generated from coulomb/repo-seed
Deploys Keycloak (SSO core) in the sso namespace.
Files:
sso-mfa/k8s/keycloak/pvc.yaml — keycloak-data PVC (build cache)
sso-mfa/k8s/keycloak/middleware.yaml — rate-limit, admin-allowlist, HSTS
sso-mfa/k8s/keycloak/deployment.yaml — Deployment + Service; init container
downloads privacyIDEA provider JAR
sso-mfa/k8s/keycloak/ingress.yaml — Ingress for kc.coulomb.social (CP-NK-004)
sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
sso-mfa/k8s/keycloak/bootstrap-realm.sh— hardens master realm, creates net-kingdom realm
sso-mfa/k8s/keycloak/README.md — apply order, custom image guide, DR
sso-mfa/k8s/verify-t05.sh — T05 done-criteria verification script
Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.
Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
88 lines
2.7 KiB
YAML
88 lines
2.7 KiB
YAML
# Ingress — Keycloak (namespace: sso)
|
|
#
|
|
# kc.coulomb.social — SSO portal, OIDC/SAML endpoints, user login
|
|
#
|
|
# TLS: cert-manager issues the certificate via the letsencrypt-prod ClusterIssuer
|
|
# (T02). Public DNS for kc.coulomb.social must resolve to the cluster's external
|
|
# IP before cert-manager can complete the ACME HTTP-01 challenge.
|
|
#
|
|
# Middlewares:
|
|
# keycloak-rate-limit — 100 req/min per IP (all paths)
|
|
# keycloak-admin-allowlist — restrict /admin/* to VPN/office IPs (see middleware.yaml)
|
|
# keycloak-hsts — inject HSTS header on all HTTPS responses
|
|
#
|
|
# Config points (see CONFIG.md):
|
|
# CP-NK-004 kc.coulomb.social
|
|
|
|
# ── Main portal — kc.coulomb.social ──────────────────────────────────────────
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: keycloak
|
|
namespace: sso
|
|
labels:
|
|
app.kubernetes.io/name: keycloak
|
|
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
|
net-kingdom/component: sso
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
traefik.ingress.kubernetes.io/router.middlewares: >-
|
|
sso-keycloak-rate-limit@kubernetescrd,
|
|
sso-keycloak-hsts@kubernetescrd
|
|
spec:
|
|
ingressClassName: traefik
|
|
rules:
|
|
- host: kc.coulomb.social
|
|
http:
|
|
paths:
|
|
- path: /
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: keycloak
|
|
port:
|
|
number: 8080
|
|
tls:
|
|
- secretName: kc-tls
|
|
hosts:
|
|
- kc.coulomb.social
|
|
---
|
|
# ── Admin console — kc.coulomb.social/admin — restricted to VPN/office IPs ──
|
|
# Separate Ingress so the admin-allowlist middleware applies only to /admin/*.
|
|
# Traefik prefers the more-specific /admin prefix over the / prefix above.
|
|
#
|
|
# The admin console path in Keycloak 20+ is /admin/.
|
|
# Realm-specific admin REST API is at /admin/realms/{realm}/...
|
|
apiVersion: networking.k8s.io/v1
|
|
kind: Ingress
|
|
metadata:
|
|
name: keycloak-admin
|
|
namespace: sso
|
|
labels:
|
|
app.kubernetes.io/name: keycloak
|
|
app.kubernetes.io/part-of: net-kingdom-sso-mfa
|
|
net-kingdom/component: sso
|
|
annotations:
|
|
cert-manager.io/cluster-issuer: letsencrypt-prod
|
|
traefik.ingress.kubernetes.io/router.middlewares: >-
|
|
sso-keycloak-rate-limit@kubernetescrd,
|
|
sso-keycloak-admin-allowlist@kubernetescrd,
|
|
sso-keycloak-hsts@kubernetescrd
|
|
spec:
|
|
ingressClassName: traefik
|
|
rules:
|
|
- host: kc.coulomb.social
|
|
http:
|
|
paths:
|
|
- path: /admin
|
|
pathType: Prefix
|
|
backend:
|
|
service:
|
|
name: keycloak
|
|
port:
|
|
number: 8080
|
|
tls:
|
|
- secretName: kc-tls
|
|
hosts:
|
|
- kc.coulomb.social
|