feat(openbao): enable bao.coulomb.social ingress and Traefik middlewares
Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares. Track netkingdom OIDC mount in authenticated verify checks.
38
helm/openbao-middleware.yaml
Normal file
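--- /dev/null
+++ b/helm/openbao-middleware.yaml
@@ -0,0 +1,38 @@
+# Traefik middlewares for OpenBao browser UI/API exposure.
+#
+# These names are referenced by helm/openbao-values.yaml as:
+# openbao-openbao-rate-limit@kubernetescrd
+# openbao-openbao-hsts@kubernetescrd
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: openbao-rate-limit
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao
+    app.kubernetes.io/part-of: railiance-platform
+    railiance-platform/component: secrets
+spec:
+  rateLimit:
+    # The OpenBao browser UI performs a burst of API calls on load, including
+    # repeated /v1/sys/health checks. Keep this high enough for normal admin
+    # use while still bounding runaway clients.
+    average: 600
+    period: 1m
+    burst: 180
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: openbao-hsts
+  namespace: openbao
+  labels:
+    app.kubernetes.io/name: openbao
+    app.kubernetes.io/part-of: railiance-platform
+    railiance-platform/component: secrets
+spec:
+  headers:
+    stsSeconds: 31536000
+    stsIncludeSubdomains: true
+    stsPreload: true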
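Review bot: The `rateLimit` block under `spec` of `openbao-rate-limit` leaves `sourceCriterion` unset, so Traefik buckets by client IP taken from the TCP peer address; if this ingress is reached through a load balancer that does not preserve source addresses, every caller shares one 600/min bucket and a single noisy client locks out all admins, while in the per-client case the limit still allows roughly 10 requests per second against the login endpoints, which is a generous brute-force budget for a secrets store. Consider pinning the criterion explicitly with `sourceCriterion:` / `ipStrategy:` / `depth: 1`, but only when the proxy in front is trusted to set `X-Forwarded-For` (Traefik `forwardedHeaders.trustedIPs`), and otherwise confirm the Service runs with `externalTrafficPolicy: Local`. Since the commit exposes the OpenBao UI and API publicly with only these two middlewares, an `ipAllowList` or forward-auth middleware chained ahead of the rate limit would be a stronger control than throttling alone. `stsPreload: true` with `stsIncludeSubdomains: true` is a long-lived commitment that only takes effect once the apex `coulomb.social` is submitted to the preload list and cannot be quickly rolled back, so verify that is intended rather than copied from a template.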