traefik/crowdsec: remove dead plugin middleware reference (PR1/2) #8
12 changed files with 26 additions and 46 deletions
|
|
@ -107,10 +107,6 @@ variable "custom_content_security_policy" {
|
||||||
type = string
|
type = string
|
||||||
default = null
|
default = null
|
||||||
}
|
}
|
||||||
variable "exclude_crowdsec" {
|
|
||||||
type = bool
|
|
||||||
default = false
|
|
||||||
}
|
|
||||||
variable "full_host" {
|
variable "full_host" {
|
||||||
type = string
|
type = string
|
||||||
default = null
|
default = null
|
||||||
|
|
@ -310,7 +306,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
||||||
"traefik-error-pages@kubernetescrd",
|
"traefik-error-pages@kubernetescrd",
|
||||||
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
var.skip_default_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
||||||
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
||||||
var.exclude_crowdsec ? null : "traefik-crowdsec@kubernetescrd",
|
|
||||||
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-ai-bot-block@kubernetescrd" : null,
|
||||||
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
|
local.effective_anti_ai ? "traefik-anti-ai-headers@kubernetescrd" : null,
|
||||||
local.auth_middleware,
|
local.auth_middleware,
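Review bot: Once `traefik-crowdsec@kubernetescrd` is gone from this middleware list, nothing here says where CrowdSec decisions are enforced for ingresses built by this module, while another section of this commit shows the CrowdSec stack still has a CronJob importing blocklists. A comment above the list, for example `# CrowdSec decisions are not enforced at Traefik; enforcement point: <PLACEHOLDER: name it>`, would make the remaining control explicit; the second `proxied-ingress` resource later in the commit (the one using `var.protected`) wants the same line. The first hunk of this file also deletes `variable "exclude_crowdsec"`, and Terraform rejects arguments a module does not declare, so any caller not cleaned up in this PR will fail at plan time. The resource block starts and ends outside the hunk.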
|
||||||
|
|
|
||||||
|
|
@ -211,7 +211,6 @@ module "ingress_public_outpost" {
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
dns_type = "proxied"
|
dns_type = "proxied"
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
exclude_crowdsec = true
|
|
||||||
homepage_enabled = false
|
homepage_enabled = false
|
||||||
depends_on = [authentik_outpost.public]
|
depends_on = [authentik_outpost.public]
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -82,13 +82,6 @@ module "ingress" {
|
||||||
service_name = "goauthentik-server"
|
service_name = "goauthentik-server"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
# Never let the in-cluster CrowdSec bouncer serve a Turnstile/captcha
|
|
||||||
# interstitial or 403 on Authentik's own login + WebAuthn XHR endpoints — that
|
|
||||||
# walls users out of the very gate they authenticate through (a CrowdSec hit
|
|
||||||
# would break the passkey ceremony / session refresh mid-flow). Auth keeps
|
|
||||||
# Traefik rate-limiting; the Cloudflare edge WAF also carves out this host
|
|
||||||
# (stacks/rybbit/crowdsec_edge.tf). 2026-06-20.
|
|
||||||
exclude_crowdsec = true
|
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Authentik"
|
"gethomepage.dev/name" = "Authentik"
|
||||||
|
|
@ -116,7 +109,6 @@ module "ingress-outpost" {
|
||||||
ingress_path = ["/outpost.goauthentik.io"]
|
ingress_path = ["/outpost.goauthentik.io"]
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
exclude_crowdsec = true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Immutable caching for the flow-executor static assets. Authentik serves
|
# Immutable caching for the flow-executor static assets. Authentik serves
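Review bot: The comment block deleted from `module "ingress"` was the only place in this section explaining why Authentik's login and WebAuthn endpoints must never receive a captcha interstitial or 403, and it pointed at the Cloudflare edge WAF carve-out in `stacks/rybbit/crowdsec_edge.tf`. If that edge carve-out still exists, the reasoning applies to it unchanged, and losing the note makes it easy for someone to tighten the edge rule later and break the passkey ceremony. I would keep a trimmed comment next to `anti_ai_scraping = false`, for example `# Login + WebAuthn endpoints must never get a captcha/403; edge WAF carve-out: stacks/rybbit/crowdsec_edge.tf`. Both module blocks start and end outside the hunks.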
|
||||||
|
|
|
||||||
|
|
@ -528,7 +528,6 @@ module "ingress" {
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
# auth = "none": Dolt Workbench is client-side encrypted task database; no backend user auth required; Anubis PoW fronts ingress.
|
||||||
auth = "none"
|
auth = "none"
|
||||||
exclude_crowdsec = true
|
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Dolt Workbench"
|
"gethomepage.dev/name" = "Dolt Workbench"
|
||||||
|
|
@ -798,7 +797,6 @@ module "beadboard_ingress" {
|
||||||
name = "beadboard"
|
name = "beadboard"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
auth = "required"
|
auth = "required"
|
||||||
exclude_crowdsec = true
|
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "BeadBoard"
|
"gethomepage.dev/name" = "BeadBoard"
|
||||||
|
|
|
||||||
|
|
@ -309,7 +309,6 @@ module "ingress" {
|
||||||
name = "crowdsec-web"
|
name = "crowdsec-web"
|
||||||
auth = "required"
|
auth = "required"
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
exclude_crowdsec = true
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# CronJob to import public blocklists into CrowdSec
|
# CronJob to import public blocklists into CrowdSec
|
||||||
|
|
|
||||||
|
|
@ -301,7 +301,6 @@ module "ingress" {
|
||||||
service_name = module.anubis.service_name
|
service_name = module.anubis.service_name
|
||||||
port = module.anubis.service_port
|
port = module.anubis.service_port
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
exclude_crowdsec = true
|
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
extra_middlewares = ["traefik-x402@kubernetescrd"]
|
extra_middlewares = ["traefik-x402@kubernetescrd"]
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
|
|
|
||||||
|
|
@ -32,7 +32,7 @@ ingress:
|
||||||
enabled: "true"
|
enabled: "true"
|
||||||
ingressClassName: "traefik"
|
ingressClassName: "traefik"
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||||
gethomepage.dev/enabled: "true"
|
gethomepage.dev/enabled: "true"
|
||||||
gethomepage.dev/name: "Grafana"
|
gethomepage.dev/name: "Grafana"
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ alertmanager:
|
||||||
enabled: true
|
enabled: true
|
||||||
ingressClassName: "traefik"
|
ingressClassName: "traefik"
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||||
gethomepage.dev/enabled: "true"
|
gethomepage.dev/enabled: "true"
|
||||||
gethomepage.dev/name: "Alertmanager"
|
gethomepage.dev/name: "Alertmanager"
|
||||||
|
|
@ -399,7 +399,7 @@ server:
|
||||||
enabled: true
|
enabled: true
|
||||||
ingressClassName: "traefik"
|
ingressClassName: "traefik"
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
traefik.ingress.kubernetes.io/router.middlewares: "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||||
|
|
||||||
gethomepage.dev/enabled: "true"
|
gethomepage.dev/enabled: "true"
|
||||||
|
|
|
||||||
|
|
@ -249,7 +249,7 @@ module "ingress" {
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
port = 80
|
port = 80
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
"traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
|
"traefik.ingress.kubernetes.io/router.middlewares" = "owntracks-basic-auth@kubernetescrd,traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd"
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "OwnTracks"
|
"gethomepage.dev/name" = "OwnTracks"
|
||||||
"gethomepage.dev/description" = "Location tracking"
|
"gethomepage.dev/description" = "Location tracking"
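Review bot: After this edit `traefik-rate-limit@kubernetescrd` is the only throttling middleware left in the chain with `owntracks-basic-auth@kubernetescrd`, and the chain is a hand-written string in `extra_annotations`. Basic-auth endpoints attract password guessing, so it is worth recording what bounds repeated failures, e.g. `# basic-auth guessing is bounded by traefik-rate-limit only; CrowdSec is not enforced at Traefik`. If the removed middleware was already inert this changes nothing at runtime, but the comment keeps the assumption visible for whoever next relaxes the rate limit. The module block continues outside the hunk.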
|
||||||
|
|
|
||||||
|
|
@ -228,7 +228,6 @@ module "ingress" {
|
||||||
port = 8080
|
port = 8080
|
||||||
tls_secret_name = var.tls_secret_name
|
tls_secret_name = var.tls_secret_name
|
||||||
skip_default_rate_limit = true
|
skip_default_rate_limit = true
|
||||||
exclude_crowdsec = true
|
|
||||||
anti_ai_scraping = false
|
anti_ai_scraping = false
|
||||||
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of
|
# Deployment is scaled to 0 (see replicas above). Opt the ingress out of
|
||||||
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned
|
# Uptime Kuma external monitoring so the sync CronJob deletes the orphaned
|
||||||
|
|
|
||||||
|
|
@ -211,7 +211,6 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
|
||||||
"traefik-retry@kubernetescrd",
|
"traefik-retry@kubernetescrd",
|
||||||
var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
var.skip_global_rate_limit ? null : "traefik-rate-limit@kubernetescrd",
|
||||||
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
var.custom_content_security_policy == null ? "traefik-csp-headers@kubernetescrd" : null,
|
||||||
"traefik-crowdsec@kubernetescrd",
|
|
||||||
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
var.protected ? "traefik-authentik-forward-auth@kubernetescrd" : null,
|
||||||
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
|
var.strip_auth_headers ? "traefik-strip-auth-headers@kubernetescrd" : null,
|
||||||
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
|
var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
|
||||||
|
|
|
||||||
|
|
@ -163,7 +163,7 @@ module "docker-registry-ui" {
|
||||||
depends_on = [kubernetes_namespace.reverse-proxy]
|
depends_on = [kubernetes_namespace.reverse-proxy]
|
||||||
extra_annotations = {
|
extra_annotations = {
|
||||||
# Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
|
# Override middleware chain to remove rate-limit; the UI fires many API calls to list repos/tags
|
||||||
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-csp-headers@kubernetescrd,traefik-authentik-forward-auth@kubernetescrd"
|
||||||
"gethomepage.dev/enabled" = "true"
|
"gethomepage.dev/enabled" = "true"
|
||||||
"gethomepage.dev/name" = "Docker Registry"
|
"gethomepage.dev/name" = "Docker Registry"
|
||||||
"gethomepage.dev/description" = "Container registry"
|
"gethomepage.dev/description" = "Container registry"
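Review bot: The comment above this annotation still says the override exists only to drop rate-limit, but the chain is now `traefik-csp-headers@kubernetescrd` plus `traefik-authentik-forward-auth@kubernetescrd`, which leaves forward-auth as the only middleware gating requests to the registry UI. I would update the comment to say so, e.g. `# Override chain: no rate-limit (UI fires many API calls); forward-auth is the only request gate`. Because the comment describes this string as an override of the chain, it presumably will not pick up middlewares added to the shared ingress module later, which is worth a word in the same comment. The module block continues outside the hunk.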
|
||||||
|
|
|
||||||