net-kingdom/sso-mfa/k8s/keycloak/middleware.yaml
Bernd Worsch d0ed7d9cd6 feat(sso-mfa): T05 Keycloak manifests (NK-WP-0001-T05)
Deploys Keycloak (SSO core) in the sso namespace.

Files:
  sso-mfa/k8s/keycloak/pvc.yaml          — keycloak-data PVC (build cache)
  sso-mfa/k8s/keycloak/middleware.yaml   — rate-limit, admin-allowlist, HSTS
  sso-mfa/k8s/keycloak/deployment.yaml   — Deployment + Service; init container
                                           downloads privacyIDEA provider JAR
  sso-mfa/k8s/keycloak/ingress.yaml      — Ingress for kc.coulomb.social (CP-NK-004)
  sso-mfa/k8s/keycloak/create-secrets.sh — keycloak-config Secret
  sso-mfa/k8s/keycloak/bootstrap-realm.sh — hardens master realm, creates net-kingdom realm
  sso-mfa/k8s/keycloak/README.md         — apply order, custom image guide, DR
  sso-mfa/k8s/verify-t05.sh              — T05 done-criteria verification script

Config points added: CP-NK-004 (kc.coulomb.social), CP-NK-005 (provider JAR URL).
CP-NK-005 must be set before applying deployment.yaml.

Pending: apply to live cluster, set CP-NK-005, run bootstrap-realm.sh, verify-t05.sh.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 02:00:51 +00:00


# Traefik Middlewares for Keycloak (namespace: sso)
#
# Middleware names follow the pattern referenced in ingress.yaml annotations
# (Traefik's Kubernetes CRD provider exposes a Middleware as <namespace>-<name>):
#   sso-keycloak-rate-limit@kubernetescrd
#   sso-keycloak-admin-allowlist@kubernetescrd
#   sso-keycloak-hsts@kubernetescrd
#
# Traefik API version:
#   traefik.io/v1alpha1          Traefik v3 (also served by Traefik v2.10+)
#   traefik.containo.us/v1alpha1 legacy Traefik v2 group, removed in v3
# K3s bundles Traefik, and which major version that is depends on the K3s
# release, so check what the cluster serves instead of assuming. Both checks
# work before any Middleware object exists:
#   kubectl api-resources | grep -E '^middlewares[[:space:]]'
#   kubectl explain middlewares.spec.ipAllowList --api-version=traefik.io/v1alpha1
# The second command errors if the installed CRD predates ipAllowList.
# Update all documents below if you need the v2 apiVersion, and rename
# ipAllowList to ipWhiteList in the admin allowlist document.
# ── Rate limit — all KC endpoints ────────────────────────────────────────────
# 100 requests/minute per source (average 100 over a 1m period), burst of 20.
# Higher than privacyIDEA because OIDC discovery + JS app calls are bursty;
# every /realms/{realm}/.well-known/openid-configuration fetch counts as well.
# With no sourceCriterion set, Traefik buckets by the TCP peer address
# (RemoteAddr). If a load balancer or kube-proxy SNAT sits in front, every
# client lands in one shared bucket; set sourceCriterion.ipStrategy.depth
# once a trusted hop appends the real client address to X-Forwarded-For.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-rate-limit
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  rateLimit:
    average: 100
    period: 1m
    burst: 20
---
# ── Admin console allowlist — restrict /admin to VPN/office IPs ──────────────
# Applied to the /admin Ingress (see ingress.yaml — separate Ingress for /admin/).
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
# Leaving RFC-1918 ranges here is only a dev/staging default.
#
# Without ipStrategy, Traefik matches sourceRange against the TCP peer address
# (RemoteAddr), not against X-Forwarded-For. If the Traefik Service runs with
# externalTrafficPolicy: Cluster, or a load balancer/NAT sits in front, that
# address can be a cluster-internal RFC-1918 address for every client, and the
# defaults below would then admit anyone to /admin. Check with:
#   kubectl get svc -n kube-system traefik -o jsonpath='{.spec.externalTrafficPolicy}'
# Where a trusted proxy appends the client address to X-Forwarded-For, add
# `ipStrategy: { depth: 1 }` under ipAllowList so the appended entry is used.
#
# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-admin-allowlist
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  ipAllowList:
    # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
---
# ── HSTS — HTTP Strict Transport Security ────────────────────────────────────
# Keycloak docs recommend HSTS for all deployments.
# Traefik terminates TLS; Keycloak runs HTTP internally.
# Traefik injects the header on responses to requests that arrived over TLS;
# plain-HTTP responses get none unless forceSTSHeader is set (not wanted here).
# Scope: includeSubdomains on kc.coulomb.social covers *.kc.coulomb.social
# only, not coulomb.social. preload only takes effect if coulomb.social itself
# serves the header with preload and is submitted to hstspreload.org, and
# removal from the preload list is slow to reach browsers, so treat stsPreload
# as a one-way decision for the whole domain.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-hsts
  namespace: sso
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
spec:
  headers:
    stsSeconds: 31536000 # 1 year
    stsIncludeSubdomains: true
    stsPreload: true
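The header comment says to switch every document to the v2 apiVersion when the cluster serves only the legacy Traefik group. The script below is an added example, not code from the net-kingdom repository: it reads a `kubectl api-resources` listing, picks the API group the cluster actually serves, and rewrites a manifest for it (apiVersion, plus the ipAllowList/ipWhiteList rename the allowlist document needs). The sample listings and the minimal manifest are constructed inline so the script runs offline; `traefik_api_version` and `render_middleware` are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the net-kingdom repo: pick the Traefik CRD API
# group the cluster serves and render middleware.yaml for it. Assumed: the
# file is written for Traefik v3 (traefik.io/v1alpha1, ipAllowList) and a
# Traefik v2 cluster needs traefik.containo.us/v1alpha1 plus ipWhiteList.
# Function and variable names here are this example's own.

# Constructed samples of `kubectl api-resources` output: an older kubectl
# (APIGROUP column) on Traefik v2, and a current one (APIVERSION column) on v3.
SAMPLE_LISTING_V2='NAME             SHORTNAMES   APIGROUP              NAMESPACED   KIND
ingressroutes                 traefik.containo.us   true         IngressRoute
middlewares                   traefik.containo.us   true         Middleware'
SAMPLE_LISTING_V3='NAME             SHORTNAMES   APIVERSION            NAMESPACED   KIND
middlewares                   traefik.io/v1alpha1   true         Middleware
middlewaretcps                traefik.io/v1alpha1   true         MiddlewareTCP'

# Constructed minimal manifest in the same shape as the allowlist document.
SAMPLE_MANIFEST='apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: keycloak-admin-allowlist
  namespace: sso
spec:
  ipAllowList:
    sourceRange:
      - "192.0.2.0/24"'

# traefik_api_version: read an api-resources listing on stdin and print the
# apiVersion to use. Prefers traefik.io, which Traefik v2.10+ and v3 serve;
# falls back to the legacy group; fails if no Middleware CRD is installed.
traefik_api_version() {
  listing=$(cat)
  if printf '%s\n' "$listing" | grep -Eq '^middlewares[[:space:]].*traefik\.io'; then
    echo 'traefik.io/v1alpha1'
  elif printf '%s\n' "$listing" | grep -Eq '^middlewares[[:space:]].*traefik\.containo\.us'; then
    echo 'traefik.containo.us/v1alpha1'
  else
    echo 'no Traefik Middleware CRD found; is Traefik installed?' >&2
    return 1
  fi
}

# render_middleware APIVERSION: rewrite the manifest on stdin for that group.
# For the legacy group the allowlist field is renamed as well; rateLimit and
# headers are spelled the same in both groups.
render_middleware() {
  api=$1
  case "$api" in
    traefik.io/v1alpha1)
      sed -e "s|^apiVersion: .*|apiVersion: $api|" ;;
    traefik.containo.us/v1alpha1)
      sed -e "s|^apiVersion: .*|apiVersion: $api|" \
          -e 's/^\([[:space:]]*\)ipAllowList:/\1ipWhiteList:/' ;;
    *)
      echo "unsupported Traefik API group: $api" >&2; return 1 ;;
  esac
}

# Offline demo on the constructed v2 listing. Against a real cluster:
#   api=$(kubectl api-resources | traefik_api_version)
#   render_middleware "$api" < middleware.yaml | kubectl apply -f -
api=$(printf '%s\n' "$SAMPLE_LISTING_V2" | traefik_api_version)
printf '%s\n' "$SAMPLE_MANIFEST" | render_middleware "$api"
```

On a Traefik v2.10 or v2.11 cluster both groups are listed; the function deliberately prefers traefik.io there, since the legacy group disappears on upgrade to v3 and the file as written is already in that form.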
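The admin-allowlist comment warns that sourceRange is matched against the peer address unless ipStrategy is set. To make that concrete before going live, the following added example (not the repository's code, and not Traefik's own implementation) re-creates the two documented client-address strategies and the CIDR match in POSIX sh and runs the dev default against constructed requests: a VPN client, an internet client whose address Traefik sees only after SNAT, and a client that spoofs X-Forwarded-For. The address 10.42.0.1 stands in for a cluster-internal source (10.42.0.0/16 is the K3s default cluster CIDR); 203.0.113.7 and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example, not from the net-kingdom repo: an illustration of how Traefik's
# ipAllowList picks the client address and matches sourceRange, so the dev
# default in middleware.yaml can be exercised offline. Assumed from Traefik's
# docs: with no ipStrategy the TCP peer address (RemoteAddr) is used; with
# ipStrategy.depth N the N-th X-Forwarded-For entry from the right is used, or
# nothing if there are fewer entries. Names and sample addresses are ours.

# The dev/staging default from middleware.yaml.
ALLOWLIST="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_match IP NET/BITS -> exit 0 when IP lies inside the prefix
cidr_match() {
  net=${2%/*}
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# xff_depth N "a, b, c" -> N-th entry from the right; empty if N > entries
xff_depth() {
  count=$(printf '%s\n' "$2" | tr ',' '\n' | grep -c . || true)
  if [ "$1" -gt "$count" ]; then
    echo ''
  else
    printf '%s\n' "$2" | tr ',' '\n' | tr -d ' ' | tail -n "$1" | head -n 1
  fi
}

# allowed IP -> exit 0 if IP matches any ALLOWLIST prefix; an empty IP never does
allowed() {
  [ -n "$1" ] || return 1
  for cidr in $ALLOWLIST; do
    if cidr_match "$1" "$cidr"; then return 0; fi
  done
  return 1
}

# admin_decision REMOTE_ADDR XFF DEPTH -> allow|deny
# DEPTH 0 models "no ipStrategy" (RemoteAddr); DEPTH N models ipStrategy.depth N.
admin_decision() {
  if [ "$3" -gt 0 ]; then ip=$(xff_depth "$3" "$2"); else ip=$1; fi
  if allowed "$ip"; then echo allow; else echo deny; fi
}

# Constructed scenarios. 203.0.113.7 is an internet client; 10.42.0.1 is the
# cluster-internal address Traefik may see after kube-proxy SNAT.
echo "VPN client 192.168.10.4, direct:                 $(admin_decision 192.168.10.4 '' 0)"
echo "internet client behind SNAT, no ipStrategy:      $(admin_decision 10.42.0.1 '203.0.113.7' 0)"
echo "same request, ipStrategy.depth=1:                $(admin_decision 10.42.0.1 '203.0.113.7' 1)"
echo "client spoofs XFF, trusted LB appends, depth=1:  $(admin_decision 10.42.0.1 '192.168.1.1, 203.0.113.7' 1)"
echo "same header, depth=2 (trusts the client's entry): $(admin_decision 10.42.0.1 '192.168.1.1, 203.0.113.7' 2)"
```

The second line of output is the failure mode the comment describes: with the RFC-1918 defaults and no ipStrategy, a SNATed internet client is allowed into /admin. depth=1 fixes it only because a hop you trust appended the real address; choosing depth=2 trusts an entry the client wrote itself and reopens the hole.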