From 384a60244ddecd84163887004bc9f0241b89063b Mon Sep 17 00:00:00 2001 From: Erki Aas Date: Thu, 15 Aug 2024 13:40:22 +0300 Subject: [PATCH] update readme about network --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index 6850d9d..cf7fdc6 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,12 @@ Tip: Search the repo for `kind: xyz` for examples. [^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box. [^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security. +### Network + +All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic. +See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router. +Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP. + ### Databases / -stores: - KeyDB: `kind: KeydbClaim` (replaces Redis[^redisdead])