Struggling with Bouncer Middleware in Traefik 3 on Kubernetes.

Hi everyone, I'm wondering if anyone has already had trouble deploying the bouncer middleware on Traefik 3? - Security engine is registered - Traefik 3 is deployed on Kubernetes. Everything looks OK, but when I activate the CrowdSec middleware on the HTTPRoute. The subject is wide, but upon activation of the middleware nothing appears on the console. The plugin is, however, well installed; everything seems green on the Traefik side.
6 Replies
CrowdSec (2w ago)
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
Pierrick (OP, 2w ago)
Our Traefik Helm values deployment:
```yaml
ports:
  # Defines the HTTP entry point named 'web'
  web:
    port: 8000
    nodePort: 30000

  # Defines the HTTPS entry point named 'websecure'
  websecure:
    port: 8443
    nodePort: 30001

# add load balancer service from outscale to get an externalIP
service:
  enabled: true
  type: LoadBalancer
  ports:
    web:
      nodePort: 30000
    websecure:
      nodePort: 30001

# Enables the dashboard in InSecure Mode
api:
  dashboard: true
  insecure: true

ingressRoute:
  dashboard:
    enabled: true
    entryPoints:
      - web

# We will route with Gateway API instead.
ingressClass:
  enabled: false

providers:
  kubernetesIngress:
    enabled: true # mandatory to use middleware https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/gateway-api/#using-traefik-middleware-as-httproute-filter
  kubernetesGateway:
    enabled: true
  kubernetesCRD:
    enabled: true # helm chart publish traefik dashboard through CRDs

gateway:
  namespacePolicy: All
  listeners:
    web: # HTTP listener that matches entryPoint `web`
      port: 8000
      protocol: HTTP

    websecure: # HTTPS listener that matches entryPoint `websecure`
      port: 8443
      protocol: HTTPS # TLS terminates inside Traefik
      mode: Terminate
      certificateRefs:
        - kind: Secret
          name: local-selfsigned-tls # the Secret we created before the installation
          group: ""

experimental:
  # -- Enable experimental plugins
  plugins:
    crowdsec-bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.4.4"

# Enable Observability
logs:
  general:
    level: INFO
  # This enables access logs, outputting them to Traefik's standard output by default. The [Access Logs Documentation](https://doc.traefik.io/traefik/observability/access-logs/) covers formatting, filtering, and output options.
  access:
    enabled: true
    addInternals: true
```
Pierrick (OP, 2w ago)
Traefik says that IngressRoute is mandatory for middleware, but how do we mix everything (ingressClass, KubernetesCRD and GatewayAPI)? https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/gateway-api/#using-traefik-middleware-as-httproute-filter We use a CRD to define a namespaced middleware:
```yaml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: crowdsec-bouncer
  namespace: default # middleware resource is NAMESPACED
spec:
  plugin:
    crowdsec-bouncer:
      enabled: true
      crowdsecAppsecEnabled: true
      crowdsecAppsecHost: crowdsec-appsec-service:7422
      crowdsecAppsecFailureBlock: true
      crowdsecAppsecUnreachableBlock: true
      crowdsecMode: stream
      crowdsecLapiScheme: http
      crowdsecLapiHost: crowdsec-service.default.svc.cluster.local:8080
      crowdsecLapiKey: XXXXXXXXXXXXXXXXXXXXxw
```
A Gateway CRD to define Traefik's Gateway API:
```yaml
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: traefik-gateway
  namespace: default
spec:
  gatewayClassName: traefik

  # Only Routes from the same namespace are allowed.
  listeners:
    - allowedRoutes:
        namespaces:
          from: Same
      name: web
      port: 8000
      protocol: HTTP
```
And an HTTPRoute to create the route:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: xxx-dashboard
  namespace: default
spec:
  parentRefs:
    - name: traefik-gateway
  hostnames:
    - "xx.xx.xxx.xxx"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: xx-xx-xx-myservice
          port: 7280
      filters:
        - type: ExtensionRef
          extensionRef:
            group: traefik.io
            kind: Middleware
            name: crowdsec-bouncer
```
Does someone have a working setup like this?
Pierrick (OP, 2w ago)
Remediation component looks empty
Pierrick (OP, 2w ago)
Pierrick (OP, 2w ago)
All bouncers are well registered and look functional from the local CLI
