crowdsec: register the Traefik bouncer with LAPI (fix fail-open)
All checks were successful
ci/woodpecker/push/default Pipeline was successful
All checks were successful
ci/woodpecker/push/default Pipeline was successful
The Traefik bouncer plugin's API key was never registered with LAPI — the crowdsec stack reads many keys from Vault but not ingress_crowdsec_api_key, and the chart registers no bouncer. So LAPI returned 403 to the plugin, which with updateMaxFailure=-1 failed open and enforced NOTHING: no community-blocklist bans, and the (now-Turnstile-wired) captcha never fired. cscli bouncers list was empty; the registration was likely lost in the MySQL->PostgreSQL DB migration with no IaC to recreate it. Seed the bouncer at LAPI startup via BOUNCER_KEY_traefik, valued from the same Vault key the middleware presents — so they match by construction, and the bouncer re-registers automatically on every LAPI start (survives DB wipes). - stacks/crowdsec/main.tf: read ingress_crowdsec_api_key, pass to module. - module main.tf: new sensitive var + thread into the values templatefile. - values.yaml: BOUNCER_KEY_traefik on lapi.env. - docs/architecture/security.md: document registration + fail-open history and the proxied-app coverage caveat. Activates enforcement (community blocklist bans + captcha) on non-proxied apps; internal IPs stay bypassed (clientTrustedIPs), fail-open-on-LAPI-down preserved. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Viktor Barzin
parent
56dadda453
commit
a5bb4db9c5
4 changed files with 28 additions and 1 deletions
|
|
@ -126,6 +126,15 @@ lapi:
|
|||
secretKeyRef:
|
||||
name: crowdsec-lapi-secrets
|
||||
key: dbPassword
|
||||
# Register the Traefik bouncer at LAPI startup with the SAME API key the
|
||||
# traefik-stack middleware uses (Vault `ingress_crowdsec_api_key`). Before
|
||||
# this the bouncer was never registered → LAPI returned 403 → the plugin
|
||||
# failed open (updateMaxFailure=-1) and enforced NOTHING (no bans, no
|
||||
# captcha). Idempotent across the 3 LAPI replicas / restarts, and
|
||||
# re-registers automatically if the LAPI DB is ever wiped (the root cause:
|
||||
# the prior manual registration was lost in the MySQL→PostgreSQL migration).
|
||||
- name: BOUNCER_KEY_traefik
|
||||
value: "${INGRESS_CROWDSEC_API_KEY}"
|
||||
dashboard:
|
||||
enabled: true
|
||||
env:
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue