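# 03-03 Traefik Dashboard + ACME (merged HelmChartConfig)
# Note: a chart can carry only one HelmChartConfig (name: traefik), so the
# Dashboard and ACME settings must be merged into this single object.
# Before use: replace the <ACME_EMAIL> placeholder, create the
# cloudflare-api-token Secret, and adjust nodeSelector / trustedIPs / hosts
# to the actual environment.
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  # Rendered as the chart's values.yaml; the comments below are YAML comments
  # inside that string and are dropped by Helm.
  valuesContent: |-
    ports:
      web:
        expose: true
      websecure:
        expose: true
      # Only needed if something must reach the "traefik" entrypoint directly
      # (e.g. an insecure dashboard/API); with the IngressRoute below it is unused.
      traefik:
        expose: true
    additionalArguments:
      # Dashboard: reached through the IngressRoute below (api@internal).
      # "--api.insecure=true" would additionally publish the dashboard and API,
      # unauthenticated, on the "traefik" entrypoint exposed above; keep it
      # disabled unless that is deliberately wanted.
      - "--api.dashboard=true"
      # - "--api.insecure=true"
      # ACME (Cloudflare DNS-01)
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      # <ACME_EMAIL> is a placeholder and must be replaced before applying.
      - "--certificatesresolvers.cloudflare.acme.email=<ACME_EMAIL>"
      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
      # Uncomment to issue against the Let's Encrypt staging CA while testing.
      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"
      # Health check: /ping answered on 443 (used by the HAProxy https httpchk)
      - "--ping=true"
      - "--ping.entryPoint=websecure"
      # PROXY protocol (needed when HAProxy sits in front). Keep trustedIPs
      # limited to the HAProxy subnet; a wider range lets other senders forge
      # the client address carried in the PROXY header.
      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"
    env:
      # Cloudflare token is read from a Secret, never written inline here.
      - name: CF_DNS_API_TOKEN
        valueFrom:
          secretKeyRef:
            name: cloudflare-api-token
            key: api-token
    nodeSelector:
      kubernetes.io/hostname: ylc61
    # persistence: keep /data on a local-path PVC so acme.json survives restarts
    persistence:
      enabled: true
      name: data
      accessMode: ReadWriteOnce
      size: 128Mi
      path: /data
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  # NOTE(review): this route publishes the dashboard and API on the plain-HTTP
  # "web" entrypoint with no middleware, so anyone who can reach port 80 can
  # open it. Add an auth / IP-allowlist middleware or move it to websecure
  # before it is reachable from outside the trusted network.
  entryPoints:
    - web
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService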