From 84a18a55297adad20bedd587e55fe9eeae35cbc0 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sun, 21 Jun 2026 00:15:12 +0000
Subject: [PATCH] traefik/crowdsec: remove dead Yaegi-plugin middleware reference (PR1/2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Traefik CrowdSec (Yaegi) bouncer plugin enforces nothing on Traefik 3.7.5 (handler never invoked) and is fully superseded by the cs-firewall-bouncer (in-kernel nftables drop on direct hosts) + the Cloudflare IP-List/WAF rule (proxied hosts). Drop the `traefik-crowdsec@kubernetescrd` middleware from the ingress_factory chain and the 8 explicit `exclude_crowdsec = true` call sites, and delete the now-unused `exclude_crowdsec` variable. This is PR1 of a 2-phase removal: the reference is removed FIRST (a shared-module change → full-cluster apply re-renders every ingress without the middleware) so that PR2 can delete the `crowdsec` Middleware CRD + the plugin itself WITHOUT leaving any ingress pointing at a missing middleware (which would error those routers). PR2 MUST NOT land until this has fully applied and zero live ingresses reference traefik-crowdsec@kubernetescrd.
Co-Authored-By: Claude Opus 4.8
---
 modules/kubernetes/ingress_factory/main.tf | 5 -----
 stacks/authentik/guest.tf | 1 -
 stacks/authentik/modules/authentik/main.tf | 8 --------
 stacks/beads-server/main.tf | 16 +++++++---------
 stacks/crowdsec/modules/crowdsec/main.tf | 13 ++++++-------
 stacks/f1-stream/main.tf | 1 -
 stacks/poison-fountain/main.tf | 5 ++---
 7 files changed, 15 insertions(+), 34 deletions(-)
diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 0f239fb4..fc9bc9f5 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
 type = string
 default = null
 }
-variable "exclude_crowdsec" {
-type = bool
-default = false
-}
 variable "full_host" {
 type = string
 default = null
@@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
 "traefik-error-pages@kubernetescrd",
 var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
 var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
-var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
 local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
 local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
 local.auth_middleware,
diff --git a/stacks/authentik/guest.tf b/stacks/authentik/guest.tf
index 63724ab4..66fb406c 100644
--- a/stacks/authentik/guest.tf
+++ b/stacks/authentik/guest.tf
@@ -211,7 +211,6 @@ module "ingress_public_outpost" {
 tls_secret_name = var.tls_secret_name
 dns_type = "proxied"
 anti_ai_scraping = false
-exclude_crowdsec = true
 homepage_enabled = false
 depends_on = [authentik_outpost.public]
 }
diff --git a/stacks/authentik/modules/authentik/main.tf b/stacks/authentik/modules/authentik/main.tf
index 38584114..3ae6d7c6 100644
--- a/stacks/authentik/modules/authentik/main.tf
+++ b/stacks/authentik/modules/authentik/main.tf
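Review bot: Dropping the entry from the `proxied-ingress` middleware chain leaves no trace in the shared module of where CrowdSec enforcement now lives, so a later reader may assume proxied hosts are unprotected or re-add a Traefik bouncer; a short comment beside `"traefik-error-pages@kubernetescrd",` would carry the commit-message rationale, e.g. `# No CrowdSec middleware in this chain: enforcement is cs-firewall-bouncer (direct hosts) and the Cloudflare IP-List/WAF rule (proxied hosts); see PR1/PR2 removal notes.` The PR2 precondition ("zero live ingresses reference traefik-crowdsec@kubernetescrd") is not established by this chain alone, because callers can name middlewares directly through `extra_middlewares` (the f1-stream hunk passes `traefik-x402@kubernetescrd` that way) and ingresses not built through this module would not be re-rendered by this apply, so the gate should be verified against the live cluster's ingress annotations rather than by a repository grep. The middleware list and the enclosing `kubernetes_ingress_v1` resource both start and end outside this hunk.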
@@ -82,13 +82,6 @@ module "ingress" {
 service_name = "goauthentik-server"
 tls_secret_name = var.tls_secret_name
 anti_ai_scraping = false
-# Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
-# interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that
-# walls users out of the very gate they authenticate through (a CrowdSec hit
-# would break the passkey ceremony / session refresh mid-flow). Auth keeps
-# Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
-# (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
-exclude_crowdsec = true
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Authentik"
@@ -116,7 +109,6 @@ module "ingress-outpost" {
 ingress_path = ["/outpost.goauthentik.io"]
 tls_secret_name = var.tls_secret_name
 anti_ai_scraping = false
-exclude_crowdsec = true
 }
 # Immutable caching for the flow-executor static assets. Authentik serves
diff --git a/stacks/beads-server/main.tf b/stacks/beads-server/main.tf
index 7ef9d6a0..0b9a84f2 100644
--- a/stacks/beads-server/main.tf
+++ b/stacks/beads-server/main.tf
@@ -527,8 +527,7 @@ module "ingress" {
 name = "dolt-workbench"
 tls_secret_name = var.tls_secret_name
 # auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
-auth = "none"
-exclude_crowdsec = true
+auth = "none"
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "Dolt Workbench"
@@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
 }
 }
 module "beadboard_ingress" {
-source = "../../modules/kubernetes/ingress_factory"
-dns_type = "proxied"
-namespace = kubernetes_namespace.beads.metadata[0].name
-name = "beadboard"
-tls_secret_name = var.tls_secret_name
-auth = "required"
-exclude_crowdsec = true
+source = "../../modules/kubernetes/ingress_factory"
+dns_type = "proxied"
+namespace = kubernetes_namespace.beads.metadata[0].name
+name = "beadboard"
+tls_secret_name = var.tls_secret_name
+auth = "required"
 extra_annotations = {
 "gethomepage.dev/enabled" = "true"
 "gethomepage.dev/name" = "BeadBoard"
diff --git a/stacks/crowdsec/modules/crowdsec/main.tf b/stacks/crowdsec/modules/crowdsec/main.tf
index 86b8c3ab..b126805e 100644
--- a/stacks/crowdsec/modules/crowdsec/main.tf
+++ b/stacks/crowdsec/modules/crowdsec/main.tf
@@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
 }
 }
 module "ingress" {
-source = "../../../../modules/kubernetes/ingress_factory"
-dns_type = "proxied"
-namespace = kubernetes_namespace.crowdsec.metadata[0].name
-name = "crowdsec-web"
-auth = "required"
-tls_secret_name = var.tls_secret_name
-exclude_crowdsec = true
+source = "../../../../modules/kubernetes/ingress_factory"
+dns_type = "proxied"
+namespace = kubernetes_namespace.crowdsec.metadata[0].name
+name = "crowdsec-web"
+auth = "required"
+tls_secret_name = var.tls_secret_name
 }
 # CronJob to import public blocklists into CrowdSec
diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf
index 11ff8cd4..0fe6bacf 100644
--- a/stacks/f1-stream/main.tf
+++ b/stacks/f1-stream/main.tf
@@ -301,7 +301,6 @@ module "ingress" {
 service_name = module.anubis.service_name
 port = module.anubis.service_port
 tls_secret_name = var.tls_secret_name
-exclude_crowdsec = true
 anti_ai_scraping = false
 extra_middlewares = ["traefik-x402@kubernetescrd"]
 extra_annotations = {
diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf
index 16fd20c9..6872a5c0 100644
--- a/stacks/poison-fountain/main.tf
+++ b/stacks/poison-fountain/main.tf
@@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
 metadata {
 name = "poison-fountain"
 labels = {
-"istio-injection" = "disabled"
-tier = local.tiers.cluster
+"istio-injection" = "disabled"
+tier = local.tiers.cluster
 "keel.sh/enrolled" = "true"
 }
 }
@@ -228,7 +228,6 @@ module "ingress" {
 port = 8080
 tls_secret_name = var.tls_secret_name
 skip_default_rate_limit = true
-exclude_crowdsec = true
 anti_ai_scraping = false
 # Deployment is scaled to 0 (see replicas above). Opt the ingress out of
 # Uptime Kuma external monitoring so the sync CronJob deletes the orphaned