expertfab-infra/docs/k3s.md
2026-05-03 13:46:47 +02:00

# ExpertFab K3s Cluster
**Diagram:** [../diagrams/k8s_cluster.png](../diagrams/k8s_cluster.png)

---
## Cluster Overview
| Property | Value |
|-------------------|----------------------------------|
| Distribution | K3s v1.34.6+k3s1 |
| Container Runtime | containerd 2.2.2 |
| OS | Ubuntu 24.04.4 LTS |
| Kernel | 6.8.0-107-generic |
| Ingress | Traefik (websecure / TLS) |
| TLS | cert-manager + Let's Encrypt |
| Storage | Longhorn (distributed block storage) |
| CNI | Flannel |
| LB | MetalLB → 10.42.71.60 |
---
## Nodes
| Name | IP | Proxmox VM | Proxmox Host | Role |
|---------------|--------------|---------------|---------------|---------------|
| efsckubadm | 10.42.71.50 | efsckubctl | efproxcl02n01 | control-plane |
| efsckubnode1 | 10.42.71.51 | efsckubnode1 | efproxcl02n02 | worker |
| efsckubnode2 | 10.42.71.52 | efsckubnode02 | efproxcl02n01 | worker |
---
## Namespaces
| Namespace | Contents |
|------------------|-----------------------------------------|
| `erpnext` | ERPNext + MariaDB + DragonflyDB |
| `paperless` | Paperless-NGX + PostgreSQL |
| `zitadel` | Zitadel SSO + PostgreSQL |
| `rabbitmq` | RabbitMQ + FastAPI |
| `coworkbase` | Coworkbase |
| `qubicticker` | Qubic Ticker |
| `longhorn-system`| Longhorn Storage |
| `cert-manager` | cert-manager (Let's Encrypt) |
| `metallb-system` | MetalLB LoadBalancer |
| `kube-system` | Traefik, CoreDNS, etc. |
---
## Ingresses (Traefik)
| Host | Namespace | TLS |
|-----------------------------|--------------|-----|
| expertfab.de | erpnext | ✓ |
| www.expertfab.de | erpnext | ✓ |
| docs.expertfab.de | paperless | ✓ |
| auth.expertfab.de | zitadel | ✓ |
| api.expertfab.de | rabbitmq | ✓ |
| coworkbase.de | coworkbase | ✓ |
| www.coworkbase.de | coworkbase | ✓ |
| qubicticker.qchief.io | qubicticker | ✓ |

**ClusterIssuer:** `letsencrypt`

**TLS Secret (ERPNext):** `expertfab-tls`

---
## ERPNext Deployment
| Component | Type | Details |
|--------------------|------------|--------------------------------------------|
| Nginx | Deployment | Frontend, `frappeSiteNameHeader=expertfab.de` |
| Gunicorn | Deployment | Web Workers |
| Worker default | Deployment | Background Jobs |
| Worker short | Deployment | Short jobs |
| Worker long | Deployment | Long jobs |
| MariaDB | StatefulSet| v10.6, PVC: 3Gi RWO |
| DragonflyDB cache | Deployment | Redis-compatible |
| DragonflyDB queue | Deployment | Redis-compatible, PVC: 2Gi RWO (note¹)|

> ¹ Helm values define 2Gi for the queue; the actual PVC shows a 3Gi sites volume as RWX

**Helm Chart:** frappe/erpnext 8.0.14

**Custom Image:** git.expertfab.de/expertfab/customdocker:1.0.2

**Apps:** erpnext, hrms, payments, webshop, ecommerce_integrations, efrevolutgateway

---
## DNS Quirk (Hairpin NAT)
OPNsense resolves only `www.expertfab.de` → `10.42.71.60` (internal).

`expertfab.de` (without www) → public IP → not reachable from inside.

**Fix:** Frappe `host_name` = `https://www.expertfab.de`

**Path:** `/home/frappe/frappe-bench/sites/expertfab.de/site_config.json`

**Affects:** wkhtmltopdf PDF generation (otherwise hangs for 120s → 504)
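
A check for the hairpin problem described above, as an added example that is not part of the original repository: it reads a `site_config.json` body and confirms that `host_name` points at a hostname resolving only to the MetalLB address. The function names, the sample resolver and the `203.0.113.10` stand-in for the public IP are assumptions made for illustration.

```python
import json
import socket
from urllib.parse import urlsplit

INTERNAL_LB_IP = "10.42.71.60"  # MetalLB address from the cluster overview


def system_resolver(host):
    """Return the set of IPv4 addresses the local resolver gives for host."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()


def check_host_name(site_config_text, resolve=system_resolver, lb_ip=INTERNAL_LB_IP):
    """Return (ok, reason); ok only if host_name resolves solely to lb_ip."""
    config = json.loads(site_config_text)
    host_name = config.get("host_name")
    if not host_name:
        return False, "host_name not set"
    host = urlsplit(host_name).hostname
    if host is None:
        return False, f"host_name {host_name!r} is not a URL with a scheme"
    addrs = resolve(host)
    if not addrs:
        return False, f"{host} does not resolve"
    if addrs != {lb_ip}:
        return False, f"{host} resolves to {sorted(addrs)}, not {lb_ip}"
    return True, f"{host} resolves to {lb_ip}"


# Constructed resolver answers mimicking the OPNsense behaviour described
# above; 203.0.113.10 is a documentation address standing in for the public IP.
SAMPLE_DNS = {
    "www.expertfab.de": {"10.42.71.60"},
    "expertfab.de": {"203.0.113.10"},
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, set())


if __name__ == "__main__":
    for value in ("https://www.expertfab.de", "https://expertfab.de"):
        print(value, check_host_name(json.dumps({"host_name": value}), sample_resolver))
```

Run from a pod or node inside the cluster with the default `system_resolver`, it reports whether the configured `host_name` would send wkhtmltopdf to the public IP.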