Expose OpenBao UI via TLS ingress with rate-limit and HSTS middlewares. Track netkingdom OIDC mount in authenticated verify checks.
# Traefik middlewares for OpenBao browser UI/API exposure.
#
# These names are referenced by helm/openbao-values.yaml as:
# openbao-openbao-rate-limit@kubernetescrd
# openbao-openbao-hsts@kubernetescrd
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: openbao-rate-limit
namespace: openbao
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/part-of: railiance-platform
railiance-platform/component: secrets
spec:
rateLimit:
# The OpenBao browser UI performs a burst of API calls on load, including
# repeated /v1/sys/health checks. Keep this high enough for normal admin
# use while still bounding runaway clients.
average: 600
period: 1m
burst: 180
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: openbao-hsts
namespace: openbao
labels:
app.kubernetes.io/name: openbao
app.kubernetes.io/part-of: railiance-platform
railiance-platform/component: secrets
spec:
headers:
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
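Review bot: The `rateLimit` block in the first document sets no `sourceCriterion`, so Traefik buckets requests by the connection's remote address; if this ingress is fronted by a load balancer or proxy that does not preserve the client IP, every browser shares the single 600/min bucket and one runaway client can exhaust it for all admins. Where a trusted proxy is in the path, keying on the forwarded client address with `sourceCriterion:` / `ipStrategy:` / `depth: 1` under `rateLimit` restores per-client limiting, but only when Traefik's entrypoint is configured to trust forwarded headers from that proxy — otherwise the header is client-controlled and the limit is trivially bypassed. In the second document, `stsPreload: true` together with `stsIncludeSubdomains: true` is a long-lived commitment: a preload-list entry covers every subdomain and takes months to withdraw, and the preload flag only has effect once the header is also served from the registrable domain, so a one-line comment recording that this is intentional would help, e.g. `# Preload is deliberate: once listed, browsers refuse plain HTTP for this host and all subdomains`. Note also that Traefik emits the STS header only on responses it considers TLS; if TLS terminates in front of Traefik, `forceSTSHeader: true` is needed for the header to appear at all.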