Files
net-kingdom/sso-mfa/k8s/privacyidea/configmap.yaml
Bernd Worsch c0e330ee4e fix(privacyidea): disable response signing + raise rate limit to unblock login
PI_NO_RESPONSE_SIGN=True works around Werkzeug 3.x crash where request.json
raises BadRequest on GET requests with empty bodies (sign_response path).

Rate limit raised from 20/5 to 200/100 req/min to allow the AngularJS UI's
burst of ~50 parallel static asset requests on each page load without being
throttled by Traefik. TODO: split tight /auth+/validate vs loose /static limits.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-25 11:49:26 +00:00

51 lines
1.9 KiB
YAML

# ConfigMap: privacyidea-cfg
#
# Provides /etc/privacyidea/pi.cfg (the privacyIDEA Python config file).
# Mounted as a subPath into the privacyidea-data PVC, so it overlays just
# that one file while the rest of /etc/privacyidea/ remains on the PVC.
#
# Sensitive values (SECRET_KEY, PI_PEPPER, SQLALCHEMY_DATABASE_URI) are
# injected as environment variables from the privacyidea-config Secret.
apiVersion: v1
kind: ConfigMap
metadata:
  name: privacyidea-cfg
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
data:
  pi.cfg: |
    # /etc/privacyidea/pi.cfg
    # Sensitive values injected via environment (privacyidea-config Secret).
    import os
    # Flask session secret — never type this; comes from vault/KeePassXC.
    SECRET_KEY = os.environ["PI_SECRET_KEY"]
    # Password hashing pepper — added to all hashed passwords.
    PI_PEPPER = os.environ["PI_PEPPER"]
    # Encryption key for token secrets (auto-generated on first start if missing).
    PI_ENCFILE = "/etc/privacyidea/enckey"
    # Audit log RSA signing keys (generated by pi-manage create_audit_keys).
    PI_AUDIT_KEY_PRIVATE = "/etc/privacyidea/private.pem"
    PI_AUDIT_KEY_PUBLIC = "/etc/privacyidea/public.pem"
    # Database connection (full URI, password from vault/KeePassXC).
    SQLALCHEMY_DATABASE_URI = os.environ["PI_SQLALCHEMY_DATABASE_URI"]
    # Application logging.
    PI_LOGFILE = "/var/log/privacyidea/privacyidea.log"
    PI_LOGLEVEL = 20  # 10=DEBUG 20=INFO 30=WARNING 40=ERROR
    # Scripts folder for event handlers (leave default unless customising).
    PI_SCRIPT_FOLDER = "/etc/privacyidea/scripts"
    # Disable response signing — sign_response crashes on GET requests with
    # Werkzeug 3.x because request.json raises BadRequest for empty bodies.
    # The audit keys are still used for audit log signing.
    PI_NO_RESPONSE_SIGN = True
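Because privacyIDEA executes pi.cfg as Python (Flask's from_pyfile), the most faithful way to validate a ConfigMap like the one above before it is applied is to pull the block scalar out, execute it with the Secret-provided environment variables stubbed, and inspect the resulting settings. The following is an added example, not part of this repository or of privacyIDEA: it reads the `pi.cfg` literal block without PyYAML, executes it with placeholder values for the three environment variables, and flags settings a reviewer would want to see, including the response-signing workaround this commit introduces. The sample manifest, the stub environment values and the lint rules are all constructed for the example.

```python
"""Lint a privacyIDEA pi.cfg embedded in a Kubernetes ConfigMap.

privacyIDEA loads pi.cfg as Python, so the check executes it the same way,
with the Secret-provided environment variables stubbed, and then inspects
the resulting settings. Added example; not the project's own tooling.
"""
import os
import textwrap

# Constructed sample ConfigMap mirroring the manifest's structure
# (placeholder values, not the repository's file).
SAMPLE_CONFIGMAP = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: privacyidea-cfg
data:
  pi.cfg: |
    import os
    SECRET_KEY = os.environ["PI_SECRET_KEY"]
    PI_PEPPER = os.environ["PI_PEPPER"]
    PI_ENCFILE = "/etc/privacyidea/enckey"
    PI_AUDIT_KEY_PRIVATE = "/etc/privacyidea/private.pem"
    PI_AUDIT_KEY_PUBLIC = "/etc/privacyidea/public.pem"
    SQLALCHEMY_DATABASE_URI = os.environ["PI_SQLALCHEMY_DATABASE_URI"]
    PI_LOGLEVEL = 20
    PI_NO_RESPONSE_SIGN = True
"""

# Placeholder values standing in for the privacyidea-config Secret.
STUB_ENV = {
    "PI_SECRET_KEY": "placeholder-secret-key",
    "PI_PEPPER": "placeholder-pepper",
    "PI_SQLALCHEMY_DATABASE_URI": "sqlite://",
}

# Settings the config must define for privacyIDEA to start safely.
REQUIRED = ("SECRET_KEY", "PI_PEPPER", "SQLALCHEMY_DATABASE_URI", "PI_ENCFILE")


def extract_block_scalar(manifest: str, key: str = "pi.cfg") -> str:
    """Return the contents of the `key: |` literal block from a ConfigMap.

    Minimal reader so the check runs without PyYAML: it collects every line
    indented deeper than the key line until the indentation drops back.
    """
    lines = manifest.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == f"{key}: |":
            key_indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and (len(nxt) - len(nxt.lstrip())) <= key_indent:
                    break
                body.append(nxt)
            return textwrap.dedent("\n".join(body)) + "\n"
    raise KeyError(f"{key} block not found in manifest")


def load_pi_cfg(source: str, env: dict) -> dict:
    """Execute pi.cfg the way Flask's from_pyfile does; return UPPERCASE names."""
    saved = {k: os.environ.get(k) for k in env}
    os.environ.update(env)
    try:
        namespace = {}
        exec(compile(source, "pi.cfg", "exec"), namespace)
    finally:
        # Restore the caller's environment, whether or not the config raised.
        for k, v in saved.items():
            if v is None:
                os.environ.pop(k, None)
            else:
                os.environ[k] = v
    return {k: v for k, v in namespace.items() if k.isupper()}


def lint(settings: dict) -> list:
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    for key in REQUIRED:
        if key not in settings:
            findings.append(f"missing required setting {key}")
    if settings.get("PI_NO_RESPONSE_SIGN") is True:
        findings.append("PI_NO_RESPONSE_SIGN=True: API responses are unsigned")
    if settings.get("PI_LOGLEVEL", 20) <= 10:
        findings.append("PI_LOGLEVEL<=10: DEBUG logging may record sensitive data")
    for key in ("PI_ENCFILE", "PI_AUDIT_KEY_PRIVATE"):
        path = settings.get(key, "")
        if path and not path.startswith("/etc/privacyidea/"):
            findings.append(f"{key} points outside /etc/privacyidea: {path}")
    return findings


def lint_configmap(manifest: str, env: dict = STUB_ENV) -> list:
    """Extract, execute and lint the pi.cfg block of one ConfigMap manifest."""
    return lint(load_pi_cfg(extract_block_scalar(manifest), env))


if __name__ == "__main__":
    for finding in lint_configmap(SAMPLE_CONFIGMAP):
        print("WARN:", finding)
```

Run against the sample, the only finding is the unsigned-response warning, which is exactly the item the commit's TODO-style note should keep visible until the Werkzeug issue is resolved upstream; flipping `PI_NO_RESPONSE_SIGN` to `False` clears it. A missing environment variable surfaces as the same `KeyError` privacyIDEA itself would raise at startup, so the check also catches a ConfigMap that references a key the Secret does not provide.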