From 0c01adac951932efe5d917377ab3db9feff41f9c Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 30 May 2026 08:09:37 +0000
Subject: [PATCH] traefik: dedicate LB IP 10.0.20.203 + externalTrafficPolicy=Local
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Gives direct (non-proxied) apps real client IPs for CrowdSec (were SNAT'd to the node IP under ETP=Cluster) and working QUIC. Companion change (NOT in TF — remote cloudflared tunnel config, done via CF API): tunnel ingress repointed from https://10.0.20.200:443 to https://traefik.traefik.svc.cluster.local:443 so proxied apps are decoupled from the LB IP. pfSense 443 NAT -> traefik_lb alias (.203). See docs/plans/2026-05-30-traefik-dedicated-ip-etp-local-*. Co-Authored-By: Claude Opus 4.7
--- stacks/traefik/modules/traefik/main.tf | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index b3ba958b..1826448d 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -165,11 +165,14 @@ resource "helm_release" "traefik" { service = { type = "LoadBalancer" annotations = {
- "metallb.io/loadBalancerIPs" = "10.0.20.200"
- "metallb.io/allow-shared-ip" = "shared"
+ # Dedicated IP + ETP=Local so direct-app clients keep their real source
+ # IP (CrowdSec) and QUIC handshakes pin to one pod. Proxied apps are
+ # unaffected — cloudflared targets the in-cluster Traefik Service
+ # (traefik.traefik.svc), not this LB IP, so the LB IP can move freely.
+ "metallb.io/loadBalancerIPs" = "10.0.20.203" } spec = {
- externalTrafficPolicy = "Cluster"
+ externalTrafficPolicy = "Local" } }
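Review bot: The added comment's claim that "the LB IP can move freely" contradicts the commit message, which pins .203 in the pfSense `traefik_lb` NAT alias, so I'd end that comment with `# (traefik.traefik.svc), not this LB IP. Direct clients reach .203 via the pfSense traefik_lb alias — keep the two in sync.` instead. ETP=Local delivers the unmangled client address, but that only helps CrowdSec if Traefik's forwardedHeaders trustedIPs does not honour `X-Forwarded-For` from the direct-client path; that setting is outside this hunk, so it is worth confirming that only the cloudflared pods are trusted. Under ETP=Local MetalLB announces .203 only from nodes that host a Traefik pod, so if the release runs a single replica the VIP goes dark until the pod is rescheduled; a `# NOTE: ETP=Local — VIP is only announced from nodes running a Traefik pod` beside `externalTrafficPolicy = "Local"` would spare the next reader that surprise. The `resource "helm_release" "traefik"` block continues outside the hunk.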