From a375b3814d429bbb2bf93a34fd8a5a71edcd7e0f Mon Sep 17 00:00:00 2001
From: Bernd Worsch
Date: Fri, 20 Mar 2026 07:28:06 +0000
Subject: [PATCH] fix(sso-mfa): use ipWhiteList for Traefik v2 in LLDAP and privacyIDEA middleware

Traefik 2.10 (K3s 1.30 bundle) requires ipWhiteList, not ipAllowList. Updated both middleware files and clarified comments to match cluster version.

Co-Authored-By: Claude Sonnet 4.6
---
 sso-mfa/k8s/lldap/middleware.yaml | 2 +-
 sso-mfa/k8s/privacyidea/middleware.yaml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sso-mfa/k8s/lldap/middleware.yaml b/sso-mfa/k8s/lldap/middleware.yaml
index 925d6b9..c3bf970 100644
--- a/sso-mfa/k8s/lldap/middleware.yaml
+++ b/sso-mfa/k8s/lldap/middleware.yaml
@@ -17,7 +17,7 @@ metadata:
 app.kubernetes.io/part-of: net-kingdom-sso-mfa
 net-kingdom/component: sso
 spec:
- ipAllowList:
+ ipWhiteList:
 # EDIT: replace with your VPN/office CIDRs.
 sourceRange:
 - "10.0.0.0/8"
diff --git a/sso-mfa/k8s/privacyidea/middleware.yaml b/sso-mfa/k8s/privacyidea/middleware.yaml
index caa4ce6..7117a6e 100644
--- a/sso-mfa/k8s/privacyidea/middleware.yaml
+++ b/sso-mfa/k8s/privacyidea/middleware.yaml
@@ -36,8 +36,8 @@ spec:
 # ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
 # Leaving RFC-1918 ranges here is only a dev/staging default.
 #
-# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
-# Check your Traefik version and update accordingly.
+# Traefik v2 uses ipWhiteList; Traefik v3 uses ipAllowList.
+# This cluster runs Traefik 2.10 (K3s 1.30 bundle) — ipWhiteList required.
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -47,7 +47,7 @@ metadata:
 app.kubernetes.io/part-of: net-kingdom-sso-mfa
 net-kingdom/component: mfa
 spec:
- ipAllowList:
+ ipWhiteList:
 # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
 # Example VPN: "10.8.0.0/24"
 sourceRange:
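Review bot: In sso-mfa/k8s/lldap/middleware.yaml the renamed `ipWhiteList` still ships with `"10.0.0.0/8"` and no `ipStrategy` is visible in the hunk, so the filter is only as strict as the source address Traefik actually sees. The K3s default pod network (10.42.0.0/16) lies inside that range, so if ServiceLB or another proxy in front of Traefik masks the client address, every request would match and the middleware would restrict nothing; a request from outside the intended range is the quickest way to confirm. I would make the EDIT comment say this, e.g. `# EDIT before deploy: use your VPN/office CIDRs; 10.0.0.0/8 also covers the K3s pod network (10.42.0.0/16 by default).` The same concern applies to the privacyIDEA middleware in the third hunk, whose sourceRange entries lie outside the hunk. The spec block here also continues past the hunk's last line.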
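Review bot: The rewritten comment in sso-mfa/k8s/privacyidea/middleware.yaml ties the key choice to "Traefik 2.10 (K3s 1.30 bundle)" but drops the instruction to re-check it, and the LLDAP middleware in the first hunk gets the same key change with no version note at all. Because this key is what gates the privacyIDEA route, I would add a line such as `# Re-check after any K3s/Traefik upgrade and confirm a client outside sourceRange is refused.` and repeat it in the LLDAP file. The v2/v3 sentence may also be too broad: as far as I recall Traefik 2.11 already accepts ipAllowList, so "v2 uses ipWhiteList" is safe for 2.10 but should be verified for later v2 releases.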