# Traefik Middleware for LLDAP web UI (namespace: sso)
#
# The LLDAP web UI is admin-only and must never be accessible from the internet.
# This middleware restricts access to VPN/office IPs.
#
# Middleware name referenced in ingress.yaml:
#   sso-lldap-admin-allowlist@kubernetescrd
# i.e. <namespace>-<name>@kubernetescrd. The filter only applies to routers
# that reference it; this manifest on its own protects nothing.
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: lldap-admin-allowlist
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  # NOTE(review): newer Traefik releases name this middleware ipAllowList and
  # deprecate ipWhiteList. Confirm which key the deployed Traefik version
  # accepts, because an unsupported key means the allowlist is not enforced
  # as intended.
  ipWhiteList:
    # EDIT: replace with your VPN/office CIDRs.
    #
    # The three entries below are the complete RFC 1918 private address space,
    # not a specific VPN or office network. Left as-is they admit every
    # private-addressed client, which presumably includes in-cluster pod and
    # node addresses. Verify against the cluster's CIDRs and narrow to the
    # smallest ranges that cover the admin population.
    #
    # No ipStrategy is set, so sourceRange is matched against the connection's
    # remote address as Traefik sees it. NOTE(review): if a load balancer,
    # NAT or proxy in front of Traefik replaces the client address with a
    # private one, internet clients would match these ranges. Confirm that the
    # original client IP reaches Traefik before relying on this filter.
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"