feat: enable CrowdSec Traefik bouncer on all ingresses

- Add Traefik plugin via HelmChartConfig (crowdsec-bouncer-traefik-plugin) - Create bouncer Middleware in stream mode - Apply bouncer to all public ingresses - IPs flagged by CrowdSec will now be blocked at Traefik level
2026-02-19 23:53:00 +00:00
parent d628dd2c67
commit d19ede0559
6 changed files with 34 additions and 5 deletions
--- a/clusters/lab/apps/gatus.yaml
+++ b/clusters/lab/apps/gatus.yaml
@@ -43,7 +43,7 @@ spec:
      ingressClassName: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
-        traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
+        traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
      hosts:
      - status.davidepiu.xyz
      tls:
--- a/clusters/lab/apps/podinfo.yaml
+++ b/clusters/lab/apps/podinfo.yaml
@@ -47,7 +47,7 @@ metadata:
  namespace: podinfo
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
  ingressClassName: traefik
  rules:
--- a/clusters/lab/apps/vaultwarden.yaml
+++ b/clusters/lab/apps/vaultwarden.yaml
@@ -45,7 +45,7 @@ spec:
      nginxIngressAnnotations: false
      additionalAnnotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
-        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+        traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
      hostname: vault.davidepiu.xyz
      tls: true
      tlsSecret: vaultwarden-tls
--- a/clusters/lab/infrastructure/traefik-crowdsec.yaml
+++ b/clusters/lab/infrastructure/traefik-crowdsec.yaml
@@ -0,0 +1,29 @@
 ---
 apiVersion: helm.cattle.io/v1
 kind: HelmChartConfig
 metadata:
  name: traefik
  namespace: kube-system
 spec:
  valuesContent: |-
    experimental:
      plugins:
        crowdsec-bouncer:
          moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
          version: v1.4.5
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: crowdsec-bouncer
  namespace: default
 spec:
  plugin:
    crowdsec-bouncer:
      enabled: true
      crowdsecMode: stream
      updateIntervalSeconds: 15
      defaultDecisionSeconds: 60
      crowdsecLapiHost: crowdsec-crowdsec-lapi.crowdsec.svc.cluster.local:8080
      crowdsecLapiKey: mDDWNQz36B/PPTbsN/QlqSmylJjW+poyWWu3Ws8GVoM
      crowdsecLapiScheme: http
--- a/clusters/lab/infrastructure/weave-gitops.yaml
+++ b/clusters/lab/infrastructure/weave-gitops.yaml
@@ -64,7 +64,7 @@ metadata:
  namespace: flux-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
-    traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
+    traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
  ingressClassName: traefik
  rules:
--- a/clusters/lab/security/authelia.yaml
+++ b/clusters/lab/security/authelia.yaml
@@ -53,7 +53,7 @@ spec:
      className: traefik
      annotations:
        cert-manager.io/cluster-issuer: letsencrypt-prod
-        traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+        traefik.ingress.kubernetes.io/router.middlewares: default-crowdsec-bouncer@kubernetescrd,default-redirect-https@kubernetescrd
      tls:
        enabled: true
        secret: authelia-tls