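# 03-03 Traefik Dashboard + ACME (merged HelmChartConfig)
# Note: a chart can carry only one HelmChartConfig (name: traefik), so the Dashboard and ACME
# settings must live in the same object.
# Before use: replace <YOUR_REAL_EMAIL>; create the cloudflare-api-token Secret; adjust
# nodeSelector / trustedIPs / hosts to match the environment.
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # chart 39.x: expose must be a map; a boolean conflicts with the default values on merge
    # and makes the helm upgrade template fail.
    ports:
      web:
        expose:
          default: true
      websecure:
        expose:
          default: true
      # The internal traefik port (8080) only carried the insecure dashboard/API; /ping is moved to
      # websecure below and the probes use 8443, so nothing needs 8080 on the Service any more.
      traefik:
        expose:
          default: false

    additionalArguments:
      # Dashboard
      - "--api.dashboard=true"
      # Keep insecure mode off: with it on, the API (full router/service/middleware config) is served
      # unauthenticated on 8080. The dashboard is reached through the api@internal IngressRoute instead.
      - "--api.insecure=false"

      # ACME (Cloudflare DNS-01)
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
      # acme.json holds the ACME account key and issued certificate private keys; it lives on the
      # persistent /data volume declared below.
      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
      # Uncomment to issue against the staging CA while testing (avoids production rate limits).
      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"

      # Health check: /ping is served on 443 (for HAProxy's https httpchk)
      - "--ping=true"
      - "--ping.entryPoint=websecure"

      # PROXY protocol (needed when HAProxy sits in front). Only the HAProxy network may send the
      # PROXY header; anything else claiming a client address is ignored.
      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"

    # The Cloudflare token is read from a Secret, never inlined here. Prefer a token scoped to
    # DNS edit on the affected zone only.
    env:
      - name: CF_DNS_API_TOKEN
        valueFrom:
          secretKeyRef:
            name: cloudflare-api-token
            key: api-token

    nodeSelector:
      kubernetes.io/hostname: ylc61

    # With ping bound to websecure, the chart default still probes HTTP /ping on traefik (8080) → 404;
    # align the probes with chart 39.
    deployment:
      healthchecksPort: 8443
      healthchecksScheme: HTTPS

    # persistence: persist /data so acme.json is written to disk.
    # explicit local-path: avoids the Pod staying Pending when the cluster's default StorageClass
    # (e.g. longhorn) is not ready.
    persistence:
      enabled: true
      name: data
      accessMode: ReadWriteOnce
      size: 128Mi
      path: /data
      storageClass: local-path
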
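---
# Source-range guard for the dashboard. The API behind api@internal returns the full dynamic
# configuration, so it is not left open to every client that can reach the `web` entrypoint.
# With PROXY protocol trusted from HAProxy, the checked address should be the real client's.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-allowlist
  namespace: kube-system
spec:
  ipAllowList:
    sourceRange:
      - "<ADMIN_CIDR>"  # placeholder: CIDR(s) allowed to open the dashboard
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  # Plain HTTP entrypoint; once a real host exists, prefer websecure with the cloudflare resolver.
  entryPoints:
    - web
  routes:
    # Host() is required: a bare PathPrefix(`/api`) on this entrypoint would capture /api and
    # /dashboard for every site served by Traefik, not just the admin host.
    - match: Host(`<DASHBOARD_HOST>`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: traefik-dashboard-allowlist
      services:
        - name: api@internal
          kind: TraefikService
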