
traefik: switch to manual install and pinning of v3

This commit is contained in:
Earl Warren 2024-10-22 13:02:27 +02:00
parent 0f9b5ff8e2
commit 60ddffb514
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
4 changed files with 44 additions and 42 deletions


@ -9,8 +9,6 @@ else
set -e set -e
fi fi
export INSTALL_K3S_VERSION=v1.30.5+k3s1
source $SELF_DIR/variables.sh source $SELF_DIR/variables.sh
source $SELF_DIR/secrets.sh source $SELF_DIR/secrets.sh
@ -165,6 +163,12 @@ EOF
if ! grep --quiet 'export KUBECONFIG' ~/.bashrc; then if ! grep --quiet 'export KUBECONFIG' ~/.bashrc; then
echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >>~/.bashrc echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >>~/.bashrc
fi fi
#
# To upgrade, systemctl stop k3s before running this. A node
# that is already part of a cluster does not need the --token
# or --server so there is no need to provide the number of an
# existing node.
#
if ! sudo systemctl --quiet is-active k3s; then if ! sudo systemctl --quiet is-active k3s; then
args="" args=""
if test "$existing"; then if test "$existing"; then
@ -177,7 +181,8 @@ EOF
if test "$self_node" = $node_k8s_etcd; then if test "$self_node" = $node_k8s_etcd; then
args="$args --disable-apiserver --disable-controller-manager --disable-scheduler" args="$args --disable-apiserver --disable-controller-manager --disable-scheduler"
fi fi
curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq export INSTALL_K3S_VERSION=v1.30.5+k3s1
curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --disable=traefik --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq
if test "$self_node" = $node_k8s_etcd; then if test "$self_node" = $node_k8s_etcd; then
retry --times 20 -- kubectl taint nodes $(hostname) key1=value1:NoSchedule retry --times 20 -- kubectl taint nodes $(hostname) key1=value1:NoSchedule
fi fi
@ -192,7 +197,9 @@ function setup_k8s_apply() {
} }
function setup_k8s_traefik() { function setup_k8s_traefik() {
setup_k8s_apply traefik.yml # https://github.com/traefik/traefik-helm-chart?tab=readme-ov-file#deploying-traefik
helm repo add traefik https://traefik.github.io/charts
$SELF_DIR/subst.sh traefik.yml | helm upgrade --install --namespace kube-system traefik -f - --set installCRDs=true --version 32.1.1 traefik/traefik
} }
function setup_k8s_nfs() { function setup_k8s_nfs() {
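Review bot: The pinned `--version 32.1.1` in setup_k8s_traefik is resolved from the locally cached repository index, and `helm repo add` does not refresh that index once a `traefik` repo already exists on the host, so a later bump of the pin on a machine that ran this script before can fail with a "version not found" error; add `helm repo update traefik` between the `helm repo add` line and the `helm upgrade --install` line. The pin also does not verify what is fetched — Helm only compares the chart digest against the unsigned index it downloaded — so if chart integrity matters for this infrastructure, consider `--verify`, which requires the chart's provenance file and I cannot confirm from this diff that the Traefik chart publishes one. Helm 3 does not update CRDs on `helm upgrade`; if this cluster previously ran the k3s-packaged Traefik v2 chart, the v3 CRDs may need a one-time manual apply, which deserves a comment next to the `installCRDs` flag, and on an already-running node the packaged Traefik is only removed once k3s is restarted with the new `--disable=traefik` flag, as the comment above the `is-active` check implies. Separately, k8s.md in this commit still labels the chart v31.1.1 and Traefik v2.10 while this file pins 32.1.1 and v3. The first two hunks start inside setup_k8s, whose beginning is outside this section.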


@ -1,13 +1,6 @@
apiVersion: helm.cattle.io/v1 deployment:
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
deployment:
replicas: 2 replicas: 2
ports: ports:
web: web:
port: 80 port: 80
redirectTo: redirectTo:
@ -16,20 +9,22 @@ spec:
ssh-next: ssh-next:
port: 2020 port: 2020
exposedPort: 2020 exposedPort: 2020
expose: true # https://github.com/traefik/traefik-helm-chart/blob/v32.1.1/traefik/values.yaml#L611-L614
service: expose:
default: true
service:
annotations: annotations:
metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6 metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
spec: spec:
externalTrafficPolicy: Local externalTrafficPolicy: Local
ipFamilyPolicy: PreferDualStack ipFamilyPolicy: PreferDualStack
logs: logs:
general: general:
level: INFO level: INFO
access: access:
enabled: true enabled: true
fields: fields:
headers: headers:
# https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml#L304-L308 # https://github.com/traefik/traefik-helm-chart/blob/v32.1.1/traefik/values.yaml#L365-L369
names: names:
User-Agent: keep User-Agent: keep


@ -6,7 +6,7 @@ image:
ingress: ingress:
annotations: annotations:
# https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-ingress/#on-ingress # https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-ingress/#on-ingress
# reference middlewares via `<namspace>-<name>@kubernetescrd` # reference middlewares via `<namspace>-<name>@kubernetescrd`
traefik.ingress.kubernetes.io/router.middlewares: default-forgejo-ratelimit@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: default-forgejo-ratelimit@kubernetescrd
tls: tls:
@ -29,7 +29,7 @@ extraDeploy:
metadata: metadata:
name: forgejo-ratelimit name: forgejo-ratelimit
spec: spec:
# https://doc.traefik.io/traefik/v2.10/middlewares/http/ratelimit/ # https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/
rateLimit: rateLimit:
average: 10 average: 10
burst: 20 burst: 20
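Review bot: Only the documentation links in this file move from v2.10 to v3.1, while the `forgejo-ratelimit` Middleware that `default-forgejo-ratelimit@kubernetescrd` refers to keeps whatever `apiVersion` it had before, which is outside this hunk; Traefik v3 no longer reconciles the `traefik.containo.us/v1alpha1` API group, so if that object is not on `traefik.io/v1alpha1` the rate limit will not be loaded by the new ingress controller. As far as I know Traefik disables a router whose middleware cannot be resolved, so the symptom would be 404s on the Forgejo ingress rather than a silent loss of rate limiting, but it is worth confirming after the rollout either way. I would add a comment above the `rateLimit:` key recording the API group requirement, e.g. `# Traefik v3 only reads traefik.io/v1alpha1 Middleware objects; the v2 traefik.containo.us group is ignored`. The Middleware definition begins before this hunk.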

k8s.md

@ -91,7 +91,7 @@ For the first node `./setup.sh setup_k8s`. For nodes joining the cluster `./setu
- [metallb](https://metallb.universe.tf) instead of the default load balancer because it does not allow for a public IP different from the `k8s` node IP. - [metallb](https://metallb.universe.tf) instead of the default load balancer because it does not allow for a public IP different from the `k8s` node IP.
`./setup.sh setup_k8s_metallb` `./setup.sh setup_k8s_metallb`
- [traefik](https://traefik.io/) [v2.10](https://doc.traefik.io/traefik/v2.10/) installed from the [v25.0](https://github.com/traefik/traefik-helm-chart/tree/v25.0.0) helm chart. - [traefik](https://traefik.io/) [v2.10](https://doc.traefik.io/traefik/v3.1/) installed from the [v25.0](https://github.com/traefik/traefik-helm-chart/tree/v31.1.1) helm chart.
`./setup.sh setup_k8s_traefik` `./setup.sh setup_k8s_traefik`
- [cert-manager](https://cert-manager.io/). - [cert-manager](https://cert-manager.io/).
`./setup.sh setup_k8s_certmanager` `./setup.sh setup_k8s_certmanager`