upgrade to traefik v3 - switched to DaemonSet to prevent NAT and keep source IP
@@ -14,6 +14,12 @@
|
|||||||
become: yes
|
become: yes
|
||||||
when: inventory_hostname != ansible_hostname
|
when: inventory_hostname != ansible_hostname
|
||||||
|
|
||||||
|
- name: Prevent apt source conflict
|
||||||
|
ansible.builtin.file:
|
||||||
|
state: absent
|
||||||
|
path: /etc/apt/sources.list.d/docker.list
|
||||||
|
become: yes
|
||||||
|
|
||||||
- name: Install role geerlingguy.docker
|
- name: Install role geerlingguy.docker
|
||||||
community.general.ansible_galaxy_install:
|
community.general.ansible_galaxy_install:
|
||||||
type: role
|
type: role
|
||||||
@@ -71,7 +77,7 @@
|
|||||||
vars:
|
vars:
|
||||||
k3s_version: v1.30.3+k3s1
|
k3s_version: v1.30.3+k3s1
|
||||||
token: changeme!
|
token: changeme!
|
||||||
extra_server_args: "--docker"
|
extra_server_args: "--docker --disable traefik"
|
||||||
extra_agent_args: "--docker"
|
extra_agent_args: "--docker"
|
||||||
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
|
api_endpoint: "{{ hostvars[groups['server'][0]]['ansible_host'] | default(groups['server'][0]) }}"
|
||||||
|
|
||||||
@@ -98,7 +104,7 @@
|
|||||||
community.general.ipify_facts:
|
community.general.ipify_facts:
|
||||||
- become: true
|
- become: true
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
dest: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
|
dest: /var/lib/rancher/k3s/server/manifests/traefik-v3.yaml
|
||||||
content: |-
|
content: |-
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
data:
|
data:
|
||||||
@@ -110,11 +116,15 @@
|
|||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
---
|
---
|
||||||
apiVersion: helm.cattle.io/v1
|
apiVersion: helm.cattle.io/v1
|
||||||
kind: HelmChartConfig
|
kind: HelmChart
|
||||||
metadata:
|
metadata:
|
||||||
name: traefik
|
name: traefik
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
spec:
|
spec:
|
||||||
|
repo: https://traefik.github.io/charts
|
||||||
|
chart: traefik
|
||||||
|
version: v30.1.0
|
||||||
|
targetNamespace: kube-system
|
||||||
valuesContent: |-
|
valuesContent: |-
|
||||||
{{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
|
{{ traefik_helm_values | to_nice_yaml | indent( width=4 ) }}
|
||||||
vars:
|
vars:
|
||||||
@@ -149,21 +159,29 @@
|
|||||||
- websecure
|
- websecure
|
||||||
middlewares:
|
middlewares:
|
||||||
localIp:
|
localIp:
|
||||||
ipWhiteList:
|
IPAllowList:
|
||||||
sourceRange:
|
sourceRange:
|
||||||
- "192.168.1.0/24"
|
- "192.168.1.0/24"
|
||||||
- "{{ ipify_public_ip }}/32"
|
- "{{ ipify_public_ip }}/32"
|
||||||
traefik_helm_values: # https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
|
traefik_helm_values:
|
||||||
|
# default is https://github.com/traefik/traefik-helm-chart/blob/v25.0.0/traefik/values.yaml <- for v25 (`kubectl describe deployments.apps traefik -n kube-system | grep helm.sh/chart`)
|
||||||
|
# current is https://github.com/traefik/traefik-helm-chart/blob/v30.1.0/traefik/values.yaml
|
||||||
|
deployment:
|
||||||
|
kind: DaemonSet
|
||||||
service:
|
service:
|
||||||
spec:
|
spec:
|
||||||
externalTrafficPolicy: Local
|
externalTrafficPolicy: Local
|
||||||
ports:
|
ports:
|
||||||
traefik:
|
traefik:
|
||||||
expose: true
|
expose:
|
||||||
|
default: true
|
||||||
|
ingressRoute:
|
||||||
|
dashboard:
|
||||||
|
enabled: true
|
||||||
globalArguments: [] # deactivate --global.sendanonymoususage
|
globalArguments: [] # deactivate --global.sendanonymoususage
|
||||||
logs:
|
logs:
|
||||||
general:
|
general:
|
||||||
level: TRACE
|
level: DEBUG
|
||||||
# format: json
|
# format: json
|
||||||
access:
|
access:
|
||||||
enabled: true
|
enabled: true
|
||||||
@@ -204,9 +222,9 @@
|
|||||||
name: traefik-duckdns-token
|
name: traefik-duckdns-token
|
||||||
# MY_TOKEN=<my token (see https://www.duckdns.org/domains)>
|
# MY_TOKEN=<my token (see https://www.duckdns.org/domains)>
|
||||||
# kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKEN=$MY_TOKEN" -n kube-system
|
# kubectl create secret generic traefik-duckdns-token --from-literal="DUCKDNS_TOKEN=$MY_TOKEN" -n kube-system
|
||||||
- name: touch manifests/traefik-config.yaml to trigger update
|
- name: touch manifests/traefik.yaml to trigger update
|
||||||
ansible.builtin.file:
|
ansible.builtin.file:
|
||||||
path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml
|
path: /var/lib/rancher/k3s/server/manifests/traefik-v3.yaml
|
||||||
state: touch
|
state: touch
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
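Review bot: The new `ingressRoute.dashboard.enabled: true` combined with `ports.traefik.expose.default: true` in the traefik_helm_values hunk publishes the Traefik dashboard and `api@internal` on the externally reachable Service with no authentication or source restriction, and with the DaemonSet plus `externalTrafficPolicy: Local` that is now on every node's address. As far as I recall the v30 chart's dashboard IngressRoute carries an empty `middlewares` list by default and the API serves the full dynamic configuration (routers, services, middleware settings), so at minimum attach the `localIp` IPAllowList this file already defines, e.g. `ingressRoute.dashboard.middlewares: [{ name: localIp }]` (use `localIp@file` if that middleware lives in the file-provider ConfigMap rather than a Middleware CRD; I cannot tell from this hunk), and consider leaving port 9000 unexposed and reaching the dashboard through `kubectl port-forward` instead. Separately, the documented v3 key is `ipAllowList`; Traefik's config parser appears to match field names case-insensitively so `IPAllowList` likely works, but the documented casing is less surprising and worth confirming against the rendered dynamic config.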
|
|||||||
@@ -215,7 +215,7 @@
|
|||||||
gitea_credentials:
|
gitea_credentials:
|
||||||
username: arcodange
|
username: arcodange
|
||||||
password: "{{ argocd_token }}"
|
password: "{{ argocd_token }}"
|
||||||
argocd_helm_values:
|
argocd_helm_values: # https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/values.yaml
|
||||||
global:
|
global:
|
||||||
domain: argocd.arcodange.duckdns.org
|
domain: argocd.arcodange.duckdns.org
|
||||||
configs:
|
configs:
|
||||||
|
|||||||