generated from coulomb/repo-seed
feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace: - pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi) - configmap.yaml: pi.cfg reading secrets from env vars - deployment.yaml: Deployment + ClusterIP Service (port 8080) - middleware.yaml: Traefik RateLimit + admin IP AllowList - ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service) - create-secrets.sh: creates privacyidea-config Secret - enckey-bootstrap.sh: post-deploy key extraction + DR Secrets - bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret - verify-t04.sh: 8-section done-criteria checker Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003 (pink-account.coulomb.social) registered in CONFIG.md. pink = PrivacyIDEA Net Knights (project mnemonic). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
56
sso-mfa/k8s/privacyidea/middleware.yaml
Normal file
56
sso-mfa/k8s/privacyidea/middleware.yaml
Normal file
@@ -0,0 +1,56 @@
|
||||
# Traefik Middlewares for privacyIDEA (namespace: mfa)
|
||||
#
|
||||
# Middleware names follow the pattern referenced in ingress.yaml annotations:
|
||||
# mfa-privacyidea-rate-limit@kubernetescrd
|
||||
# mfa-privacyidea-admin-allowlist@kubernetescrd
|
||||
#
|
||||
# Traefik API version:
|
||||
# Traefik v3 (K3s >= 1.30): traefik.io/v1alpha1
|
||||
# Traefik v2 (K3s < 1.30): traefik.containo.us/v1alpha1
|
||||
# Check: kubectl get middleware -n mfa -o yaml | grep apiVersion
|
||||
# Update both documents below if you need the v2 apiVersion.
|
||||
|
||||
# ── Rate limit — all PI endpoints ────────────────────────────────────────────
|
||||
# Applies globally to pink.coulomb.social.
|
||||
# Primary protection for /validate/check (OTP verification) and /auth.
|
||||
# 20 requests/minute per client IP; burst of 5 allowed.
|
||||
# Adjust average/burst upward if legitimate automation (e.g. Keycloak Provider)
|
||||
# triggers false positives — or exclude the Keycloak source IP at network level.
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: privacyidea-rate-limit
|
||||
namespace: mfa
|
||||
labels:
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: mfa
|
||||
spec:
|
||||
rateLimit:
|
||||
average: 20
|
||||
period: 1m
|
||||
burst: 5
|
||||
---
|
||||
# ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
|
||||
# Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
|
||||
#
|
||||
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
|
||||
# Leaving RFC-1918 ranges here is only a dev/staging default.
|
||||
#
|
||||
# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
|
||||
# Check your Traefik version and update accordingly.
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: privacyidea-admin-allowlist
|
||||
namespace: mfa
|
||||
labels:
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: mfa
|
||||
spec:
|
||||
ipAllowList:
|
||||
# EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
|
||||
# Example VPN: "10.8.0.0/24"
|
||||
sourceRange:
|
||||
- "10.0.0.0/8"
|
||||
- "172.16.0.0/12"
|
||||
- "192.168.0.0/16"
|
||||
Reference in New Issue
Block a user