added k3s planning md changes

2026-01-19 00:05:20 +01:00
parent 48fa532b82
commit 4e1f015a49
9 changed files with 6 additions and 117 deletions
--- a/K3S_PLANNING.md
+++ b/K3S_PLANNING.md
@@ -10,7 +10,7 @@ We will deploy a High-Availability (HA) K3s cluster consisting of 3 Control Plan
    *   VLAN 40 (IP Range: `10.100.40.0/24`).
    *   **VIP (Virtual IP):** A floating IP managed by `kube-vip` for the API Server and Ingress Controller.
 *   **Ingress Flow:**
-    *   `Internet` -> `Traefik Edge (VM 302)` -> `K3s VIP (LoadBalancer)` -> `Traefik Ingress (K3s)` -> `Pod`.
+    *   `Internet` -> `Traefik im k3s Cluster (VIP 10.100.40.6)` -> `Traefik Ingress (K3s)` -> `Pod`.
 *   **GitOps:**
    *   **Tool:** FluxCD.
    *   **Repository Structure:**
@@ -61,10 +61,11 @@ We will create a new role `k3s` and a corresponding playbook.
    *   `k3s-api.stabify.de` -> `10.100.40.5` (VIP).
    *   `*.k3s.stabify.de` -> `10.100.40.6` (Ingress VIP).

-*   **Traefik Edge Config (`vm-docker-traefik-302`):**
-    *   New Router/Service in `config/dynamic/30-k3s.yaml`.
-    *   Rule: `HostRegexp('^.+\.k3s\.stabify\.de$')`
-    *   Target: `https://10.100.40.6:443` (PassHostHeader=true).
+*   **Traefik Edge Config (im k3s Cluster):**
+    *   File Provider für TLS Passthrough zu k3s Services.
+    *   ConfigMap: `traefik-edge-dynamic-k3s`
+    *   Rule: `HostSNIRegexp('^.+\.k3s\.stabify\.de$')`
+    *   Target: `10.100.40.6:443` (TLS Passthrough).

 ## 5. Next Steps for Implementation

--- a/infrastructure/apps/traefik-edge/.gitignore
+++ b/infrastructure/apps/traefik-edge/.gitignore
@@ -1,2 +0,0 @@
-.env
-certs/
--- a/infrastructure/apps/traefik-edge/config/dynamic/00-middlewares.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/00-middlewares.yaml
--- a/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/10-k3s.yaml
@@ -1,16 +0,0 @@
-tcp:
-  routers:
-    # Alle k3s Domains (inkl. *.apps.internal.*) über TLS Passthrough
-    k3s-passthrough:
-      rule: "HostSNIRegexp(`^.+\\.k3s\\.stabify\\.de$`)"
-      entryPoints:
-        - websecure
-      service: k3s-cluster
-      tls:
-        passthrough: true
-
-  services:
-    k3s-cluster:
-      loadBalancer:
-        servers:
-          - address: "10.100.40.6:443"
--- a/infrastructure/apps/traefik-edge/config/dynamic/20-legacy-vm.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/20-legacy-vm.yaml
@@ -1,18 +0,0 @@
-http:
-  routers:
-    # Route für Apps auf VM 301
-    to-apps-vm:
-      rule: HostRegexp(`^[a-z0-9-]+\.apps\.stabify\.de$`)
-      service: apps-vm-service
-      entryPoints: [ websecure ]
-      tls:
-        certResolver: le
-        domains:
-          - main: "*.apps.stabify.de"
-
-  services:
-    apps-vm-service:
-      loadBalancer:
-        servers:
-          - url: "http://vm-docker-apps-301.stabify.de:80"
-        passHostHeader: true
--- a/infrastructure/apps/traefik-edge/config/dynamic/90-edge-system.yaml
+++ b/infrastructure/apps/traefik-edge/config/dynamic/90-edge-system.yaml
--- a/infrastructure/apps/traefik-edge/config/traefik.yml
+++ b/infrastructure/apps/traefik-edge/config/traefik.yml
@@ -1,42 +0,0 @@
-api:
-  dashboard: false
-
-entryPoints:
-  web:
-    address: ":80"
-    http:
-      redirections:
-        entryPoint:
-          to: websecure
-          scheme: https
-
-  websecure:
-    address: ":443"
-    http:
-      tls:
-        certResolver: le
-        domains:
-          - main: "stabify.de"
-            sans:
-              - "*.stabify.de"
-              - "*.k3s.stabify.de"
-              - "*.sys.stabify.de"
-              - "*.apps.stabify.de"
-
-providers:
-  docker:
-    endpoint: "unix:///var/run/docker.sock"
-    exposedByDefault: false
-  file:
-    directory: "/etc/traefik/dynamic"
-    watch: true
-
-certificatesResolvers:
-  le:
-    acme:
-      email: acme@infrastructure.stabify.de
-      storage: /certs/acme.json
-      caServer: https://acme-v02.api.letsencrypt.org/directory
-      dnsChallenge:
-        provider: cloudflare
-        delayBeforeCheck: 10 
--- a/infrastructure/apps/traefik-edge/docker-compose.yml
+++ b/infrastructure/apps/traefik-edge/docker-compose.yml
@@ -1,30 +0,0 @@
---
-services:
-  traefik:
-    image: traefik:v3.6
-    container_name: traefik-edge
-    restart: unless-stopped
-    security_opt:
-      - no-new-privileges:true
-    environment:
-      - TZ=Europe/Berlin
-      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
-      - CF_DNS_API_TOKEN=${CLOUDFLARE_API_KEY}
-    command:
-      # --- DEBUGGING AKTIVIEREN ---
-      - "--log.level=DEBUG"        # Setzt das Log-Level auf DEBUG (Fehlersuche)
-      - "--accesslog=true"
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - /etc/localtime:/etc/localtime:ro
-      - /var/run/docker.sock:/var/run/docker.sock:ro
-      - ./config/traefik.yml:/etc/traefik/traefik.yml:ro
-      - ./config/dynamic:/etc/traefik/dynamic:ro
-      - ./certs:/certs
-    networks:
-      - proxy
-networks:
-  proxy:
-    name: proxy-edge
--- a/infrastructure/deployments/vm-docker-traefik-302.stabify.de.yml
+++ b/infrastructure/deployments/vm-docker-traefik-302.stabify.de.yml
@@ -1,4 +0,0 @@
-apps:
-  - name: traefik-edge
-    has_secrets: true # Benötigt Cloudflare Token
-    restart_on_config_change: true # Container neu starten wenn Config-Dateien geändert wurden