generated from coulomb/repo-seed
Deploys Keycloak (SSO core) in the sso namespace.
Files:
sso-mfa/k8s/keycloak/pvc.yaml — keycloak-data PVC (build cache)
sso-mfa/k8s/keycloak/middleware.yaml — rate-limit, admin-allowlist, HSTS
sso-mfa/k8s/keycloak/deployment.yaml — Deployment + Service; init container
downloads privacyIDEA provider JAR
sso-mfa/k8s/keycloak/ingress.yaml — Ingress for kc.coulomb.social (CP-NK-004)
sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
sso-mfa/k8s/keycloak/bootstrap-realm.sh — hardens master realm, creates net-kingdom realm
sso-mfa/k8s/keycloak/README.md — apply order, custom image guide, DR
sso-mfa/k8s/verify-t05.sh — T05 done-criteria verification script
Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.
Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Traefik Middlewares for Keycloak (namespace: sso)
#
# Middleware names follow the pattern referenced in ingress.yaml annotations:
#   sso-keycloak-rate-limit@kubernetescrd
#   sso-keycloak-admin-allowlist@kubernetescrd
#   sso-keycloak-hsts@kubernetescrd
#
# Traefik API version:
#   Traefik v3 (K3s >= 1.30): traefik.io/v1alpha1
#   Traefik v2 (K3s < 1.30):  traefik.containo.us/v1alpha1
# The installed CRDs are authoritative, not the K3s version. Check which API
# group the cluster serves BEFORE the first apply (listing Middleware objects
# in the sso namespace proves nothing while none exist yet):
#   kubectl get crd middlewares.traefik.io middlewares.traefik.containo.us
# Traefik v3 serves only traefik.io; Traefik v2.10+ serves both groups;
# older v2 serves only traefik.containo.us.
# Update all documents below if you need the v2 apiVersion.

# ── Rate limit — all KC endpoints ────────────────────────────────────────────
# 100 requests/minute per client IP; burst of 20 allowed.
# Higher than privacyIDEA because OIDC discovery + JS app calls are bursty.
# Every request counts toward the bucket, including
# /realms/{realm}/.well-known/openid-configuration.
#
# Client identity: no sourceCriterion is set, so Traefik keys the bucket on
# the TCP peer address (RemoteAddr). If a NATing hop sits in front of Traefik
# (cloud LB without PROXY protocol, or a Service with
# externalTrafficPolicy: Cluster), every external client shares ONE bucket and
# "100 req/min per IP" silently becomes a 100 req/min global cap that normal
# users exhaust. Preserve the client IP at the infra layer (PROXY protocol
# with proxyProtocol.trustedIPs, or externalTrafficPolicy: Local), or key on
# the X-Forwarded-For entry added by a trusted proxy via
# sourceCriterion.ipStrategy.depth — never trust XFF from arbitrary clients.
#
# Scope: this is coarse flood control, not brute-force protection. 100 req/min
# per source still permits password spraying against the token endpoint; rely
# on Keycloak's realm brute-force detection for that (verify bootstrap-realm.sh
# actually enables it — its contents are not part of this file).
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-rate-limit
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  rateLimit:
    # average requests per period, sustained; burst = extra requests accepted
    # at once on top of the sustained rate.
    average: 100
    period: 1m
    burst: 20
---
# ── Admin console allowlist — restrict /admin to VPN/office IPs ──────────────
# Applied to the /admin Ingress (see ingress.yaml — separate Ingress for /admin/).
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
# Leaving RFC-1918 ranges here is only a dev/staging default.
#
# WARNING — how this allowlist gets bypassed:
#  * With no ipStrategy set, Traefik matches the TCP peer address. If the path
#    to Traefik SNATs the client — a cloud LB without PROXY protocol, or the
#    Traefik Service with externalTrafficPolicy: Cluster (the Kubernetes
#    default; verify what K3s ServiceLB does in your cluster) — the peer is a
#    node/LB address, which is itself RFC-1918, and EVERY client on the
#    internet matches this list. The allowlist becomes a no-op with no error.
#    Preserve the real client IP (PROXY protocol + proxyProtocol.trustedIPs, or
#    externalTrafficPolicy: Local), or set ipStrategy.depth and accept
#    X-Forwarded-For only from known proxies (entryPoint
#    forwardedHeaders.trustedIPs).
#  * Test from outside the ranges after deploy: expect HTTP 403 from Traefik,
#    not a Keycloak login page.
#  * This only covers what the /admin Ingress routes. Both the console
#    (/admin/<realm>/console/) and the admin REST API (/admin/realms/...) must
#    fall under that Ingress's path rule — confirm in ingress.yaml.
#  * Network allowlisting is defence in depth, not the login control; master
#    realm admins still need strong credentials and MFA.
#
# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-admin-allowlist
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  ipAllowList:
    # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
---
# ── HSTS — HTTP Strict Transport Security ────────────────────────────────────
# Keycloak docs recommend HSTS for all deployments.
# Traefik terminates TLS; Keycloak runs HTTP internally.
# This header is injected by Traefik on all HTTPS responses.
#
# Caveats:
#  * Traefik emits Strict-Transport-Security only for requests that reached it
#    over TLS. If TLS is ever moved to an upstream LB so Traefik sees plain
#    HTTP, the header is never sent unless forceSTSHeader: true is added.
#  * stsPreload only signals eligibility. Actual preloading happens by
#    submitting the registrable domain to hstspreload.org; that is effectively
#    permanent and applies includeSubDomains to the whole domain, not just
#    kc.coulomb.social — decide deliberately.
#  * Attach this middleware to BOTH Ingresses (public and /admin) so the admin
#    path is not left without HSTS — confirm in ingress.yaml.
#  * Keycloak normally sets its own X-Frame-Options / Content-Security-Policy
#    per realm; check before adding frame/CSP headers here, or the two will
#    conflict.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-hsts
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  headers:
    # Resulting header:
    #   Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    stsSeconds: 31536000 # 1 year
    stsIncludeSubdomains: true
    stsPreload: true