forgejo/infrastructure-documentation
1
0
Fork 0
mirror of https://code.forgejo.org/infrastructure/documentation synced 2024-11-22 11:21:10 +00:00
Code Issues Activity

traefik: switch to manual install and pinning of v3

Browse source
This commit is contained in:
Earl Warren 2024-10-22 13:02:27 +02:00
parent 0f9b5ff8e2
commit 60ddffb514
No known key found for this signature in database
GPG key ID: 0579CB2928A78A00
4 changed files with 44 additions and 42 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
k3s-host/setup.sh
View file

@ -9,8 +9,6 @@ else
set -e set -e
fi fi
export INSTALL_K3S_VERSION=v1.30.5+k3s1
source $SELF_DIR/variables.sh source $SELF_DIR/variables.sh
source $SELF_DIR/secrets.sh source $SELF_DIR/secrets.sh
@ -165,6 +163,12 @@ EOF
if ! grep --quiet 'export KUBECONFIG' ~/.bashrc; then if ! grep --quiet 'export KUBECONFIG' ~/.bashrc; then
echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >>~/.bashrc echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >>~/.bashrc
fi fi
#
# To upgrade, systemctl stop k3s before running this. A node
# that is already part of a cluster does not need the --token
# or --server so there is no need to provide the number of an
# existing node.
#
if ! sudo systemctl --quiet is-active k3s; then if ! sudo systemctl --quiet is-active k3s; then
args="" args=""
if test "$existing"; then if test "$existing"; then
@ -177,7 +181,8 @@ EOF
if test "$self_node" = $node_k8s_etcd; then if test "$self_node" = $node_k8s_etcd; then
args="$args --disable-apiserver --disable-controller-manager --disable-scheduler" args="$args --disable-apiserver --disable-controller-manager --disable-scheduler"
fi fi
curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq export INSTALL_K3S_VERSION=v1.30.5+k3s1
curl -fL https://get.k3s.io | sh -s - server $args --cluster-init --disable=servicelb --disable=traefik --write-kubeconfig-mode=644 --node-ip=$node_k8s_ipv4_prefix.$self_node,$node_k8s_ipv6_prefix::$self_node $node_k8s_cidr --flannel-ipv6-masq
if test "$self_node" = $node_k8s_etcd; then if test "$self_node" = $node_k8s_etcd; then
retry --times 20 -- kubectl taint nodes $(hostname) key1=value1:NoSchedule retry --times 20 -- kubectl taint nodes $(hostname) key1=value1:NoSchedule
fi fi
@ -192,7 +197,9 @@ function setup_k8s_apply() {
} }
function setup_k8s_traefik() { function setup_k8s_traefik() {
setup_k8s_apply traefik.yml # https://github.com/traefik/traefik-helm-chart?tab=readme-ov-file#deploying-traefik
helm repo add traefik https://traefik.github.io/charts
$SELF_DIR/subst.sh traefik.yml | helm upgrade --install --namespace kube-system traefik -f - --set installCRDs=true --version 32.1.1 traefik/traefik
} }
function setup_k8s_nfs() { function setup_k8s_nfs() {

65
k3s-host/traefik.yml
View file

@ -1,35 +1,30 @@
apiVersion: helm.cattle.io/v1 deployment:
kind: HelmChartConfig replicas: 2
metadata: ports:
name: traefik web:
namespace: kube-system port: 80
spec: redirectTo:
valuesContent: |- port: websecure
deployment: priority: 1
replicas: 2 ssh-next:
ports: port: 2020
web: exposedPort: 2020
port: 80 # https://github.com/traefik/traefik-helm-chart/blob/v32.1.1/traefik/values.yaml#L611-L614
redirectTo: expose:
port: websecure default: true
priority: 1 service:
ssh-next: annotations:
port: 2020 metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6
exposedPort: 2020 spec:
expose: true externalTrafficPolicy: Local
service: ipFamilyPolicy: PreferDualStack
annotations: logs:
metallb.universe.tf/loadBalancerIPs: $failover_ipv4,$failover_ipv6 general:
spec: level: INFO
externalTrafficPolicy: Local access:
ipFamilyPolicy: PreferDualStack enabled: true
logs: fields:
general: headers:
level: INFO # https://github.com/traefik/traefik-helm-chart/blob/v32.1.1/traefik/values.yaml#L365-L369
access: names:
enabled: true User-Agent: keep
fields:
headers:
# https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml#L304-L308
names:
User-Agent: keep

4
k8s-forgejo/next-values.yml
View file

@ -6,7 +6,7 @@ image:
ingress: ingress:
annotations: annotations:
# https://doc.traefik.io/traefik/v2.10/routing/providers/kubernetes-ingress/#on-ingress # https://doc.traefik.io/traefik/v3.1/routing/providers/kubernetes-ingress/#on-ingress
# reference middlewares via `<namspace>-<name>@kubernetescrd` # reference middlewares via `<namspace>-<name>@kubernetescrd`
traefik.ingress.kubernetes.io/router.middlewares: default-forgejo-ratelimit@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: default-forgejo-ratelimit@kubernetescrd
tls: tls:
@ -29,7 +29,7 @@ extraDeploy:
metadata: metadata:
name: forgejo-ratelimit name: forgejo-ratelimit
spec: spec:
# https://doc.traefik.io/traefik/v2.10/middlewares/http/ratelimit/ # https://doc.traefik.io/traefik/v3.1/middlewares/http/ratelimit/
rateLimit: rateLimit:
average: 10 average: 10
burst: 20 burst: 20

2
k8s.md
View file

@ -91,7 +91,7 @@ For the first node `./setup.sh setup_k8s`. For nodes joining the cluster `./setu
- [metallb](https://metallb.universe.tf) instead of the default load balancer because it does not allow for a public IP different from the `k8s` node IP. - [metallb](https://metallb.universe.tf) instead of the default load balancer because it does not allow for a public IP different from the `k8s` node IP.
`./setup.sh setup_k8s_metallb` `./setup.sh setup_k8s_metallb`
- [traefik](https://traefik.io/) [v2.10](https://doc.traefik.io/traefik/v2.10/) installed from the [v25.0](https://github.com/traefik/traefik-helm-chart/tree/v25.0.0) helm chart. - [traefik](https://traefik.io/) [v2.10](https://doc.traefik.io/traefik/v3.1/) installed from the [v25.0](https://github.com/traefik/traefik-helm-chart/tree/v31.1.1) helm chart.
`./setup.sh setup_k8s_traefik` `./setup.sh setup_k8s_traefik`
- [cert-manager](https://cert-manager.io/). - [cert-manager](https://cert-manager.io/).
`./setup.sh setup_k8s_certmanager` `./setup.sh setup_k8s_certmanager`