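---
# Ingress — privacyIDEA (namespace: mfa)
#
#   pink.coulomb.social          — main portal (login, self-service, API)
#   pink-account.coulomb.social  — self-service token portal
#
# Both hostnames resolve to the same privacyIDEA Service.
# privacyIDEA serves the self-service portal at /account/ when the
# "privacyideaserver" policy for self-service is enabled (configured
# in bootstrap-admin.sh / T04 README).
#
# TLS: cert-manager issues certificates via the letsencrypt-prod ClusterIssuer
# (T02). Public DNS for both hostnames must resolve to the cluster's external IP
# before cert-manager can complete the ACME HTTP-01 challenge.
# Exactly one Ingress per hostname carries the cert-manager annotation and
# therefore owns the Certificate/Secret: "privacyidea" owns pink-tls,
# "privacyidea-account" owns pink-account-tls. The /admin Ingress only
# references pink-tls (see its annotations block for the reason).
#
# Rate limiting: the privacyidea-rate-limit middleware (middleware.yaml) is
# applied to pink.coulomb.social. Admin paths are further restricted by
# privacyidea-admin-allowlist applied in the separate /admin Ingress below.
#
# Config points (see CONFIG.md):
#   CP-NK-002  pink.coulomb.social
#   CP-NK-003  pink-account.coulomb.social

# ── Main portal — pink.coulomb.social ────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: privacyidea
  namespace: mfa
  labels:
    app.kubernetes.io/name: privacyidea
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
  annotations:
    # This Ingress is the single owner of the pink-tls Certificate.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Rate-limit middleware (Traefik v3 format; see middleware.yaml for v2 note).
    traefik.ingress.kubernetes.io/router.middlewares: "mfa-privacyidea-rate-limit@kubernetescrd"
spec:
  ingressClassName: traefik
  rules:
    - host: pink.coulomb.social
      http:
        paths:
          # Catch-all. /admin requests also match this prefix, but Traefik
          # prefers the longer rule of the "privacyidea-admin" Ingress below.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: privacyidea
                port:
                  number: 8080
  tls:
    - secretName: pink-tls
      hosts:
        - pink.coulomb.social
---
# ── Admin WebUI — pink.coulomb.social/admin — restricted to VPN/office IPs ──
# Separate Ingress so the admin-allowlist middleware applies only to /admin/*.
# The main Ingress above already handles / (which includes /admin/ by prefix);
# this Ingress's more-specific /admin path takes precedence in Traefik routing.
#
# NOTE(review): the allowlist is path-scoped. It guards only requests whose path
# starts with /admin; confirm against the privacyIDEA release in use that all
# administrative functionality (including the REST endpoints the admin UI calls)
# is actually served under /admin. Anything served from / is reachable through
# the main "privacyidea" Ingress with rate limiting only, so admin authorization
# must still be enforced by privacyIDEA itself (admin role / policies), not by
# this Ingress alone.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: privacyidea-admin
  namespace: mfa
  labels:
    app.kubernetes.io/name: privacyidea
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
  annotations:
    # No cert-manager annotation here on purpose. This Ingress shares the
    # pink.coulomb.social hostname and the pink-tls secret with the main
    # "privacyidea" Ingress, which owns the Certificate. cert-manager's
    # ingress-shim creates one Certificate per secretName with an ownerReference
    # to the requesting Ingress; a second Ingress claiming the same secret is
    # refused, and deleting whichever Ingress won ownership garbage-collects the
    # Certificate and its Secret. A single, explicit owner keeps that lifecycle
    # deterministic. Traefik still terminates TLS from pink-tls via spec.tls.
    #
    # Middlewares run in the order listed: the IP allowlist rejects
    # non-allowlisted clients first (they never touch the rate limiter), and
    # allowlisted clients are rate-limited exactly as on the main Ingress.
    # Written as a single line with no whitespace around the comma so the
    # value does not depend on Traefik trimming spaces in the list.
    traefik.ingress.kubernetes.io/router.middlewares: >-
      mfa-privacyidea-admin-allowlist@kubernetescrd,mfa-privacyidea-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: pink.coulomb.social
      http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: privacyidea
                port:
                  number: 8080
  tls:
    # Reuses the Secret issued for the "privacyidea" Ingress (same hostname).
    - secretName: pink-tls
      hosts:
        - pink.coulomb.social
---
# ── Self-service portal — pink-account.coulomb.social ────────────────────────
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: privacyidea-account
  namespace: mfa
  labels:
    app.kubernetes.io/name: privacyidea
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
  annotations:
    # Single owner of the pink-account-tls Certificate.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Same per-IP rate limit as the main portal; no admin allowlist, since this
    # hostname serves the user self-service portal only.
    traefik.ingress.kubernetes.io/router.middlewares: "mfa-privacyidea-rate-limit@kubernetescrd"
spec:
  ingressClassName: traefik
  rules:
    - host: pink-account.coulomb.social
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: privacyidea
                port:
                  number: 8080
  tls:
    - secretName: pink-account-tls
      hosts:
        - pink-account.coulomb.social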