net-kingdom/sso-mfa/k8s/privacyidea/middleware.yaml
Bernd Worsch 1d94652ba1 feat(sso-mfa): T04 privacyIDEA manifests (NK-WP-0001-T04)
Deploy privacyIDEA (MFA core) in the mfa namespace:
- pvc.yaml: privacyidea-data (5Gi) and privacyidea-logs (2Gi)
- configmap.yaml: pi.cfg reading secrets from env vars
- deployment.yaml: Deployment + ClusterIP Service (port 8080)
- middleware.yaml: Traefik RateLimit + admin IP AllowList
- ingress.yaml: pink.coulomb.social (portal + admin), pink-account.coulomb.social (self-service)
- create-secrets.sh: creates privacyidea-config Secret
- enckey-bootstrap.sh: post-deploy key extraction + DR Secrets
- bootstrap-admin.sh: pi-admin, trigger-admin, privacyidea-trigger-admin Secret
- verify-t04.sh: 8-section done-criteria checker

Config points CP-NK-002 (pink.coulomb.social) and CP-NK-003
(pink-account.coulomb.social) registered in CONFIG.md.

pink = PrivacyIDEA Net Knights (project mnemonic).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-19 01:22:41 +00:00


# Traefik Middlewares for privacyIDEA (namespace: mfa)
#
# Middleware names follow the pattern referenced in ingress.yaml annotations:
# mfa-privacyidea-rate-limit@kubernetescrd
# mfa-privacyidea-admin-allowlist@kubernetescrd
#
# Traefik API version:
# Traefik v3 (K3s >= 1.30): traefik.io/v1alpha1
# Traefik v2 (K3s < 1.30): traefik.containo.us/v1alpha1
# Check: kubectl get middleware -n mfa -o yaml | grep apiVersion
# Update both documents below if you need the v2 apiVersion.
#
# ── Rate limit — all PI endpoints ────────────────────────────────────────────
# Applies globally to pink.coulomb.social.
# Primary protection for /validate/check (OTP verification) and /auth.
# 20 requests/minute per client IP; burst of 5 allowed.
# Adjust average/burst upward if legitimate automation (e.g. Keycloak Provider)
# triggers false positives — or exclude the Keycloak source IP at network level.
#
# Both middlewares key on the client IP that Traefik sees. Behind a load
# balancer that does not preserve the source address (no PROXY protocol, or
# externalTrafficPolicy: Cluster), every client shares one rate-limit bucket and
# the allowlist below is evaluated against the balancer's address instead.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-rate-limit
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  rateLimit:
    average: 20   # sustained requests per period, per source IP (0 would disable limiting)
    period: 1m
    burst: 5      # token-bucket size: short spikes above the average that are tolerated
---
# ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
# Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
# Leaving RFC-1918 ranges here is only a dev/staging default.
#
# Traefik v3 uses ipAllowList; Traefik v2 uses ipWhiteList.
# Check your Traefik version and update accordingly.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-admin-allowlist
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  ipAllowList:
    # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
    # Example VPN: "10.8.0.0/24"
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
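A pre-deploy lint for the two middlewares above, added here as an example and not part of the net-kingdom repo or its verify-t04.sh. The sample documents are constructed inline to mirror the manifest (what `yaml.safe_load_all()` would return), and `min_prefixlen` is an assumed policy threshold; it flags the RFC-1918 dev defaults, a wide-open or malformed sourceRange, an allowlist key that does not match the Traefik CRD apiVersion, and a rateLimit average of 0.

```python
import ipaddress

# Constructed sample: the two Middleware documents from middleware.yaml, as the
# dicts yaml.safe_load_all() would yield (inlined so the check runs offline).
SAMPLE_DOCS = [
    {"apiVersion": "traefik.io/v1alpha1", "kind": "Middleware",
     "metadata": {"name": "privacyidea-rate-limit", "namespace": "mfa"},
     "spec": {"rateLimit": {"average": 20, "period": "1m", "burst": 5}}},
    {"apiVersion": "traefik.io/v1alpha1", "kind": "Middleware",
     "metadata": {"name": "privacyidea-admin-allowlist", "namespace": "mfa"},
     "spec": {"ipAllowList": {"sourceRange": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]}}},
]

# Dev/staging defaults from the manifest that must be replaced before go-live.
RFC1918_DEFAULTS = {ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")}

# Allowlist key each Traefik CRD generation expects (v3 renamed ipWhiteList to ipAllowList).
ALLOWLIST_KEY = {"traefik.io/v1alpha1": "ipAllowList", "traefik.containo.us/v1alpha1": "ipWhiteList"}


def check_middlewares(docs, min_prefixlen=8):
    """Return a list of findings; an empty list means the manifests pass (assumed policy)."""
    findings = []
    for doc in docs:
        name, spec = doc["metadata"]["name"], doc["spec"]
        expected = ALLOWLIST_KEY.get(doc["apiVersion"])
        if expected is None:
            findings.append(f"{name}: unknown apiVersion {doc['apiVersion']}")
            continue
        # A key from the other CRD generation is not applied by Traefik, which would
        # leave the /admin Ingress without any source-IP restriction.
        wrong_key = ({"ipAllowList", "ipWhiteList"} - {expected}).pop()
        if wrong_key in spec:
            findings.append(f"{name}: {wrong_key} is not valid for {doc['apiVersion']}, use {expected}")
        for cidr in spec.get(expected, {}).get("sourceRange", []):
            try:
                net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set, e.g. 10.8.0.1/24
            except ValueError:
                findings.append(f"{name}: {cidr!r} is not a valid CIDR")
                continue
            if net in RFC1918_DEFAULTS:
                findings.append(f"{name}: {net} is a dev/staging default, replace with VPN/office CIDR")
            elif net.prefixlen < min_prefixlen:
                findings.append(f"{name}: {net} is broader than /{min_prefixlen}")
        rl = spec.get("rateLimit")
        if rl is not None and rl.get("average", 0) <= 0:
            findings.append(f"{name}: rateLimit.average of 0 disables rate limiting")  # Traefik semantics
    return findings


if __name__ == "__main__":
    for line in check_middlewares(SAMPLE_DOCS) or ["OK: manifests pass"]:
        print(line)
```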