traefik/crowdsec: remove dead Yaegi-plugin middleware reference (PR1/2)

The Traefik CrowdSec (Yaegi) bouncer plugin enforces nothing on Traefik 3.7.5 (handler never invoked) and is fully superseded by the cs-firewall-bouncer (in-kernel nftables drop on direct hosts) + the Cloudflare IP-List/WAF rule (proxied hosts). Drop the `traefik-crowdsec@kubernetescrd` middleware from the ingress_factory chain and the 8 explicit `exclude_crowdsec = true` call sites, and delete the now-unused `exclude_crowdsec` variable. This is PR1 of a 2-phase removal: the reference is removed FIRST (a shared-module change → full-cluster apply re-renders every ingress without the middleware) so that PR2 can delete the `crowdsec` Middleware CRD + the plugin itself WITHOUT leaving any ingress pointing at a missing middleware (which would error those routers). PR2 MUST NOT land until this has fully applied and zero live ingresses reference traefik-crowdsec@kubernetescrd. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-21 00:15:12 +00:00 · 2026-06-21 00:15:12 +00:00 · 84a18a5529
commit 84a18a5529
parent 9774ae3d19
7 changed files with 15 additions and 34 deletions
--- a/stacks/authentik/guest.tf
+++ b/stacks/authentik/guest.tf
@ -211,7 +211,6 @@ module "ingress_public_outpost" {
  tls_secret_name  = var.tls_secret_name
  dns_type         = "proxied"
  anti_ai_scraping = false
-  exclude_crowdsec = true
  homepage_enabled = false
  depends_on       = [authentik_outpost.public]
 }
--- a/stacks/authentik/modules/authentik/main.tf
+++ b/stacks/authentik/modules/authentik/main.tf
@ -82,13 +82,6 @@ module "ingress" {
  service_name     = "goauthentik-server"
  tls_secret_name  = var.tls_secret_name
  anti_ai_scraping = false
-  # Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
-  # interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that
-  # walls users out of the very gate they authenticate through (a CrowdSec hit
-  # would break the passkey ceremony / session refresh mid-flow). Auth keeps
-  # Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
-  # (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
-  exclude_crowdsec = true
  extra_annotations = {
    "gethomepage.dev/enabled"      = "true"
    "gethomepage.dev/name"         = "Authentik"
@ -116,7 +109,6 @@ module "ingress-outpost" {
  ingress_path     = ["/outpost.goauthentik.io"]
  tls_secret_name  = var.tls_secret_name
  anti_ai_scraping = false
-  exclude_crowdsec = true
 }

 # Immutable caching for the flow-executor static assets. Authentik serves