diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf index 7f6cd28b..5f5c4e3b 100644 --- a/stacks/platform/main.tf +++ b/stacks/platform/main.tf @@ -162,6 +162,7 @@ module "traefik" { source = "./modules/traefik" tier = local.tiers.core crowdsec_api_key = var.ingress_crowdsec_api_key + redis_host = var.redis_host tls_secret_name = var.tls_secret_name } diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf index d7a9da5a..ccd1cbce 100644 --- a/stacks/platform/modules/traefik/main.tf +++ b/stacks/platform/modules/traefik/main.tf @@ -1,5 +1,6 @@ variable "tier" { type = string } variable "crowdsec_api_key" { type = string } +variable "redis_host" { type = string } variable "tls_secret_name" {} resource "kubernetes_namespace" "traefik" { diff --git a/stacks/platform/modules/traefik/middleware.tf b/stacks/platform/modules/traefik/middleware.tf index 0a5481b6..499a11fe 100644 --- a/stacks/platform/modules/traefik/middleware.tf +++ b/stacks/platform/modules/traefik/middleware.tf @@ -150,9 +150,14 @@ resource "kubernetes_manifest" "middleware_crowdsec" { spec = { plugin = { crowdsec-bouncer = { - crowdsecLapiKey = var.crowdsec_api_key - crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080" - crowdsecMode = "stream" + crowdsecLapiKey = var.crowdsec_api_key + crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080" + crowdsecMode = "stream" + updateMaxFailure = -1 # fail-open: serve from cache when LAPI is unreachable + redisCacheEnabled = true + redisCacheHost = var.redis_host + redisCacheUnreachableBlock = false # don't block traffic if Redis is also unreachable + clientTrustedIPs = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec } } }