generated from coulomb/repo-seed
feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
Deploys Keycloak (SSO core) in the sso namespace.
Files:
sso-mfa/k8s/keycloak/pvc.yaml — keycloak-data PVC (build cache)
sso-mfa/k8s/keycloak/middleware.yaml — rate-limit, admin-allowlist, HSTS
sso-mfa/k8s/keycloak/deployment.yaml — Deployment + Service; init container
downloads privacyIDEA provider JAR
sso-mfa/k8s/keycloak/ingress.yaml — Ingress for kc.coulomb.social (CP-NK-004)
sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
sso-mfa/k8s/keycloak/README.md — apply order, custom image guide, DR
sso-mfa/k8s/verify-t05.sh — T05 done-criteria verification script
Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.
Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
71
sso-mfa/k8s/keycloak/middleware.yaml
Normal file
71
sso-mfa/k8s/keycloak/middleware.yaml
Normal file
@@ -0,0 +1,71 @@
|
||||
# Traefik Middlewares for Keycloak (namespace: sso)
|
||||
#
|
||||
# Middleware names follow the pattern referenced in ingress.yaml annotations:
|
||||
# sso-keycloak-rate-limit@kubernetescrd
|
||||
# sso-keycloak-admin-allowlist@kubernetescrd
|
||||
# sso-keycloak-hsts@kubernetescrd
|
||||
#
|
||||
# Traefik API version:
|
||||
# Traefik v3 (K3s >= 1.30): traefik.io/v1alpha1
|
||||
# Traefik v2 (K3s < 1.30): traefik.containo.us/v1alpha1
|
||||
# Check: kubectl get middleware -n sso -o yaml | grep apiVersion
|
||||
# Update all documents below if you need the v2 apiVersion.
|
||||
|
||||
# ── Rate limit — all KC endpoints ────────────────────────────────────────────
|
||||
# 100 requests/minute per client IP; burst of 20 allowed.
|
||||
# Higher than privacyIDEA because OIDC discovery + JS app calls are bursty.
|
||||
# The /realms/{realm}/.well-known/openid-configuration call alone counts.
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: keycloak-rate-limit
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
rateLimit:
|
||||
average: 100
|
||||
period: 1m
|
||||
burst: 20
|
||||
---
|
||||
# ── Admin console allowlist — restrict /admin to VPN/office IPs ──────────────
|
||||
# Applied to the /admin Ingress (see ingress.yaml — separate Ingress for /admin/).
|
||||
#
|
||||
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
|
||||
# Leaving RFC-1918 ranges here is only a dev/staging default.
|
||||
#
|
||||
# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: keycloak-admin-allowlist
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
ipAllowList:
|
||||
# EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
|
||||
sourceRange:
|
||||
- "10.0.0.0/8"
|
||||
- "172.16.0.0/12"
|
||||
- "192.168.0.0/16"
|
||||
---
|
||||
# ── HSTS — HTTP Strict Transport Security ────────────────────────────────────
|
||||
# Keycloak docs recommend HSTS for all deployments.
|
||||
# Traefik terminates TLS; Keycloak runs HTTP internally.
|
||||
# This header is injected by Traefik on all HTTPS responses.
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: keycloak-hsts
|
||||
namespace: sso
|
||||
labels:
|
||||
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
||||
net-kingdom/component: sso
|
||||
spec:
|
||||
headers:
|
||||
stsSeconds: 31536000 # 1 year
|
||||
stsIncludeSubdomains: true
|
||||
stsPreload: true
|
||||
Reference in New Issue
Block a user