stabify/gitops
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d0712d02c060386ce3f805fcb95164ea816241ad
gitops/infrastructure/traefik-app.yaml

146 lines
4.9 KiB
YAML
Raw Blame History

apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "-1"
spec:
project: default
source:
repoURL: https://traefik.github.io/charts
chart: traefik
targetRevision: 26.0.0
helm:
values: |
deployment:
replicas: 3 # HA: Einer pro Node
# WICHTIG: affinity muss auf oberster Ebene stehen, NICHT unter deployment!
affinity:
podAntiAffinity:
# WICHTIG: requiredDuringSchedulingIgnoredDuringExecution = Hard Rule
# Verhindert, dass Pods auf dem gleichen Node laufen
# Nur app.kubernetes.io/name verwenden (ohne instance), damit die Regel
# mit allen Traefik-Pods funktioniert (auch bei Deployment-Updates)
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchLabels:
app.kubernetes.io/name: traefik
topologyKey: kubernetes.io/hostname
service:
enabled: true
type: LoadBalancer
spec:
loadBalancerIP: "10.100.40.6" # Zwingt Kube-VIP diese IP zu nutzen
ports:
web:
port: 8000
expose: true
exposedPort: 80
protocol: TCP
websecure:
port: 8443
expose: true
exposedPort: 443
protocol: TCP
ingressRoute:
dashboard:
enabled: false
providers:
kubernetesCRD:
enabled: true
allowCrossNamespace: true
kubernetesIngress:
enabled: true
allowCrossNamespace: true
publishedService:
enabled: true
# File Provider für Edge-Config (dynamic configs)
file:
directory: /etc/traefik/dynamic
watch: true
# ACME/Certificates für TLS Termination (Edge-Funktionalität)
certificatesResolvers:
le:
acme:
email: acme@infrastructure.stabify.de
storage: /certs/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 10
# Additional Arguments für File Provider (Edge-Config)
additionalArguments:
- "--providers.file.directory=/etc/traefik/dynamic"
- "--providers.file.watch=true"
# ACME/Certificates für TLS Termination (Edge-Funktionalität)
certificatesResolvers:
le:
acme:
email: acme@infrastructure.stabify.de
storage: /certs/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 10
# Extra Volumes (ConfigMaps + PVC für ACME + EmptyDir für dynamic directory)
extraVolumes:
- name: dynamic-dir-empty
type: emptyDir
emptyDir: {}
- name: traefik-edge-dynamic-k3s
type: configMap
configMap:
name: traefik-edge-dynamic-k3s
- name: traefik-edge-dynamic-legacy
type: configMap
configMap:
name: traefik-edge-dynamic-legacy
- name: traefik-edge-acme
type: persistentVolumeClaim
persistentVolumeClaim:
claimName: traefik-edge-acme
# Init Container um /etc/traefik/dynamic Verzeichnis zu erstellen
# (EmptyDir wird erst erstellt, wenn initContainer läuft)
initContainers:
- name: create-dynamic-dir
image: busybox:latest
command: ["sh", "-c", "mkdir -p /etc/traefik/dynamic && touch /etc/traefik/dynamic/.keep"]
volumeMounts:
- name: dynamic-dir-empty
mountPath: /etc/traefik/dynamic
# Extra Volume Mounts
extraVolumeMounts:
- name: dynamic-dir-empty
mountPath: /etc/traefik/dynamic
- name: traefik-edge-dynamic-k3s
mountPath: /etc/traefik/dynamic/10-k3s.yaml
subPath: 10-k3s.yaml
readOnly: true
- name: traefik-edge-dynamic-legacy
mountPath: /etc/traefik/dynamic/20-legacy-vm.yaml
subPath: 20-legacy-vm.yaml
readOnly: true
- name: traefik-edge-acme
mountPath: /certs
readOnly: false
# Environment Variables für Cloudflare DNS Challenge
env:
- name: CF_DNS_API_TOKEN
valueFrom:
secretKeyRef:
name: traefik-edge-cloudflare
key: CF_DNS_API_TOKEN
- name: CF_API_EMAIL
valueFrom:
secretKeyRef:
name: traefik-edge-cloudflare
key: CF_API_EMAIL
destination:
server: https://kubernetes.default.svc
namespace: traefik-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
Reference in New Issue View Git Blame Copy Permalink