feat: add internal ingress, generate internal certs, setup cilium bgp, create whoami deployment

SeanOMik 2024-09-07 22:05:05 -04:00
parent 41a06897c3
commit 6bb2b612a8
17 changed files with 336 additions and 15 deletions


@ -18,4 +18,6 @@ spec:
key: api-token
selector:
dnsZones:
- "${SECRET_NEW_DOMAIN}"
- "${SECRET_NEW_DOMAIN}"
- "internal.${SECRET_NEW_DOMAIN}"
- "*.internal.${SECRET_NEW_DOMAIN}"
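Review bot: The `*.internal.${SECRET_NEW_DOMAIN}` entry added on the last line is not a DNS zone: cert-manager matches `dnsZones` entries as suffixes of the challenge's DNS name, and for a wildcard Certificate the challenge carries the name with the `*.` already stripped, so this entry is very likely never matched. The parent entry `${SECRET_NEW_DOMAIN}` already selects every name under it, `internal.` names included, so both added lines look redundant unless a second solver with a narrower selector is meant to win; if that is the intent, it deserves a comment. Worth recording either way that these names are issued through the same public zone, e.g. `# internal.* hostnames are issued publicly (DNS-01) and will appear in Certificate Transparency logs; prefer one *.internal wildcard over per-host certificates`.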


@ -18,4 +18,7 @@ spec:
name: sops-gpg
dependsOn:
- name: nfd
namespace: flux-system
# requires certificates for communications between plugins
- name: cert-manager
namespace: flux-system


@ -0,0 +1,56 @@
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPClusterConfig
metadata:
name: cilium-bgp
namespace: kube-system
spec:
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: DoesNotExist
bgpInstances:
- name: "bgp-public"
localASN: 65552
peers:
- name: "router"
peerASN: 65551
peerAddress: 192.168.1.1
peerConfigRef:
name: "cilium-peer-router"
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeerConfig
metadata:
name: cilium-peer-router
namespace: kube-system
spec:
timers:
holdTimeSeconds: 9
keepAliveTimeSeconds: 3
gracefulRestart:
enabled: true
restartTimeSeconds: 15
families:
- afi: ipv4
safi: unicast
advertisements:
matchLabels:
advertise: "bgp-public"
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPAdvertisement
metadata:
name: bgp-public-ad
namespace: kube-system
labels:
advertise: "bgp-public"
spec:
advertisements:
- advertisementType: "Service"
service:
addresses:
- ExternalIP
- LoadBalancerIP
selector:
matchLabels:
service-type: public
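Review bot: The `CiliumBGPAdvertisement` announces `ExternalIP` as well as `LoadBalancerIP` for any Service labelled `service-type: public`, so anyone who can create a Service in any namespace with that label can put arbitrary addresses in `externalIPs` and have the upstream router forward them into the cluster (the classic Kubernetes external-IP hijack), whereas `LoadBalancerIP` allocation is governed by the `CiliumLoadBalancerIPPool`. Unless external IPs are really needed, reduce `addresses:` to the single entry `- LoadBalancerIP`. The session with `192.168.1.1` is also unauthenticated; if the router supports TCP-MD5, set `authSecretRef` on the `CiliumBGPPeerConfig` (Cilium reads it from its configured BGP secret namespace). Note that nothing else in this commit labels a Service `service-type: public`, so as written neither Traefik LoadBalancer address is advertised — presumably intentional or handled elsewhere, but a comment on the selector saying so would help.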


@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./main-ip-pool.yaml
- ./bgp.yaml


@ -0,0 +1,8 @@
apiVersion: "cilium.io/v2alpha1"
kind: CiliumLoadBalancerIPPool
metadata:
name: "main-pool"
spec:
blocks:
- start: "192.168.1.50"
stop: "192.168.1.59"
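Review bot: The pool has no `serviceSelector`, so every `type: LoadBalancer` Service in any namespace can draw from 192.168.1.50–59 or pin a specific address via `io.cilium/lb-ipam-ips`, which makes these ten addresses a first-come shared resource rather than something reserved for the two Traefik releases that this commit hard-codes to .50 and .51. If the pool is meant only for the ingress controllers, restrict it, e.g. `serviceSelector: {matchLabels: {io.kubernetes.service.namespace: traefik}}` (Cilium's LB-IPAM exposes the namespace as that pseudo-label per its docs — verify against the running version). At minimum add `# .50 = traefik-external, .51 = traefik-internal (pinned via io.cilium/lb-ipam-ips)` so the hand-picked addresses are documented next to the range.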


@ -0,0 +1,48 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: whoami
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 3.1.0
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
controllers:
main:
containers:
main:
image:
repository: containous/whoami
tag: latest
service:
app:
controller: main
ports:
http:
port: 80
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
hosts:
- host: "whoami.${SECRET_NEW_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
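Review bot: The image stanza uses `tag: latest` on `containous/whoami`, so every pull on a new node or restart can silently run a different binary, and `containous/whoami` appears to be the pre-rename repository that presumably no longer receives updates; pin an explicit version tag (or an `@sha256:` digest) and consider the current `traefik/whoami` repository. Nothing in `controllers.main` sets a `securityContext` or `resources`, so the pod runs with the chart defaults; for a throwaway echo service `runAsNonRoot: true`, `readOnlyRootFilesystem: true` and a small CPU/memory limit cost nothing. A short header comment such as `# test/echo service: returns every request header it receives — do not expose without auth` would also make the purpose of this deployment clear to the next reader.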


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-release.yaml


@ -0,0 +1,25 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: whoami
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/default/whoami/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./whoami/ks.yaml


@ -0,0 +1,48 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: whoami
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 3.1.0
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
controllers:
main:
containers:
main:
image:
repository: containous/whoami
tag: latest
service:
app:
controller: main
ports:
http:
port: 80
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
hosts:
- host: "whoami.${SECRET_NEW_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
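Review bot: The ingress sets no `className`, so with this commit it lands on the default class `traefik-external` and `whoami.${SECRET_NEW_DOMAIN}` is served from the public entrypoint with the `traefik-authentik@kubernetescrd` middleware still commented out — an unauthenticated endpoint that echoes back every request header, including whatever `X-Forwarded-*` or auth headers the proxy injects. Since the commit introduces `traefik-internal` for exactly this kind of service, add `className: traefik-internal` under `ingress.main` (the issuer annotation should keep working, as the solver in this commit appears to be DNS-01 and does not depend on the ingress class), or re-enable the middleware if it must stay public. This file also appears identical to the whoami HelmRelease shown earlier in the commit; if that is a second cluster overlay rather than the page rendering the same file twice, the duplication is worth collapsing into a shared base.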


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-release.yaml


@ -0,0 +1,25 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: whoami
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/default/whoami/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets
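Review bot: This Flux Kustomization appears byte-identical to the one shown earlier in the commit, including `metadata.name: whoami` in `flux-system` and `path: ./kubernetes/thin/apps/default/whoami/files`; if this copy lives under a different cluster directory it would reconcile the thin cluster's files and, if both end up in one cluster, collide on the Kustomization name. If the page is simply rendering the same file twice, ignore this; otherwise point `path` at this copy's own `files` directory. A one-line comment above `path` naming the cluster it targets would make that unambiguous.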


@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-repositories.yaml
#- ./main-ip-pool.yaml
# networking
- ./cilium
- ./traefik
- ../../common/apps/cert-manager
#- ../../common/apps/metallb
- ../../common/apps/traefik
# storage
#- ../../common/apps/openebs
# hardware
- ../../common/apps/nfd/ks.yaml
- ../../common/apps/intel-gpu/ks.yaml
- ../../common/apps/intel-gpu/ks.yaml
- ./default


@ -1,7 +1,7 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: traefik
name: traefik-external
namespace: traefik
spec:
interval: 5m
@ -15,13 +15,13 @@ spec:
namespace: flux-system
interval: 1m
values:
service:
annotations:
io.cilium/lb-ipam-ips: 192.168.1.50
additionalArguments:
- --api.insecure
logs:
general:
level: DEBUG
providers:
kubernetesCRD:
enabled: true
@ -48,7 +48,7 @@ spec:
web:
port: 8000
#nodePort: 30080
nodePort: 30080
expose:
default: true
redirectTo:
@ -57,7 +57,7 @@ spec:
websecure:
port: 8443
#nodePort: 30443
nodePort: 30443
expose:
default: true
protocol: TCP
@ -79,9 +79,14 @@ spec:
ingressClass:
enabled: true
isDefaultClass: true
name: traefik-external
metrics:
prometheus:
entryPoint: metrics
namespaceOverride: traefik
# Set default certificate
tlsStore:
default:
defaultCertificate:
secretName: wildcard-main-tls
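Review bot: If `- --api.insecure` in the second hunk survives on the new side (the rendering does not show which side it is on), the Traefik API and dashboard are served unauthenticated on the `traefik` entrypoint, reachable from any pod in the cluster even though that port is not on the LoadBalancer; the commit also adds a `dashboard-ingress.yaml`, which suggests the dashboard is meant to be reached through an IngressRoute instead, in which case `--api.insecure` should go and `--api.dashboard=true` suffices. The same applies to `level: DEBUG` under `logs.general`, which is very verbose for a production-facing edge. The renamed release is now the default ingress class (`isDefaultClass: true`) with both controllers watching all namespaces (`namespaces: []`), so any Ingress that omits `className` becomes public; a comment such as `# default class: Ingresses without className are exposed on the external entrypoint` next to `isDefaultClass` would warn future authors.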


@ -0,0 +1,81 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: traefik-internal
namespace: traefik
spec:
interval: 5m
chart:
spec:
chart: traefik
version: '30.1.0'
sourceRef:
kind: HelmRepository
name: traefik-charts
namespace: flux-system
interval: 1m
values:
service:
annotations:
io.cilium/lb-ipam-ips: 192.168.1.51
providers:
kubernetesCRD:
enabled: true
allowCrossNamespace: false
allowExternalNameServices: false
allowEmptyServices: false
namespaces: []
kubernetesIngress:
enabled: true
allowExternalNameServices: false
allowEmptyServices: false
namespaces: []
publishedService:
enabled: false
ports:
web:
port: 8000
nodePort: 30080
expose:
default: true
redirectTo:
port: websecure
protocol: TCP
websecure:
port: 8443
nodePort: 30443
expose:
default: true
protocol: TCP
tls:
enabled: true
metrics:
port: 9100
expose:
default: false
protocol: TCP
# Disable Dashboard
ingressRoute:
dashboard:
enabled: false
ingressClass:
enabled: true
isDefaultClass: false
name: traefik-internal
metrics:
prometheus:
entryPoint: metrics
# Set default certificate
tlsStore:
default:
defaultCertificate:
secretName: wildcard-main-tls
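Review bot: `ports.web.nodePort: 30080` and `ports.websecure.nodePort: 30443` are the same NodePorts that the `traefik-external` release in this commit now pins (its previously commented-out values are enabled), and NodePorts are cluster-unique, so the API server will reject whichever Service is created second with "provided port is already allocated" unless one of the two is not NodePort/LoadBalancer typed. Give this release distinct ports, e.g. `nodePort: 31080` / `nodePort: 31443`, or drop the `nodePort` keys entirely and let Kubernetes allocate, since clients use the LB-IPAM address `192.168.1.51` anyway. Also note that both releases present the same `wildcard-main-tls` default certificate and this listener sits on the same 192.168.1.0/24 segment as the external one, so "internal" here is presumably only an ingress-class split, not network isolation; `# internal = separate ingress class on the LAN; public exposure is decided at the router, not here` above `service.annotations` would keep readers from assuming more.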


@ -4,4 +4,5 @@ resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
- ./internal-hr.yaml
- ./dashboard-ingress.yaml


@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./app/ks.yaml
- ./extra/ks.yaml
#- ./extra/ks.yaml