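# Traefik Middlewares for privacyIDEA (namespace: mfa)
#
# Middleware names follow the pattern referenced in ingress.yaml annotations:
#   mfa-privacyidea-rate-limit@kubernetescrd
#   mfa-privacyidea-admin-allowlist@kubernetescrd
# A Middleware only acts on the Ingress objects that reference it. If /admin/*
# is served by a separate Ingress (as the allowlist section below says), that
# Ingress must chain BOTH middlewares, or /admin/* is allowlisted but never
# rate-limited.
#
# Traefik CRD API group:
#   traefik.io/v1alpha1          -- served by Traefik >= 2.10 and by Traefik v3
#   traefik.containo.us/v1alpha1 -- legacy group, Traefik v2 only (gone in v3)
# NOTE(review): an earlier version of this header mapped "K3s >= 1.30" to
# Traefik v3, while the allowlist section states this cluster runs Traefik
# 2.10 on K3s 1.30. Those two claims disagree; trust the running cluster:
#   kubectl get crd | grep middlewares          # which groups exist (works pre-apply)
#   kubectl -n kube-system get deploy traefik \
#     -o jsonpath='{.spec.template.spec.containers[0].image}'   # actual version
# Update both documents below if you need the legacy apiVersion.

# ── Rate limit — all PI endpoints ────────────────────────────────────────────
# Applied (via ingress.yaml) to pink.coulomb.social.
# Primary Traefik-side protection for /validate/check (OTP verification) and
# /auth: 20 requests/minute per client IP, burst of 5; excess requests are
# answered with HTTP 429.
#
# Security notes:
#   * This is defence in depth against online OTP guessing, not a replacement
#     for privacyIDEA's own per-token fail counter / lockout — keep that enabled.
#   * "Client IP" is the address Traefik sees as RemoteAddr, because no
#     sourceCriterion is set. If requests arrive through a cloud LB or any
#     SNAT hop, all clients collapse into ONE bucket and legitimate users get
#     429s (self-inflicted DoS). In that topology set
#     sourceCriterion.ipStrategy.depth to the number of trusted proxies —
#     and only then: honouring X-Forwarded-For from an untrusted hop lets a
#     client pick its own bucket and defeats the limit.
#   * Adjust average/burst upward if legitimate automation (e.g. the Keycloak
#     provider) triggers false positives — or exclude the Keycloak source IP
#     at network level. (Do NOT reach for ipStrategy.excludedIPs for this: it
#     only changes which X-Forwarded-For entry is taken as the client IP, it
#     does not exempt anyone.)
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-rate-limit
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  rateLimit:
    average: 20
    period: 1m
    burst: 5
    # Only if a trusted LB/proxy is in front (see notes above); depth = number
    # of trusted hops that append to X-Forwarded-For.
    # sourceCriterion:
    #   ipStrategy:
    #     depth: 1
---
# ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
# Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
# The RFC-1918 ranges below are a dev/staging default only — and they are
# weaker than they look:
#   * Traefik matches the address it sees as RemoteAddr (no ipStrategy set).
#     If traffic reaches Traefik through a cloud LB or an
#     externalTrafficPolicy=Cluster hop that SNATs the source, that address is
#     a node or pod IP — normally itself inside 10.0.0.0/8 — and the allowlist
#     then admits EVERYONE. Before go-live, request /admin/ from an external
#     address and confirm Traefik answers 403.
#   * 10.0.0.0/8 also covers the default K3s pod and service CIDRs
#     (10.42.0.0/16, 10.43.0.0/16), so any workload in the cluster can reach
#     the admin UI while this default is in place.
#   * If a trusted proxy sits in front, set ipStrategy.depth (number of trusted
#     hops) so the real client address from X-Forwarded-For is matched. Never
#     do this unless that hop overwrites client-supplied X-Forwarded-For;
#     otherwise the header is attacker-controlled and the allowlist is
#     trivially bypassed.
#
# Traefik v2 uses ipWhiteList; Traefik v3 uses ipAllowList.
# This cluster runs Traefik 2.10 (K3s 1.30 bundle) — ipWhiteList required.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-admin-allowlist
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  ipWhiteList:
    # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
    # Example VPN: "10.8.0.0/24"
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
    # Only if a trusted reverse proxy/LB is in front (see notes above).
    # ipStrategy:
    #   depth: 1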