Namespace, StorageClass (Longhorn), Postgres, API, Web, OAuth2-Proxy (Zitadel OIDC) and Traefik ingress for https://gongme.expertfab.de.
Images: git.expertfab.de/expertfab/ef-gongme-{api,web}:latest
Auth: Zitadel behind OAuth2-Proxy v7.7.1
TLS: cert-manager letsencrypt ClusterIssuer
secret-oauth2.yaml contains placeholders — CLIENT_ID/SECRET must be filled in after the Zitadel app has been created.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
ExpertFab – K3s Cluster
Diagram: ../diagrams/k8s_cluster.png
Cluster overview
| Property | Value |
|---|---|
| Distribution | K3s v1.34.6+k3s1 |
| Container Runtime | containerd 2.2.2 |
| OS | Ubuntu 24.04.4 LTS |
| Kernel | 6.8.0-107-generic |
| Ingress | Traefik (websecure / TLS) |
| TLS | cert-manager + Let's Encrypt |
| Storage | Longhorn (distributed block storage) |
| CNI | Flannel |
| LB | MetalLB → 10.42.71.60 |
Nodes
| Name | IP | Proxmox VM | Proxmox host | Role |
|---|---|---|---|---|
| efsckubadm | 10.42.71.50 | efsckubctl | efproxcl02n01 | control-plane |
| efsckubnode1 | 10.42.71.51 | efsckubnode1 | efproxcl02n02 | worker |
| efsckubnode2 | 10.42.71.52 | efsckubnode02 | efproxcl02n01 | worker |
Namespaces
| Namespace | Contents |
|---|---|
| erpnext | ERPNext + MariaDB + DragonflyDB |
| paperless | Paperless-NGX + PostgreSQL |
| zitadel | Zitadel SSO + PostgreSQL |
| rabbitmq | RabbitMQ + FastAPI |
| coworkbase | Coworkbase |
| qubicticker | Qubic Ticker |
| longhorn-system | Longhorn Storage |
| cert-manager | cert-manager (Let's Encrypt) |
| metallb-system | MetalLB LoadBalancer |
| kube-system | Traefik, CoreDNS, etc. |
Ingresses (Traefik)
| Host | Namespace | TLS |
|---|---|---|
| expertfab.de | erpnext | ✓ |
| www.expertfab.de | erpnext | ✓ |
| docs.expertfab.de | paperless | ✓ |
| auth.expertfab.de | zitadel | ✓ |
| api.expertfab.de | rabbitmq | ✓ |
| gongme.expertfab.de | gongme | ✓ |
| coworkbase.de | coworkbase | ✓ |
| www.coworkbase.de | coworkbase | ✓ |
| qubicticker.qchief.io | qubicticker | ✓ |
ClusterIssuer: letsencrypt
TLS Secret (ERPNext): expertfab-tls
ERPNext Deployment
| Component | Type | Details |
|---|---|---|
| Nginx | Deployment | Frontend, frappeSiteNameHeader=expertfab.de |
| Gunicorn | Deployment | Web Workers |
| Worker default | Deployment | Background Jobs |
| Worker short | Deployment | Short jobs |
| Worker long | Deployment | Long jobs |
| MariaDB | StatefulSet | v10.6, PVC: 3Gi RWO |
| DragonflyDB cache | Deployment | Redis-compatible |
| DragonflyDB queue | Deployment | Redis-compatible, PVC: 2Gi RWO (note¹) |
¹ The Helm values define 2Gi for the queue; the PVC actually present shows the 3Gi sites volume as RWX.
Helm Chart: frappe/erpnext 8.0.14
Custom Image: git.expertfab.de/expertfab/customdocker:1.0.2
Apps: erpnext, hrms, payments, webshop, ecommerce_integrations, efrevolutgateway
DNS peculiarity (hairpin NAT)
OPNsense only resolves www.expertfab.de → 10.42.71.60 (internal).
expertfab.de (without www) → public IP → not reachable from inside the network.
Fix: Frappe host_name = https://www.expertfab.de
Path: /home/frappe/frappe-bench/sites/expertfab.de/site_config.json
Affects: wkhtmltopdf PDF generation (otherwise hangs for 120 s → 504)
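The hairpin-NAT fix above comes down to two steps: pick the hostname that resolves to the internal MetalLB address from inside the cluster, and write that value as `host_name` into the site's `site_config.json` without disturbing its other keys. The following is an added example (not part of this page or of the Frappe project) that does exactly that against a constructed `site_config.json`; the resolved IP map and the public address `203.0.113.10` are constructed sample values, and `pick_host_name`, `set_host_name` and `demo` are names chosen here.

```python
import json
import os
import tempfile
from typing import Dict

# Values taken from the cluster documentation above
INTERNAL_LB_IP = "10.42.71.60"       # MetalLB address that Traefik listens on
PUBLIC_HOST = "expertfab.de"         # resolves to the public IP internally -> hairpins, unreachable
INTERNAL_HOST = "www.expertfab.de"   # resolved by OPNsense to the internal LB


def pick_host_name(resolved: Dict[str, str], lb_ip: str = INTERNAL_LB_IP) -> str:
    """Return the https URL of the first candidate host that resolves to the internal LB.

    `resolved` maps hostname -> IP as seen from inside the cluster. The caller
    supplies it (e.g. from `getent hosts`), so the decision itself runs offline.
    Candidate order prefers the bare domain, falling back to the www host.
    """
    for host in (PUBLIC_HOST, INTERNAL_HOST):
        if resolved.get(host) == lb_ip:
            return f"https://{host}"
    raise RuntimeError("no candidate hostname resolves to the internal load balancer")


def set_host_name(config_path: str, host_name: str) -> dict:
    """Set host_name in a Frappe site_config.json, preserving every other key.

    The file is written via a temp file + rename so an interrupted write can
    never leave a truncated config behind. Returns the resulting config dict.
    """
    with open(config_path, encoding="utf-8") as f:
        cfg = json.load(f)
    if cfg.get("host_name") == host_name:
        return cfg  # already correct: idempotent, no rewrite
    cfg["host_name"] = host_name
    directory = os.path.dirname(config_path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".site_config.", suffix=".tmp")
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(cfg, f, indent=1, sort_keys=True)
        f.write("\n")
    os.replace(tmp, config_path)  # atomic on POSIX
    return cfg


def demo() -> dict:
    """Apply the fix to a constructed site_config.json in a temp dir and return what was persisted."""
    sample = {  # constructed sample config, not the real site's values
        "db_name": "_example_db",
        "db_password": "REDACTED",
        "host_name": "https://expertfab.de",  # the value that hairpins and hangs wkhtmltopdf
    }
    resolved = {PUBLIC_HOST: "203.0.113.10", INTERNAL_HOST: INTERNAL_LB_IP}  # constructed
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "site_config.json")
        with open(path, "w", encoding="utf-8") as f:
            json.dump(sample, f)
        set_host_name(path, pick_host_name(resolved))
        with open(path, encoding="utf-8") as f:
            return json.load(f)  # re-read to prove the change reached disk


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

On the real site the path is the one listed above; run the script as the `frappe` user inside the Gunicorn pod (or on the bench host) so the rename keeps the file's ownership, then restart the workers so they pick up the new `host_name`.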