Deploy-Laboratory/ansible/files/03-02/traefik-acme.yaml
# 03-02 Traefik ACME configuration (HelmChartConfig)
# Includes: ACME (Cloudflare DNS-01), ping health check (websecure entrypoint), PROXY protocol trustedIPs
# Before use: replace <YOUR_REAL_EMAIL>, create the cloudflare-api-token Secret, and adjust nodeSelector/trustedIPs to your environment
# Deploy: kubectl apply -f traefik-acme.yaml (or copy it into the K3s manifests directory)
#
# Recommended (Dashboard + ACME + local-path in a single manifest): see ../traefik-dashboard-acme/traefik-dashboard-acme.yaml
---
apiVersion: helm.cattle.io/v1  # API group/version that defines HelmChartConfig
kind: HelmChartConfig  # HelmChartConfig: injects values into a Helm chart that ships with K3s
metadata:  # identity of this object
  name: traefik  # object name; must match the name of the chart being configured (the Traefik chart here)
  namespace: kube-system  # namespace of the HelmChartConfig; K3s runs Traefik in kube-system
spec:  # the values injected into the chart
  valuesContent: |-  # chart values passed as a YAML string; the chart parses it, so "#" lines below are part of the string until then
    additionalArguments:  # extra command-line arguments appended to the Traefik process
      - "--log.level=INFO"  # log level: INFO
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"  # DNS resolvers used to verify the challenge record
      - "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"  # ACME account e-mail (placeholder; replace before deploying)
      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"  # ACME storage path inside the container
      # NOTE(review): acme.json holds the ACME account key and the issued certificates' private keys; this
      # manifest assumes /data is persistent and restricted to the Traefik Pod — confirm the chart's persistence settings
      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"  # staging CA for testing; remove before going live
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"  # use Cloudflare as the DNS-01 provider
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"  # seconds to wait for DNS propagation before checking
      # Health check: GET /ping on 443 (HTTPS) returns 200, used by HAProxy's "option httpchk" + ssl against 443
      - "--ping=true"  # enable the ping health check
      - "--ping.entryPoint=websecure"  # serve ping on the websecure (HTTPS) entrypoint
      # NOTE(review): on websecure, /ping is presumably answered for any client that reaches the 443 listener, not only
      # HAProxy — confirm that exposing the liveness endpoint there is acceptable
      # PROXY protocol: trustedIPs must include the IP/range where HAProxy runs
      # NOTE(review): every host in the trusted range may supply the client address via the PROXY header, so keep the
      # range as narrow as the HAProxy placement allows
      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"  # proxy range trusted on the HTTP entrypoint
      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"  # proxy range trusted on the HTTPS entrypoint
    env:  # environment variables injected via the Traefik chart
      - name: CF_DNS_API_TOKEN  # environment variable name carrying the Cloudflare API token
        valueFrom:  # value read from a Secret rather than written inline
          secretKeyRef:  # reference a Secret by key
            name: cloudflare-api-token  # name of the Secret holding the Cloudflare token (created by you)
            key: api-token  # key within that Secret
            # NOTE(review): the token should carry only DNS-edit permission on the validated zone(s) — verify its scope
    nodeSelector:  # pin the Traefik Pod to one node (safer when paired with RWO local storage)
      kubernetes.io/hostname: ylc61  # hostname of the pinned node (change to match your cluster)