viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[ci skip] add graceful degradation to CrowdSec bouncer middleware

Browse source 
P0: Set updateMaxFailure=-1 (fail-open)
  Previously defaulted to 0 which blocked ALL traffic on first LAPI
  failure. Now serves from cached decisions when LAPI is unreachable.

P1: Enable Redis cache for CrowdSec decisions
  Decisions are now shared across all 3 Traefik replicas and survive
  pod restarts. redisCacheUnreachableBlock=false prevents Redis from
  becoming another SPOF.

P1: Add clientTrustedIPs for internal cluster traffic
  Node CIDR (10.0.20.0/24) and pod CIDR (10.10.0.0/16) bypass
  CrowdSec entirely, preventing internal cascade failures.
This commit is contained in:
Viktor Barzin 2026-03-01 02:36:53 +00:00
parent cd5d76fb33
commit a76c72042e
No known key found for this signature in database
GPG key ID: 0EB088298288D958
3 changed files with 10 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
stacks/platform/main.tf
View file

@ -162,6 +162,7 @@ module "traefik" {
source = "./modules/traefik"
tier = local.tiers.core
crowdsec_api_key = var.ingress_crowdsec_api_key
redis_host = var.redis_host
tls_secret_name = var.tls_secret_name
}