traefik/crowdsec: remove 6 hard-coded middleware refs the variable sweep missed (PR1/2)

The first PR1 commit only dropped the ingress_factory reference + the 8 exclude_crowdsec call sites. But the crowdsec middleware is ALSO hard-coded (not via the variable) in 6 more ingresses that build their middleware chain by hand: owntracks, the monitoring Helm values (grafana + prometheus + alertmanager), and the reverse-proxy module + its own separate ingress factory. Remove all 6 so that after the full-cluster apply NO live ingress references traefik-crowdsec@kubernetescrd — the precondition for PR2 deleting the CRD. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 00:17:40 +00:00 · 2026-06-21 00:17:40 +00:00 · 71d0af084e
commit 71d0af084e
parent 84a18a5529
5 changed files with 11 additions and 12 deletions
--- a/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
+++ b/stacks/monitoring/modules/monitoring/grafana_chart_values.yaml
@ -32,7 +32,7 @@ ingress:
  enabled: "true"
  ingressClassName: "traefik"
  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
    gethomepage.dev/enabled: "true"
    gethomepage.dev/name: "Grafana"
--- a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
+++ b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
@ -15,7 +15,7 @@ alertmanager:
    enabled: true
    ingressClassName: "traefik"
    annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
      traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
      gethomepage.dev/enabled: "true"
      gethomepage.dev/name: "Alertmanager"
@ -399,7 +399,7 @@ server:
    enabled: true
    ingressClassName: "traefik"
    annotations:
-      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+      traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
      traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
      gethomepage.dev/enabled: "true"
--- a/stacks/owntracks/main.tf
+++ b/stacks/owntracks/main.tf
@ -249,7 +249,7 @@ module "ingress" {
  tls_secret_name = var.tls_secret_name
  port            = 80
  extra_annotations = {
-    "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
+    "traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
    "gethomepage.dev/enabled"                          = "true"
    "gethomepage.dev/name"                             = "OwnTracks"
    "gethomepage.dev/description"                      = "Location tracking"
--- a/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/factory/main.tf
@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
        "traefik-retry@kubernetescrd",
        var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
        var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
        "traefik-crowdsec@kubernetescrd",
        var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
        var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
        var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
--- a/stacks/reverse-proxy/modules/reverse_proxy/main.tf
+++ b/stacks/reverse-proxy/modules/reverse_proxy/main.tf
@ -163,7 +163,7 @@ module "docker-registry-ui" {
  depends_on      = [kubernetes_namespace.reverse-proxy]
  extra_annotations = {
    # Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
-    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
+    "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
    "gethomepage.dev/enabled"                          = "true"
    "gethomepage.dev/name"                             = "Docker Registry"
    "gethomepage.dev/description"                      = "Container registry"