temp

k8s/xiongxiao.me/traefik/traefik-complete.yaml

@@ -1,9 +1,9 @@
 ---
 # Traefik 完整部署配置
 # 包含 RBAC、Deployment、Service、IngressClass 和 Let's Encrypt SSL
-# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes
-# description: Traefik 反向代理完整配置,包含自动 SSL 证书支持(Let's Encrypt)
-# title: Traefik 完整部署配置 - 含 SSL 证书
+# tags: traefik, ingress, ssl, https, let's encrypt, acme, kubernetes, master-node
+# description: Traefik 反向代理完整配置,部署在 master 节点,包含自动 SSL 证书支持(Let's Encrypt)
+# title: Traefik 完整部署配置 - 含 SSL 证书(Master 节点部署)
 # createdAt: 2025-11-26
 ---
 # PersistentVolume 用于存储 ACME 证书数据
@@ -131,12 +131,22 @@ spec:
         app: traefik
     spec:
       serviceAccountName: traefik
+      # 节点选择器:选择 master 节点(已注释,允许在任意节点调度)
+      # nodeSelector:
+      #   node-role.kubernetes.io/control-plane: ""
+      # 容忍 master 节点的污点
+      tolerations:
+      - key: node-role.kubernetes.io/control-plane
+        operator: Exists
+        effect: NoSchedule
+      - key: node-role.kubernetes.io/master
+        operator: Exists
+        effect: NoSchedule
       containers:
       - name: traefik
-        image: traefik:v3.2
+        image: traefik:latest
         args:
           - --api.insecure=true
-          - --providers.kubernetesingress
           - --providers.kubernetescrd
           - --entrypoints.web.address=:80
           - --entrypoints.websecure.address=:443
@@ -191,4 +201,22 @@ kind: IngressClass
 metadata:
   name: traefik
 spec:
-  controller: traefik.io/ingress-controller
+  controller: traefik.io/ingress-controller
+---
+# Traefik Dashboard IngressRoute - HTTPS only
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-dashboard
+  namespace: traefik
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.xiongxiao.me`)
+      kind: Rule
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    certResolver: letsencrypt