add networking, storage, and observability docs
84
docs/networking.md
Normal file
@@ -0,0 +1,84 @@
# Networking

## IP Layout

| Segment | Range | Purpose |
|---------|-------|---------|
| LAN | `192.168.20.0/24` | All VMs — flat layer 2 |
| MetalLB pool | Reserved /28 within LAN | LoadBalancer services in Kubernetes |
| K8s service CIDR | `10.43.0.0/16` | In-cluster service IPs |
| K8s pod CIDR | `10.42.0.0/16` | Pod networking (Flannel) |
| WireGuard | `10.133.7.0/24` | VPN tunnel: cluster ↔ edge VPS |

---

## Traffic Flows

### Public services (Cloudflare tunnel)

```
User → Cloudflare (CDN + DDoS) → Cloudflared pod (×2, in-cluster) → Traefik → Service
```

Cloudflare acts as both CDN and the TLS termination point for public services. No ports are forwarded on the home router.

### VPS-proxied services (Pangolin tunnel)

```
User → Edge VPS → Traefik (VPS) → Pangolin server → Newt client (in-cluster) → Traefik → Service
```

Used for services that need HTTP(S) proxying without Cloudflare in front.

### Remote admin (WireGuard VPN)

```
Admin → WireGuard client → Edge VPS (WireGuard server)
→ wg-gateway pod (10.133.7.4)
→ K8s service CIDR (10.43.0.0/16)
```

The `mii-wireguard` pod acts as the WireGuard client inside the cluster. It masquerades the K8s service CIDR so all cluster services are reachable over the VPN — no split-DNS required.

### Gitea → ArgoCD webhook

```
Gitea (docker-host11) → push webhook → ArgoCD (in-cluster) → reconcile manifests
```

ArgoCD polls on a schedule and also receives webhooks from the self-hosted Gitea instance on git push.

### ArgoCD Image Updater → Gitea

```
Image Updater detects new tag in registry
→ commits updated annotation to Gitea repo
→ ArgoCD detects commit → re-syncs Deployment
```

Keeps image versions in Git without a human in the loop.

### Media stack

```
Prowlarr (indexer aggregator)
→ Sonarr / Radarr (request management)
→ qBittorrent + Gluetun sidecar (download over ProtonVPN)
→ Unpackarr (extract archives)
→ NFS share on aya01
→ Jellyfin (on docker-host11, hardware transcoding via Intel QuickSync)
```

---

## Certificate Management

Cert-Manager handles all TLS automatically via **Let's Encrypt DNS-01** using the Cloudflare API. No HTTP-01 challenges — DNS-01 works for internal-only domains and wildcard certs.

The edge VPS (Traefik) uses Netcup DNS API for its own certs.

---

## Service Mesh

Istio runs in **Ambient mode** (no sidecars). The `ztunnel` DaemonSet runs on every node and handles transparent L4 proxying for all pods in the mesh. Waypoint proxies (L7) are not yet deployed.
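Review bot: the "Remote admin (WireGuard VPN)" section names the in-cluster VPN hop inconsistently, `wg-gateway pod (10.133.7.4)` in the diagram versus "the `mii-wireguard` pod" in the paragraph below it; pick one name and use it in both places. That same paragraph states that the whole service CIDR `10.43.0.0/16` is masqueraded so every cluster service is reachable over the VPN, which makes the VPN peer the trust boundary for all in-cluster services, so the doc should say what bounds that reach (the WireGuard peer/AllowedIPs configuration on the edge VPS and any NetworkPolicy applied to the gateway pod) rather than leaving it implicit. Minor: the MetalLB row reads "Reserved /28 within LAN" while every other row gives a concrete range; listing the actual pool keeps the table consistent with the `10.133.7.4` address used in the diagrams.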