对齐文件规范

2026-03-27 16:58:41 +08:00
parent 231b6713c4
commit 31709425e2
235 changed files with 5433 additions and 2850 deletions
--- a/ansible/files/03-03/traefik-dashboard-acme.yaml
+++ b/ansible/files/03-03/traefik-dashboard-acme.yaml
@@ -0,0 +1,74 @@
+# 03-03 Traefik Dashboard + ACME（合并版 HelmChartConfig）
+# 说明：同一 chart 只能有一份 HelmChartConfig（name: traefik），所以 Dashboard 与 ACME 必须合并。
+# 使用前：替换 <YOUR_REAL_EMAIL>；创建 cloudflare-api-token Secret；按实际修改 nodeSelector/trustedIPs/hosts。
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    ports:
+      web:
+        expose: true
+      websecure:
+        expose: true
+      traefik:
+        expose: true
+
+    additionalArguments:
+      # Dashboard
+      - "--api.dashboard=true"
+      - "--api.insecure=true"
+
+      # ACME（Cloudflare DNS-01）
+      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
+      - "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
+      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
+      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
+      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
+      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"
+
+      # 健康检查：/ping 走 443（给 HAProxy https httpchk 用）
+      - "--ping=true"
+      - "--ping.entryPoint=websecure"
+
+      # PROXY protocol（HAProxy 前置时需要）
+      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
+      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"
+
+    env:
+      - name: CF_DNS_API_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: cloudflare-api-token
+            key: api-token
+
+    nodeSelector:
+      kubernetes.io/hostname: ylc61
+
+    # persistence：将 /data 持久化（local-path PVC），保证 acme.json 落盘
+    persistence:
+      enabled: true
+      name: data
+      accessMode: ReadWriteOnce
+      size: 128Mi
+      path: /data
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: kube-system
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+