[management, proxy] Add CrowdSec IP reputation integration for reverse proxy (#5722)

shared/management/http/api/openapi.yml

@@ -2860,6 +2860,11 @@ components:
           type: string
           description: "Protocol type: http, tcp, or udp"
           example: "http"
+        metadata:
+          type: object
+          additionalProperties:
+            type: string
+          description: "Extra context about the request (e.g. crowdsec_verdict)"
       required:
         - id
         - service_id
@@ -3258,6 +3263,14 @@ components:
             pattern: '^[a-zA-Z]{2}$'
             example: "DE"
           description: ISO 3166-1 alpha-2 country codes to block.
+        crowdsec_mode:
+          type: string
+          enum:
+            - "off"
+            - "enforce"
+            - "observe"
+          default: "off"
+          description: CrowdSec IP reputation mode. Only available when the proxy cluster supports CrowdSec.
     PasswordAuthConfig:
       type: object
       properties:
@@ -3361,6 +3374,10 @@ components:
           type: boolean
           description: Whether a subdomain label is required in front of this domain. When true, the domain cannot be used bare.
           example: false
+        supports_crowdsec:
+          type: boolean
+          description: Whether the proxy cluster has CrowdSec configured
+          example: false
       required:
         - id
         - domain

shared/management/http/api/types.gen.go

@@ -17,6 +17,27 @@ const (
 	TokenAuthScopes  = "TokenAuth.Scopes"
 )
 
+// Defines values for AccessRestrictionsCrowdsecMode.
+const (
+	AccessRestrictionsCrowdsecModeEnforce AccessRestrictionsCrowdsecMode = "enforce"
+	AccessRestrictionsCrowdsecModeObserve AccessRestrictionsCrowdsecMode = "observe"
+	AccessRestrictionsCrowdsecModeOff     AccessRestrictionsCrowdsecMode = "off"
+)
+
+// Valid indicates whether the value is a known member of the AccessRestrictionsCrowdsecMode enum.
+func (e AccessRestrictionsCrowdsecMode) Valid() bool {
+	switch e {
+	case AccessRestrictionsCrowdsecModeEnforce:
+		return true
+	case AccessRestrictionsCrowdsecModeObserve:
+		return true
+	case AccessRestrictionsCrowdsecModeOff:
+		return true
+	default:
+		return false
+	}
+}
+
 // Defines values for CreateAzureIntegrationRequestHost.
 const (
 	CreateAzureIntegrationRequestHostMicrosoftCom CreateAzureIntegrationRequestHost = "microsoft.com"
@@ -1326,8 +1347,14 @@ type AccessRestrictions struct {
 
 	// BlockedCountries ISO 3166-1 alpha-2 country codes to block.
 	BlockedCountries *[]string `json:"blocked_countries,omitempty"`
+
+	// CrowdsecMode CrowdSec IP reputation mode. Only available when the proxy cluster supports CrowdSec.
+	CrowdsecMode *AccessRestrictionsCrowdsecMode `json:"crowdsec_mode,omitempty"`
 }
 
+// AccessRestrictionsCrowdsecMode CrowdSec IP reputation mode. Only available when the proxy cluster supports CrowdSec.
+type AccessRestrictionsCrowdsecMode string
+
 // AccessiblePeer defines model for AccessiblePeer.
 type AccessiblePeer struct {
 	// CityName Commonly used English name of the city
@@ -3680,6 +3707,9 @@ type ProxyAccessLog struct {
 	// Id Unique identifier for the access log entry
 	Id string `json:"id"`
 
+	// Metadata Extra context about the request (e.g. crowdsec_verdict)
+	Metadata *map[string]string `json:"metadata,omitempty"`
+
 	// Method HTTP method of the request
 	Method string `json:"method"`
 
@@ -3759,6 +3789,9 @@ type ReverseProxyDomain struct {
 	// RequireSubdomain Whether a subdomain label is required in front of this domain. When true, the domain cannot be used bare.
 	RequireSubdomain *bool `json:"require_subdomain,omitempty"`
 
+	// SupportsCrowdsec Whether the proxy cluster has CrowdSec configured
+	SupportsCrowdsec *bool `json:"supports_crowdsec,omitempty"`
+
 	// SupportsCustomPorts Whether the cluster supports binding arbitrary TCP/UDP ports
 	SupportsCustomPorts *bool `json:"supports_custom_ports,omitempty"`