# Traefik Middlewares for Keycloak (namespace: sso) # # Middleware names follow the pattern referenced in ingress.yaml annotations: # sso-keycloak-rate-limit@kubernetescrd # sso-keycloak-admin-allowlist@kubernetescrd # sso-keycloak-hsts@kubernetescrd # # Traefik API version: # Traefik v3 (K3s >= 1.30): traefik.io/v1alpha1 # Traefik v2 (K3s < 1.30): traefik.containo.us/v1alpha1 # Check: kubectl get middleware -n sso -o yaml | grep apiVersion # Update all documents below if you need the v2 apiVersion. # ── Rate limit — all KC endpoints ──────────────────────────────────────────── # 100 requests/minute per client IP; burst of 20 allowed. # Higher than privacyIDEA because OIDC discovery + JS app calls are bursty. # The /realms/{realm}/.well-known/openid-configuration call alone counts. apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: keycloak-rate-limit namespace: sso labels: app.kubernetes.io/part-of: net-kingdom-sso-mfa net-kingdom/component: sso spec: rateLimit: average: 100 period: 1m burst: 20 --- # ── Admin console allowlist — restrict /admin to VPN/office IPs ────────────── # Applied to the /admin Ingress (see ingress.yaml — separate Ingress for /admin/). # # ADJUST sourceRange to your actual VPN / office CIDR(s) before going live. # Leaving RFC-1918 ranges here is only a dev/staging default. # # Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList. apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: keycloak-admin-allowlist namespace: sso labels: app.kubernetes.io/part-of: net-kingdom-sso-mfa net-kingdom/component: sso spec: ipAllowList: # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern). sourceRange: - "10.0.0.0/8" - "172.16.0.0/12" - "192.168.0.0/16" --- # ── HSTS — HTTP Strict Transport Security ──────────────────────────────────── # Keycloak docs recommend HSTS for all deployments. # Traefik terminates TLS; Keycloak runs HTTP internally. # This header is injected by Traefik on all HTTPS responses. apiVersion: traefik.io/v1alpha1 kind: Middleware metadata: name: keycloak-hsts namespace: sso labels: app.kubernetes.io/part-of: net-kingdom-sso-mfa net-kingdom/component: sso spec: headers: stsSeconds: 31536000 # 1 year stsIncludeSubdomains: true stsPreload: true