From b54b6b0f60d3fb71096997351e81063a128de04b Mon Sep 17 00:00:00 2001 From: Remy Moll Date: Wed, 3 Sep 2025 13:20:09 +0200 Subject: [PATCH] updated bootstrapping procedure with more sane defaults --- README.md | 11 +++++----- .../metallb-system/ipaddresspool.yaml | 8 +++++--- .../metallb-system/kustomization.yaml | 15 ++++++-------- infrastructure/metallb-system/namespace.yaml | 6 +++--- infrastructure/traefik-system/configmap.yaml | 20 +++++++++---------- infrastructure/traefik-system/values.yaml | 8 ++++---- 6 files changed, 34 insertions(+), 34 deletions(-) diff --git a/README.md b/README.md index 4ee34f1..fbc6dfd 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Kluster setup and IaaC using argoCD -### Initial setup +### Description #### Requirements: - A running k3s instance - `sealedsecrets` deployed @@ -27,20 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo - immich - ... -#### Recap -- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md) +## Setup instructions +1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md) ```bash kubectl apply -k infrastructure/sealedsecrets kubectl apply -f infrastructure/sealedsecrets/main.key kubectl delete pod -n kube-system -l name=sealed-secrets-controller ``` -- install argocd +1. install argocd and the app-of-apps bundled with it ```bash kubectl apply -k infrastructure/argocd ``` -- wait... +> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice + ### Adding an application todo diff --git a/infrastructure/metallb-system/ipaddresspool.yaml b/infrastructure/metallb-system/ipaddresspool.yaml index 2b0dd17..c4fb445 100644 --- a/infrastructure/metallb-system/ipaddresspool.yaml +++ b/infrastructure/metallb-system/ipaddresspool.yaml 
@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1 kind: IPAddressPool metadata: name: default - namespace: metallb-system spec: addresses: - 192.168.3.0/24 @@ -10,5 +9,8 @@ spec: apiVersion: metallb.io/v1beta1 kind: L2Advertisement metadata: - name: empty - namespace: metallb-system \ No newline at end of file + name: default +# selector is left empty on purpose to match all IPAddressPools +# spec: +# ipAddressPools: +# - default diff --git a/infrastructure/metallb-system/kustomization.yaml b/infrastructure/metallb-system/kustomization.yaml index fa2db68..2d018bf 100644 --- a/infrastructure/metallb-system/kustomization.yaml +++ b/infrastructure/metallb-system/kustomization.yaml @@ -1,15 +1,12 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -resources: - - namespace.yaml - - ipaddresspool.yaml namespace: metallb-system +resources: + # - namespace.yaml + # namespace is already included in the remote kustomization + # - github.com/metallb/metallb/config/native?ref=v0.15.2 + - github.com/metallb/metallb/config/frr?ref=v0.15.2 + - ipaddresspool.yaml -helmCharts: - - name: metallb - repo: https://metallb.github.io/metallb - version: 0.15.2 - releaseName: metallb - valuesFile: values.yaml diff --git a/infrastructure/metallb-system/namespace.yaml b/infrastructure/metallb-system/namespace.yaml index 1178cee..e4703b4 100644 --- a/infrastructure/metallb-system/namespace.yaml +++ b/infrastructure/metallb-system/namespace.yaml @@ -1,6 +1,6 @@ apiVersion: v1 kind: Namespace metadata: - name: placeholder - labels: - pod-security.kubernetes.io/enforce: privileged + name: metallb-system + # labels: + # pod-security.kubernetes.io/enforce: privileged diff --git a/infrastructure/traefik-system/configmap.yaml b/infrastructure/traefik-system/configmap.yaml index aeea288..bbba591 100644 --- a/infrastructure/traefik-system/configmap.yaml +++ b/infrastructure/traefik-system/configmap.yaml 
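Review bot: The renamed `L2Advertisement` `default` ships with no `spec`, so, as the added comment says, it advertises every IPAddressPool, and the only pool in this file is the context line `- 192.168.3.0/24`, a full /24 that includes the network and broadcast addresses and presumably the gateway and node addresses of that segment (not visible here). A Service that is handed an address another host already owns produces an ARP conflict that the speaker will generally win, so the pool should be narrowed to a range reserved for the cluster and the buggy-address guard enabled, e.g. `addresses:` / `- 192.168.3.200-192.168.3.250` / `avoidBuggyIPs: true`. If the whole /24 really is dedicated to MetalLB, a one-line comment on the pool saying so would spare the next reader the same question.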
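Review bot: `github.com/metallb/metallb/config/frr?ref=v0.15.2` pins the remote base to a git tag, and tags are mutable, so anyone with write access upstream can change the manifests this cluster applies on its next sync; for supply-chain integrity the ref should be the tag's commit SHA (`?ref=<commit sha>`) with the version kept in a comment. The hunk also selects the `frr` variant over the commented-out `native` one although the only advertisement in this patch is an `L2Advertisement`; FRR is only needed for BGP/BFD and adds a routing daemon to every speaker pod, so `native` is the smaller footprint unless BGP is planned. The removed `helmCharts` block referenced `values.yaml`, which the diffstat does not delete; if that file still exists in this directory it is now dead configuration.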
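Review bot: `namespace.yaml` is renamed to the real namespace here, but the `kustomization.yaml` hunk in this same patch comments the file out of `resources`, so nothing applies it any more and the commented-out `pod-security.kubernetes.io/enforce: privileged` label is dead text. Either delete the file or replace the commented label with a note explaining why it is kept, e.g. `# Unused: the Namespace (and its PSA labels) comes from the remote metallb base in kustomization.yaml`. The label that was previously applied suggests the speakers need privileged pods, so whoever enables PSA enforcement later should verify the upstream Namespace carries the same labels; that cannot be confirmed from this diff.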
@@ -5,15 +5,15 @@ metadata: data: traefik.toml: | [ping] - + [global] checkNewVersion = false # renovate does that sendAnonymousUsage = false - + [log] level = "INFO" - + [accessLog] [accessLog.fields] defaultMode = "keep" @@ -41,17 +41,17 @@ data: dashboard = true insecure = true debug = false - + [providers] [providers.kubernetesCRD] allowCrossNamespace = true [providers.kubernetesIngress] allowExternalNameServices = true - ingressClass = "traefik" + ingressClass = "traefik" [serversTransport] insecureSkipVerify = true - + [entryPoints] [entryPoints.web] address = ":8000" @@ -66,13 +66,13 @@ data: [entryPoints.websecure.forwardedHeaders] insecure = true # forward ip headers no matter where they come from - + [entryPoints.metrics] address = ":9100" - + [entryPoints.traefik] - address = ":9000" - + address = ":8080" + [entryPoints.dnsovertls] address = ":8853" # route dns over https to other pods but provide own certificate diff --git a/infrastructure/traefik-system/values.yaml b/infrastructure/traefik-system/values.yaml index 4f6020e..550ed32 100644 --- a/infrastructure/traefik-system/values.yaml +++ b/infrastructure/traefik-system/values.yaml @@ -23,8 +23,7 @@ ingressClass: # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 enabled: true isDefaultClass: true - # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1" - fallbackApiVersion: "" + # Activate Pilot integration pilot: @@ -67,10 +66,11 @@ providers: kubernetesIngress: enabled: true allowExternalNameServices: true - ingressClass: traefik + # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default. + # ingressClass: traefik # labelSelector: environment=production,method=traefik - + # Additional volumeMounts to add to the Traefik container additionalVolumeMounts:
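Review bot: `[entryPoints.traefik] address = ":8080"` moves the listener that, with `[api] insecure = true` visible as context in the same file, serves the unauthenticated API and dashboard, so the new port must stay off any externally reachable Service. Whether the chart's `ports.traefik` and probe definitions in values.yaml were moved from 9000 to 8080 as well is not visible in this patch; if they were not, the `/ping` probes (served on the `traefik` entrypoint by default) and the Service target port will point at a port nothing listens on. Please confirm the matching values.yaml change or add `# must match ports.traefik.port in values.yaml; serves the insecure API, keep internal` beside the address. The trailing-whitespace removals and the `ingressClass` re-indent are cosmetic since TOML ignores leading whitespace.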
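Review bot: Commenting out `ingressClass: traefik` under `providers.kubernetesIngress` conflicts with `infrastructure/traefik-system/configmap.yaml` in this same patch, which still sets `ingressClass = "traefik"` in `[providers.kubernetesIngress]`; which of the two Traefik honours depends on how the chart is wired to that ConfigMap, which this hunk does not show. Pick one source of truth, either dropping the TOML line too or keeping the value here, and document the decision. With the class filter gone Traefik also claims Ingresses that carry no class at all, which together with `isDefaultClass: true` in the first hunk is presumably intended, but a second ingress controller in the cluster would then fight over unclassed Ingresses; a comment such as `# traefik is the only ingress controller here; unclassed Ingresses are claimed on purpose` would make that explicit.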