net-kingdom/sso-mfa/k8s/privacyidea/middleware.yaml
Bernd Worsch a375b3814d fix(sso-mfa): use ipWhiteList for Traefik v2 in LLDAP and privacyIDEA middleware
Traefik 2.10 (K3s 1.30 bundle) requires ipWhiteList, not ipAllowList.
Updated both middleware files and clarified comments to match cluster version.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 07:28:06 +00:00


# Traefik Middlewares for privacyIDEA (namespace: mfa)
#
# Middleware names follow the pattern referenced in ingress.yaml annotations:
#   mfa-privacyidea-rate-limit@kubernetescrd
#   mfa-privacyidea-admin-allowlist@kubernetescrd
#
# Traefik API version and field names:
#   Traefik v3:        traefik.io/v1alpha1; allowlist field is ipAllowList
#   Traefik v2.10+:    traefik.io/v1alpha1 is accepted as an alias of
#                      traefik.containo.us/v1alpha1; allowlist field is ipWhiteList
#   Traefik < v2.10:   traefik.containo.us/v1alpha1 only
# This cluster runs Traefik 2.10 (K3s 1.30 bundle), so the v2 field names apply.
# Check the served apiVersion: kubectl get middleware -n mfa -o yaml | grep apiVersion
# Check the running Traefik image (K3s default deployment name):
#   kubectl -n kube-system get deploy traefik -o jsonpath='{.spec.template.spec.containers[0].image}'
# Update both documents below if you need the traefik.containo.us apiVersion.

# ── Rate limit — all PI endpoints ────────────────────────────────────────────
# Applies globally to pink.coulomb.social.
# Primary protection for /validate/check (OTP verification) and /auth.
# 20 requests/minute per client IP (Traefik's default sourceCriterion is the
# request's remote address); burst of 5 allowed.
# If a proxy or load balancer sits in front of Traefik, add
# spec.rateLimit.sourceCriterion.ipStrategy (depth / excludedIPs) so the limit
# keys on the real client IP from X-Forwarded-For rather than the proxy's address.
# Adjust average/burst upward if legitimate automation (e.g. Keycloak Provider)
# triggers false positives — or exclude the Keycloak source IP at network level.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-rate-limit
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  rateLimit:
    average: 20
    period: 1m
    burst: 5
---
# ── Admin path allowlist — restrict WebUI to internal/VPN IPs ────────────────
# Applied to the /admin/* Ingress (see ingress.yaml — separate Ingress for /admin/).
#
# ADJUST sourceRange to your actual VPN / office CIDR(s) before going live.
# Leaving RFC-1918 ranges here is only a dev/staging default: every pod, node
# and NATed client inside the private address space would pass the check.
#
# Traefik v2 uses ipWhiteList; Traefik v3 uses ipAllowList.
# This cluster runs Traefik 2.10 (K3s 1.30 bundle) — ipWhiteList required.
# As with the rate limit, add ipStrategy (depth / excludedIPs) under ipWhiteList
# if a proxy or load balancer sits in front of Traefik; otherwise the check sees
# the proxy's (usually private) address and the allowlist admits everyone.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-admin-allowlist
  namespace: mfa
  labels:
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: mfa
spec:
  ipWhiteList:
    # EDIT: replace with your VPN/office CIDRs (see CONFIG.md for the pattern).
    # Example VPN: "10.8.0.0/24"
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
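The v2/v3 field rename and the RFC-1918 dev default in sourceRange are the two things in this file most likely to slip through to a live cluster. As an added example that is not part of the net-kingdom repo, the POSIX shell lint below checks both against a constructed sample manifest before `kubectl apply`; the function names and the sample are assumptions, and it only greps for the top-level key rather than validating the full CRD schema.

```shell
#!/bin/sh
# Added example, not from the net-kingdom repo: pre-apply lint for Traefik
# Middleware manifests. Traefik v2 expects spec.ipWhiteList, v3 renamed it to
# spec.ipAllowList; the wrong key does not yield the allowlist you intended.

# Print the allowlist key for a Traefik version string such as "2.10.5" or "v3.1".
traefik_allowlist_key() {
  v=${1#v}
  major=${v%%.*}
  if [ "$major" -ge 3 ]; then echo ipAllowList; else echo ipWhiteList; fi
}

# 0: manifest $1 uses the key expected for Traefik $2; 1: uses the other key;
# 2: no allowlist key at all (e.g. a pure rate-limit manifest).
check_allowlist_key() {
  want=$(traefik_allowlist_key "$2")
  if [ "$want" = ipWhiteList ]; then wrong=ipAllowList; else wrong=ipWhiteList; fi
  if grep -Eq "^[[:space:]]*$wrong:" "$1"; then
    echo "ERROR: $1 uses $wrong but Traefik $2 expects $want" >&2
    return 1
  fi
  grep -Eq "^[[:space:]]*$want:" "$1" || return 2
}

# 0 if sourceRange has at least one entry outside the RFC-1918 dev/staging
# defaults, 1 if it still lists only 10/8, 172.16/12 and 192.168/16 (every
# pod, node and NATed client in private address space would pass the check).
check_source_range_tightened() {
  sed -n 's/^[[:space:]]*-[[:space:]]*"\{0,1\}\([0-9][0-9./]*\)"\{0,1\}.*/\1/p' "$1" |
    grep -Evq '^(10\.0\.0\.0/8|172\.16\.0\.0/12|192\.168\.0\.0/16)$'
}

# Constructed sample: the admin allowlist as committed for a Traefik 2.x cluster.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: privacyidea-admin-allowlist
spec:
  ipWhiteList:
    sourceRange:
      - "10.0.0.0/8"
      - "172.16.0.0/12"
      - "192.168.0.0/16"
EOF

check_allowlist_key "$SAMPLE" 2.10.5 && echo "key ok for Traefik 2.10"
check_allowlist_key "$SAMPLE" 3.0.0 || echo "would break on Traefik 3"
check_source_range_tightened "$SAMPLE" || echo "WARNING: sourceRange is still the dev default"
```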