some more improvements

Author: sabban

crowdsec-docs/docs/appsec/quickstart/traefik.mdx

@@ -325,7 +325,7 @@ http:
           crowdsecAppsecHost: crowdsec:7422
           crowdsecAppsecFailureBlock: true
           crowdsecAppsecUnreachableBlock: true
-          crowdsecLapiKey: privateKey-foo
+          crowdsecLapiKey: <your-shared-traefik-bouncer-key>
 ```
 
 
@@ -336,11 +336,30 @@ Instead if you define the configuration using labels on the containers you can a
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.enabled=true"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecEnabled=true"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiKey=privateKey-foo"
+      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiKey=<your-shared-traefik-bouncer-key>"
 ```
 </TabItem>
 <TabItem value="kubernetes">
-Here's a Traefik Middleware ressource you can apply with
+For Kubernetes, keep the Traefik bouncer key in a `Secret`, mount it into the
+Traefik pod, and reference it with `crowdsecLapiKeyFile`.
+
+Use a Traefik values file like this:
+
+```yaml title="traefik-values.yaml"
+experimental:
+  plugins:
+    bouncer:
+      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      version: v1.4.5
+volumes:
+  - name: crowdsec-bouncer-key
+    mountPath: /etc/traefik/crowdsec
+    type: secret
+    secretName: crowdsec-bouncer-key
+```
+
+Then create a Traefik Middleware resource:
+
 ```bash
 kubectl apply -f traefik-middleware.yaml
 ```
@@ -358,7 +377,7 @@ spec:
       crowdsecMode: stream
       crowdsecLapiScheme: http
       crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
-      crowdsecLapiKey: <shadowed>
+      crowdsecLapiKeyFile: /etc/traefik/crowdsec/BOUNCER_KEY_traefik
       htttTimeoutSeconds: 60
       forwardedheaderstrustedips:
         - 10.0.0.0/8
@@ -371,6 +390,37 @@ spec:
       crowdsecAppsecUnreachableBlock: true
 ```
 
+<details>
+<summary>Show direct <code>crowdsecLapiKey</code> example</summary>
+
+```yaml values="traefik-middleware.yaml"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: crowdsec
+  namespace: traefik
+spec:
+  plugin:
+    crowdsec-bouncer-traefik-plugin:
+      enabled: true
+      crowdsecMode: stream
+      crowdsecLapiScheme: http
+      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+      crowdsecLapiKey: <your-shared-traefik-bouncer-key>
+      htttTimeoutSeconds: 60
+      forwardedheaderstrustedips:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 134.209.137.94
+        - 2a03:b0c0:2:f0::f557:a001
+      crowdsecAppsecEnabled: false
+      crowdsecAppsecHost: crowdsec:7422
+      crowdsecAppsecFailureBlock: true
+      crowdsecAppsecUnreachableBlock: true
+```
+
+</details>
+
 You can still add some route configuration through
 [IngressRoute](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/http/ingressroute/)
 and attach the middleware to those routes.

crowdsec-docs/unversioned/bouncers/traefik.mdx

@@ -33,7 +33,17 @@ import RemediationSupportBadges from "@site/src/components/remediation-support-b
 
 <RemediationSupportBadges Prometheus MTLS />
 
-# CrowdSec Remediation QuickStart for Traefik
+:::tip AppSec Support
+This bouncer supports the [AppSec Component](/docs/next/appsec/intro) for
+real-time WAF protection. Enable `crowdsecAppsecEnabled: true` in your
+middleware configuration to get virtual patching and defense against known
+CVEs, SQL injection, XSS, and other application-layer attacks.
+
+For a full walkthrough, see the
+[AppSec Quickstart for Traefik](/docs/next/appsec/quickstart/traefik).
+:::
+
+# Traefik on kubernetes
 
 ## Objectives
 
@@ -49,25 +59,16 @@ At the end, you will have:
 - The bouncer key mounted into the Traefik pod as a file
 - An operational pattern that avoids committing the LAPI key in plaintext
 
-:::tip AppSec Support
-This bouncer supports the [AppSec Component](/docs/next/appsec/intro) for
-real-time WAF protection. Enable `crowdsecAppsecEnabled: true` in your
-middleware configuration to get virtual patching and defense against known
-CVEs, SQL injection, XSS, and other application-layer attacks.
-
-For a full walkthrough, see the
-[AppSec Quickstart for Traefik](/docs/next/appsec/quickstart/traefik).
-:::
-
 ## Prerequisites
 
-1. It is assumed that you already have:
-   - A working CrowdSec [Security Engine](/intro.mdx) installation. For a
-     Kubernetes install quickstart, refer to
-     [/u/getting_started/installation/kubernetes](/u/getting_started/installation/kubernetes).
-   - A working Traefik installation in Kubernetes.
-   - Existing `IngressRoute`, `Ingress`, or other Traefik-managed routes
-     exposing your applications.
+It is assumed that you already have:
+
+- A working CrowdSec [Security Engine](/intro.mdx) installation. For a
+  Kubernetes install quickstart, refer to
+  [/u/getting_started/installation/kubernetes](/u/getting_started/installation/kubernetes).
+- A working Traefik installation in Kubernetes.
+- Existing `IngressRoute`, `Ingress`, or other Traefik-managed routes
+  exposing your applications.
 
 :::warning
 This integration currently relies on a community Traefik plugin, not on a
@@ -76,9 +77,11 @@ first-party CrowdSec remediation component.
 The upstream project used in this guide is:
 
 - `maxlerebourg/crowdsec-bouncer-traefik-plugin`
-:::
+  :::
+
+## Required traefik configuration items
 
-### Source IPs
+### Traefik configuration's on source IPs
 
 To ensure remediation works correctly, Traefik must receive the real client IP
 for each request. When Traefik is deployed behind a load balancer, CDN, or
@@ -127,6 +130,7 @@ consequence, the Service's `externalTrafficPolicy` must be set to `Local`, and
 the workload must run either as a `DaemonSet` or as a `Deployment` ensuring one
 pod per node. This guarantees that no traffic, and therefore no security
 events, is missed.
+
 </details>
 
 ### Traefik Custom Resource Definitions
@@ -197,8 +201,8 @@ helm upgrade --install traefik traefik/traefik \
 
 ## Store the Traefik bouncer key in a Kubernetes secret
 
-As with the Envoy guide, the practical approach is to choose a fixed key, store
-it in a Kubernetes secret, and force `BOUNCER_KEY_traefik` from `lapi.env` with
+The practical approach is to choose a fixed key, store it in a Kubernetes
+secret, and force `BOUNCER_KEY_traefik` from `lapi.env` with
 `valueFrom.secretKeyRef`.
 
 Create or update the secrets used by CrowdSec LAPI and Traefik:
@@ -251,6 +255,9 @@ helm upgrade --install crowdsec crowdsec/crowdsec \
   -f crowdsec-values.yaml
 ```
 
+The second secret of the `crowdsec-keys.yaml` is meant for further use in the
+traefik configuration. It will be described later on.
+
 ## Verify CrowdSec LAPI access
 
 The Traefik middleware only needs access to CrowdSec LAPI. Make sure the
@@ -276,13 +283,9 @@ To achieve remediation in a Traefik environment, create a `Middleware`
 resource.
 
 :::important
-Unlike the Envoy bouncer deployment, the Traefik `Middleware` CRD does not have
-a native `secretKeyRef` field for the plugin configuration. In Kubernetes, the
-recommended pattern is to mount the key from a `Secret` into the Traefik pod and
-reference it with `crowdsecLapiKeyFile`.
-
-Avoid committing a middleware manifest with `crowdsecLapiKey:
-<real-secret-value>` in Git.
+The Traefik `Middleware` CRD does not have a native `secretKeyRef` field for the
+plugin configuration. In Kubernetes, the key can be mounted from a `Secret` into
+the Traefik pod and reference it with `crowdsecLapiKeyFile`.
 :::
 
 Mount the Traefik-side secret into the pod and let the middleware read it from a
@@ -343,8 +346,7 @@ literal key in the middleware manifest.
 <details>
 <summary>Show direct <code>crowdsecLapiKey</code> example</summary>
 
-If you only need a quick functional test, you can still apply a middleware
-manifest with the key inline:
+You can apply a middleware manifest with an inline key as well:
 
 ```yaml title="bouncer-middleware.yaml"
 apiVersion: traefik.io/v1alpha1
@@ -370,7 +372,7 @@ kubectl apply -f bouncer-middleware.yaml
 ```
 
 This is useful for quick validation, but `crowdsecLapiKeyFile` with a mounted
-Kubernetes secret is the recommended approach for production.
+Kubernetes secret seems to be a more secure approach.
 
 </details>