updated bootstrapping procedure with more sane defaults

2025-09-03 13:20:09 +02:00
parent e98d7330f1
commit b54b6b0f60
6 changed files with 34 additions and 34 deletions
--- a/infrastructure/metallb-system/ipaddresspool.yaml
+++ b/infrastructure/metallb-system/ipaddresspool.yaml
@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1
 kind: IPAddressPool
 metadata:
  name: default
-  namespace: metallb-system
 spec:
  addresses:
    - 192.168.3.0/24
@@ -10,5 +9,8 @@ spec:
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement
 metadata:
-  name: empty
-  namespace: metallb-system
+  name: default
+# selector is left empty on purpose to match all IPAddressPools
+# spec:
+#   ipAddressPools:
+#   - default
--- a/infrastructure/metallb-system/kustomization.yaml
+++ b/infrastructure/metallb-system/kustomization.yaml
@@ -1,15 +1,12 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-resources: 
-  - namespace.yaml
-  - ipaddresspool.yaml

 namespace: metallb-system

+resources:
+  # - namespace.yaml
+  # namespace is already included in the remote kustomization
+  # - github.com/metallb/metallb/config/native?ref=v0.15.2
+  - github.com/metallb/metallb/config/frr?ref=v0.15.2
+  - ipaddresspool.yaml

-helmCharts:
-  - name: metallb
-    repo: https://metallb.github.io/metallb
-    version: 0.15.2
-    releaseName: metallb
-    valuesFile: values.yaml
--- a/infrastructure/metallb-system/namespace.yaml
+++ b/infrastructure/metallb-system/namespace.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: placeholder
-  labels:
-    pod-security.kubernetes.io/enforce: privileged 
+  name: metallb-system
+  # labels:
+    # pod-security.kubernetes.io/enforce: privileged
--- a/infrastructure/traefik-system/configmap.yaml
+++ b/infrastructure/traefik-system/configmap.yaml
@@ -5,15 +5,15 @@ metadata:
 data:
  traefik.toml: |
    [ping]
-    
+
    [global]
      checkNewVersion = false
      # renovate does that
      sendAnonymousUsage = false
-    
+
    [log]
      level = "INFO"
-    
+
    [accessLog]
      [accessLog.fields]
        defaultMode = "keep"
@@ -41,17 +41,17 @@ data:
      dashboard = true
      insecure = true
      debug = false
- 
+
    [providers]
      [providers.kubernetesCRD]
        allowCrossNamespace = true
      [providers.kubernetesIngress]
        allowExternalNameServices = true
-        ingressClass = "traefik"    
+        ingressClass = "traefik"

    [serversTransport]
      insecureSkipVerify = true
- 
+
    [entryPoints]
      [entryPoints.web]
        address = ":8000"
@@ -66,13 +66,13 @@ data:
        [entryPoints.websecure.forwardedHeaders]
          insecure = true
          # forward ip headers no matter where they come from
-      
+
      [entryPoints.metrics]
        address = ":9100"
-      
+
      [entryPoints.traefik]
-        address = ":9000"
-      
+        address = ":8080"
+
      [entryPoints.dnsovertls]
        address = ":8853"
        # route dns over https to other pods but provide own certificate
--- a/infrastructure/traefik-system/values.yaml
+++ b/infrastructure/traefik-system/values.yaml
@@ -23,8 +23,7 @@ ingressClass:
  # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
  enabled: true
  isDefaultClass: true
-  # Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
-  fallbackApiVersion: ""
+

 # Activate Pilot integration
 pilot:
@@ -67,10 +66,11 @@ providers:
  kubernetesIngress:
    enabled: true
    allowExternalNameServices: true
-    ingressClass: traefik
+    # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
+    # ingressClass: traefik
    # labelSelector: environment=production,method=traefik

-  
+

 # Additional volumeMounts to add to the Traefik container
 additionalVolumeMounts: