feat: add internal ingress, generate internal certs, setup cilium bgp, create whoami deployment

2024-09-07 22:05:05 -04:00 · 2024-09-07 22:05:05 -04:00 · 6bb2b612a8
parent 41a06897c3
commit 6bb2b612a8
17 changed files with 336 additions and 15 deletions
--- a/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml
+++ b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml
@ -18,4 +18,6 @@ spec:
              key: api-token
        selector:
          dnsZones:
-            - "${SECRET_NEW_DOMAIN}"
+            - "${SECRET_NEW_DOMAIN}"
+            - "internal.${SECRET_NEW_DOMAIN}"
+            - "*.internal.${SECRET_NEW_DOMAIN}"
--- a/kubernetes/common/apps/intel-gpu/ks.yaml
+++ b/kubernetes/common/apps/intel-gpu/ks.yaml
@ -18,4 +18,7 @@ spec:
      name: sops-gpg
  dependsOn:
  - name: nfd
+    namespace: flux-system
+  # requires certificates for communications between plugins
+  - name: cert-manager
    namespace: flux-system
--- a/kubernetes/thin/apps/cilium/bgp.yaml
+++ b/kubernetes/thin/apps/cilium/bgp.yaml
@ -0,0 +1,56 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+  name: cilium-bgp
+  namespace: kube-system
+spec:
+  nodeSelector:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+  bgpInstances:
+  - name: "bgp-public"
+    localASN: 65552
+    peers:
+    - name: "router"
+      peerASN: 65551
+      peerAddress: 192.168.1.1
+      peerConfigRef:
+        name: "cilium-peer-router"
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+  name: cilium-peer-router
+  namespace: kube-system
+spec:
+  timers:
+    holdTimeSeconds: 9
+    keepAliveTimeSeconds: 3
+  gracefulRestart:
+    enabled: true
+    restartTimeSeconds: 15
+  families:
+    - afi: ipv4
+      safi: unicast
+      advertisements:
+        matchLabels:
+          advertise: "bgp-public"
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+  name: bgp-public-ad
+  namespace: kube-system
+  labels:
+    advertise: "bgp-public"
+spec:
+  advertisements:
+  - advertisementType: "Service"
+    service:
+      addresses:
+      - ExternalIP
+      - LoadBalancerIP
+    selector:
+      matchLabels:
+        service-type: public
--- a/kubernetes/thin/apps/cilium/kustomization.yaml
+++ b/kubernetes/thin/apps/cilium/kustomization.yaml
@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./main-ip-pool.yaml
+- ./bgp.yaml
--- a/kubernetes/thin/apps/cilium/main-ip-pool.yaml
+++ b/kubernetes/thin/apps/cilium/main-ip-pool.yaml
@ -0,0 +1,8 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "main-pool"
+spec:
+  blocks:
+  - start: "192.168.1.50"
+    stop: "192.168.1.59"
--- a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
+++ b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    controllers:
+      main:
+        containers:
+          main:
+            image:
+              repository: containous/whoami
+              tag: latest
+
+    service:
+      app:
+        controller: main
+
+        ports:
+          http:
+            port: 80
+
+    ingress:
+      main:
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+
+        hosts:
+        - host: "whoami.${SECRET_NEW_DOMAIN}"
+          paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
--- a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml
+++ b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml
--- a/kubernetes/thin/apps/default/home-assistant/ks.yaml
+++ b/kubernetes/thin/apps/default/home-assistant/ks.yaml
@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: whoami
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/thin/apps/default/whoami/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
--- a/kubernetes/thin/apps/default/kustomization.yaml
+++ b/kubernetes/thin/apps/default/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./whoami/ks.yaml
--- a/kubernetes/thin/apps/default/whoami/files/helm-release.yaml
+++ b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml
@ -0,0 +1,48 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: whoami
+  namespace: default
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjws-charts
+        namespace: flux-system
+
+  values:
+    controllers:
+      main:
+        containers:
+          main:
+            image:
+              repository: containous/whoami
+              tag: latest
+
+    service:
+      app:
+        controller: main
+
+        ports:
+          http:
+            port: 80
+
+    ingress:
+      main:
+        annotations:
+          cert-manager.io/cluster-issuer: letsencrypt-production
+          traefik.ingress.kubernetes.io/router.entrypoints: websecure
+          #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
+
+        hosts:
+        - host: "whoami.${SECRET_NEW_DOMAIN}"
+          paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
--- a/kubernetes/thin/apps/default/whoami/files/kustomization.yaml
+++ b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml
@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./helm-release.yaml
--- a/kubernetes/thin/apps/default/whoami/ks.yaml
+++ b/kubernetes/thin/apps/default/whoami/ks.yaml
@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: whoami
+  namespace: flux-system
+spec:
+  timeout: 5m
+  interval: 10m
+  path: ./kubernetes/thin/apps/default/whoami/files
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-cluster
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-gpg
+  postBuild:
+    substitute: {}
+    substituteFrom:
+      - kind: ConfigMap
+        name: cluster-settings
+      - kind: Secret
+        name: cluster-secrets
--- a/kubernetes/thin/apps/kustomization.yaml
+++ b/kubernetes/thin/apps/kustomization.yaml
@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./helm-repositories.yaml
-#- ./main-ip-pool.yaml
+# networking
+- ./cilium
+- ./traefik
 - ../../common/apps/cert-manager
-#- ../../common/apps/metallb
- ../../common/apps/traefik
 # storage
 #- ../../common/apps/openebs
-
+# hardware
 - ../../common/apps/nfd/ks.yaml
- ../../common/apps/intel-gpu/ks.yaml
+- ../../common/apps/intel-gpu/ks.yaml
+
+- ./default
--- a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml
+++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml
@ -1,7 +1,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
-  name: traefik
+  name: traefik-external
  namespace: traefik
 spec:
  interval: 5m
@ -15,13 +15,13 @@ spec:
        namespace: flux-system
      interval: 1m
  values:
+    service:
+      annotations:
+        io.cilium/lb-ipam-ips: 192.168.1.50
+
    additionalArguments:
    - --api.insecure

-    logs:
-      general:
-        level: DEBUG
-
    providers:
      kubernetesCRD:
        enabled: true
@ -48,7 +48,7 @@ spec:

      web:
        port: 8000
-        #nodePort: 30080
+        nodePort: 30080
        expose:
          default: true
        redirectTo:
@ -57,7 +57,7 @@ spec:

      websecure:
        port: 8443
-        #nodePort: 30443
+        nodePort: 30443
        expose:
          default: true
        protocol: TCP
@ -79,9 +79,14 @@ spec:
    ingressClass:
      enabled: true
      isDefaultClass: true
+      name: traefik-external

    metrics:
      prometheus:
        entryPoint: metrics

-    namespaceOverride: traefik
+    # Set default certificate
+    tlsStore:
+      default:
+        defaultCertificate:
+          secretName: wildcard-main-tls
--- a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml
+++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml
@ -0,0 +1,81 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: traefik-internal
+  namespace: traefik
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: traefik
+      version: '30.1.0'
+      sourceRef:
+        kind: HelmRepository
+        name: traefik-charts
+        namespace: flux-system
+      interval: 1m
+  values:
+    service:
+      annotations:
+        io.cilium/lb-ipam-ips: 192.168.1.51
+
+    providers:
+      kubernetesCRD:
+        enabled: true
+        allowCrossNamespace: false
+        allowExternalNameServices: false
+        allowEmptyServices: false
+        namespaces: []
+
+      kubernetesIngress:
+        enabled: true
+        allowExternalNameServices: false
+        allowEmptyServices: false
+        namespaces: []
+        publishedService:
+          enabled: false
+
+    ports:
+      web:
+        port: 8000
+        nodePort: 30080
+        expose:
+          default: true
+        redirectTo:
+          port: websecure
+        protocol: TCP
+
+      websecure:
+        port: 8443
+        nodePort: 30443
+        expose:
+          default: true
+        protocol: TCP
+        tls:
+          enabled: true
+
+      metrics:
+        port: 9100
+        expose:
+          default: false
+        protocol: TCP
+
+    # Disable Dashboard
+    ingressRoute:
+      dashboard:
+        enabled: false
+
+    ingressClass:
+      enabled: true
+      isDefaultClass: false
+      name: traefik-internal
+
+    metrics:
+      prometheus:
+        entryPoint: metrics
+    
+    # Set default certificate
+    tlsStore:
+      default:
+        defaultCertificate:
+          secretName: wildcard-main-tls
--- a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml
+++ b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml
@ -4,4 +4,5 @@ resources:
 - ./namespace.yaml
 - ./helm-repository.yaml
 - ./helm-release.yaml
+- ./internal-hr.yaml
 - ./dashboard-ingress.yaml
--- a/kubernetes/thin/apps/traefik/kustomization.yaml
+++ b/kubernetes/thin/apps/traefik/kustomization.yaml
@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./app/ks.yaml
- ./extra/ks.yaml
+#- ./extra/ks.yaml