traefik: dedicate LB IP 10.0.20.203 + externalTrafficPolicy=Local

Gives direct (non-proxied) apps real client IPs for CrowdSec (were SNAT'd to the node IP under ETP=Cluster) and working QUIC. Companion change (NOT in TF — remote cloudflared tunnel config, done via CF API): tunnel ingress repointed from https://10.0.20.200:443 to https://traefik.traefik.svc.cluster.local:443 so proxied apps are decoupled from the LB IP. pfSense 443 NAT -> traefik_lb alias (.203). See docs/plans/2026-05-30-traefik-dedicated-ip-etp-local-*. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 08:09:37 +00:00 · 2026-05-30 08:09:37 +00:00 · 0c01adac95
commit 0c01adac95
parent d6a61f00ad
1 changed files with 6 additions and 3 deletions
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@ -165,11 +165,14 @@ resource "helm_release" "traefik" {
    service = {
      type = "LoadBalancer"
      annotations = {
-        "metallb.io/loadBalancerIPs" = "10.0.20.200"
-        "metallb.io/allow-shared-ip" = "shared"
+        # Dedicated IP + ETP=Local so direct-app clients keep their real source
+        # IP (CrowdSec) and QUIC handshakes pin to one pod. Proxied apps are
+        # unaffected — cloudflared targets the in-cluster Traefik Service
+        # (traefik.traefik.svc), not this LB IP, so the LB IP can move freely.
+        "metallb.io/loadBalancerIPs" = "10.0.20.203"
      }
      spec = {
-        externalTrafficPolicy = "Cluster"
+        externalTrafficPolicy = "Local"
      }
    }