generated from coulomb/repo-seed
feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
Deploys Keycloak (SSO core) in the sso namespace.
Files:
sso-mfa/k8s/keycloak/pvc.yaml — keycloak-data PVC (build cache)
sso-mfa/k8s/keycloak/middleware.yaml — rate-limit, admin-allowlist, HSTS
sso-mfa/k8s/keycloak/deployment.yaml — Deployment + Service; init container
downloads privacyIDEA provider JAR
sso-mfa/k8s/keycloak/ingress.yaml — Ingress for kc.coulomb.social (CP-NK-004)
sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
sso-mfa/k8s/keycloak/README.md — apply order, custom image guide, DR
sso-mfa/k8s/verify-t05.sh — T05 done-criteria verification script
Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.
Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
87
sso-mfa/k8s/keycloak/ingress.yaml
Normal file
87
sso-mfa/k8s/keycloak/ingress.yaml
Normal file
@@ -0,0 +1,87 @@
|
||||
# Ingress — Keycloak (namespace: sso)
|
||||
#
|
||||
# kc.coulomb.social — SSO portal, OIDC/SAML endpoints, user login
|
||||
#
|
||||
# TLS: cert-manager issues the certificate via the letsencrypt-prod ClusterIssuer
|
||||
# (T02). Public DNS for kc.coulomb.social must resolve to the cluster's external
|
||||
# IP before cert-manager can complete the ACME HTTP-01 challenge.
|
||||
#
|
||||
# Middlewares:
|
||||
# keycloak-rate-limit — 100 req/min per IP (all paths)
|
||||
# keycloak-admin-allowlist — restrict /admin/* to VPN/office IPs (see middleware.yaml)
|
||||
# keycloak-hsts — inject HSTS header on all HTTPS responses
|
||||
#
|
||||
# Config points (see CONFIG.md):
|
||||
# CP-NK-004 kc.coulomb.social
|
||||
|
||||
# ── Main portal — kc.coulomb.social ──────────────────────────────────────────
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: keycloak
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
traefik.ingress.kubernetes.io/router.middlewares: >-
|
||||
sso-keycloak-rate-limit@kubernetescrd,
|
||||
sso-keycloak-hsts@kubernetescrd
|
||||
spec:
|
||||
ingressClassName: traefik
|
||||
rules:
|
||||
- host: kc.coulomb.social
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: keycloak
|
||||
port:
|
||||
number: 8080
|
||||
tls:
|
||||
- secretName: kc-tls
|
||||
hosts:
|
||||
- kc.coulomb.social
|
||||
---
|
||||
# ── Admin console — kc.coulomb.social/admin — restricted to VPN/office IPs ──
|
||||
# Separate Ingress so the admin-allowlist middleware applies only to /admin/*.
|
||||
# Traefik prefers the more-specific /admin prefix over the / prefix above.
|
||||
#
|
||||
# The admin console path in Keycloak 20+ is /admin/.
|
||||
# Realm-specific admin REST API is at /admin/realms/{realm}/...
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: keycloak-admin
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/name: keycloak
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-prod
|
||||
traefik.ingress.kubernetes.io/router.middlewares: >-
|
||||
sso-keycloak-rate-limit@kubernetescrd,
|
||||
sso-keycloak-admin-allowlist@kubernetescrd,
|
||||
sso-keycloak-hsts@kubernetescrd
|
||||
spec:
|
||||
ingressClassName: traefik
|
||||
rules:
|
||||
- host: kc.coulomb.social
|
||||
http:
|
||||
paths:
|
||||
- path: /admin
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: keycloak
|
||||
port:
|
||||
number: 8080
|
||||
tls:
|
||||
- secretName: kc-tls
|
||||
hosts:
|
||||
- kc.coulomb.social
|
||||
Reference in New Issue
Block a user