From d19ede0559d633e68f6d84db993ad04d73edf65e Mon Sep 17 00:00:00 2001
From: Davide Piu
Date: Thu, 19 Feb 2026 23:53:00 +0000
Subject: [PATCH] feat: enable CrowdSec Traefik bouncer on all ingresses

- Add Traefik plugin via HelmChartConfig (crowdsec-bouncer-traefik-plugin)
- Create bouncer Middleware in stream mode
- Apply bouncer to all public ingresses
- IPs flagged by CrowdSec will now be blocked at Traefik level
---
 clusters/lab/apps/gatus.yaml | 2 +-
 clusters/lab/apps/podinfo.yaml | 2 +-
 clusters/lab/apps/vaultwarden.yaml | 2 +-
 .../lab/infrastructure/traefik-crowdsec.yaml | 29 +++++++++++++++++++
 clusters/lab/infrastructure/weave-gitops.yaml | 2 +-
 clusters/lab/security/authelia.yaml | 2 +-
 6 files changed, 34 insertions(+), 5 deletions(-)
 create mode 100644 clusters/lab/infrastructure/traefik-crowdsec.yaml

diff --git a/clusters/lab/apps/gatus.yaml b/clusters/lab/apps/gatus.yaml
index 3cdcdf5..f96a52d 100644
--- a/clusters/lab/apps/gatus.yaml
+++ b/clusters/lab/apps/gatus.yaml
@@ -43,7 +43,7 @@ spec:
 ingressClassName: traefik
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 hosts:
 - status.davidepiu.xyz
 tls:
diff --git a/clusters/lab/apps/podinfo.yaml b/clusters/lab/apps/podinfo.yaml
index 3f1b304..f16a90b 100644
--- a/clusters/lab/apps/podinfo.yaml
+++ b/clusters/lab/apps/podinfo.yaml
@@ -47,7 +47,7 @@ metadata:
 namespace: podinfo
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
 ingressClassName: traefik
 rules:
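Review bot: The new `default-crowdsec-bouncer@kubernetescrd` entry on the `router.middlewares` annotation is only useful if the plugin sees the real client address; if Traefik is reached through a LoadBalancer or NAT without proxy protocol or a trusted `X-Forwarded-For`, every request carries the same upstream IP and a single CrowdSec ban would block all visitors (or none of them). The Middleware added in this commit sets neither `forwardedHeadersTrustedIPs` nor `clientTrustedIPs`, so confirm how client IPs arrive at Traefik in this cluster before relying on the bouncer, and add the appropriate trusted-IP list to the Middleware if a proxy sits in front. Placing the bouncer ahead of `default-authelia-forwardauth` is the right order, since banned IPs are rejected before a forward-auth round trip. The enclosing Helm values block starts and ends outside the hunk.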
diff --git a/clusters/lab/apps/vaultwarden.yaml b/clusters/lab/apps/vaultwarden.yaml
index 3a185f6..a47fb86 100644
--- a/clusters/lab/apps/vaultwarden.yaml
+++ b/clusters/lab/apps/vaultwarden.yaml
@@ -45,7 +45,7 @@ spec:
 nginxIngressAnnotations: false
 additionalAnnotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
 hostname: vault.davidepiu.xyz
 tls: true
 tlsSecret: vaultwarden-tls
diff --git a/clusters/lab/infrastructure/traefik-crowdsec.yaml b/clusters/lab/infrastructure/traefik-crowdsec.yaml
new file mode 100644
index 0000000..f48a268
--- /dev/null
+++ b/clusters/lab/infrastructure/traefik-crowdsec.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+ name: traefik
+ namespace: kube-system
+spec:
+ valuesContent: |-
+ experimental:
+ plugins:
+ crowdsec-bouncer:
+ moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+ version: v1.4.5
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: crowdsec-bouncer
+ namespace: default
+spec:
+ plugin:
+ crowdsec-bouncer:
+ enabled: true
+ crowdsecMode: stream
+ updateIntervalSeconds: 15
+ defaultDecisionSeconds: 60
+ crowdsecLapiHost: crowdsec-crowdsec-lapi.crowdsec.svc.cluster.local:8080
+ crowdsecLapiKey: mDDWNQz36B/PPTbsN/QlqSmylJjW+poyWWu3Ws8GVoM
+ crowdsecLapiScheme: http
diff --git a/clusters/lab/infrastructure/weave-gitops.yaml b/clusters/lab/infrastructure/weave-gitops.yaml
index 44cf3f2..a5fc330 100644
--- a/clusters/lab/infrastructure/weave-gitops.yaml
+++ b/clusters/lab/infrastructure/weave-gitops.yaml
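Review bot: `crowdsecLapiKey` on the new Middleware commits a live LAPI bouncer key in plaintext to the repository Flux reconciles, so it is now in Git history for anyone with repo access; treat that key as compromised, rotate it (`cscli bouncers delete` / `cscli bouncers add`), and keep the replacement out of the manifest. If I recall the plugin's option set correctly it can read the key from a file (`crowdsecLapiKeyFile`) mounted from a Kubernetes Secret into the Traefik pod via this same HelmChartConfig, or the value can be encrypted with SOPS/SealedSecrets if the repo already uses them — the secrets setup is not visible from this diff. `crowdsecLapiScheme: http` also sends that key in cleartext on the pod network, which is tolerable in-cluster only if that traffic is otherwise restricted (NetworkPolicy or mesh); otherwise point `crowdsecLapiHost` at the LAPI's TLS listener. Pinning `version: v1.4.5` is good, but note Traefik fetches the plugin from the public plugin catalog at startup, so Traefik needs egress to it and a comment such as `# Pulled from plugins.traefik.io at Traefik start; bump deliberately and review the upstream changelog` would make that supply-chain dependency explicit.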
@@ -64,7 +64,7 @@ metadata:
 namespace: flux-system
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
 ingressClassName: traefik
 rules:
diff --git a/clusters/lab/security/authelia.yaml b/clusters/lab/security/authelia.yaml
index d48074f..26f849d 100644
--- a/clusters/lab/security/authelia.yaml
+++ b/clusters/lab/security/authelia.yaml
@@ -53,7 +53,7 @@ spec:
 className: traefik
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
 tls:
 enabled: true
 secret: authelia-tls
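Review bot: Referencing `default-crowdsec-bouncer@kubernetescrd` from the Authelia ingress ties the auth portal's availability to the plugin being loaded: as far as I know Traefik disables a router whose middleware cannot be resolved, so if the HelmChartConfig has not been applied and Traefik restarted before this Middleware reconciles, this host — and through forwardauth every host behind it — goes down rather than failing open. Consider ordering the rollout so the plugin change lands first (for example a Flux `dependsOn` from the app Kustomizations to the infrastructure one), and add a comment in the Middleware file such as `# Requires the crowdsec-bouncer plugin from the traefik HelmChartConfig; Traefik must restart to load it`. The enclosing Helm values block starts and ends outside the hunk.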