viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

traefik/crowdsec: remove dead Yaegi-plugin middleware reference (PR1/2)

Browse source 
The Traefik CrowdSec (Yaegi) bouncer plugin enforces nothing on Traefik 3.7.5
(handler never invoked) and is fully superseded by the cs-firewall-bouncer
(in-kernel nftables drop on direct hosts) + the Cloudflare IP-List/WAF rule
(proxied hosts). Drop the `traefik-crowdsec@kubernetescrd` middleware from the
ingress_factory chain and the 8 explicit `exclude_crowdsec = true` call sites,
and delete the now-unused `exclude_crowdsec` variable.

This is PR1 of a 2-phase removal: the reference is removed FIRST (a shared-module
change → full-cluster apply re-renders every ingress without the middleware) so
that PR2 can delete the `crowdsec` Middleware CRD + the plugin itself WITHOUT
leaving any ingress pointing at a missing middleware (which would error those
routers). PR2 MUST NOT land until this has fully applied and zero live ingresses
reference traefik-crowdsec@kubernetescrd.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin 2026-06-21 00:15:12 +00:00
parent 9774ae3d19
commit 84a18a5529
7 changed files with 15 additions and 34 deletions
Download patch file Download diff file Expand all files Collapse all files

5
modules/kubernetes/ingress_factory/main.tf
View file

@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
type = string type = string
default = null default = null
} }
variable "exclude_crowdsec" {
type = bool
default = false
}
variable "full_host" { variable "full_host" {
type = string type = string
default = null default = null
@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"traefik-error-pages@kubernetescrd", "traefik-error-pages@kubernetescrd",
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd", var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null, var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null, local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null, local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
local.auth_middleware, local.auth_middleware,

1
stacks/authentik/guest.tf
View file

@ -211,7 +211,6 @@ module "ingress_public_outpost" {
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
dns_type = "proxied" dns_type = "proxied"
anti_ai_scraping = false anti_ai_scraping = false
exclude_crowdsec = true
homepage_enabled = false homepage_enabled = false
depends_on = [authentik_outpost.public] depends_on = [authentik_outpost.public]
} }

8
stacks/authentik/modules/authentik/main.tf
View file

@ -82,13 +82,6 @@ module "ingress" {
service_name = "goauthentik-server" service_name = "goauthentik-server"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
anti_ai_scraping = false anti_ai_scraping = false
# Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
# interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints that
# walls users out of the very gate they authenticate through (a CrowdSec hit
# would break the passkey ceremony / session refresh mid-flow). Auth keeps
# Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
# (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
exclude_crowdsec = true
extra_annotations = { extra_annotations = {
"gethomepage.dev/enabled" = "true" "gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Authentik" "gethomepage.dev/name" = "Authentik"
@ -116,7 +109,6 @@ module "ingress-outpost" {
ingress_path = ["/outpost.goauthentik.io"] ingress_path = ["/outpost.goauthentik.io"]
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
anti_ai_scraping = false anti_ai_scraping = false
exclude_crowdsec = true
} }
# Immutable caching for the flow-executor static assets. Authentik serves # Immutable caching for the flow-executor static assets. Authentik serves

16
stacks/beads-server/main.tf
View file

@ -527,8 +527,7 @@ module "ingress" {
name = "dolt-workbench" name = "dolt-workbench"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress. # auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
auth = "none" auth = "none"
exclude_crowdsec = true
extra_annotations = { extra_annotations = {
"gethomepage.dev/enabled" = "true" "gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Dolt Workbench" "gethomepage.dev/name" = "Dolt Workbench"
@ -792,13 +791,12 @@ resource "kubernetes_service" "beadboard" {
} }
module "beadboard_ingress" { module "beadboard_ingress" {
source = "../../modules/kubernetes/ingress_factory" source = "../../modules/kubernetes/ingress_factory"
dns_type = "proxied" dns_type = "proxied"
namespace = kubernetes_namespace.beads.metadata[0].name namespace = kubernetes_namespace.beads.metadata[0].name
name = "beadboard" name = "beadboard"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
auth = "required" auth = "required"
exclude_crowdsec = true
extra_annotations = { extra_annotations = {
"gethomepage.dev/enabled" = "true" "gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "BeadBoard" "gethomepage.dev/name" = "BeadBoard"

13
stacks/crowdsec/modules/crowdsec/main.tf
View file

@ -303,13 +303,12 @@ resource "kubernetes_service" "crowdsec-web" {
} }
} }
module "ingress" { module "ingress" {
source = "../../../../modules/kubernetes/ingress_factory" source = "../../../../modules/kubernetes/ingress_factory"
dns_type = "proxied" dns_type = "proxied"
namespace = kubernetes_namespace.crowdsec.metadata[0].name namespace = kubernetes_namespace.crowdsec.metadata[0].name
name = "crowdsec-web" name = "crowdsec-web"
auth = "required" auth = "required"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
exclude_crowdsec = true
} }
# CronJob to import public blocklists into CrowdSec # CronJob to import public blocklists into CrowdSec

1
stacks/f1-stream/main.tf
View file

@ -301,7 +301,6 @@ module "ingress" {
service_name = module.anubis.service_name service_name = module.anubis.service_name
port = module.anubis.service_port port = module.anubis.service_port
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
exclude_crowdsec = true
anti_ai_scraping = false anti_ai_scraping = false
extra_middlewares = ["traefik-x402@kubernetescrd"] extra_middlewares = ["traefik-x402@kubernetescrd"]
extra_annotations = { extra_annotations = {

5
stacks/poison-fountain/main.tf
View file

@ -9,8 +9,8 @@ resource "kubernetes_namespace" "poison_fountain" {
metadata { metadata {
name = "poison-fountain" name = "poison-fountain"
labels = { labels = {
"istio-injection" = "disabled" "istio-injection" = "disabled"
tier = local.tiers.cluster tier = local.tiers.cluster
"keel.sh/enrolled" = "true" "keel.sh/enrolled" = "true"
} }
} }
@ -228,7 +228,6 @@ module "ingress" {
port = 8080 port = 8080
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
skip_default_rate_limit = true skip_default_rate_limit = true
exclude_crowdsec = true
anti_ai_scraping = false anti_ai_scraping = false
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of # Deployment is scaled to 0 (see replicas above). Opt the ingress out of
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned # Uptime Kuma external monitoring so the sync CronJob deletes the orphaned