From a82b5d870d746e9e4c3e1890de11f25737ed0fbb Mon Sep 17 00:00:00 2001 From: kappa Date: Wed, 25 Mar 2026 08:57:44 +0900 Subject: [PATCH] =?UTF-8?q?apisix:=20=EC=84=9C=EC=9A=B8=20K3s=20CRD=20?= =?UTF-8?q?=EC=9E=90=EB=8F=99=20=EA=B4=80=EB=A6=AC=20=EC=A0=84=ED=99=98=20?= =?UTF-8?q?=EB=B0=98=EC=98=81=20(Gateway=20API=20+=20Ingress=20Controller?= =?UTF-8?q?=202.0.1)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- infra/apisix.md | 56 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 45 insertions(+), 11 deletions(-) diff --git a/infra/apisix.md b/infra/apisix.md index 6a1ffb5..76158b6 100644 --- a/infra/apisix.md +++ b/infra/apisix.md @@ -1,6 +1,6 @@ --- title: APISIX 설정 및 운영 -updated: 2026-03-18 +updated: 2026-03-25 --- ## 아키텍처 
@@ -37,20 +37,54 @@ BunnyCDN(inouter, ID 5316471) → apisix-osaka(172.233.93.180) → 백엔드 - 보안: SafeLine WAF + CrowdSec 연동 - upstream: incus-jp1 내부(10.253.x), K3s Traefik -### 서울 (K3s, apisix 네임스페이스) +### 서울 (K3s 새 클러스터, apisix 네임스페이스) ``` -인터넷 → OpenWrt HAProxy(:80/:443) → 3노드 hostNetwork(:9080/:9443) → APISIX → K3s 서비스 → pods +인터넷 → OpenWrt HAProxy(:80/:443) → 3노드 hostPort(80→9080, 443→9443) → APISIX → K3s 서비스 → pods ``` - 용도: KR존 리버스 프록시 -- 배포: K3s apisix 네임스페이스, hostNetwork 모드로 3노드(hp2/kr1/kr2)에 배포 -- upstream: K3s Traefik (192.168.9.134/214/135:443), LAN 서비스(192.168.9.x) -- SSL: cert-manager wildcard `*.inouter.com` 인증서 -- Admin API: `apisix-admin` ClusterIP 서비스 (10.43.70.216:9180) -- etcd: apisix-etcd StatefulSet (K3s 내부, ClusterIP 10.43.20.100:2379) -- NodePort: apisix-gateway 80:32020/TCP, 443:30675/TCP (HAProxy는 hostNetwork :9080/:9443 직접 사용) -- 이전: kr2 incus 컨테이너(10.179.99.126)에서 K3s로 이전 +- 클러스터: K3s 새 클러스터 (Supabase PostgreSQL 백엔드, kr2+kr1+hp2) +- 배포: K3s apisix 네임스페이스, Deployment replica 3, hostPort 80/443 +- APISIX: 3.15.0-ubuntu, node_listen 9080, SSL 9443 +- **관리 방식: Ingress Controller 2.0.1 + Gateway API CRD** (Admin API 수동 관리 불필요) + - GatewayClass: `apisix` (controllerName: `apisix.apache.org/apisix-ingress-controller`) + - Gateway: `apisix-gateway` (HTTP 9080, HTTPS 9443) + - GatewayProxy: `apisix-proxy` (ControlPlane, apisix-admin:9180) + - 라우트: HTTPRoute/TCPRoute CRD로 관리 → Ingress Controller가 Admin API를 통해 자동 sync +- SSL: Gateway listener에서 cert-manager 와일드카드 시크릿 참조 + - `*.inouter.com` (wildcard-inouter-tls) + - `*.anvil.it.com` (wildcard-anvil-it-com-tls) + - `*.actions.it.com` (wildcard-actions-it-com-tls) +- etcd: apisix-etcd StatefulSet (K3s 내부) +- Admin API: `apisix-admin` ClusterIP (9180), Ingress Controller 전용 +- 2026-03-25 Admin API 수동 관리에서 CRD 자동 관리로 전환 완료 -#### global_rules +#### 라우트 관리 (CRD 기반) + +라우트 추가/수정은 HTTPRoute CRD로: +```yaml +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: my-service + namespace: 
my-namespace +spec: + hostnames: ["my-service.inouter.com"] + parentRefs: + - name: apisix-gateway + namespace: apisix + rules: + - backendRefs: + - name: my-service-svc + port: 8080 + matches: + - path: + type: PathPrefix + value: / +``` + +플러그인 적용: `apisix.apache.org/plugin-config-name` 어노테이션으로 PluginConfig 참조. + +#### global_rules (기존 etcd 직접 등록) - `real-ip` — source: http_x_real_ip, trusted: 0.0.0.0/0 - `http-logger` → CrowdSec (10.253.100.240:8085, auth_header: apisix-crowdsec-log-2024)
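Review bot: the HTTPRoute example in the new "라우트 관리 (CRD 기반)" section attaches a route living in `my-namespace` to `apisix-gateway` in the `apisix` namespace, but the Gateway entry (`Gateway: apisix-gateway (HTTP 9080, HTTPS 9443)`) never states that its listeners admit routes from other namespaces; with the Gateway API default (`allowedRoutes.namespaces.from: Same`) that route will not attach and the controller will report it as unaccepted, so document the listener `allowedRoutes` setting (for example `from: All`, or a namespace label selector) next to the Gateway line and mention it in the route-addition instructions. A second point on the same hunk: the topology line now reads `3노드 hostPort(80→9080, 443→9443)`, so the three nodes accept HTTP(S) directly and not only via OpenWrt HAProxy, while the retained `real-ip` rule still trusts `0.0.0.0/0` for `http_x_real_ip`; a client that can reach a node directly can then present an arbitrary source address that is forwarded into the `http-logger` feed to CrowdSec, so narrow `trusted` to the HAProxy address and record that in the global_rules section, which this hunk already marks as "기존 etcd 직접 등록".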