generated from coulomb/repo-seed
fix(privacyidea): bootstrap-realm scope fixes + netpol for PI→LLDAP
bootstrap-realm.sh: - Remove Content-Type header from GET requests (Werkzeug 3.x BadRequest fix) - Fix resolver type check — result path is result.value.<name>.type, not .data - Fix self-enrollment policy scope: 'user' not 'enrollment' (PI 3.12) NetworkPolicies: - allow-egress-to-lldap (mfa ns): privacyIDEA → LLDAP :3890 - allow-privacyidea-to-lldap (sso ns): ingress from mfa/privacyIDEA → LLDAP :3890 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -173,6 +173,33 @@ spec:
|
||||
- port: 3890
|
||||
protocol: TCP
|
||||
---
|
||||
# ── privacyIDEA (mfa ns) → LLDAP :3890 ──────────────────────────────────────
|
||||
# privacyIDEA's LDAP resolver binds to LLDAP to resolve users in the coulomb realm.
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: allow-privacyidea-to-lldap
|
||||
namespace: sso
|
||||
labels:
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: lldap
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- namespaceSelector:
|
||||
matchLabels:
|
||||
net-kingdom/component: mfa
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: privacyidea
|
||||
ports:
|
||||
- port: 3890
|
||||
protocol: TCP
|
||||
---
|
||||
# ── KeyCape egress → Authelia + LLDAP (within sso namespace) ─────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
|
||||
Reference in New Issue
Block a user