After some testing and fiddling around, I don't think it's worth the
hassle. Not only was ingress-nginx much less stable since integrating
the crowdsec bouncer plugin, but also just providing some questionable
log parsers etc, mainly focusing on bruteforce attacks for passwords,
which is useless when everything goes to SSO anyway.

Finally there were some other technical faux pas, like hardcoded
passwords on the integrated dashboard (which is also mostly useless),
expired GPG keys on the Fedora repository and finally a lack of bouncer
modules on current Fedora releases, depsite the docs claiming otherwise.
And given the issues date back to march, it doesn't seem to be a
something that will be resolved any time soon.

I guess my biggest critique is that the whole "fail2ban of the modern
area" limits itself to IP addresses only. No additional metadata to
block or mitigate attacks or identify attackers. Relying on IP addresses
only in 2023 is not on time. The whole being distributed with the lapi
server, is nice, but not enough to make this acceptable.

This patch adds a haproxy deployment to the cluster, which allows to
mimic the haproxy setup outside the cluster. Making sure that traffic is
automatically redirected and works around the limitations of ingress
nginx, of limiting proxy protocol to a boolean for either all traffic or
for none.

Currently the fix for various DoS attack turned out to be an own DoS
attack since it removed the default scopes from the keycloak provider.

Currently the fix for various DoS attack turned out to be an own DoS
attack since it removed the default scopes from the keycloak provider.

This patch adjust the key to use the armored format, which flux supports

This reverts commit 342a9382.