net-kingdom/sso-mfa/k8s/authelia/README.md
Bernd Worsch 0754dc32e6 feat(sso-mfa): T05 SSO stack pivot — Keycloak → Authelia + LLDAP + KeyCape (NK-WP-0001-T05)
Replaces the Keycloak+privacyIDEA SSO tier with the lightweight stack built
during KEY-WP-0001: Authelia (password frontend), LLDAP (directory), and
KeyCape (OIDC orchestration). privacyIDEA is retained as the MFA engine.

Stack:
  kc.coulomb.social   — KeyCape OIDC server (stateless, custom Go)
  auth.coulomb.social — Authelia login portal (password auth → Authelia OIDC → KeyCape)
  lldap.coulomb.social — LLDAP admin UI (IP-restricted)
  pink.coulomb.social — privacyIDEA MFA engine (unchanged)

Changes:
- Remove sso-mfa/k8s/keycloak/ (7 files)
- Add sso-mfa/k8s/lldap/ (pvc, deployment, middleware, ingress, create-secrets, README)
- Add sso-mfa/k8s/authelia/ (pvc, configmap, deployment, ingress, create-secrets, README)
- Add sso-mfa/k8s/keycape/ (deployment, middleware, ingress, create-secrets, create-pi-token, README)
- Update network-policies/netpol-sso.yaml for new component topology
- Update verify-t05.sh: checks LLDAP + Authelia + KeyCape (23 checks)
- Update CONFIG.md: fix CP-NK-004 (KeyCape), add CP-NK-005 (Authelia), CP-NK-006 (LLDAP)
- Update bootstrap/gen-secrets.sh: add LLDAP/Authelia/KeyCape sections, remove Keycloak
- Update k8s/README.md: network policy table reflects new traffic paths
- Add sso-mfa/WORKPLAN.md: resumable task checklist

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 08:31:51 +00:00


# T05b — Authelia (Authentication Frontend)
Authelia is the password-authentication frontend for the net-kingdom SSO stack.
It acts as an upstream OIDC provider for KeyCape: users are redirected here to
enter their password; Authelia validates credentials against LLDAP and returns
an authorization code to KeyCape, which then performs the MFA step via privacyIDEA.
**Important:** Authelia's access control policy is set to `one_factor` (password only).
MFA is handled exclusively by KeyCape + privacyIDEA. Do not change this to `two_factor`:
Authelia would then demand its own TOTP/WebAuthn factor before issuing the authorization
code, so users would be challenged twice and would have to enrol a second, Authelia-managed
method that nothing else in the stack uses.
## Prerequisites
- T05a complete (LLDAP is Running and healthy, application groups created)
- `bootstrap/gen-secrets.sh` run and `secrets/authelia/secrets.env` populated in KeePassXC
- `kubectl` configured with cluster access
## Apply order
```bash
# 1. Create K8s Secret
cd sso-mfa/k8s/authelia
chmod +x create-secrets.sh
./create-secrets.sh
# 2. Apply manifests (order matters)
kubectl apply -f pvc.yaml
kubectl apply -f configmap.yaml
kubectl apply -f deployment.yaml
kubectl apply -f ingress.yaml
# 3. Wait for pod to be ready
# The startup probe allows 90 s for the initial LLDAP connection.
kubectl rollout status deployment/authelia -n sso --timeout=120s
```
## Configuration
All non-sensitive configuration is in `configmap.yaml` (mounted as `configuration.yml`).
Sensitive values are injected via `*_FILE` environment variables pointing to
Secret-mounted files (see `deployment.yaml` env section).
Key config points:
- `authentication_backend.ldap.url` — points to the LLDAP cluster-internal service
- `identity_providers.oidc.clients[0].redirect_uris` — must match CP-NK-004 (`kc.coulomb.social`)
exactly; redirect URIs are compared as whole strings, so scheme, path and trailing slash all count
- `session.domain` — set to the parent domain `coulomb.social` so the session cookie is valid for
both `auth.coulomb.social` and `kc.coulomb.social`

Authelia 4.38 and later deprecate `authentication_backend.ldap.url` and `session.domain` in favour
of `authentication_backend.ldap.address` and `session.cookies[].domain`; the values stay the same,
only the keys move.
## Secrets managed
| Secret name | Keys | Purpose |
|-------------|------|---------|
| `authelia-secrets` | `jwt_secret` | Signing of identity-verification JWTs (password reset links); not used for sessions |
| | `session_secret` | Session cookie encryption |
| | `storage_encryption_key` | Encryption of sensitive columns in the SQLite storage database (not whole-file encryption) |
| | `ldap_password` | LDAP bind password (= `LLDAP_LDAP_USER_PASS`) |
| | `oidc_hmac_secret` | OIDC HMAC signing |
| | `oidc_issuer_private_key` | RSA-2048 private key for OIDC token signing |
| | `keycape_client_secret_hash` | Bcrypt hash of `AUTHELIA_KEYCAPE_CLIENT_SECRET` |
`create-secrets.sh` reads plaintext values from `secrets/authelia/secrets.env` and
`secrets/lldap/secrets.env`. It generates the bcrypt hash on the fly (requires
`python3+bcrypt` or `apache2-utils`). The RSA OIDC private key is generated
automatically if `AUTHELIA_OIDC_PRIVATE_KEY_FILE` is not set.
## Storage
`authelia-data` PVC (1 Gi, ReadWriteOnce) holds:
- `db.sqlite3` — SQLite storage database (regulation records, OIDC consent sessions, user preferences).
Login sessions themselves are kept in memory unless a Redis session provider is configured, so a pod
restart logs every user out; that is expected, not data loss.
- `notification.txt` — notification log (filesystem notifier)
Back this PVC up alongside the LLDAP PVC.
## Verify
```bash
# Pod status
kubectl get pod -n sso -l app.kubernetes.io/name=authelia
# Health check
kubectl run -n sso --rm -it auth-test --image=busybox --restart=Never \
-- wget -qO- http://authelia.sso.svc.cluster.local:9091/api/health
# OIDC discovery (should return issuer + endpoints). The issuer must be exactly
# https://auth.coulomb.social with no trailing slash: relying parties compare it
# verbatim against the "iss" claim of every id_token.
curl -s https://auth.coulomb.social/.well-known/openid-configuration | jq .
```
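The configuration points above (issuer, redirect URI, session cookie domain) and the discovery check in this section can be rehearsed offline before the first real login. The following is an added example, not code from the net-kingdom repo or from Authelia or KeyCape. The sample discovery document is constructed; only the hostnames come from this README, while the endpoint paths, the supported-value lists and the KeyCape callback `https://kc.coulomb.social/oidc/callback` are assumptions.

```python
"""Offline checks for the Authelia -> KeyCape OIDC wiring described in this README.

Added example; this is not code from the net-kingdom repo. It applies the checks a
relying party makes (issuer string equality, endpoints under the issuer, exact
redirect_uri match, cookie domain scope) to a discovery document and a client
registration. The sample document below is constructed: only the hostnames come
from the README, the endpoint paths and supported-value lists are assumed.
"""
import json
from urllib.parse import urlparse

# Pinned by the README.
EXPECTED_ISSUER = "https://auth.coulomb.social"
SESSION_COOKIE_DOMAIN = "coulomb.social"
# Assumed KeyCape callback; the real value is defined in CP-NK-004.
KEYCAPE_REDIRECT_URIS = ["https://kc.coulomb.social/oidc/callback"]

# Constructed document shaped like /.well-known/openid-configuration (paths assumed).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": EXPECTED_ISSUER,
    "authorization_endpoint": EXPECTED_ISSUER + "/api/oidc/authorization",
    "token_endpoint": EXPECTED_ISSUER + "/api/oidc/token",
    "userinfo_endpoint": EXPECTED_ISSUER + "/api/oidc/userinfo",
    "jwks_uri": EXPECTED_ISSUER + "/jwks.json",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})
# Same document with the most common misconfiguration: a trailing slash on the issuer.
BROKEN_DISCOVERY = json.dumps({**json.loads(SAMPLE_DISCOVERY), "issuer": EXPECTED_ISSUER + "/"})

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def check_discovery(doc_json, expected_issuer=EXPECTED_ISSUER):
    """Return the list of problems; an empty list means a relying party can consume the document."""
    doc = json.loads(doc_json)
    problems = []
    issuer = doc.get("issuer", "")
    # OIDC Core 3.1.3.7: the RP compares the id_token "iss" claim with its configured
    # issuer as an exact string, so scheme, host and trailing slash all have to agree.
    if issuer != expected_issuer:
        problems.append(f"issuer {issuer!r} != expected {expected_issuer!r}")
    if urlparse(issuer).scheme != "https":
        problems.append("issuer is not https")
    base = issuer.rstrip("/") + "/"
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
        elif not url.startswith(base):
            problems.append(f"{key} {url!r} is not under the issuer")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "authorization_code" not in doc.get("grant_types_supported", []):
        problems.append("authorization_code grant not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered, so the RSA issuer key would go unused")
    return problems


def redirect_uri_allowed(candidate, registered=KEYCAPE_REDIRECT_URIS):
    """RFC 6749 3.1.2.3: registered redirect URIs are matched by simple string comparison.
    No prefix, host-only or query-stripped matching, so a path typo in the client config
    is caught here instead of surfacing as an error page at login."""
    return candidate in registered


def cookie_domain_matches(cookie_domain, host):
    """RFC 6265 5.1.3 domain-match: the host is the cookie domain or a subdomain of it.
    This is why session.domain has to be coulomb.social rather than auth.coulomb.social."""
    cookie_domain = cookie_domain.lstrip(".").lower()
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_DISCOVERY), ("trailing slash", BROKEN_DISCOVERY)):
        print(label, "->", check_discovery(doc) or "ok")
    print("redirect ok:", redirect_uri_allowed("https://kc.coulomb.social/oidc/callback"))
    print("redirect typo:", redirect_uri_allowed("https://kc.coulomb.social/oidc/callback/"))
    for host in ("auth.coulomb.social", "kc.coulomb.social"):
        print(host, "receives session cookie:", cookie_domain_matches(SESSION_COOKIE_DOMAIN, host))
```

To check the live portal instead of the constructed sample, pass the output of the `curl` command above to `check_discovery` unchanged; any non-empty result is a configuration error to fix before KeyCape is pointed at this issuer.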