crowdsecurity · sabban · May 5, 2026 · May 18, 2026 · May 18, 2026 · May 18, 2026
diff --git a/crowdsec-docs/docs/appsec/quickstart/traefik.mdx b/crowdsec-docs/docs/appsec/quickstart/traefik.mdx
@@ -325,7 +325,7 @@ http:
           crowdsecAppsecHost: crowdsec:7422
           crowdsecAppsecFailureBlock: true
           crowdsecAppsecUnreachableBlock: true
-          crowdsecLapiKey: privateKey-foo
+          crowdsecLapiKey: <your-shared-traefik-bouncer-key>
 ```
 
 
@@ -336,11 +336,94 @@ Instead if you define the configuration using labels on the containers you can a
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.enabled=true"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecEnabled=true"
       - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecAppsecHost=crowdsec:7422"
-      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiKey=privateKey-foo"
+      - "traefik.http.middlewares.crowdsec-bar.plugin.bouncer.crowdsecLapiKey=<your-shared-traefik-bouncer-key>"
 ```
 </TabItem>
 <TabItem value="kubernetes">
-Here's a Traefik Middleware ressource you can apply with
+For Kubernetes, use the same secret management pattern as in the [Traefik
+bouncer setup](/u/bouncers/traefik#store-the-traefik-bouncer-key-in-a-kubernetes-secret):
+store the shared bouncer key in Kubernetes secrets and reference it from both
+CrowdSec and Traefik.
+
+Two secrets are needed because CrowdSec and Traefik run in different
+namespaces:
+
+- In the `crowdsec` namespace, CrowdSec LAPI reads `BOUNCER_KEY_traefik` from
+  the `crowdsec-keys` secret.
+- In the `traefik` namespace, Traefik mounts the same key from the
+  `crowdsec-bouncer-key` secret as a file.
+
+Both secrets must contain the same `BOUNCER_KEY_traefik` value. If you already
+created them for the base bouncer setup, you can reuse them here.
+
+Create or update the secrets:
+
+```yaml title="crowdsec-keys.yaml"
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-keys
+  namespace: crowdsec
+type: Opaque
+stringData:
+  ENROLL_KEY: "<your-existing-enroll-key>"
+  BOUNCER_KEY_traefik: "<your-shared-traefik-bouncer-key>"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: crowdsec-bouncer-key
+  namespace: traefik
+type: Opaque
+stringData:
+  BOUNCER_KEY_traefik: "<your-shared-traefik-bouncer-key>"
+```
+
+Apply it:
+
+```bash
+kubectl apply -f crowdsec-keys.yaml
+```
+
+Then make sure the CrowdSec Helm values reference `BOUNCER_KEY_traefik` from
+the `crowdsec-keys` secret:
+
+```yaml title="crowdsec-values.yaml"
+lapi:
+  env:
+    - name: BOUNCER_KEY_traefik
+      valueFrom:
+        secretKeyRef:
+          name: crowdsec-keys
+          key: BOUNCER_KEY_traefik
+```
+
+Apply the CrowdSec release again:
+
+```bash
+helm upgrade --install crowdsec crowdsec/crowdsec --namespace crowdsec --create-namespace -f crowdsec-values.yaml
+```
+
+Then configure Traefik to mount the `crowdsec-bouncer-key` secret and
+reference it with `crowdsecLapiKeyFile`.
+
+Use a Traefik values file like this:
+
+```yaml title="traefik-values.yaml"
+experimental:
+  plugins:
+    bouncer:
+      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+      version: v1.4.5
+volumes:
+  - name: crowdsec-bouncer-key
+    mountPath: /etc/traefik/crowdsec
+    type: secret
+    secretName: crowdsec-bouncer-key
+```
+
+Then create a Traefik Middleware resource:
+
 ```bash
 kubectl apply -f traefik-middleware.yaml
 ```
@@ -358,7 +441,36 @@ spec:
       crowdsecMode: stream
       crowdsecLapiScheme: http
       crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
-      crowdsecLapiKey: <shadowed>
+      crowdsecLapiKeyFile: /etc/traefik/crowdsec/BOUNCER_KEY_traefik
+      htttTimeoutSeconds: 60
+      forwardedheaderstrustedips:
+        - 10.0.0.0/8
+        - 192.168.0.0/16
+        - 134.209.137.94
+        - 2a03:b0c0:2:f0::f557:a001
+      crowdsecAppsecEnabled: false
+      crowdsecAppsecHost: crowdsec:7422
+      crowdsecAppsecFailureBlock: true
+      crowdsecAppsecUnreachableBlock: true
+```
+
+<details>
+<summary>Less secure alternative: define the Traefik bouncer key inline with <code>crowdsecLapiKey</code> instead of mounting <code>crowdsecLapiKeyFile</code></summary>
+
+```yaml values="traefik-middleware.yaml"
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: crowdsec
+  namespace: traefik
+spec:
+  plugin:
+    crowdsec-bouncer-traefik-plugin:
+      enabled: true
+      crowdsecMode: stream
+      crowdsecLapiScheme: http
+      crowdsecLapiHost: crowdsec-service.crowdsec.svc.cluster.local:8080
+      crowdsecLapiKey: <your-shared-traefik-bouncer-key>
       htttTimeoutSeconds: 60
       forwardedheaderstrustedips:
         - 10.0.0.0/8
@@ -371,6 +483,8 @@ spec:
       crowdsecAppsecUnreachableBlock: true
 ```
 
+</details>
+
 You can still add some route configuration through
 [IngressRoute](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/http/ingressroute/)
 and attach the middleware to those routes.