# Ingress — LLDAP web UI (namespace: sso)
#
# lldap.coulomb.social — admin web UI for user/group management
#
# This hostname is VPN/office-only; the lldap-admin-allowlist middleware
# blocks all other source IPs at the Traefik layer.
#
# Config points (see CONFIG.md):
#   CP-NK-006  lldap.coulomb.social

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: lldap
  namespace: sso
  labels:
    app.kubernetes.io/name: lldap
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.middlewares: "sso-lldap-admin-allowlist@kubernetescrd"
spec:
  ingressClassName: traefik
  rules:
    - host: lldap.coulomb.social
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: lldap
                port:
                  number: 17170
  tls:
    - secretName: lldap-tls
      hosts:
        - lldap.coulomb.social