feat: add internal ingress, generate internal certs, setup cilium bgp, create whoami deployment
This commit is contained in:
parent
41a06897c3
commit
6bb2b612a8
|
@ -18,4 +18,6 @@ spec:
|
|||
key: api-token
|
||||
selector:
|
||||
dnsZones:
|
||||
- "${SECRET_NEW_DOMAIN}"
|
||||
- "${SECRET_NEW_DOMAIN}"
|
||||
- "internal.${SECRET_NEW_DOMAIN}"
|
||||
- "*.internal.${SECRET_NEW_DOMAIN}"
|
|
@ -18,4 +18,7 @@ spec:
|
|||
name: sops-gpg
|
||||
dependsOn:
|
||||
- name: nfd
|
||||
namespace: flux-system
|
||||
# requires certificates for communications between plugins
|
||||
- name: cert-manager
|
||||
namespace: flux-system
|
|
@ -0,0 +1,56 @@
|
|||
apiVersion: cilium.io/v2alpha1
|
||||
kind: CiliumBGPClusterConfig
|
||||
metadata:
|
||||
name: cilium-bgp
|
||||
namespace: kube-system
|
||||
spec:
|
||||
nodeSelector:
|
||||
matchExpressions:
|
||||
- key: node-role.kubernetes.io/control-plane
|
||||
operator: DoesNotExist
|
||||
bgpInstances:
|
||||
- name: "bgp-public"
|
||||
localASN: 65552
|
||||
peers:
|
||||
- name: "router"
|
||||
peerASN: 65551
|
||||
peerAddress: 192.168.1.1
|
||||
peerConfigRef:
|
||||
name: "cilium-peer-router"
|
||||
---
|
||||
apiVersion: cilium.io/v2alpha1
|
||||
kind: CiliumBGPPeerConfig
|
||||
metadata:
|
||||
name: cilium-peer-router
|
||||
namespace: kube-system
|
||||
spec:
|
||||
timers:
|
||||
holdTimeSeconds: 9
|
||||
keepAliveTimeSeconds: 3
|
||||
gracefulRestart:
|
||||
enabled: true
|
||||
restartTimeSeconds: 15
|
||||
families:
|
||||
- afi: ipv4
|
||||
safi: unicast
|
||||
advertisements:
|
||||
matchLabels:
|
||||
advertise: "bgp-public"
|
||||
---
|
||||
apiVersion: cilium.io/v2alpha1
|
||||
kind: CiliumBGPAdvertisement
|
||||
metadata:
|
||||
name: bgp-public-ad
|
||||
namespace: kube-system
|
||||
labels:
|
||||
advertise: "bgp-public"
|
||||
spec:
|
||||
advertisements:
|
||||
- advertisementType: "Service"
|
||||
service:
|
||||
addresses:
|
||||
- ExternalIP
|
||||
- LoadBalancerIP
|
||||
selector:
|
||||
matchLabels:
|
||||
service-type: public
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./main-ip-pool.yaml
|
||||
- ./bgp.yaml
|
|
@ -0,0 +1,8 @@
|
|||
apiVersion: "cilium.io/v2alpha1"
|
||||
kind: CiliumLoadBalancerIPPool
|
||||
metadata:
|
||||
name: "main-pool"
|
||||
spec:
|
||||
blocks:
|
||||
- start: "192.168.1.50"
|
||||
stop: "192.168.1.59"
|
|
@ -0,0 +1,48 @@
|
|||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: whoami
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjws-charts
|
||||
namespace: flux-system
|
||||
|
||||
values:
|
||||
controllers:
|
||||
main:
|
||||
containers:
|
||||
main:
|
||||
image:
|
||||
repository: containous/whoami
|
||||
tag: latest
|
||||
|
||||
service:
|
||||
app:
|
||||
controller: main
|
||||
|
||||
ports:
|
||||
http:
|
||||
port: 80
|
||||
|
||||
ingress:
|
||||
main:
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
|
||||
|
||||
hosts:
|
||||
- host: "whoami.${SECRET_NEW_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helm-release.yaml
|
|
@ -0,0 +1,25 @@
|
|||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: whoami
|
||||
namespace: flux-system
|
||||
spec:
|
||||
timeout: 5m
|
||||
interval: 10m
|
||||
path: ./kubernetes/thin/apps/default/whoami/files
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: home-cluster
|
||||
decryption:
|
||||
provider: sops
|
||||
secretRef:
|
||||
name: sops-gpg
|
||||
postBuild:
|
||||
substitute: {}
|
||||
substituteFrom:
|
||||
- kind: ConfigMap
|
||||
name: cluster-settings
|
||||
- kind: Secret
|
||||
name: cluster-secrets
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./whoami/ks.yaml
|
|
@ -0,0 +1,48 @@
|
|||
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: whoami
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjws-charts
|
||||
namespace: flux-system
|
||||
|
||||
values:
|
||||
controllers:
|
||||
main:
|
||||
containers:
|
||||
main:
|
||||
image:
|
||||
repository: containous/whoami
|
||||
tag: latest
|
||||
|
||||
service:
|
||||
app:
|
||||
controller: main
|
||||
|
||||
ports:
|
||||
http:
|
||||
port: 80
|
||||
|
||||
ingress:
|
||||
main:
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt-production
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
|
||||
|
||||
hosts:
|
||||
- host: "whoami.${SECRET_NEW_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
service:
|
||||
identifier: app
|
||||
port: http
|
|
@ -0,0 +1,4 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- ./helm-release.yaml
|
|
@ -0,0 +1,25 @@
|
|||
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
|
||||
apiVersion: kustomize.toolkit.fluxcd.io/v1
|
||||
kind: Kustomization
|
||||
metadata:
|
||||
name: whoami
|
||||
namespace: flux-system
|
||||
spec:
|
||||
timeout: 5m
|
||||
interval: 10m
|
||||
path: ./kubernetes/thin/apps/default/whoami/files
|
||||
prune: true
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: home-cluster
|
||||
decryption:
|
||||
provider: sops
|
||||
secretRef:
|
||||
name: sops-gpg
|
||||
postBuild:
|
||||
substitute: {}
|
||||
substituteFrom:
|
||||
- kind: ConfigMap
|
||||
name: cluster-settings
|
||||
- kind: Secret
|
||||
name: cluster-secrets
|
|
@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
resources:
|
||||
- ./helm-repositories.yaml
|
||||
#- ./main-ip-pool.yaml
|
||||
# networking
|
||||
- ./cilium
|
||||
- ./traefik
|
||||
- ../../common/apps/cert-manager
|
||||
#- ../../common/apps/metallb
|
||||
- ../../common/apps/traefik
|
||||
# storage
|
||||
#- ../../common/apps/openebs
|
||||
|
||||
# hardware
|
||||
- ../../common/apps/nfd/ks.yaml
|
||||
- ../../common/apps/intel-gpu/ks.yaml
|
||||
- ../../common/apps/intel-gpu/ks.yaml
|
||||
|
||||
- ./default
|
|
@ -1,7 +1,7 @@
|
|||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: traefik
|
||||
name: traefik-external
|
||||
namespace: traefik
|
||||
spec:
|
||||
interval: 5m
|
||||
|
@ -15,13 +15,13 @@ spec:
|
|||
namespace: flux-system
|
||||
interval: 1m
|
||||
values:
|
||||
service:
|
||||
annotations:
|
||||
io.cilium/lb-ipam-ips: 192.168.1.50
|
||||
|
||||
additionalArguments:
|
||||
- --api.insecure
|
||||
|
||||
logs:
|
||||
general:
|
||||
level: DEBUG
|
||||
|
||||
providers:
|
||||
kubernetesCRD:
|
||||
enabled: true
|
||||
|
@ -48,7 +48,7 @@ spec:
|
|||
|
||||
web:
|
||||
port: 8000
|
||||
#nodePort: 30080
|
||||
nodePort: 30080
|
||||
expose:
|
||||
default: true
|
||||
redirectTo:
|
||||
|
@ -57,7 +57,7 @@ spec:
|
|||
|
||||
websecure:
|
||||
port: 8443
|
||||
#nodePort: 30443
|
||||
nodePort: 30443
|
||||
expose:
|
||||
default: true
|
||||
protocol: TCP
|
||||
|
@ -79,9 +79,14 @@ spec:
|
|||
ingressClass:
|
||||
enabled: true
|
||||
isDefaultClass: true
|
||||
name: traefik-external
|
||||
|
||||
metrics:
|
||||
prometheus:
|
||||
entryPoint: metrics
|
||||
|
||||
namespaceOverride: traefik
|
||||
# Set default certificate
|
||||
tlsStore:
|
||||
default:
|
||||
defaultCertificate:
|
||||
secretName: wildcard-main-tls
|
||||
|
|
|
@ -0,0 +1,81 @@
|
|||
apiVersion: helm.toolkit.fluxcd.io/v2
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: traefik-internal
|
||||
namespace: traefik
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
chart: traefik
|
||||
version: '30.1.0'
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: traefik-charts
|
||||
namespace: flux-system
|
||||
interval: 1m
|
||||
values:
|
||||
service:
|
||||
annotations:
|
||||
io.cilium/lb-ipam-ips: 192.168.1.51
|
||||
|
||||
providers:
|
||||
kubernetesCRD:
|
||||
enabled: true
|
||||
allowCrossNamespace: false
|
||||
allowExternalNameServices: false
|
||||
allowEmptyServices: false
|
||||
namespaces: []
|
||||
|
||||
kubernetesIngress:
|
||||
enabled: true
|
||||
allowExternalNameServices: false
|
||||
allowEmptyServices: false
|
||||
namespaces: []
|
||||
publishedService:
|
||||
enabled: false
|
||||
|
||||
ports:
|
||||
web:
|
||||
port: 8000
|
||||
nodePort: 30080
|
||||
expose:
|
||||
default: true
|
||||
redirectTo:
|
||||
port: websecure
|
||||
protocol: TCP
|
||||
|
||||
websecure:
|
||||
port: 8443
|
||||
nodePort: 30443
|
||||
expose:
|
||||
default: true
|
||||
protocol: TCP
|
||||
tls:
|
||||
enabled: true
|
||||
|
||||
metrics:
|
||||
port: 9100
|
||||
expose:
|
||||
default: false
|
||||
protocol: TCP
|
||||
|
||||
# Disable Dashboard
|
||||
ingressRoute:
|
||||
dashboard:
|
||||
enabled: false
|
||||
|
||||
ingressClass:
|
||||
enabled: true
|
||||
isDefaultClass: false
|
||||
name: traefik-internal
|
||||
|
||||
metrics:
|
||||
prometheus:
|
||||
entryPoint: metrics
|
||||
|
||||
# Set default certificate
|
||||
tlsStore:
|
||||
default:
|
||||
defaultCertificate:
|
||||
secretName: wildcard-main-tls
|
|
@ -4,4 +4,5 @@ resources:
|
|||
- ./namespace.yaml
|
||||
- ./helm-repository.yaml
|
||||
- ./helm-release.yaml
|
||||
- ./internal-hr.yaml
|
||||
- ./dashboard-ingress.yaml
|
|
@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
resources:
|
||||
- ./app/ks.yaml
|
||||
- ./extra/ks.yaml
|
||||
#- ./extra/ks.yaml
|
Loading…
Reference in New Issue