# Struggling with Bouncer Middleware in Traefik 3 on Kubernetes.


gilded schooner

Hi everyone, I'm wondering if someone has already had trouble deploying the bouncer middleware on Traefik 3?

  • Security engine is registered
  • Traefik 3 is deployed on Kubernetes. Everything looks OK, but when I activate the CrowdSec middleware on the HTTPRoute.

The subject is wide, but upon activation of the middleware nothing appears on the console.

The plugin is, however, correctly installed; everything seems green on the Traefik side.

delicate vapor BOT
Important Information

Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.

Log Files

If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.

Guide Followed (CrowdSec Official)

If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.

Screenshots

Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.

gilded schooner

Our Traefik Helm values deployment:

ports:
  # Defines the HTTP entry point named 'web'
  web:
    port: 8000
    nodePort: 30000

  # Defines the HTTPS entry point named 'websecure'
  websecure:
    port: 8443
    nodePort: 30001

# add load balancer service from outscale to get an externalIP
service:
  enabled: true
  type: LoadBalancer
  ports:
    web:
      nodePort: 30000
    websecure:
      nodePort: 30001


# Enables the dashboard in InSecure Mode
api:
  dashboard: true
  insecure: true 

ingressRoute:
  dashboard:
    enabled: true
    entryPoints:
      - web

# We will route with Gateway API instead.
ingressClass:
  enabled: false

providers:
  kubernetesIngress:
    enabled: true # mandatory to use middleware https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/gateway-api/#using-traefik-middleware-as-httproute-filter
  kubernetesGateway:
    enabled: true
  kubernetesCRD:
    enabled: true # Helm chart publishes the Traefik dashboard through CRDs

gateway:
  namespacePolicy: All
  listeners:
    web:           # HTTP listener that matches entryPoint `web`
      port: 8000
      protocol: HTTP

    websecure:         # HTTPS listener that matches entryPoint `websecure`
      port: 8443
      protocol: HTTPS  # TLS terminates inside Traefik
      mode: Terminate
      certificateRefs:    
        - kind: Secret
          name: local-selfsigned-tls  # the Secret we created before the installation
          group: ""

experimental:
  # -- Enable experimental plugins
  plugins:
    crowdsec-bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.4.4"

# Enable Observability
logs:
  general:
    level: INFO
  # This enables access logs, outputting them to Traefik's standard output by default. The [Access Logs Documentation](https://doc.traefik.io/traefik/observability/access-logs/) covers formatting, filtering, and output options.
  access:
    enabled: true
    addInternals: true

Traefik states that IngressRoute is mandatory for middleware, but how do we mix everything (ingressClass, KubernetesCRD and Gateway API)? https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/gateway-api/#using-traefik-middleware-as-httproute-filter

We use a CRD to define a namespaced middleware:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: crowdsec-bouncer
  namespace: default # middleware resource is NAMESPACED
spec:
  plugin:
    crowdsec-bouncer:
      enabled: true
      crowdsecAppsecEnabled: true
      crowdsecAppsecHost: crowdsec-appsec-service:7422
      crowdsecAppsecFailureBlock: true
      crowdsecAppsecUnreachableBlock: true
      crowdsecMode: stream
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec-service.default.svc.cluster.local:8080
      crowdsecLapiKey: XXXXXXXXXXXXXXXXXXXXxw 

A Gateway CRD to define Traefik's Gateway API:

---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: traefik-gateway
  namespace: default
spec:
  gatewayClassName: traefik

  # Only Routes from the same namespace are allowed.
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      name: web
      port: 8000
      protocol: HTTP

And an HTTPRoute to create the route:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: xxx-dashboard
  namespace: default
spec:
  parentRefs:
    - name: traefik-gateway
  hostnames:
    - "xx.xx.xxx.xxx"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: xx-xx-xx-myservice
          port: 7280
      filters:
        - type: ExtensionRef
          extensionRef:
            group: traefik.io
            kind: Middleware
            name: crowdsec-bouncer

Does someone have a working setup like this?

gilded schooner

Remediation component looks empty

gilded schooner