net-kingdom/sso-mfa/k8s/privacyidea/ingress.yaml
Bernd Worsch bececac7b8 fix(privacyidea): correct image to ghcr.io/gpappsoft, port 5001→8080
privacyidea/privacyidea:3.12 and privacyidea/otpserver:3.12.2 do not
exist on Docker Hub. Correct image is ghcr.io/gpappsoft/privacyidea-docker:3.12.2
which listens on port 8080.

Update all port references: deployment, service, ingress, netpol-mfa,
netpol-sso (keycape→privacyIDEA egress rule).

Also: creds-bootstrap-agent.sh — restart privacyIDEA deployment after
applying new secrets so the pod picks up updated env vars.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-21 09:37:38 +00:00

# Ingress — privacyIDEA (namespace: mfa)
#
# pink.coulomb.social         — main portal (login, self-service, API)
# pink-account.coulomb.social — self-service token portal
#
# Both hostnames resolve to the same privacyIDEA Service.
# privacyIDEA serves the self-service portal at /account/ when the
# "privacyideaserver" policy for self-service is enabled (configured
# in bootstrap-admin.sh / T04 README).
#
# TLS: cert-manager issues certificates via the letsencrypt-prod ClusterIssuer
# (T02). Public DNS for both hostnames must resolve to the cluster's external IP
# before cert-manager can complete the ACME HTTP-01 challenge.
#
# Rate limiting: the privacyidea-rate-limit middleware (middleware.yaml) is
# applied to every Ingress in this file. Admin paths are further restricted by
# privacyidea-admin-allowlist, applied only in the separate /admin Ingress below.
# Limits of that allowlist, as written:
#   - It covers /admin on pink.coulomb.social only. The other paths on that host
#     (including the REST API) and the whole of pink-account.coulomb.social route
#     to the same Service with just the rate limit, so /admin is reachable on the
#     account hostname from any source IP. Add a matching /admin Ingress for that
#     host (or block the prefix there) if the allowlist is meant to be a boundary.
#   - Traefik matches the allowlist against the client address it sees. Behind a
#     load balancer or other proxy that is the proxy's address, unless the
#     middleware's ipStrategy reads the forwarded client IP from a proxy you trust.
#     Verify with a request from outside the allowed ranges before relying on it.
#
# Config points (see CONFIG.md):
#   CP-NK-002  pink.coulomb.social
#   CP-NK-003  pink-account.coulomb.social

# ── Main portal — pink.coulomb.social ────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: privacyidea
  namespace: mfa
  labels:
    app.kubernetes.io/name: privacyidea
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Rate-limit middleware (Traefik v3 format; see middleware.yaml for v2 note).
    traefik.ingress.kubernetes.io/router.middlewares: "mfa-privacyidea-rate-limit@kubernetescrd"
spec:
  ingressClassName: traefik
  rules:
    - host: pink.coulomb.social
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: privacyidea
                port:
                  number: 8080
  tls:
    - secretName: pink-tls
      hosts:
        - pink.coulomb.social
---
# ── Admin WebUI — pink.coulomb.social/admin — restricted to VPN/office IPs ──
# Separate Ingress so the admin-allowlist middleware applies only to /admin/*.
# The main Ingress above already handles / (which includes /admin/ by prefix);
# this Ingress's more-specific /admin path takes precedence in Traefik routing.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: privacyidea-admin
  namespace: mfa
  labels:
    app.kubernetes.io/name: privacyidea
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Both rate-limit AND IP allowlist for admin paths.
    traefik.ingress.kubernetes.io/router.middlewares: >-
      mfa-privacyidea-rate-limit@kubernetescrd,
      mfa-privacyidea-admin-allowlist@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: pink.coulomb.social
      http:
        paths:
          - path: /admin
            pathType: Prefix
            backend:
              service:
                name: privacyidea
                port:
                  number: 8080
  tls:
    - secretName: pink-tls
      hosts:
        - pink.coulomb.social
---
# ── Self-service portal — pink-account.coulomb.social ────────────────────────
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: privacyidea-account
  namespace: mfa
  labels:
    app.kubernetes.io/name: privacyidea
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.middlewares: "mfa-privacyidea-rate-limit@kubernetescrd"
spec:
  ingressClassName: traefik
  rules:
    - host: pink-account.coulomb.social
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: privacyidea
                port:
                  number: 8080
  tls:
    - secretName: pink-account-tls
      hosts:
        - pink-account.coulomb.social
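A manifest check for the invariants this file relies on, added here as an example (not code from the net-kingdom repository). It works on the dicts that PyYAML's `yaml.safe_load_all()` returns for ingress.yaml; `SAMPLE_DOCS` is a constructed, trimmed copy of the three Ingresses above so the script runs offline without PyYAML. It flags the 5001-vs-8080 class of drift the commit fixed, an /admin route without the allowlist middleware, and any hostname that fronts the same Service at / without its own guarded /admin route (the pink-account.coulomb.social case noted in the header comment).

```python
"""Static checks over privacyIDEA Ingress manifests (added example, not code
from the net-kingdom repository). Input: the list of dicts yaml.safe_load_all()
yields for ingress.yaml. SAMPLE_DOCS is a constructed copy of the page's file."""

EXPECTED_PORT = 8080  # port the ghcr.io/gpappsoft/privacyidea-docker image listens on
RATE_LIMIT = "mfa-privacyidea-rate-limit@kubernetescrd"
ADMIN_ALLOWLIST = "mfa-privacyidea-admin-allowlist@kubernetescrd"
MW_ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"
ADMIN_PREFIX = "/admin"


def make_ingress(name, host, path, middlewares, secret, port=EXPECTED_PORT):
    """Construct one Ingress dict in the shape of the manifests on this page."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            "namespace": "mfa",
            "annotations": {
                ISSUER_ANNOTATION: "letsencrypt-prod",
                MW_ANNOTATION: ",".join(middlewares),  # Traefik: comma-separated list
            },
        },
        "spec": {
            "ingressClassName": "traefik",
            "rules": [{"host": host, "http": {"paths": [{
                "path": path,
                "pathType": "Prefix",
                "backend": {"service": {"name": "privacyidea",
                                        "port": {"number": port}}},
            }]}}],
            "tls": [{"secretName": secret, "hosts": [host]}],
        },
    }


# Constructed sample mirroring the three Ingresses in ingress.yaml.
SAMPLE_DOCS = [
    make_ingress("privacyidea", "pink.coulomb.social", "/", [RATE_LIMIT], "pink-tls"),
    make_ingress("privacyidea-admin", "pink.coulomb.social", ADMIN_PREFIX,
                 [RATE_LIMIT, ADMIN_ALLOWLIST], "pink-tls"),
    make_ingress("privacyidea-account", "pink-account.coulomb.social", "/",
                 [RATE_LIMIT], "pink-account-tls"),
]


def middlewares_of(doc):
    """Set of middleware references from the Traefik annotation (may be empty)."""
    raw = (doc["metadata"].get("annotations") or {}).get(MW_ANNOTATION, "")
    return {m.strip() for m in raw.split(",") if m.strip()}


def check_ingresses(docs, expected_port=EXPECTED_PORT):
    """Return a list of findings; an empty list means the manifests pass.

    Per Ingress: issuer annotation present, TLS hosts equal rule hosts, rate
    limit applied, every backend on expected_port, and any /admin path carrying
    the allowlist. Across Ingresses: if some host guards /admin for a Service,
    every other host routing "/" to that Service must guard it too, otherwise
    the allowlist is bypassed by simply using the other hostname.
    """
    findings = []
    front = set()    # (host, service) pairs routed at "/"
    guarded = set()  # (host, service) pairs with an /admin path behind the allowlist

    for doc in docs:
        if doc.get("kind") != "Ingress":
            continue
        name = doc["metadata"]["name"]
        ann = doc["metadata"].get("annotations") or {}
        mws = middlewares_of(doc)
        rules = doc["spec"].get("rules", [])
        rule_hosts = {r["host"] for r in rules}
        tls_hosts = {h for t in doc["spec"].get("tls", []) for h in t.get("hosts", [])}

        if ISSUER_ANNOTATION not in ann:
            findings.append(f"{name}: missing {ISSUER_ANNOTATION}")
        if rule_hosts != tls_hosts:
            findings.append(f"{name}: TLS hosts {sorted(tls_hosts)} != rule hosts {sorted(rule_hosts)}")
        if RATE_LIMIT not in mws:
            findings.append(f"{name}: {RATE_LIMIT} not applied")

        for rule in rules:
            for p in rule["http"]["paths"]:
                svc = p["backend"]["service"]
                port = svc["port"].get("number")
                if port != expected_port:
                    findings.append(f"{name}: {rule['host']}{p['path']} -> port {port}, expected {expected_port}")
                if p["path"] == "/":
                    front.add((rule["host"], svc["name"]))
                if p["path"].startswith(ADMIN_PREFIX):
                    if ADMIN_ALLOWLIST in mws:
                        guarded.add((rule["host"], svc["name"]))
                    else:
                        findings.append(f"{name}: {rule['host']}{p['path']} routed without {ADMIN_ALLOWLIST}")

    guarded_services = {svc for _, svc in guarded}
    for host, svc in sorted(front):
        if svc in guarded_services and (host, svc) not in guarded:
            findings.append(f"{host}: {ADMIN_PREFIX} on Service {svc} reachable without {ADMIN_ALLOWLIST}")
    return findings


if __name__ == "__main__":
    for line in check_ingresses(SAMPLE_DOCS) or ["OK: no findings"]:
        print(line)
```

Run against the three Ingresses as written, the only finding is the pink-account.coulomb.social bypass; adding a fourth Ingress that routes /admin on that host through the allowlist clears it. Wiring the loader is one line (`check_ingresses(list(yaml.safe_load_all(open("ingress.yaml"))))`) and fits a pre-commit hook or CI step.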