added k3s planning md changes
@@ -10,7 +10,7 @@ We will deploy a High-Availability (HA) K3s cluster consisting of 3 Control Plan
|
|||||||
* VLAN 40 (IP Range: `10.100.40.0/24`).
|
* VLAN 40 (IP Range: `10.100.40.0/24`).
|
||||||
* **VIP (Virtual IP):** A floating IP managed by `kube-vip` for the API Server and Ingress Controller.
|
* **VIP (Virtual IP):** A floating IP managed by `kube-vip` for the API Server and Ingress Controller.
|
||||||
* **Ingress Flow:**
|
* **Ingress Flow:**
|
||||||
* `Internet` -> `Traefik Edge (VM 302)` -> `K3s VIP (LoadBalancer)` -> `Traefik Ingress (K3s)` -> `Pod`.
|
* `Internet` -> `Traefik im k3s Cluster (VIP 10.100.40.6)` -> `Traefik Ingress (K3s)` -> `Pod`.
|
||||||
* **GitOps:**
|
* **GitOps:**
|
||||||
* **Tool:** FluxCD.
|
* **Tool:** FluxCD.
|
||||||
* **Repository Structure:**
|
* **Repository Structure:**
|
||||||
@@ -61,10 +61,11 @@ We will create a new role `k3s` and a corresponding playbook.
|
|||||||
* `k3s-api.stabify.de` -> `10.100.40.5` (VIP).
|
* `k3s-api.stabify.de` -> `10.100.40.5` (VIP).
|
||||||
* `*.k3s.stabify.de` -> `10.100.40.6` (Ingress VIP).
|
* `*.k3s.stabify.de` -> `10.100.40.6` (Ingress VIP).
|
||||||
|
|
||||||
* **Traefik Edge Config (`vm-docker-traefik-302`):**
|
* **Traefik Edge Config (im k3s Cluster):**
|
||||||
* New Router/Service in `config/dynamic/30-k3s.yaml`.
|
* File Provider für TLS Passthrough zu k3s Services.
|
||||||
* Rule: `HostRegexp('^.+\.k3s\.stabify\.de$')`
|
* ConfigMap: `traefik-edge-dynamic-k3s`
|
||||||
* Target: `https://10.100.40.6:443` (PassHostHeader=true).
|
* Rule: `HostSNIRegexp('^.+\.k3s\.stabify\.de$')`
|
||||||
|
* Target: `10.100.40.6:443` (TLS Passthrough).
|
||||||
|
|
||||||
## 5. Next Steps for Implementation
|
## 5. Next Steps for Implementation
|
||||||
|
|
||||||
|
|||||||
2
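--- a/infrastructure/apps/traefik-edge/.gitignore
+++ b/infrastructure/apps/traefik-edge/.gitignore
@@ -1,2 +0,0 @@
-.env
-certs/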
@@ -1,16 +0,0 @@
|
|||||||
tcp:
|
|
||||||
routers:
|
|
||||||
# Alle k3s Domains (inkl. *.apps.internal.*) über TLS Passthrough
|
|
||||||
k3s-passthrough:
|
|
||||||
rule: "HostSNIRegexp(`^.+\\.k3s\\.stabify\\.de$`)"
|
|
||||||
entryPoints:
|
|
||||||
- websecure
|
|
||||||
service: k3s-cluster
|
|
||||||
tls:
|
|
||||||
passthrough: true
|
|
||||||
|
|
||||||
services:
|
|
||||||
k3s-cluster:
|
|
||||||
loadBalancer:
|
|
||||||
servers:
|
|
||||||
- address: "10.100.40.6:443"
|
|
||||||
@@ -1,18 +0,0 @@
|
|||||||
http:
|
|
||||||
routers:
|
|
||||||
# Route für Apps auf VM 301
|
|
||||||
to-apps-vm:
|
|
||||||
rule: HostRegexp(`^[a-z0-9-]+\.apps\.stabify\.de$`)
|
|
||||||
service: apps-vm-service
|
|
||||||
entryPoints: [ websecure ]
|
|
||||||
tls:
|
|
||||||
certResolver: le
|
|
||||||
domains:
|
|
||||||
- main: "*.apps.stabify.de"
|
|
||||||
|
|
||||||
services:
|
|
||||||
apps-vm-service:
|
|
||||||
loadBalancer:
|
|
||||||
servers:
|
|
||||||
- url: "http://vm-docker-apps-301.stabify.de:80"
|
|
||||||
passHostHeader: true
|
|
||||||
@@ -1,42 +0,0 @@
|
|||||||
api:
|
|
||||||
dashboard: false
|
|
||||||
|
|
||||||
entryPoints:
|
|
||||||
web:
|
|
||||||
address: ":80"
|
|
||||||
http:
|
|
||||||
redirections:
|
|
||||||
entryPoint:
|
|
||||||
to: websecure
|
|
||||||
scheme: https
|
|
||||||
|
|
||||||
websecure:
|
|
||||||
address: ":443"
|
|
||||||
http:
|
|
||||||
tls:
|
|
||||||
certResolver: le
|
|
||||||
domains:
|
|
||||||
- main: "stabify.de"
|
|
||||||
sans:
|
|
||||||
- "*.stabify.de"
|
|
||||||
- "*.k3s.stabify.de"
|
|
||||||
- "*.sys.stabify.de"
|
|
||||||
- "*.apps.stabify.de"
|
|
||||||
|
|
||||||
providers:
|
|
||||||
docker:
|
|
||||||
endpoint: "unix:///var/run/docker.sock"
|
|
||||||
exposedByDefault: false
|
|
||||||
file:
|
|
||||||
directory: "/etc/traefik/dynamic"
|
|
||||||
watch: true
|
|
||||||
|
|
||||||
certificatesResolvers:
|
|
||||||
le:
|
|
||||||
acme:
|
|
||||||
email: acme@infrastructure.stabify.de
|
|
||||||
storage: /certs/acme.json
|
|
||||||
caServer: https://acme-v02.api.letsencrypt.org/directory
|
|
||||||
dnsChallenge:
|
|
||||||
provider: cloudflare
|
|
||||||
delayBeforeCheck: 10
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
---
|
|
||||||
services:
|
|
||||||
traefik:
|
|
||||||
image: traefik:v3.6
|
|
||||||
container_name: traefik-edge
|
|
||||||
restart: unless-stopped
|
|
||||||
security_opt:
|
|
||||||
- no-new-privileges:true
|
|
||||||
environment:
|
|
||||||
- TZ=Europe/Berlin
|
|
||||||
- CF_API_EMAIL=${CLOUDFLARE_EMAIL}
|
|
||||||
- CF_DNS_API_TOKEN=${CLOUDFLARE_API_KEY}
|
|
||||||
command:
|
|
||||||
# --- DEBUGGING AKTIVIEREN ---
|
|
||||||
- "--log.level=DEBUG" # Setzt das Log-Level auf DEBUG (Fehlersuche)
|
|
||||||
- "--accesslog=true"
|
|
||||||
ports:
|
|
||||||
- "80:80"
|
|
||||||
- "443:443"
|
|
||||||
volumes:
|
|
||||||
- /etc/localtime:/etc/localtime:ro
|
|
||||||
- /var/run/docker.sock:/var/run/docker.sock:ro
|
|
||||||
- ./config/traefik.yml:/etc/traefik/traefik.yml:ro
|
|
||||||
- ./config/dynamic:/etc/traefik/dynamic:ro
|
|
||||||
- ./certs:/certs
|
|
||||||
networks:
|
|
||||||
- proxy
|
|
||||||
networks:
|
|
||||||
proxy:
|
|
||||||
name: proxy-edge
|
|
||||||
@@ -1,4 +0,0 @@
|
|||||||
apps:
|
|
||||||
- name: traefik-edge
|
|
||||||
has_secrets: true # Benötigt Cloudflare Token
|
|
||||||
restart_on_config_change: true # Container neu starten wenn Config-Dateien geändert wurden
|
|
||||||