Files
net-kingdom/sso-mfa/k8s/keycloak/ingress.yaml
Bernd Worsch d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 02:00:51 +00:00

88 lines
2.7 KiB
YAML

# Ingress — Keycloak (namespace: sso)
#
# kc.coulomb.social — SSO portal, OIDC/SAML endpoints, user login
#
# TLS: cert-manager issues the certificate via the letsencrypt-prod ClusterIssuer
# (T02). Public DNS for kc.coulomb.social must resolve to the cluster's external
# IP before cert-manager can complete the ACME HTTP-01 challenge.
#
# Middlewares:
# keycloak-rate-limit — 100 req/min per IP (all paths)
# keycloak-admin-allowlist — restrict /admin/* to VPN/office IPs (see middleware.yaml)
# keycloak-hsts — inject HSTS header on all HTTPS responses
#
# Config points (see CONFIG.md):
# CP-NK-004 kc.coulomb.social
# ── Main portal — kc.coulomb.social ──────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak
namespace: sso
labels:
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: >-
sso-keycloak-rate-limit@kubernetescrd,
sso-keycloak-hsts@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: kc.coulomb.social
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 8080
tls:
- secretName: kc-tls
hosts:
- kc.coulomb.social
---
# ── Admin console — kc.coulomb.social/admin — restricted to VPN/office IPs ──
# Separate Ingress so the admin-allowlist middleware applies only to /admin/*.
# Traefik prefers the more-specific /admin prefix over the / prefix above.
#
# The admin console path in Keycloak 20+ is /admin/.
# Realm-specific admin REST API is at /admin/realms/{realm}/...
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: keycloak-admin
namespace: sso
labels:
app.kubernetes.io/name: keycloak
app.kubernetes.io/part-of: net-kingdom-sso-mfa
net-kingdom/component: sso
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: >-
sso-keycloak-rate-limit@kubernetescrd,
sso-keycloak-admin-allowlist@kubernetescrd,
sso-keycloak-hsts@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: kc.coulomb.social
http:
paths:
- path: /admin
pathType: Prefix
backend:
service:
name: keycloak
port:
number: 8080
tls:
- secretName: kc-tls
hosts:
- kc.coulomb.social