coulomb/net-kingdom
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
df09dd42f4e7f05ab1121b5603f2fdf875e91194
net-kingdom/sso-mfa/k8s/privacyidea/configmap.yaml
Bernd Worsch 1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04) 
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 01:22:41 +00:00

46 lines
1.6 KiB
YAML
Raw Blame History

# ConfigMap: privacyidea-cfg
#
# Provides /etc/privacyidea/pi.cfg (the privacyIDEA Python config file).
# Mounted as a subPath into the privacyidea-data PVC, so it overlays just
# that one file while the rest of /etc/privacyidea/ remains on the PVC.
#
# Sensitive values (SECRET_KEY, PI_PEPPER, SQLALCHEMY_DATABASE_URI) are
# injected as environment variables from the privacyidea-config Secret.
apiVersion: v1
kind: ConfigMap
metadata:
name: privacyidea-cfg
namespace: mfa
labels:
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: mfa
data:
pi.cfg: |
# /etc/privacyidea/pi.cfg
# Sensitive values injected via environment (privacyidea-config Secret).
import os
# Flask session secret — never type this; comes from vault/KeePassXC.
SECRET_KEY = os.environ["PI_SECRET_KEY"]
# Password hashing pepper — added to all hashed passwords.
PI_PEPPER = os.environ["PI_PEPPER"]
# Encryption key for token secrets (auto-generated on first start if missing).
PI_ENCFILE = "/etc/privacyidea/enckey"
# Audit log RSA signing keys (generated by pi-manage create_audit_keys).
PI_AUDIT_KEY_PRIVATE = "/etc/privacyidea/private.pem"
PI_AUDIT_KEY_PUBLIC = "/etc/privacyidea/public.pem"
# Database connection (full URI, password from vault/KeePassXC).
SQLALCHEMY_DATABASE_URI = os.environ["PI_SQLALCHEMY_DATABASE_URI"]
# Application logging.
PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
PI_LOGLEVEL = 20 # 10=DEBUG 20=INFO 30=WARNING 40=ERROR
# Scripts folder for event handlers (leave default unless customising).
PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"
Reference in New Issue View Git Blame Copy Permalink