remoll/k3s-infra
0
0
Fork 0
Code Issues 1 Pull Requests 10 Packages Projects Releases Wiki Activity

updated bootstrapping procedure with more sane defaults

Browse Source
This commit is contained in:
Remy Moll
2025-09-03 13:20:09 +02:00
parent e98d7330f1
commit b54b6b0f60
6 changed files with 34 additions and 34 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
README.md
View File

@@ -1,7 +1,7 @@
# Kluster setup and IaaC using argoCD # Kluster setup and IaaC using argoCD
### Initial setup ### Description
#### Requirements: #### Requirements:
- A running k3s instance - A running k3s instance
- `sealedsecrets` deployed - `sealedsecrets` deployed
@@ -27,20 +27,21 @@ The app-of-apps will bootstrap a fully featured cluster with the following compo
- immich - immich
- ... - ...
#### Recap ## Setup instructions
- install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md) 1. install sealedsecrets see [README](./infrastructure/sealedsecrets/README.md)
```bash ```bash
kubectl apply -k infrastructure/sealedsecrets kubectl apply -k infrastructure/sealedsecrets
kubectl apply -f infrastructure/sealedsecrets/main.key kubectl apply -f infrastructure/sealedsecrets/main.key
kubectl delete pod -n kube-system -l name=sealed-secrets-controller kubectl delete pod -n kube-system -l name=sealed-secrets-controller
``` ```
- install argocd 1. install argocd and the app-of-apps bundled with it
```bash ```bash
kubectl apply -k infrastructure/argocd kubectl apply -k infrastructure/argocd
``` ```
- wait...
> NOTE: The argocd kustomization already mentions some CRDs available only after the full bootstrapping (traefik). You might have to apply the last step twice
### Adding an application ### Adding an application
todo todo

8
infrastructure/metallb-system/ipaddresspool.yaml
View File

@@ -2,7 +2,6 @@ apiVersion: metallb.io/v1beta1
kind: IPAddressPool kind: IPAddressPool
metadata: metadata:
name: default name: default
namespace: metallb-system
spec: spec:
addresses: addresses:
- 192.168.3.0/24 - 192.168.3.0/24
@@ -10,5 +9,8 @@ spec:
apiVersion: metallb.io/v1beta1 apiVersion: metallb.io/v1beta1
kind: L2Advertisement kind: L2Advertisement
metadata: metadata:
name: empty name: default
namespace: metallb-system # selector is left empty on purpose to match all IPAddressPools
# spec:
# ipAddressPools:
# - default

15
infrastructure/metallb-system/kustomization.yaml
View File

@@ -1,15 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources:
- namespace.yaml
- ipaddresspool.yaml
namespace: metallb-system namespace: metallb-system
resources:
# - namespace.yaml
# namespace is already included in the remote kustomization
# - github.com/metallb/metallb/config/native?ref=v0.15.2
- github.com/metallb/metallb/config/frr?ref=v0.15.2
- ipaddresspool.yaml
helmCharts:
- name: metallb
repo: https://metallb.github.io/metallb
version: 0.15.2
releaseName: metallb
valuesFile: values.yaml

6
infrastructure/metallb-system/namespace.yaml
View File

@@ -1,6 +1,6 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: placeholder name: metallb-system
labels: # labels:
pod-security.kubernetes.io/enforce: privileged # pod-security.kubernetes.io/enforce: privileged

20
infrastructure/traefik-system/configmap.yaml
View File

@@ -5,15 +5,15 @@ metadata:
data: data:
traefik.toml: | traefik.toml: |
[ping] [ping]
[global] [global]
checkNewVersion = false checkNewVersion = false
# renovate does that # renovate does that
sendAnonymousUsage = false sendAnonymousUsage = false
[log] [log]
level = "INFO" level = "INFO"
[accessLog] [accessLog]
[accessLog.fields] [accessLog.fields]
defaultMode = "keep" defaultMode = "keep"
@@ -41,17 +41,17 @@ data:
dashboard = true dashboard = true
insecure = true insecure = true
debug = false debug = false
[providers] [providers]
[providers.kubernetesCRD] [providers.kubernetesCRD]
allowCrossNamespace = true allowCrossNamespace = true
[providers.kubernetesIngress] [providers.kubernetesIngress]
allowExternalNameServices = true allowExternalNameServices = true
ingressClass = "traefik" ingressClass = "traefik"
[serversTransport] [serversTransport]
insecureSkipVerify = true insecureSkipVerify = true
[entryPoints] [entryPoints]
[entryPoints.web] [entryPoints.web]
address = ":8000" address = ":8000"
@@ -66,13 +66,13 @@ data:
[entryPoints.websecure.forwardedHeaders] [entryPoints.websecure.forwardedHeaders]
insecure = true insecure = true
# forward ip headers no matter where they come from # forward ip headers no matter where they come from
[entryPoints.metrics] [entryPoints.metrics]
address = ":9100" address = ":9100"
[entryPoints.traefik] [entryPoints.traefik]
address = ":9000" address = ":8080"
[entryPoints.dnsovertls] [entryPoints.dnsovertls]
address = ":8853" address = ":8853"
# route dns over https to other pods but provide own certificate # route dns over https to other pods but provide own certificate

8
infrastructure/traefik-system/values.yaml
View File

@@ -23,8 +23,7 @@ ingressClass:
# true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12 # true is not unit-testable yet, pending https://github.com/rancher/helm-unittest/pull/12
enabled: true enabled: true
isDefaultClass: true isDefaultClass: true
# Use to force a networking.k8s.io API Version for certain CI/CD applications. E.g. "v1beta1"
fallbackApiVersion: ""
# Activate Pilot integration # Activate Pilot integration
pilot: pilot:
@@ -67,10 +66,11 @@ providers:
kubernetesIngress: kubernetesIngress:
enabled: true enabled: true
allowExternalNameServices: true allowExternalNameServices: true
ingressClass: traefik # Ingresses missing the annotation, having an empty value, or the value traefik are processed by default.
# ingressClass: traefik
# labelSelector: environment=production,method=traefik # labelSelector: environment=production,method=traefik
# Additional volumeMounts to add to the Traefik container # Additional volumeMounts to add to the Traefik container
additionalVolumeMounts: additionalVolumeMounts: