# Traefik Middlewares for KeyCape (namespace: sso)
#
# Middleware names referenced in ingress.yaml:
#   sso-keycape-rate-limit@kubernetescrd
#   sso-keycape-hsts@kubernetescrd

# ── Rate limit — all OIDC endpoints ──────────────────────────────────────────
# OIDC discovery + JS app calls are bursty; keep limit generous.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycape-rate-limit
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  rateLimit:
    average: 100
    period: 1m
    burst: 20
---
# ── HSTS ─────────────────────────────────────────────────────────────────────
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycape-hsts
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true