From 826207877b84e639605e7fb8766aad8edf80cc30 Mon Sep 17 00:00:00 2001
From: Nick Adam
Date: Sun, 18 Jan 2026 01:47:46 +0100
Subject: [PATCH] changed traefik edge to k3s traefik
---
 hello.txt | 0
 infrastructure/traefik-app.yaml | 65 +++++++++++++++++++
 infrastructure/traefik-edge-config-app.yaml | 26 ++++++++
 .../traefik-edge/configmap-dynamic-k3s.yaml | 26 ++++++++
 .../configmap-dynamic-legacy.yaml | 28 ++++++++
 .../traefik-edge/external-secret-app.yaml | 26 ++++++++
 .../traefik-edge/external-secret.yaml | 22 +++++++
 infrastructure/traefik-edge/pvc-acme.yaml | 15 +++++
 .../traefik-middleware-ipwhitelist.yaml | 4 +-
 9 files changed, 210 insertions(+), 2 deletions(-)
 delete mode 100644 hello.txt
 create mode 100644 infrastructure/traefik-edge-config-app.yaml
 create mode 100644 infrastructure/traefik-edge/configmap-dynamic-k3s.yaml
 create mode 100644 infrastructure/traefik-edge/configmap-dynamic-legacy.yaml
 create mode 100644 infrastructure/traefik-edge/external-secret-app.yaml
 create mode 100644 infrastructure/traefik-edge/external-secret.yaml
 create mode 100644 infrastructure/traefik-edge/pvc-acme.yaml
diff --git a/hello.txt b/hello.txt
deleted file mode 100644
index e69de29..0000000
diff --git a/infrastructure/traefik-app.yaml b/infrastructure/traefik-app.yaml
index b96987d..6f30b68 100644
--- a/infrastructure/traefik-app.yaml
+++ b/infrastructure/traefik-app.yaml
@@ -43,6 +43,71 @@ spec:
 allowCrossNamespace: true
 publishedService:
 enabled: true
+ # File Provider für Edge-Config (dynamic configs)
+ file:
+ directory: /etc/traefik/dynamic
+ watch: true
+ # ACME/Certificates für TLS Termination (Edge-Funktionalität)
+ certificatesResolvers:
+ le:
+ acme:
+ email: acme@infrastructure.stabify.de
+ storage: /certs/acme.json
+ dnsChallenge:
+ provider: cloudflare
+ delayBeforeCheck: 10
+ # Additional Arguments für File Provider (Edge-Config)
+ additionalArguments:
+ - "--providers.file.directory=/etc/traefik/dynamic"
+ - "--providers.file.watch=true"
+ # ACME/Certificates für TLS Termination (Edge-Funktionalität)
+ certificatesResolvers:
+ le:
+ acme:
+ email: acme@infrastructure.stabify.de
+ storage: /certs/acme.json
+ dnsChallenge:
+ provider: cloudflare
+ delayBeforeCheck: 10
+ # Extra Volumes (ConfigMaps + PVC für ACME)
+ extraVolumes:
+ - name: traefik-edge-dynamic-k3s
+ type: configMap
+ configMap:
+ name: traefik-edge-dynamic-k3s
+ - name: traefik-edge-dynamic-legacy
+ type: configMap
+ configMap:
+ name: traefik-edge-dynamic-legacy
+ - name: traefik-edge-acme
+ type: persistentVolumeClaim
+ persistentVolumeClaim:
+ claimName: traefik-edge-acme
+ # Extra Volume Mounts
+ extraVolumeMounts:
+ - name: traefik-edge-dynamic-k3s
+ mountPath: /etc/traefik/dynamic/10-k3s.yaml
+ subPath: 10-k3s.yaml
+ readOnly: true
+ - name: traefik-edge-dynamic-legacy
+ mountPath: /etc/traefik/dynamic/20-legacy-vm.yaml
+ subPath: 20-legacy-vm.yaml
+ readOnly: true
+ - name: traefik-edge-acme
+ mountPath: /certs
+ readOnly: false
+ # Environment Variables für Cloudflare DNS Challenge
+ env:
+ - name: CF_DNS_API_TOKEN
+ valueFrom:
+ secretKeyRef:
+ name: traefik-edge-cloudflare
+ key: CF_DNS_API_TOKEN
+ - name: CF_API_EMAIL
+ valueFrom:
+ secretKeyRef:
+ name: traefik-edge-cloudflare
+ key: CF_API_EMAIL
 destination:
 server: https://kubernetes.default.svc
 namespace: traefik-system
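Review bot: `certificatesResolvers` with the identical `le.acme` block is written twice in this hunk, once after the `file:` provider settings and again after `additionalArguments`; if both copies sit at the same mapping level this is a duplicate key that most YAML loaders resolve last-wins and stricter ones reject, so one copy should go. The file provider is likewise configured twice, as `file.directory`/`file.watch` values and as `--providers.file.directory`/`--providers.file.watch` arguments; the indentation is collapsed here so I cannot tell which level `file:` is at, but keeping a single source avoids the two silently diverging on a later edit. The `/certs` mount holds `acme.json` with the ACME account key and every issued private key, so please confirm the pod's securityContext/fsGroup lets the (presumably non-root) Traefik user create it with restrictive permissions and that no other workload mounts the claim. The enclosing Helm values block starts and ends outside the hunk.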
diff --git a/infrastructure/traefik-edge-config-app.yaml b/infrastructure/traefik-edge-config-app.yaml
new file mode 100644
index 0000000..70b3fb7
--- /dev/null
+++ b/infrastructure/traefik-edge-config-app.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik-edge-config
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-2" # Vor Traefik, damit ConfigMaps existieren
+spec:
+ project: default
+ source:
+ repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+ targetRevision: HEAD
+ path: infrastructure/traefik-edge
+ directory:
+ recurse: false
+ include: "*.yaml"
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: traefik-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/infrastructure/traefik-edge/configmap-dynamic-k3s.yaml b/infrastructure/traefik-edge/configmap-dynamic-k3s.yaml
new file mode 100644
index 0000000..8e47cb3
--- /dev/null
+++ b/infrastructure/traefik-edge/configmap-dynamic-k3s.yaml
@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: traefik-edge-dynamic-k3s
+ namespace: traefik-system
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/component: edge-dynamic
+data:
+ 10-k3s.yaml: |
+ tcp:
+ routers:
+ # Alle k3s Domains (inkl. *.apps.internal.*) über TLS Passthrough
+ k3s-passthrough:
+ rule: "HostSNIRegexp(`^.+\\.k3s\\.stabify\\.de$`)"
+ entryPoints:
+ - websecure
+ service: k3s-cluster
+ tls:
+ passthrough: true
+
+ services:
+ k3s-cluster:
+ loadBalancer:
+ servers:
+ - address: "10.100.40.6:443"
diff --git a/infrastructure/traefik-edge/configmap-dynamic-legacy.yaml b/infrastructure/traefik-edge/configmap-dynamic-legacy.yaml
new file mode 100644
index 0000000..0a9d333
--- /dev/null
+++ b/infrastructure/traefik-edge/configmap-dynamic-legacy.yaml
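Review bot: `include: "*.yaml"` on `path: infrastructure/traefik-edge` also matches `external-secret.yaml` and `external-secret-app.yaml`, so the ExternalSecret is owned by both this Application and `traefik-edge-secrets` (whose `include: external-secret.yaml` in `external-secret-app.yaml` selects the same file), and this Application would additionally apply the `traefik-edge-secrets` Application manifest itself; with `prune: true` and `selfHeal: true` on both sides that is a shared-resource conflict rather than the intended wave ordering. Narrow this one, e.g. add `exclude: "external-secret*.yaml"` next to the include, or move the secret manifests into their own directory. Both Applications also use `project: default`; a dedicated AppProject restricted to this repository and the `traefik-system` destination would bound what a change to this directory is able to deploy.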
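Review bot: The `k3s-passthrough` router forwards any connection whose client-supplied SNI matches `^.+\.k3s\.stabify\.de$` to `10.100.40.6:443`, and because it is TLS passthrough the edge applies no IP restriction; the `traefik-middleware-ipwhitelist.yaml` hunk in this commit then adds the edge's `10.100.30.12/32` to the k3s `sourceRange` and removes the note about an edge-side whitelist, so the k3s IPWhiteList accepts every passthrough connection. SNI is set by the client, not by DNS, so the replacement comment there (`*.apps.internal.* wird nur über interne DNS aufgelöst, daher relativ sicher`) does not hold: DNS visibility does not limit which names reach this router. Either give the internal SNI pattern its own TCP router with a TCP `ipWhiteList` (v2) / `ipAllowList` (v3) middleware carrying the VPN and internal ranges, or enable PROXY protocol on this service (`proxyProtocol: version: 2` under `loadBalancer`) and on the k3s entrypoint so the original client address reaches the k3s whitelist. The comment above the router says it covers `*.apps.internal.*`, which this regex only does if those names end in `.k3s.stabify.de` — please confirm.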
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: traefik-edge-dynamic-legacy
+ namespace: traefik-system
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/component: edge-dynamic
+data:
+ 20-legacy-vm.yaml: |
+ http:
+ routers:
+ # Route für Apps auf VM 301
+ to-apps-vm:
+ rule: HostRegexp(`^[a-z0-9-]+\.apps\.stabify\.de$`)
+ service: apps-vm-service
+ entryPoints: [ websecure ]
+ tls:
+ certResolver: le
+ domains:
+ - main: "*.apps.stabify.de"
+
+ services:
+ apps-vm-service:
+ loadBalancer:
+ servers:
+ - url: "http://vm-docker-apps-301.stabify.de:80"
+ passHostHeader: true
diff --git a/infrastructure/traefik-edge/external-secret-app.yaml b/infrastructure/traefik-edge/external-secret-app.yaml
new file mode 100644
index 0000000..d5d8c31
--- /dev/null
+++ b/infrastructure/traefik-edge/external-secret-app.yaml
@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: traefik-edge-secrets
+ namespace: argocd
+ annotations:
+ argocd.argoproj.io/sync-wave: "-3" # Vor ConfigMaps und Traefik
+spec:
+ project: default
+ source:
+ repoURL: https://git.cloud-infra.prod.openmailserver.de/stabify/gitops.git
+ targetRevision: HEAD
+ path: infrastructure/traefik-edge
+ directory:
+ recurse: false
+ include: external-secret.yaml
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: traefik-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
diff --git a/infrastructure/traefik-edge/external-secret.yaml b/infrastructure/traefik-edge/external-secret.yaml
new file mode 100644
index 0000000..6435657
--- /dev/null
+++ b/infrastructure/traefik-edge/external-secret.yaml
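Review bot: The `to-apps-vm` router terminates TLS at the edge and forwards to `http://vm-docker-apps-301.stabify.de:80`, so the hop from the edge to VM 301 is plaintext on the internal network; if that is the intent, say so above the service (`# TLS is terminated at the edge; the hop to VM 301 is plaintext on the internal network`), otherwise point the server at an HTTPS URL with a matching `serversTransport`. Style: `entryPoints: [ websecure ]` is flow style while the sibling `10-k3s.yaml` writes the same list in block style, and the rule here is an unquoted plain scalar while the k3s file quotes its rule; pick one form for both ConfigMaps so the two dynamic files read alike.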
@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: traefik-edge-cloudflare
+ namespace: traefik-system
+spec:
+ refreshInterval: "1h"
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+ target:
+ name: traefik-edge-cloudflare
+ creationPolicy: Owner
+ data:
+ - secretKey: CF_DNS_API_TOKEN
+ remoteRef:
+ key: secret/infrastructure/cloudflare
+ property: api_token
+ - secretKey: CF_API_EMAIL
+ remoteRef:
+ key: secret/infrastructure/cloudflare
+ property: email
diff --git a/infrastructure/traefik-edge/pvc-acme.yaml b/infrastructure/traefik-edge/pvc-acme.yaml
new file mode 100644
index 0000000..0a0b4ac
--- /dev/null
+++ b/infrastructure/traefik-edge/pvc-acme.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: traefik-edge-acme
+ namespace: traefik-system
+ labels:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/component: edge-acme
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/infrastructure/traefik-middleware-ipwhitelist.yaml b/infrastructure/traefik-middleware-ipwhitelist.yaml
index aad2780..a865717 100644
--- a/infrastructure/traefik-middleware-ipwhitelist.yaml
+++ b/infrastructure/traefik-middleware-ipwhitelist.yaml
@@ -14,7 +14,7 @@ spec:
 sourceRange:
 - "10.100.0.0/16" # Internes Netzwerk (VLAN 30, 40, 90, etc.)
 - "10.200.0.0/24" # VPN-Netzwerk
- # Hinweis: Traefik Edge hat eigene IP-Whitelist für *.apps.internal.*
- # Dadurch kommen nur VPN-Clients durch, auch über öffentliche Domains
+ - "10.100.30.12/32" # Traefik Edge IP (wichtig: Bei TLS Passthrough sieht k3s nur die Edge IP als Client)
+ # Hinweis: *.apps.internal.* wird nur über interne DNS aufgelöst, daher relativ sicher
 # Weitere VPN-Ranges hier hinzufügen:
 # - "10.100.200.0/24" # Beispiel: Dediziertes VPN-Subnetz
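Review bot: `CF_DNS_API_TOKEN` is synced from `secret/infrastructure/cloudflare` and, via the `env` block in `traefik-app.yaml`, becomes an environment variable of the Traefik pod, so the token's scope sets the blast radius of a pod or namespace compromise; confirm it is an API token limited to DNS edit on the `stabify.de` zone rather than a global key, and record that next to the `data` list (`# Zone-scoped DNS:Edit token for the stabify.de zone only`). `CF_API_EMAIL` is, as far as I know, only required by the legacy global-API-key path, so with a scoped token it can presumably be dropped from both this ExternalSecret and the Traefik `env` block — verify against the lego Cloudflare provider documentation before removing it.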
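Review bot: The claim is `ReadWriteOnce` on `longhorn`, so only one node can attach it at a time; if the Traefik Deployment keeps a rolling-update strategy, a replacement pod scheduled on another node stays pending until the old pod releases the volume — presumably the edge runs a single replica with a `Recreate` strategy, please confirm. The volume stores `acme.json` with the ACME account key and every issued private key, so note that on the claim (`# Holds acme.json (ACME account and certificate private keys); treat backups and at-rest encryption accordingly`) so the Longhorn backup and encryption settings for it are a deliberate choice.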