viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

traefik/crowdsec: remove dead plugin middleware reference (PR1/2) #8

Merged
viktor merged 2 commits from wizard/cs-deplugin-refs into master 2026-06-21 00:17:52 +00:00
Conversation 0 Commits 2 Files changed 12 +26 -46
viktor commented 2026-06-21 00:15:32 +00:00
Owner
Copy link

PR1 of 2: drop the dead crowdsec middleware reference from ingress_factory + 8 call sites + the unused variable. Triggers a full-cluster apply re-rendering every ingress. PR2 (delete the middleware CRD + plugin) must wait until this fully applies and zero live ingresses reference traefik-crowdsec@kubernetescrd.

PR1 of 2: drop the dead crowdsec middleware reference from ingress_factory + 8 call sites + the unused variable. Triggers a full-cluster apply re-rendering every ingress. PR2 (delete the middleware CRD + plugin) must wait until this fully applies and zero live ingresses reference traefik-crowdsec@kubernetescrd.
viktor added 1 commit 2026-06-21 00:15:32 +00:00 
The Traefik CrowdSec (Yaegi) bouncer plugin enforces nothing on Traefik 3.7.5
(handler never invoked) and is fully superseded by the cs-firewall-bouncer
(in-kernel nftables drop on direct hosts) + the Cloudflare IP-List/WAF rule
(proxied hosts). Drop the `traefik-crowdsec@kubernetescrd` middleware from the
ingress_factory chain and the 8 explicit `exclude_crowdsec = true` call sites,
and delete the now-unused `exclude_crowdsec` variable.

This is PR1 of a 2-phase removal: the reference is removed FIRST (a shared-module
change → full-cluster apply re-renders every ingress without the middleware) so
that PR2 can delete the `crowdsec` Middleware CRD + the plugin itself WITHOUT
leaving any ingress pointing at a missing middleware (which would error those
routers). PR2 MUST NOT land until this has fully applied and zero live ingresses
reference traefik-crowdsec@kubernetescrd.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
viktor added 1 commit 2026-06-21 00:17:42 +00:00 
The first PR1 commit only dropped the ingress_factory reference + the 8
exclude_crowdsec call sites. But the crowdsec middleware is ALSO hard-coded
(not via the variable) in 6 more ingresses that build their middleware chain by
hand: owntracks, the monitoring Helm values (grafana + prometheus +
alertmanager), and the reverse-proxy module + its own separate ingress factory.
Remove all 6 so that after the full-cluster apply NO live ingress references
traefik-crowdsec@kubernetescrd — the precondition for PR2 deleting the CRD.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
viktor merged commit a091689603 into master 2026-06-21 00:17:52 +00:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: viktor/infra#8
No description provided.
Delete branch "wizard/cs-deplugin-refs"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?