coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df09dd42f4e7f05ab1121b5603f2fdf875e91194
net-kingdom/sso-mfa/k8s/keycape/deployment.yaml
Bernd Worsch 880f89bf98 fix(keycape): NK-WP-0003-T07 — fix deployment image + add demo-app client 
- deployment.yaml: image → 92.205.130.254:32166/coulomb/key-cape:latest
  (Gitea OCI registry, delivered by KEY-WP-0002; imagePullPolicy: Always)
- k3s insecure registry hosts.toml: fixed server endpoint to http:// so
  containerd does not attempt HTTPS against the plain-HTTP Gitea NodePort
- create-secrets.sh: add demo-app OIDC client (required for KeyCape to
  start; also needed for T08 acceptance tests)
- keycape-config Secret updated in-place (no re-bootstrap needed)

KeyCape pod 1/1 Running; /healthz OK; OIDC discovery live at
https://kc.coulomb.social/.well-known/openid-configuration

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-22 00:30:58 +00:00

134 lines
3.8 KiB
YAML
Raw Blame History

# Deployment + Service — KeyCape (namespace: sso)
#
# KeyCape is the OIDC orchestration layer. It is stateless: all persistent
# state lives in Authelia (session), LLDAP (users), and privacyIDEA (MFA tokens).
# No PVC is required.
#
# Configuration is stored entirely in the keycape-config Secret, which holds
# a complete config.yaml and the RSA private key used to sign OIDC tokens
# issued to downstream applications.
#
# Prerequisites (apply in order):
# 1. keycape-config Secret — run keycape/create-secrets.sh
# 2. keycape-pi-token Secret — run keycape/create-pi-token.sh (after T04 bootstrap)
# 3. This file
# 4. middleware.yaml + ingress.yaml
#
# Container image:
# KeyCape has no published image. Build from ~/key-cape/ and push to a registry,
# or import directly into K3s (see README.md "Building the image").
# Image tag below is a placeholder — update before applying.
apiVersion: apps/v1
kind: Deployment
metadata:
name: keycape
namespace: sso
labels:
app.kubernetes.io/name: keycape
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: keycape
strategy:
type: RollingUpdate # stateless — safe to roll
template:
metadata:
labels:
app.kubernetes.io/name: keycape
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
securityContext:
runAsNonRoot: true
runAsUser: 65534 # nobody — matches distroless static image
fsGroup: 65534
containers:
- name: keycape
# Image published to self-hosted Gitea OCI registry on CoulombCore (KEY-WP-0002).
# k3s insecure registry configured for 92.205.130.254:32166 — no pull secret needed.
image: 92.205.130.254:32166/coulomb/key-cape:latest
imagePullPolicy: Always
ports:
- name: http
containerPort: 8080
protocol: TCP
env:
- name: KEYCAPE_CONFIG
value: /etc/keycape/config.yaml
volumeMounts:
# keycape-config Secret provides config.yaml and key.pem
- name: config-secret
mountPath: /etc/keycape
readOnly: true
startupProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 3
periodSeconds: 3
failureThreshold: 10
livenessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 0
periodSeconds: 15
failureThreshold: 3
readinessProbe:
httpGet:
path: /healthz
port: 8080
initialDelaySeconds: 0
periodSeconds: 10
failureThreshold: 3
resources:
requests:
cpu: "25m"
memory: "32Mi"
limits:
cpu: "200m"
memory: "128Mi"
volumes:
- name: config-secret
secret:
secretName: keycape-config
# Secret must contain two keys: config.yaml and key.pem
items:
- key: config.yaml
path: config.yaml
- key: key.pem
path: key.pem
mode: 0400 # key.pem is sensitive; restrict to owner read only
---
# Service — ClusterIP; Traefik reaches KeyCape via port 8080.
apiVersion: v1
kind: Service
metadata:
name: keycape
namespace: sso
labels:
app.kubernetes.io/name: keycape
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: keycape
ports:
- name: http
port: 8080
targetPort: 8080
protocol: TCP
Reference in New Issue View Git Blame Copy Permalink