From 60ddffb5148bd0c7b29e172fb3072d1fa7d7ce12 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Tue, 22 Oct 2024 13:02:27 +0200 Subject: [PATCH] traefik: switch to manual install and pinning of v3 --- k3s-host/setup.sh | 15 ++++++--- k3s-host/traefik.yml | 65 +++++++++++++++++-------------------- k8s-forgejo/next-values.yml | 4 +-- k8s.md | 2 +- 4 files changed, 44 insertions(+), 42 deletions(-) diff --git a/k3s-host/setup.sh b/k3s-host/setup.sh index 3ad54ff..51ec9cc 100755 --- a/k3s-host/setup.sh +++ b/k3s-host/setup.sh @@ -9,8 +9,6 @@ else set -e fi -export INSTALL_K3S_VERSION=v1.30.5+k3s1 - source $SELF_DIR/variables.sh source $SELF_DIR/secrets.sh @@ -165,6 +163,12 @@ EOF if ! grep --quiet 'export KUBECONFIG' ~/.bashrc; then echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >>~/.bashrc fi + # + # To upgrade, systemctl stop k3s before running this. A node + # that is already part of a cluster does not need the --token + # or --server so there is no need to provide the number of an + # existing node. + # if ! sudo systemctl --quiet is-active k3s; then args="" if test "$existing"; then @@ -177,7 +181,8 @@ EOF if test "$self_node" = $node_k8s_etcd; then args="$args --disable-apiserver --disable-controller-manager --disable-scheduler" fi - curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq + export INSTALL_K3S_VERSION=v1.30.5+k3s1 + curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --disable=traefik --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq if test "$self_node" = $node_k8s_etcd; then retry --times 20 -- kubectl taint nodes $(hostname) key1=value1:NoSchedule fi 
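Review bot: The new comment block documents a precondition (`systemctl stop k3s` before an upgrade) that the `if ! sudo systemctl --quiet is-active k3s` guard right below it silently turns into a no-op: when k3s is still running, the install and with it the version pin are skipped without any message, so an operator who forgot the stop gets no indication that nothing was upgraded. An `else` arm such as `printf 'k3s is active; stop it first to (re)install the pinned version\n' >&2` would make the skipped step visible. The matching `fi` for that guard lies outside this hunk, and the enclosing function starts before it.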
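Review bot: The new `export INSTALL_K3S_VERSION=v1.30.5+k3s1` pins the k3s release but not the installer that the next line fetches and executes with `curl -fL https://get.k3s.io | sh -s -`, and under plain `set -e` the pipeline only reports sh's status, so a failed or truncated download executes nothing and the function carries on to the taint step as if the install had succeeded. Downloading to a temp file first, `curl -fsSL -o "$tmp" https://get.k3s.io || return 1`, and then running `INSTALL_K3S_VERSION=v1.30.5+k3s1 sh "$tmp" server $args …` makes a fetch failure abort, allows the fetched script to be inspected or compared against a reviewed copy before it is executed, and keeps the pin scoped to that one command instead of exported into the rest of the process. Whether `pipefail` is enabled is not visible in this hunk; if it is, only the pinning point remains.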
@@ -192,7 +197,9 @@ function setup_k8s_apply() {
 }
 
 function setup_k8s_traefik() {
- setup_k8s_apply traefik.yml
+ # https://github.com/traefik/traefik-helm-chart?tab=readme-ov-file#deploying-traefik
+ helm repo add traefik https://traefik.github.io/charts
+ $SELF_DIR/subst.sh traefik.yml | helm upgrade --install --namespace kube-system traefik -f - --set installCRDs=true --version 32.1.1 traefik/traefik
 }
 
 function setup_k8s_nfs() {
diff --git a/k3s-host/traefik.yml b/k3s-host/traefik.yml
index c3a214f..6ded3d0 100644
--- a/k3s-host/traefik.yml
+++ b/k3s-host/traefik.yml
@@ -1,35 +1,30 @@
-apiVersion: helm.cattle.io/v1
-kind: HelmChartConfig
-metadata:
- name: traefik
- namespace: kube-system
-spec:
- valuesContent: |-
- deployment:
- replicas: 2
- ports:
- web:
- port: 80
- redirectTo:
- port: websecure
- priority: 1
- ssh-next:
- port: 2020
- exposedPort: 2020
- expose: true
- service:
- annotations:
- metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
- spec:
- externalTrafficPolicy: Local
- ipFamilyPolicy: PreferDualStack
- logs:
- general:
- level: INFO
- access:
- enabled: true
- fields:
- headers:
- # https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml#L304-L308
- names:
- User-Agent: keep
+deployment:
+ replicas: 2
+ports:
+ web:
+ port: 80
+ redirectTo:
+ port: websecure
+ priority: 1
+ ssh-next:
+ port: 2020
+ exposedPort: 2020
+ # https://github.com/traefik/traefik-helm-chart/blob/v32.1.1/traefik/values.yaml#L611-L614
+ expose:
+ default: true
+service:
+ annotations:
+ metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
+ spec:
+ externalTrafficPolicy: Local
+ ipFamilyPolicy: PreferDualStack
+logs:
+ general:
+ level: INFO
+ access:
+ enabled: true
+ fields:
+ headers:
+ # https://github.com/traefik/traefik-helm-chart/blob/v32.1.1/traefik/values.yaml#L365-L369
+ names:
+ User-Agent: keep
diff --git a/k8s-forgejo/next-values.yml b/k8s-forgejo/next-values.yml
index 5921a90..a95b242 100644
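Review bot: `helm repo add traefik …` followed directly by `helm upgrade --install … --version 32.1.1 traefik/traefik` relies on the local repo index already containing 32.1.1; on a host where the traefik repo was added earlier, `repo add` does not refresh the cached index, so the pinned version can be reported as not found. Add `helm repo update traefik` before the upgrade, or drop the repo step and pass `--repo https://traefik.github.io/charts` to `helm upgrade`, which resolves the chart from the index on each run. Two smaller points: the `subst.sh … | helm upgrade` pipeline hides a failure of subst.sh unless `pipefail` is set (not visible here), and the k8s.md hunk in this same patch links the chart as v31.1.1 while this line pins 32.1.1, so one of the two should be corrected.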
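Review bot: The `metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6` annotation is filled in by subst.sh at install time; if either variable is unset and subst.sh expands it to empty (its behaviour is not visible in this patch), the annotation is rendered with a missing address and the Service is either rejected by MetalLB or assigned an address from the pool instead of the intended failover IPs, on which the web and ssh-next (port 2020) entrypoints are then published. A guard in setup_k8s_traefik such as `: "${failover_ipv4:?}" "${failover_ipv6:?}"` before the pipeline would fail fast with a clear message instead. A short comment on the annotation line naming the two variables as required inputs would also help the next reader of this values file.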
--- a/k8s-forgejo/next-values.yml +++ b/k8s-forgejo/next-values.yml @@ -6,7 +6,7 @@ image: ingress: annotations: - # https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-ingress/#on-ingress + # https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-ingress/#on-ingress # reference middlewares via `-@kubernetescrd` traefik.ingress.kubernetes.io/router.middlewares: default-forgejo-ratelimit@kubernetescrd tls: @@ -29,7 +29,7 @@ extraDeploy: metadata: name: forgejo-ratelimit spec: - # https://doc.traefik.io/traefik/v2.10/middlewares/http/ratelimit/ + # https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/ rateLimit: average: 10 burst: 20 diff --git a/k8s.md b/k8s.md index 1e8af4c..3c1a63d 100644 --- a/k8s.md +++ b/k8s.md @@ -91,7 +91,7 @@ For the first node `./setup.sh setup_k8s`. For nodes joining the cluster `./setu - [metallb](https://metallb.universe.tf) instead of the default load balancer because it does not allow for a public IP different from the `k8s` node IP. `./setup.sh setup_k8s_metallb` -- [traefik](https://traefik.io/) [v2.10](https://doc.traefik.io/traefik/v2.10/) installed from the [v25.0](https://github.com/traefik/traefik-helm-chart/tree/v25.0.0) helm chart. +- [traefik](https://traefik.io/) [v2.10](https://doc.traefik.io/traefik/v3.1/) installed from the [v25.0](https://github.com/traefik/traefik-helm-chart/tree/v31.1.1) helm chart. `./setup.sh setup_k8s_traefik` - [cert-manager](https://cert-manager.io/). `./setup.sh setup_k8s_certmanager`