traefik/crowdsec: remove dead Yaegi-plugin middleware reference (PR1/2)
The Traefik CrowdSec (Yaegi) bouncer plugin enforces nothing on Traefik 3.7.5 (handler never invoked) and is fully superseded by the cs-firewall-bouncer (in-kernel nftables drop on direct hosts) + the Cloudflare IP-List/WAF rule (proxied hosts). Drop the `traefik-crowdsec@kubernetescrd` middleware from the ingress_factory chain and the 8 explicit `exclude_crowdsec = true` call sites, and delete the now-unused `exclude_crowdsec` variable. This is PR1 of a 2-phase removal: the reference is removed FIRST (a shared-module change → full-cluster apply re-renders every ingress without the middleware) so that PR2 can delete the `crowdsec` Middleware CRD + the plugin itself WITHOUT leaving any ingress pointing at a missing middleware (which would error those routers). PR2 MUST NOT land until this has fully applied and zero live ingresses reference traefik-crowdsec@kubernetescrd. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
9774ae3d19
commit
84a18a5529
7 changed files with 15 additions and 34 deletions
|
|
@ -211,7 +211,6 @@ module "ingress_public_outpost" {
|
|||
tls_secret_name = var.tls_secret_name
|
||||
dns_type = "proxied"
|
||||
anti_ai_scraping = false
|
||||
exclude_crowdsec = true
|
||||
homepage_enabled = false
|
||||
depends_on = [authentik_outpost.public]
|
||||
}
|
||||
|
|
|
|||
|
|
@ -82,13 +82,6 @@ module "ingress" {
|
|||
service_name = "goauthentik-server"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
anti_ai_scraping = false
|
||||
# Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
|
||||
# interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that
|
||||
# walls users out of the very gate they authenticate through (a CrowdSec hit
|
||||
# would break the passkey ceremony / session refresh mid-flow). Auth keeps
|
||||
# Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
|
||||
# (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
|
||||
exclude_crowdsec = true
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "Authentik"
|
||||
|
|
@ -116,7 +109,6 @@ module "ingress-outpost" {
|
|||
ingress_path = ["/outpost.goauthentik.io"]
|
||||
tls_secret_name = var.tls_secret_name
|
||||
anti_ai_scraping = false
|
||||
exclude_crowdsec = true
|
||||
}
|
||||
|
||||
# Immutable caching for the flow-executor static assets. Authentik serves
|
||||
|
|
|
|||
|
|
@ -527,8 +527,7 @@ module "ingress" {
|
|||
name = "dolt-workbench"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
||||
auth = "none"
|
||||
exclude_crowdsec = true
|
||||
auth = "none"
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "Dolt Workbench"
|
||||
|
|
@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
|
|||
}
|
||||
|
||||
module "beadboard_ingress" {
|
||||
source = "../../modules/kubernetes/ingress_factory"
|
||||
dns_type = "proxied"
|
||||
namespace = kubernetes_namespace.beads.metadata[0].name
|
||||
name = "beadboard"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
auth = "required"
|
||||
exclude_crowdsec = true
|
||||
source = "../../modules/kubernetes/ingress_factory"
|
||||
dns_type = "proxied"
|
||||
namespace = kubernetes_namespace.beads.metadata[0].name
|
||||
name = "beadboard"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
auth = "required"
|
||||
extra_annotations = {
|
||||
"gethomepage.dev/enabled" = "true"
|
||||
"gethomepage.dev/name" = "BeadBoard"
|
||||
|
|
|
|||
|
|
@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
|
|||
}
|
||||
}
|
||||
module "ingress" {
|
||||
source = "../../../../modules/kubernetes/ingress_factory"
|
||||
dns_type = "proxied"
|
||||
namespace = kubernetes_namespace.crowdsec.metadata[0].name
|
||||
name = "crowdsec-web"
|
||||
auth = "required"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
exclude_crowdsec = true
|
||||
source = "../../../../modules/kubernetes/ingress_factory"
|
||||
dns_type = "proxied"
|
||||
namespace = kubernetes_namespace.crowdsec.metadata[0].name
|
||||
name = "crowdsec-web"
|
||||
auth = "required"
|
||||
tls_secret_name = var.tls_secret_name
|
||||
}
|
||||
|
||||
# CronJob to import public blocklists into CrowdSec
|
||||
|
|
|
|||
|
|
@ -301,7 +301,6 @@ module "ingress" {
|
|||
service_name = module.anubis.service_name
|
||||
port = module.anubis.service_port
|
||||
tls_secret_name = var.tls_secret_name
|
||||
exclude_crowdsec = true
|
||||
anti_ai_scraping = false
|
||||
extra_middlewares = ["traefik-x402@kubernetescrd"]
|
||||
extra_annotations = {
|
||||
|
|
|
|||
|
|
@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
|
|||
metadata {
|
||||
name = "poison-fountain"
|
||||
labels = {
|
||||
"istio-injection" = "disabled"
|
||||
tier = local.tiers.cluster
|
||||
"istio-injection" = "disabled"
|
||||
tier = local.tiers.cluster
|
||||
"keel.sh/enrolled" = "true"
|
||||
}
|
||||
}
|
||||
|
|
@ -228,7 +228,6 @@ module "ingress" {
|
|||
port = 8080
|
||||
tls_secret_name = var.tls_secret_name
|
||||
skip_default_rate_limit = true
|
||||
exclude_crowdsec = true
|
||||
anti_ai_scraping = false
|
||||
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of
|
||||
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue