From dd029ca7fbcd6973236b5dbdea1a7f237bfe0a3c Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Fri, 19 Jun 2026 17:43:30 +0000
Subject: [PATCH] traefik/crowdsec: switch bouncer to live mode (stream cache doesn't enforce under Yaegi)

After bumping to v1.6.0 (stream goroutine runs) and disabling redis (in-memory cache), the plugin logs `handleStreamCache:updated` but still does NOT enforce: a ban present in the LAPI stream AND pulled by the plugin still let the banned IP through. Stream-mode decision matching is unreliable under Traefik's Yaegi interpreter here. Switch crowdsecMode stream->live: the plugin queries LAPI synchronously per request (result cached per-IP for defaultDecisionSeconds), which enforces reliably and picks up new decisions immediately. LAPI is 3-replica + in-cluster so per-request latency is small; fail-open preserved (updateMaxFailure=-1).

Co-Authored-By: Claude Opus 4.8
---
 stacks/traefik/modules/traefik/middleware.tf | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/stacks/traefik/modules/traefik/middleware.tf b/stacks/traefik/modules/traefik/middleware.tf
index 1837a794..9b9709c7 100644
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@@ -197,8 +197,16 @@ resource "kubernetes_manifest" "middleware_crowdsec" {
 crowdsec-bouncer = {
 crowdsecLapiKey = var.crowdsec_api_key
 crowdsecLapiHost = "crowdsec-service.crowdsec.svc.cluster.local:8080"
- crowdsecMode = "stream"
- updateMaxFailure = -1 # fail-open: serve from cache when LAPI is unreachable
+ # LIVE mode (synchronous per-request LAPI query), not stream: under
+ # Traefik's Yaegi interpreter the plugin's stream cache updates (it logs
+ # `handleStreamCache:updated`) but does NOT enforce the cached decisions
+ # — verified by a ban that was present in the LAPI stream AND pulled by
+ # the plugin yet still let the banned IP through. Live mode queries LAPI
+ # per request (result cached per-IP for defaultDecisionSeconds), enforces
+ # reliably, and picks up new decisions immediately. LAPI is 3-replica +
+ # in-cluster; fail-open preserved via updateMaxFailure=-1.
+ crowdsecMode = "live"
+ updateMaxFailure = -1 # fail-open if LAPI is unreachable
 # Redis cache DISABLED: the plugin's redis client does not work under
 # Traefik's Yaegi interpreter — it logs `cache:unreachable` even though
 # redis-master is reachable+writable from the traefik ns (verified). With
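Review bot: The new comment's claim that live mode "picks up new decisions immediately" is contradicted by the per-IP cache it describes two lines earlier: an IP whose last lookup returned no decision stays allowed until its cached verdict expires, and nothing in this hunk sets `defaultDecisionSeconds`, so that window is whatever the plugin's default happens to be. Pin it explicitly beside `crowdsecMode = "live"` and state what it bounds, e.g. `defaultDecisionSeconds = 60 # per-IP verdict TTL in live mode: upper bound on how long a freshly banned IP is still served`, choosing the value deliberately rather than inheriting it. Live mode also makes LAPI load scale with the number of distinct client IPs, and with `updateMaxFailure = -1` there is no stream snapshot to fall back on, so a degraded or unreachable LAPI means any IP without a cached verdict is let through; that trade-off is worth a line, e.g. `# fail-open + live: if LAPI is down or overloaded, uncached IPs are NOT checked — availability over enforcement`. The enclosing `resource "kubernetes_manifest" "middleware_crowdsec"` block begins before and ends after this hunk.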