traefik/crowdsec: switch bouncer to live mode (stream cache doesn't enforce under Yaegi)

After bumping to v1.6.0 (stream goroutine runs) and disabling redis (in-memory cache), the plugin logs `handleStreamCache:updated` but still does NOT enforce: a ban present in the LAPI stream AND pulled by the plugin still let the banned IP through. Stream-mode decision matching is unreliable under Traefik's Yaegi interpreter here. Switch crowdsecMode stream->live: the plugin queries LAPI synchronously per request (result cached per-IP for defaultDecisionSeconds), which enforces reliably and picks up new decisions immediately. LAPI is 3-replica + in-cluster so per-request latency is small; fail-open preserved (updateMaxFailure=-1). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
traefik/crowdsec: disable bouncer redis cache (broken under Yaegi → in-memory)
2026-06-19 17:49:26 +00:00 · 2026-06-19 17:49:26 +00:00 · 2026-06-19 17:49:26 +00:00
2 changed files with 23 additions and 9 deletions
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@ -101,12 +101,12 @@ resource "helm_release" "traefik" {
          "set -e; ",
          "STORAGE=/plugins-storage; ",
          "mkdir -p \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\"; ",
-          "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.4.2.zip\" ",
-          "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.4.2.zip\"; ",
+          "wget -q -T 30 -O \"$STORAGE/archives/github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/v1.6.0.zip\" ",
+          "\"https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/archive/refs/tags/v1.6.0.zip\"; ",
          "mkdir -p \"$STORAGE/archives/github.com/Aetherinox/traefik-api-token-middleware\"; ",
          "wget -q -T 30 -O \"$STORAGE/archives/github.com/Aetherinox/traefik-api-token-middleware/v0.1.4.zip\" ",
          "\"https://github.com/Aetherinox/traefik-api-token-middleware/archive/refs/tags/v0.1.4.zip\"; ",
-          "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.4.2\",\"github.com/Aetherinox/traefik-api-token-middleware\":\"v0.1.4\"}' ",
+          "printf '{\"github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin\":\"v1.6.0\",\"github.com/Aetherinox/traefik-api-token-middleware\":\"v0.1.4\"}' ",
          "> \"$STORAGE/archives/state.json\"; ",
          "echo \"Plugins pre-downloaded successfully\"",
        ])]
@ -232,7 +232,7 @@ resource "helm_release" "traefik" {
      plugins = {
        crowdsec-bouncer = {
          moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-          version    = "v1.4.2"
+          version    = "v1.6.0"
        }
        # Static-token bearer/header auth middleware. Used by services that
        # need gateway-level API-key/bearer enforcement without app-layer auth
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@ -197,11 +197,25 @@ resource "kubernetes_manifest" "middleware_crowdsec" {
        crowdsec-bouncer = {
          crowdsecLapiKey            = var.crowdsec_api_key
          crowdsecLapiHost           = "crowdsec-service.crowdsec.svc.cluster.local:8080"
-          crowdsecMode               = "stream"
-          updateMaxFailure           = -1 # fail-open: serve from cache when LAPI is unreachable
-          redisCacheEnabled          = true
-          redisCacheHost             = var.redis_host
-          redisCacheUnreachableBlock = false                            # don't block traffic if Redis is also unreachable
+          # LIVE mode (synchronous per-request LAPI query), not stream: under
+          # Traefik's Yaegi interpreter the plugin's stream cache updates (it logs
+          # `handleStreamCache:updated`) but does NOT enforce the cached decisions
+          # — verified by a ban that was present in the LAPI stream AND pulled by
+          # the plugin yet still let the banned IP through. Live mode queries LAPI
+          # per request (result cached per-IP for defaultDecisionSeconds), enforces
+          # reliably, and picks up new decisions immediately. LAPI is 3-replica +
+          # in-cluster; fail-open preserved via updateMaxFailure=-1.
+          crowdsecMode               = "live"
+          updateMaxFailure           = -1 # fail-open if LAPI is unreachable
+          # Redis cache DISABLED: the plugin's redis client does not work under
+          # Traefik's Yaegi interpreter — it logs `cache:unreachable` even though
+          # redis-master is reachable+writable from the traefik ns (verified). With
+          # the redis cache enabled + redisCacheUnreachableBlock=false the bouncer
+          # therefore failed open and enforced nothing. In-memory cache (the
+          # default when disabled) holds the streamed decision set per-pod and
+          # works under Yaegi. Trade-off: captcha "already-solved" grace is
+          # per-pod across the 3 Traefik replicas (at worst an occasional re-solve).
+          redisCacheEnabled          = false
          clientTrustedIPs           = ["10.0.20.0/24", "10.10.0.0/16"] # node + pod CIDRs bypass CrowdSec
          # Captcha remediation: serve a Cloudflare Turnstile challenge for
          # `captcha`-type LAPI decisions instead of falling through to a 403