maxlerebourg / crowdsec-bouncer-traefik-plugin

Traefik plugin for Crowdsec - WAF and IP protection


[BUG] Applying the plugin results in connection refused

timbastin opened this issue

Describe the bug
I am installing the plugin using this in my traefik values.yaml:

# Traefik experimental features
experimental:
  # This value is no longer used, set the image.tag to a semver higher than 3.0, e.g. "v3.0.0-beta3"
  # v3:
  # -- Enable traefik version 3
  #  enabled: false
  plugins: 
    # -- Enable traefik experimental plugins
      crowdsec-bouncer-traefik-plugin:
        moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
        version: "v1.1.16"

Besides that, I have the following middleware:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
    name: bouncer
    namespace: default
spec:
    plugin:
        crowdsec-bouncer-traefik-plugin:
            CrowdsecLapiKey: xxxx
            Enabled: false     # I even disabled this
            LogLevel: DEBUG
            CrowdsecMode: stream
            CrowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
            CrowdsecLapiScheme: http
            HTTPTimeoutSeconds: 5

I am trying to apply the plugin as a default middleware. Therefore I added these to my values.yaml for traefik:

additionalArguments:
  - "--entrypoints.web.http.middlewares=default-bouncer@kubernetescrd"
  - "--entrypoints.websecure.http.middlewares=default-bouncer@kubernetescrd"

Expected behavior
I was expecting not to see anything. Basically the plugin is disabled, therefore everything should function.

Context
I tried log level debug, but there are no logs from the plugin.

Version (please complete the following information):
I am using kubernetes.

  • OS: Kubernetes
  • Traefik version: 2.10.6
  • Plugin version: 1.1.6

To Reproduce
The behaviour does not seem to be deterministic. This configuration did work on another kubernetes setup.

Hi,

Thanks for opening this issue, I'll take a look and maybe ask you some more info if needed.

Hello,

I spent some time now to try to reproduce this.
I followed my documentation, which is not up to date: https://github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin/tree/main/examples/kubernetes

The Traefik Helm Chart was updated between version 24 and 26.

In v26, there is an error when you use

experimental:
  plugins:
    enabled: true

However, there is then an error in the plugin in the dashboard and in the logs with versions 25 and 26:

time="2024-02-18T20:17:10Z" level=error msg="invalid middleware \"traefik-bouncer@kubernetescrd\" configuration: invalid middleware type or middleware does not exist" entryPointName=web routerName=traefik-whoami@kubernetes

I tried version 24 of the helm chart with the old syntax mentioned in my doc and it's working well.

While I find out what the new "correct syntax" is, you can use the following:

helm upgrade --version v24.0.0 --install --namespace=traefik     --values=./traefik/values.yml     traefik traefik/traefik

This "traefik/traefik-helm-chart@e7ce1b4" could be interesting

Hey @timbastin

So I managed to get it working with helm chart version 26.1.0.

I used this values.yml:

image:
  tag: v2.11

logs:
  general:
    level: DEBUG
  access:
    enabled: true
    fields:
      headers: 
        defaultmode: keep

# experimental:
#   plugins:
#     enabled: true

experimental:
  plugins:
    bouncer:
      moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
      version: "v1.1.16"

# additionalArguments:
#   - "--experimental.plugins.bouncer.modulename=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
#   - "--experimental.plugins.bouncer.version=v1.2.0"

helm update
helm upgrade --version v26.1.0 --install --namespace=traefik     --values=./traefik/values.yml     traefik traefik/traefik

I could watch logs with:

kubectl get pod --namespace traefik
kubectl logs $(kubectl get pods --namespace=traefik --selector "app.kubernetes.io/name=traefik" --output=name) --namespace traefik -f

My plugin is configured like this plugin.yml:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
    name: bouncer
    namespace: traefik
spec:
    plugin:
        bouncer:
            CrowdsecLapiKey: 40796d93c2958f9e58345514e67740e5
            Enabled: "true"
            logLevel: DEBUG
            crowdsecMode: live
            crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
            crowdsecLapiScheme: http

You should see in the logs the following:

DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:12 No IP provided for ForwardedHeadersTrustedIPs
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:12 No IP provided for ClientTrustedIPs
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:12 getTLSConfigCrowdsec:CrowdsecLapiScheme https:no
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:12 cache:New initialized isRedis:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:12 New initialized mode:live
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:48 ServeHTTP ip:127.0.0.1 isTrusted:false
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:48 cache:GetDecision ip:127.0.0.1
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:48 ServeHTTP:getDecision ip:127.0.0.1 isBanned:false cache:miss
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:48 cache:SetDecision ip:127.0.0.1 isBanned:false duration:60s
DEBUG: CrowdsecBouncerTraefikPlugin: 2024/02/19 17:59:48 ServeHTTP:handleNoStreamCache ip:127.0.0.1 isBanned:false

I will update the example for kubernetes so you can test on your side

Please let me know if you get it working
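
The two conditions that show up in this thread can be checked before deploying: every plugin key used in a Middleware must be declared under experimental.plugins with a moduleName and version, and every entrypoint reference must match an existing Middleware. The following is an added example, not code from the plugin or from the issue participants; the function names are hypothetical and the inputs are constructed Python dicts mirroring the YAML above, with the LAPI key replaced by a placeholder.

```python
def declared_plugins(values):
    """Plugin names under experimental.plugins that carry moduleName and version."""
    plugins = (values.get("experimental") or {}).get("plugins") or {}
    return {name for name, spec in plugins.items()
            if isinstance(spec, dict) and spec.get("moduleName") and spec.get("version")}


def entrypoint_refs(values):
    """Middleware names from --entrypoints.<name>.http.middlewares=... arguments."""
    refs = []
    for arg in values.get("additionalArguments") or []:
        key, _, val = arg.partition("=")
        if key.startswith("--entrypoints.") and key.endswith(".http.middlewares"):
            refs += [r.strip() for r in val.split(",") if r.strip()]
    return refs


def check(values, middlewares):
    """Return a list of problems; an empty list means the references line up."""
    problems, known = [], set()
    plugins = declared_plugins(values)
    for mw in middlewares:
        meta = mw["metadata"]
        # The Kubernetes CRD provider exposes a Middleware as <namespace>-<name>@kubernetescrd.
        ref = f"{meta.get('namespace', 'default')}-{meta['name']}@kubernetescrd"
        known.add(ref)
        for key in (mw.get("spec") or {}).get("plugin") or {}:
            if key not in plugins:
                problems.append(f"{ref}: plugin '{key}' not declared under experimental.plugins")
    for ref in entrypoint_refs(values):
        if ref.endswith("@kubernetescrd") and ref not in known:
            problems.append(f"entrypoint references undefined middleware {ref}")
    return problems


# Constructed inputs mirroring the YAML in the thread (LAPI key replaced by a placeholder).
MIDDLEWARE = {"metadata": {"name": "bouncer", "namespace": "traefik"},
              "spec": {"plugin": {"bouncer": {"CrowdsecLapiKey": "PLACEHOLDER"}}}}
ARGS = ["--entrypoints.web.http.middlewares=traefik-bouncer@kubernetescrd"]
OLD_SYNTAX = {"experimental": {"plugins": {"enabled": True}}, "additionalArguments": ARGS}
NEW_SYNTAX = {"experimental": {"plugins": {"bouncer": {
    "moduleName": "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin",
    "version": "v1.1.16"}}}, "additionalArguments": ARGS}

if __name__ == "__main__":
    print(check(OLD_SYNTAX, [MIDDLEWARE]))  # one problem: plugin not declared
    print(check(NEW_SYNTAX, [MIDDLEWARE]))  # no problems
```

A bouncer middleware that fails to load is worth catching this way, because the router it is attached to is then reported as invalid, as in the error log above.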