id | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| NK-WP-0009 | workplan | NetKingdom Security Pattern Tutorials | netkingdom | net-kingdom | proposed | codex | netkingdom | medium | 9 | 2026-05-17 | 2026-05-17 |
|
66c9f1e9-6b2f-454b-a6d4-04e5fe42385a |
NK-WP-0009 - NetKingdom Security Pattern Tutorials
Goal
Build practical tutorials that show operators and developers how to implement canonical NetKingdom security architecture patterns in NetKingdom-enabled IT infrastructures.
Where NK-WP-0008 is the pattern library, this workplan is the hands-on path: runnable examples, checklists, commands, manifests, verification steps, and failure-mode exercises.
Context
The platform needs more than architecture statements. A new deployment should be able to answer:
- How do I issue identity tokens in lightweight mode versus expanded mode?
- How do I ask flex-auth for a resource decision?
- How do I vend temporary object-storage credentials?
- How do I deploy OpenBao and avoid secret zero traps?
- How do I use short-lived SSH certificates for agents and automations?
- How do I verify audit records and break-glass behavior?
Tutorials turn canonical patterns into repeatable implementation practice without forcing every application repo to rediscover the same steps.
Scope
In scope:
- tutorial structure and style guide
- runnable or copy-pasteable examples
- local/dev and production variants where appropriate
- verification and rollback steps
- integration references to key-cape, flex-auth, ops-warden, ops-bridge, railiance-platform, and artifact-store
Out of scope:
- deploying live services directly from this repo
- replacing repo-specific operator runbooks
- hiding provider-specific security differences behind one generic command
Tasks
id: NK-WP-0009-T1
status: todo
priority: high
state_hub_task_id: "79150b07-f25d-4407-a118-e08b6e588d37"
Create a tutorial template with prerequisites, architecture context, commands, manifests, verification, rollback, threat checks, and cross-repo ownership notes.
id: NK-WP-0009-T2
status: todo
priority: high
state_hub_task_id: "07647ba6-90e1-4569-947a-ebccce7a2d5e"
Write the first tutorial: "Vend temporary S3 credentials from a NetKingdom identity token", covering key-cape/Keycloak identity, flex-auth authorization, object-store STS exchange, and SDK consumer configuration.
id: NK-WP-0009-T3
status: todo
priority: high
state_hub_task_id: "0f34eda3-f1f3-4c49-9eba-36167b6c5ea9"
Write "Deploy OpenBao as the canonical secrets manager for a NetKingdom-enabled Railiance platform", linking to the Railiance Platform workplan and covering auth methods, secret engines, CSI/ESO integration, leases, unseal, backup, and break-glass.
id: NK-WP-0009-T4
status: todo
priority: medium
state_hub_task_id: "3c17d1ac-3232-43b4-b541-ea6538da2afb"
Write "Use short-lived SSH credentials for admins, agents, and automations", using ops-warden and ops-bridge as the reference implementation.
id: NK-WP-0009-T5
status: todo
priority: medium
state_hub_task_id: "aff82173-0b8e-4216-855a-887ac68b63e0"
Write "Add a protected system to flex-auth", covering resource manifests, action vocabulary, claim envelopes, policy packages, decision envelopes, and delegated PDP options.
id: NK-WP-0009-T6
status: todo
priority: medium
state_hub_task_id: "df427aa3-233f-4479-aed9-706676f8e87d"
Add tutorial verification fixtures or checklists so each tutorial has a clear "done when" outcome and does not become prose-only guidance.
Acceptance Criteria
- Tutorials are grouped under a stable docs path with a repeatable format.
- Each tutorial maps back to one or more NK-WP-0008 patterns.
- Tutorials name the owning repo for every concrete implementation step.
- Tutorials include verification and rollback guidance, not just happy path commands.