[ci skip] Fix Technitium DNS client IP logging: bypass Traefik L4 proxy

DNS queries were going through Traefik's IngressRouteUDP, replacing real client IPs with Traefik pod IPs (10.10.169.150) in Technitium logs. Changed Technitium DNS service from NodePort to LoadBalancer with externalTrafficPolicy: Local, removed dns-udp entrypoint and IngressRouteUDP from Traefik, and updated CoreDNS to forward .lan queries to Technitium's LoadBalancer IP directly.
2026-02-16 21:16:16 +00:00 · 2026-02-16 21:16:16 +00:00 · 205eb2704b
commit 205eb2704b
parent 3d4cdf3203
2 changed files with 45 additions and 46 deletions
--- a/modules/kubernetes/traefik/main.tf
+++ b/modules/kubernetes/traefik/main.tf
@ -29,6 +29,27 @@ resource "helm_release" "traefik" {
        "diun.enable"       = "true"
        "diun.include_tags" = "^v\\d+(?:\\.\\d+)?(?:\\.\\d+)?.*$"
      }
+      initContainers = [{
+        name  = "download-plugins"
+        image = "alpine:3"
+        command = ["sh", "-c", join("", [
+          "set -e; ",
+          "STORAGE=/plugins-storage; ",
+          "mkdir -p \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\"; ",
+          "mkdir -p \"$STORAGE/archives/github.com/packruler/rewrite-body\"; ",
+          "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.2.zip\" ",
+          "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.4.2.zip\"; ",
+          "wget -q -T 30 -O \"$STORAGE/archives/github.com/packruler/rewrite-body/v1.2.0.zip\" ",
+          "\"https://github.com/packruler/rewrite-body/archive/refs/tags/v1.2.0.zip\"; ",
+          "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\",\"github.com/packruler/rewrite-body\":\"v1.2.0\"}' ",
+          "> \"$STORAGE/archives/state.json\"; ",
+          "echo \"Plugins pre-downloaded successfully\"",
+        ])]
+        volumeMounts = [{
+          name      = "plugins"
+          mountPath = "/plugins-storage"
+        }]
+      }]
    }

    updateStrategy = {
@ -91,12 +112,6 @@ resource "helm_release" "traefik" {
          advertisedPort = 443
        }
      }
-      dns-udp = {
-        port        = 5353
-        exposedPort = 53
-        protocol    = "UDP"
-        expose      = { default = true }
-      }
      whisper-tcp = {
        port        = 10300
        exposedPort = 10300
@ -120,7 +135,6 @@ resource "helm_release" "traefik" {
    service = {
      type = "LoadBalancer"
      annotations = {
-        # Temporary IP during migration; will move to nginx's 10.0.20.202 once nginx is removed
        "metallb.universe.tf/loadBalancerIPs" = "10.0.20.202"
      }
      spec = {
@ -189,30 +203,6 @@ resource "helm_release" "traefik" {
  })]
 }

-# DNS UDP passthrough to Technitium
-resource "kubernetes_manifest" "dns_udp_ingressroute" {
-  manifest = {
-    apiVersion = "traefik.io/v1alpha1"
-    kind       = "IngressRouteUDP"
-    metadata = {
-      name      = "dns-udp"
-      namespace = kubernetes_namespace.traefik.metadata[0].name
-    }
-    spec = {
-      entryPoints = ["dns-udp"]
-      routes = [{
-        services = [{
-          name      = "technitium-dns"
-          namespace = "technitium"
-          port      = 53
-        }]
-      }]
-    }
-  }
-
-  depends_on = [helm_release.traefik]
-}
-
 # Dashboard resources
 module "tls_secret" {
  source          = "../setup_tls_secret"