# Traefik middlewares for OpenBao browser UI/API exposure.
#
# These names are referenced by helm/openbao-values.yaml as:
#   openbao-openbao-rate-limit@kubernetescrd
#   openbao-openbao-hsts@kubernetescrd

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: openbao-rate-limit
  namespace: openbao
  labels:
    app.kubernetes.io/name: openbao
    app.kubernetes.io/part-of: railiance-platform
    railiance-platform/component: secrets
spec:
  rateLimit:
    # The OpenBao browser UI performs a burst of API calls on load, including
    # repeated /v1/sys/health checks. Keep this high enough for normal admin
    # use while still bounding runaway clients.
    average: 600
    period: 1m
    burst: 180
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: openbao-hsts
  namespace: openbao
  labels:
    app.kubernetes.io/name: openbao
    app.kubernetes.io/part-of: railiance-platform
    railiance-platform/component: secrets
spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true