remoll/k3s-infra
0
0
Fork 0
Code Issues 1 Pull Requests 4 Packages Projects Releases Wiki Activity

initial migration

Browse Source
This commit is contained in:
Remy Moll
2023-10-05 14:34:37 +02:00
parent 5cb41fd5e4
commit 41f0153fd0
145 changed files with 17441 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
infrastructure/traefik-system/config.values.yaml Normal file
View File

@@ -0,0 +1,2 @@
name: traefik
chart: traefik/traefik

87
infrastructure/traefik-system/configmap.yml Normal file
View File

@@ -0,0 +1,87 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-config
namespace: traefik-system
data:
traefik.toml: |
[ping]
[global]
checkNewVersion = true
sendAnonymousUsage = false
[log]
level = "INFO"
[accessLog]
# format = "json"
# filePath = "/var/log/traefik/access.log"
[accessLog.fields]
defaultMode = "keep"
[accessLog.fields.names]
"RequestProtocol" = "drop"
"level" = "drop"
"RequestContentSize" = "drop"
"RequestScheme" = "drop"
"StartLocal" = "drop"
"StartUTC" = "drop"
# ClientUsername: drop
# DownstreamStatusLine: drop
# RequestAddr: drop
# RequestCount: drop
# RequestHost: drop
# RequestLine: drop
# UpstreamAddr: drop
# UpstreamStatusLine: drop
# duration: drop
# msg: drop
# time: drop
# upstream: drop
# user_agent: drop
[api]
dashboard = true
insecure = true
debug = false
[providers]
[providers.kubernetesCRD]
allowCrossNamespace = true
[providers.kubernetesIngress]
allowExternalNameServices = true
ingressClass = "traefik"
[serversTransport]
insecureSkipVerify = true
[entryPoints]
[entryPoints.web]
address = ":8000"
[entryPoints.web.http]
[entryPoints.web.http.redirections]
[entryPoints.web.http.redirections.entryPoint]
to = ":443" # should be the same as websecure but the loadbalancer maps 443 -> 8443
scheme = "https"
[entryPoints.websecure]
address = ":8443"
[entryPoints.metrics]
address = ":9100"
[entryPoints.traefik]
address = ":9000"
[metrics]
[metrics.influxDB2]
address = "http://influxdb-influxdb2.monitoring:80"
token = "N_jNm1hZTfyhJneTJj2G357mQ7EJdNzdvebjSJX6JkbyaXNup_IAqeYowblMgV8EjLypNvauTl27ewJvI_rbqQ=="
org = "influxdata"
bucket = "kluster"
[certificatesResolvers.default-tls.acme]
email = "me@moll.re"
storage = "/certs/acme.json"
[certificatesResolvers.default-tls.acme.tlsChallenge]
[experimental.plugins.traefik-plugin-geoblock]
moduleName = "github.com/nscuro/traefik-plugin-geoblock"
version = "v0.10.0"

33
infrastructure/traefik-system/pvc.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: v1
kind: PersistentVolume
metadata:
namespace: traefik-system
name: traefik-certificate
labels:
directory: traefik
spec:
storageClassName: fast
capacity:
storage: "10Mi"
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
nfs:
path: /export/kluster/traefik/certs
server: 192.168.1.157
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
namespace: traefik-system
name: traefik-certificate
spec:
storageClassName: fast
accessModes:
- ReadWriteOnce
resources:
requests:
storage: "10Mi"
selector:
matchLabels:
directory: traefik

2
infrastructure/traefik-system/telegraf.config.values.yaml Normal file
View File

@@ -0,0 +1,2 @@
name: telegraf-traefik
chart: influxdata/telegraf

151
infrastructure/traefik-system/telegraf.values.yaml Normal file
View File

@@ -0,0 +1,151 @@
## Default values.yaml for Telegraf
## This is a YAML-formatted file.
## ref: https://hub.docker.com/r/library/telegraf/tags/
replicaCount: 1
image:
repo: "telegraf"
tag: "1.24"
pullPolicy: IfNotPresent
podAnnotations: {}
podLabels: {}
imagePullSecrets: []
## Configure args passed to Telegraf containers
args: []
# The name of a secret in the same kubernetes namespace which contains values to
# be added to the environment (must be manually created)
# This can be useful for auth tokens, etc.
# envFromSecret: "telegraf-tokens"
env:
- name: HOSTNAME
value: "telegraf-polling-service"
# An older "volumeMounts" key was previously added which will likely
# NOT WORK as you expect. Please use this newer configuration.
volumes:
- name: traefik-logs
persistentVolumeClaim:
claimName: traefik-logs
mountPoints:
- name: traefik-logs
mountPath: /traefik_logs
## Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
nodeSelector: {}
## Affinity for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: # to read the traefik logs the pod must be on the same node as traefik
podAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions: # matches labels: app.kubernetes.io/name=traefik
- key: app.kubernetes.io/name
operator: In
values:
- traefik
topologyKey: "kubernetes.io/hostname"
## Tolerations for pod assignment
## Ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
# - key: "key"
# operator: "Equal|Exists"
# value: "value"
# effect: "NoSchedule|PreferNoSchedule|NoExecute(1.6 only)"
service:
enabled: false
type: ClusterIP
annotations: {}
rbac:
# Specifies whether RBAC resources should be created
create: true
# Create only for the release namespace or cluster wide (Role vs ClusterRole)
clusterWide: false
# Rules for the created rule
rules: []
# When using the prometheus input to scrape all pods you need extra rules set to the ClusterRole to be
# able to scan the pods for scraping labels. The following rules have been taken from:
# https://github.com/helm/charts/blob/master/stable/prometheus/templates/server-clusterrole.yaml#L8-L46
# - apiGroups:
# - ""
# resources:
# - nodes
# - nodes/proxy
# - nodes/metrics
# - services
# - endpoints
# - pods
# - ingresses
# - configmaps
# verbs:
# - get
# - list
# - watch
# - apiGroups:
# - "extensions"
# resources:
# - ingresses/status
# - ingresses
# verbs:
# - get
# - list
# - watch
# - nonResourceURLs:
# - "/metrics"
# verbs:
# - get
serviceAccount:
# Specifies whether a ServiceAccount should be created
create: true
# The name of the ServiceAccount to use.
# If not set and create is true, a name is generated using the fullname template
name:
# Annotations for the ServiceAccount
annotations: {}
## Exposed telegraf configuration
## For full list of possible values see `/docs/all-config-values.yaml` and `/docs/all-config-values.toml`
## ref: https://docs.influxdata.com/telegraf/v1.1/administration/configuration/
config:
agent:
interval: "10s"
round_interval: true
metric_batch_size: 1000
metric_buffer_limit: 10000
collection_jitter: "0s"
flush_interval: "10s"
flush_jitter: "0s"
precision: ""
debug: false
quiet: false
logfile: ""
hostname: "$HOSTNAME"
omit_hostname: true
# processors:
# - enum:
# mapping:
# field: "status"
# dest: "status_code"-+
# value_mappings:
# healthy: 1
# problem: 2
# critical: 3
outputs:
- influxdb_v2:
urls:
- "http://influxdb-influxdb2.monitoring:80"
token: N_jNm1hZTfyhJneTJj2G357mQ7EJdNzdvebjSJX6JkbyaXNup_IAqeYowblMgV8EjLypNvauTl27ewJvI_rbqQ==
organization: "influxdata"
bucket: "kluster"
# retention_policy: "2w"
inputs:
- docker_log:
endpoint: "unix:///var/run/docker.sock"
from_beginning: false
container_name_include: ["traefik"]

241
infrastructure/traefik-system/values.yaml Normal file
View File

@@ -0,0 +1,241 @@
# Default values for Traefik
image:
name: traefik
# defaults to appVersion
tag: ""
pullPolicy: IfNotPresent
#
# Configure the deployment
#
deployment:
enabled: true
# Can be either Deployment or DaemonSet
kind: Deployment
# Number of pods of the deployment (only applies when kind == Deployment)
replicas: 1
# Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
# revisionHistoryLimit: 1
# Amount of time (in seconds) before Kubernetes will send the SIGKILL signal if Traefik does not shut down
terminationGracePeriodSeconds: 60
# The minimum number of seconds Traefik needs to be up and running before the DaemonSet/Deployment controller considers it available
minReadySeconds: 0
# Additional deployment annotations (e.g. for jaeger-operator sidecar injection)
annotations: {}
# Additional deployment labels (e.g. for filtering deployment by custom labels)
labels: {}
# Additional pod annotations (e.g. for mesh injection or prometheus scraping)
podAnnotations: {}
# Additional Pod labels (e.g. for filtering Pod by custom labels)
podLabels: {}
# Additional containers (e.g. for metric offloading sidecars)
additionalContainers: []
# https://docs.datadoghq.com/developers/dogstatsd/unix_socket/?tab=host
# - name: socat-proxy
# image: alpine/socat:1.0.5
# args: ["-s", "-u", "udp-recv:8125", "unix-sendto:/socket/socket"]
# volumeMounts:
# - name: dsdsocket
# mountPath: /socket
# Additional volumes available for use with initContainers and additionalContainers
additionalVolumes:
# - name: traefik-logs
# persistentVolumeClaim:
# claimName: traefik-logs
- name: traefik-certificate
persistentVolumeClaim:
claimName: traefik-certificate
- name: traefik-config
configMap:
name: traefik-config
# - name: dsdsocket
# hostPath:
# path: /var/run/statsd-exporter
# Additional initContainers (e.g. for setting file permission as shown below)
initContainers: []
# The "volume-permissions" init container is required if you run into permission issues.
# Related issue: https://github.com/traefik/traefik/issues/6972
# - name: volume-permissions
# image: busybox:1.31.1
# command: ["sh", "-c", "chmod -Rv 600 /data/*"]
# volumeMounts:
# - name: data
# mountPath: /data
# Use process namespace sharing
shareProcessNamespace: false
# Custom pod DNS policy. Apply if `hostNetwork: true`
# dnsPolicy: ClusterFirstWithHostNet
# Additional imagePullSecrets
imagePullSecrets: []
# - name: myRegistryKeySecretName
# Use ingressClass. Ignored if Traefik version < 2.3 / kubernetes < 1.18.x
ingressClass:
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
enabled: true
isDefaultClass: true
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
fallbackApiVersion: ""
# Activate Pilot integration
pilot:
enabled: false
token: ""
# Toggle Pilot Dashboard
# dashboard: false
# Enable experimental features
experimental:
http3:
enabled: false
plugins:
enabled: false
kubernetesGateway:
enabled: false
# certificate:
# group: "core"
# kind: "Secret"
# name: "mysecret"
# By default, Gateway would be created to the Namespace you are deploying Traefik to.
# You may create that Gateway in another namespace, setting its name below:
# namespace: default
# Create an IngressRoute for the dashboard
ingressRoute:
dashboard:
enabled: false
# Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
annotations: {}
# Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
labels: {}
#
# Configure providers
#
providers:
kubernetesCRD:
enabled: true
allowCrossNamespace: false
allowExternalNameServices: true
allowEmptyServices: false
# ingressClass: traefik-internal
# labelSelector: environment=production,method=traefik
namespaces: []
# - "default"
kubernetesIngress:
enabled: true
allowExternalNameServices: true
allowEmptyServices: false
ingressClass: traefik
# labelSelector: environment=production,method=traefik
namespaces: []
# - "default"
# IP used for Kubernetes Ingress endpoints
publishedService:
enabled: false
# Published Kubernetes Service to copy status from. Format: namespace/servicename
# By default this Traefik service
# pathOverride: ""
# Add volumes to the traefik pod. The volume name will be passed to tpl.
# This can be used to mount a cert pair or a configmap that holds a config.toml file.
# After the volume has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# additionalArguments:
# - "--providers.file.filename=/config/dynamic.toml"
# - "--ping"
# - "--ping.entrypoint=web"
volumes: []
# - name: traefik-config
# mountPath: /config
# configMap:
# name: traefik-config
# - name: public-cert
# mountPath: "/certs"
# type: secret
# - name: '{{ printf "%s-configs" .Release.Name }}'
# mountPath: "/config"
# type: configMap
# Additional volumeMounts to add to the Traefik container
additionalVolumeMounts:
# - name: traefik-logs
# mountPath: /var/log/traefik
# nfs:
# server: 192.168.1.157
# path: /kluster/traefik
# # For instance when using a logshipper for access logs
# - name: traefik-logs
# # claimName: traefik-logs
# mountPath: /var/log/traefik
- name: traefik-certificate
# claimName: traefik-certificate
mountPath: /certs
- name: traefik-config
mountPath: /config
globalArguments:
- "--configfile=/config/traefik.toml"
additionalArguments: []
# Environment variables to be passed to Traefik's binary
env:
- name: TZ
value: "Europe/Berlin"
# - name: SOME_VAR
# value: some-var-value
# - name: SOME_VAR_FROM_CONFIG_MAP
# valueFrom:
# configMapRef:
# name: configmap-name
# key: config-key
# - name: SOME_SECRET
# valueFrom:
# secretKeyRef:
# name: secret-name
# key: secret-key
# Configure ports
ports: {} # leave unconfigured to use the values from the toml file
envFrom: []
# - configMapRef:
# name: config-map-name
# - secretRef:
# name: secret-name
tlsOptions: {}
# Options for the main traefik service, where the entrypoints traffic comes
# from.
service:
enabled: true
type: LoadBalancer
# Additional annotations applied to both TCP and UDP services (e.g. for cloud provider specific config)
annotations: {}
# Additional annotations for TCP service only
annotationsTCP: {}
# Additional annotations for UDP service only
annotationsUDP: {}
# Additional service labels (e.g. for filtering Service by custom labels)
labels: {}
# Additional entries here will be added to the service spec.
# Cannot contain type, selector or ports entries.
spec:
# externalTrafficPolicy: Local
loadBalancerIP: 192.168.3.1