bstein/titan-iac
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

maintenance: harden k3s traefik disable cleanup

Browse Source
This commit is contained in:
Brad Stein 2026-04-06 01:47:14 -03:00
parent 1e891de7e8
commit 801dde8242
5 changed files with 71 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
services/maintenance/disable-k3s-traefik-rbac.yaml Normal file
View File

@ -0,0 +1,39 @@
# services/maintenance/disable-k3s-traefik-rbac.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: disable-k3s-traefik
rules:
- apiGroups: ["k3s.cattle.io"]
resources: ["addons"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["helm.cattle.io"]
resources: ["helmcharts", "helmchartconfigs"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: [""]
resources: ["services", "serviceaccounts"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["apps"]
resources: ["deployments"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources: ["clusterroles", "clusterrolebindings"]
verbs: ["get", "list", "watch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: disable-k3s-traefik
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: disable-k3s-traefik
subjects:
- kind: ServiceAccount
name: disable-k3s-traefik
namespace: maintenance

6
services/maintenance/k3s-traefik-cleanup-rbac.yaml
View File

@ -12,9 +12,15 @@ kind: ClusterRole
metadata: metadata:
name: k3s-traefik-cleanup name: k3s-traefik-cleanup
rules: rules:
- apiGroups: ["k3s.cattle.io"]
resources: ["addons"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["helm.cattle.io"] - apiGroups: ["helm.cattle.io"]
resources: ["helmcharts", "helmchartconfigs"] resources: ["helmcharts", "helmchartconfigs"]
verbs: ["get", "list", "watch", "delete"] verbs: ["get", "list", "watch", "delete"]
- apiGroups: ["batch"]
resources: ["jobs"]
verbs: ["get", "list", "watch", "delete"]
- apiGroups: [""] - apiGroups: [""]
resources: ["services", "serviceaccounts"] resources: ["services", "serviceaccounts"]
verbs: ["get", "list", "watch", "delete"] verbs: ["get", "list", "watch", "delete"]

1
services/maintenance/kustomization.yaml
View File

@ -12,6 +12,7 @@ resources:
- ariadne-serviceaccount.yaml - ariadne-serviceaccount.yaml
- ariadne-rbac.yaml - ariadne-rbac.yaml
- disable-k3s-traefik-serviceaccount.yaml - disable-k3s-traefik-serviceaccount.yaml
- disable-k3s-traefik-rbac.yaml
- k3s-traefik-cleanup-rbac.yaml - k3s-traefik-cleanup-rbac.yaml
- metis-serviceaccount.yaml - metis-serviceaccount.yaml
- metis-rbac.yaml - metis-rbac.yaml

29
services/maintenance/scripts/disable_k3s_traefik.sh
View File

@ -54,11 +54,28 @@ restart_k3s() {
chroot "${host_root}" /bin/systemctl restart k3s chroot "${host_root}" /bin/systemctl restart k3s
} }
ensure_disable_flag cleanup_cluster_objects() {
remove_manifest kubectl -n kube-system delete addon traefik --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl -n kube-system delete helmchart traefik traefik-crd --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl -n kube-system delete job helm-install-traefik helm-install-traefik-crd --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl -n kube-system delete deployment traefik --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl -n kube-system delete service traefik --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl -n kube-system delete serviceaccount traefik helm-traefik helm-traefik-crd --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl delete clusterrole traefik-ingress-controller traefik-kube-system --ignore-not-found --wait=false >/dev/null 2>&1 || true
kubectl delete clusterrolebinding helm-kube-system-traefik helm-kube-system-traefik-crd traefik-ingress-controller traefik-kube-system --ignore-not-found --wait=false >/dev/null 2>&1 || true
}
if [ "${changed}" -eq 1 ]; then while true; do
restart_k3s changed=0
fi ensure_disable_flag
remove_manifest
sleep infinity if [ "${changed}" -eq 1 ]; then
restart_k3s
sleep 15
remove_manifest
fi
cleanup_cluster_objects
sleep 300
done

2
services/maintenance/scripts/k3s_traefik_cleanup.sh
View File

@ -1,7 +1,9 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
kubectl -n kube-system delete addon traefik --ignore-not-found --wait=false
kubectl -n kube-system delete helmchart traefik traefik-crd --ignore-not-found --wait=false kubectl -n kube-system delete helmchart traefik traefik-crd --ignore-not-found --wait=false
kubectl -n kube-system delete job helm-install-traefik helm-install-traefik-crd --ignore-not-found --wait=false
kubectl -n kube-system delete deployment traefik --ignore-not-found --wait=false kubectl -n kube-system delete deployment traefik --ignore-not-found --wait=false
kubectl -n kube-system delete service traefik --ignore-not-found --wait=false kubectl -n kube-system delete service traefik --ignore-not-found --wait=false
kubectl -n kube-system delete serviceaccount traefik helm-traefik helm-traefik-crd --ignore-not-found --wait=false kubectl -n kube-system delete serviceaccount traefik helm-traefik helm-traefik-crd --ignore-not-found --wait=false