From 6bb2b612a84f6f6b4fe9697b6485f9a1737ab875 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sat, 7 Sep 2024 22:05:05 -0400 Subject: [PATCH] feat: add internal ingress, generate internal certs, setup cilium bgp, create whoami deployment --- .../certs/files/letsencrypt-prod.yaml | 4 +- kubernetes/common/apps/intel-gpu/ks.yaml | 3 + kubernetes/thin/apps/cilium/bgp.yaml | 56 +++++++++++++ .../thin/apps/cilium/kustomization.yaml | 5 ++ kubernetes/thin/apps/cilium/main-ip-pool.yaml | 8 ++ .../home-assistant/files/helm-release.yaml | 48 +++++++++++ .../home-assistant/files/kustomization.yaml | 4 + .../thin/apps/default/home-assistant/ks.yaml | 25 ++++++ .../thin/apps/default/kustomization.yaml | 4 + .../default/whoami/files/helm-release.yaml | 48 +++++++++++ .../default/whoami/files/kustomization.yaml | 4 + kubernetes/thin/apps/default/whoami/ks.yaml | 25 ++++++ kubernetes/thin/apps/kustomization.yaml | 12 +-- .../apps/traefik/app/files/helm-release.yaml | 21 +++-- .../apps/traefik/app/files/internal-hr.yaml | 81 +++++++++++++++++++ .../apps/traefik/app/files/kustomization.yaml | 1 + .../thin/apps/traefik/kustomization.yaml | 2 +- 17 files changed, 336 insertions(+), 15 deletions(-) create mode 100644 kubernetes/thin/apps/cilium/bgp.yaml create mode 100644 kubernetes/thin/apps/cilium/kustomization.yaml create mode 100644 kubernetes/thin/apps/cilium/main-ip-pool.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/ks.yaml create mode 100644 kubernetes/thin/apps/default/kustomization.yaml create mode 100644 kubernetes/thin/apps/default/whoami/files/helm-release.yaml create mode 100644 kubernetes/thin/apps/default/whoami/files/kustomization.yaml create mode 100644 kubernetes/thin/apps/default/whoami/ks.yaml create mode 100644 kubernetes/thin/apps/traefik/app/files/internal-hr.yaml 
diff --git a/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml index c882f1e..7aae355 100644 --- a/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml +++ b/kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml @@ -18,4 +18,6 @@ spec: key: api-token selector: dnsZones: - - "${SECRET_NEW_DOMAIN}" \ No newline at end of file + - "${SECRET_NEW_DOMAIN}" + - "internal.${SECRET_NEW_DOMAIN}" + - "*.internal.${SECRET_NEW_DOMAIN}" \ No newline at end of file diff --git a/kubernetes/common/apps/intel-gpu/ks.yaml b/kubernetes/common/apps/intel-gpu/ks.yaml index 6f0ac05..f02ec18 100644 --- a/kubernetes/common/apps/intel-gpu/ks.yaml +++ b/kubernetes/common/apps/intel-gpu/ks.yaml @@ -18,4 +18,7 @@ spec: name: sops-gpg dependsOn: - name: nfd + namespace: flux-system + # requires certificates for communications between plugins + - name: cert-manager namespace: flux-system \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/bgp.yaml b/kubernetes/thin/apps/cilium/bgp.yaml new file mode 100644 index 0000000..02b53bd --- /dev/null +++ b/kubernetes/thin/apps/cilium/bgp.yaml 
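Review bot: The two added `dnsZones` entries look redundant: cert-manager's `dnsZones` selector matches the listed zone and every subdomain of it, so the existing `"${SECRET_NEW_DOMAIN}"` entry already routes `internal.` and `*.internal.` challenges to this same Cloudflare solver. Listing a more specific zone only changes behaviour when it should use a different solver or API token, which this hunk does not add. It is also worth recording that `*.internal.${SECRET_NEW_DOMAIN}` will be issued by a public CA and therefore appear in Certificate Transparency logs; individual internal hostnames stay out of CT only as long as apps use that wildcard rather than per-host certificates. Suggested comment above the list: `# parent zone already covers internal.* — keep these only if they need a separate solver/token`.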
@@ -0,0 +1,56 @@ +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPClusterConfig +metadata: + name: cilium-bgp + namespace: kube-system +spec: + nodeSelector: + matchExpressions: + - key: node-role.kubernetes.io/control-plane + operator: DoesNotExist + bgpInstances: + - name: "bgp-public" + localASN: 65552 + peers: + - name: "router" + peerASN: 65551 + peerAddress: 192.168.1.1 + peerConfigRef: + name: "cilium-peer-router" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPPeerConfig +metadata: + name: cilium-peer-router + namespace: kube-system +spec: + timers: + holdTimeSeconds: 9 + keepAliveTimeSeconds: 3 + gracefulRestart: + enabled: true + restartTimeSeconds: 15 + families: + - afi: ipv4 + safi: unicast + advertisements: + matchLabels: + advertise: "bgp-public" +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPAdvertisement +metadata: + name: bgp-public-ad + namespace: kube-system + labels: + advertise: "bgp-public" +spec: + advertisements: + - advertisementType: "Service" + service: + addresses: + - ExternalIP + - LoadBalancerIP + selector: + matchLabels: + service-type: public \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/kustomization.yaml b/kubernetes/thin/apps/cilium/kustomization.yaml new file mode 100644 index 0000000..b436c3f --- /dev/null +++ b/kubernetes/thin/apps/cilium/kustomization.yaml @@ -0,0 +1,5 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./main-ip-pool.yaml +- ./bgp.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/cilium/main-ip-pool.yaml b/kubernetes/thin/apps/cilium/main-ip-pool.yaml new file mode 100644 index 0000000..bccf201 --- /dev/null +++ b/kubernetes/thin/apps/cilium/main-ip-pool.yaml @@ -0,0 +1,8 @@ +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: "main-pool" +spec: + blocks: + - start: "192.168.1.50" + stop: "192.168.1.59" \ No newline at end of file 
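Review bot: The `CiliumBGPAdvertisement` exports `ExternalIP` as well as `LoadBalancerIP` for any Service labelled `service-type: public`, so a user-controlled `spec.externalIPs` value on a labelled Service would be injected into the router's BGP table; unless something relies on externalIPs, drop that entry and advertise only `- LoadBalancerIP`. The `CiliumBGPPeerConfig` also peers with 192.168.1.1 with no session authentication; if the Cilium release in use supports it, reference a TCP-MD5 secret via `authSecretRef` and set the matching password on the router so another LAN host cannot spoof the peer. How serious both are depends on who can create Services in this cluster — the label selector is the only gate visible here. Note too that neither Traefik release in this patch sets `service-type: public` on its Service, so as written nothing matches this advertisement.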
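Review bot: `CiliumLoadBalancerIPPool/main-pool` has no `serviceSelector`, so every `type: LoadBalancer` Service in any namespace can draw from 192.168.1.50-59, and the `io.cilium/lb-ipam-ips` annotation lets any such Service request a specific address from that range. Combined with the pinned .50/.51 used by the two Traefik releases, a workload namespace creating LoadBalancer Services could exhaust the pool or contend for those addresses. Restrict the pool to the namespaces that should own LAN-facing IPs, e.g. `serviceSelector: matchLabels: io.kubernetes.service.namespace: traefik` (check the reserved label name against the Cilium version in use), or split internal and external addresses into separate pools so the "internal" prefix can also be filtered at the router.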
diff --git a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml new file mode 100644 index 0000000..8efa6d8 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml @@ -0,0 +1,48 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: whoami + namespace: default +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + + values: + controllers: + main: + containers: + main: + image: + repository: containous/whoami + tag: latest + + service: + app: + controller: main + + ports: + http: + port: 80 + + ingress: + main: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + hosts: + - host: "whoami.${SECRET_NEW_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/home-assistant/ks.yaml b/kubernetes/thin/apps/default/home-assistant/ks.yaml new file mode 100644 index 0000000..a92aa63 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/ks.yaml 
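Review bot: This new `home-assistant/files/helm-release.yaml` is a byte-for-byte copy of the whoami release — it declares `name: whoami` in `namespace: default` and deploys `containous/whoami`, not Home Assistant. It is not referenced from `default/kustomization.yaml`, so it is inert today, but as soon as someone lists `./home-assistant/ks.yaml` two Flux Kustomizations will manage the same `HelmRelease default/whoami` and fight over it. Either drop the directory until real values exist or at least change `metadata.name` to `home-assistant` and mark the file with `# TODO: placeholder copied from whoami — replace before enabling`. Minor: the `yaml-language-server` schema URL points at `helmrelease-helm-v2beta2` while the manifest uses `apiVersion: helm.toolkit.fluxcd.io/v2`.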
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: whoami + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/default/whoami/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/default/kustomization.yaml b/kubernetes/thin/apps/default/kustomization.yaml new file mode 100644 index 0000000..c7dcc20 --- /dev/null +++ b/kubernetes/thin/apps/default/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./whoami/ks.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/whoami/files/helm-release.yaml b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml new file mode 100644 index 0000000..8efa6d8 --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/files/helm-release.yaml 
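Review bot: Like its sibling helm-release, this Flux `Kustomization` is a copy of whoami's: `metadata.name: whoami` in `flux-system` and `path: ./kubernetes/thin/apps/default/whoami/files`, so it points at the whoami manifests rather than at `./home-assistant/files`. `default/kustomization.yaml` currently lists only `./whoami/ks.yaml`, which is the only reason a kustomize build of `./default` does not fail on the duplicate resource id. If the directory is meant to stay as scaffolding, rename it now: `name: home-assistant` and `path: ./kubernetes/thin/apps/default/home-assistant/files`.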
@@ -0,0 +1,48 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: whoami + namespace: default +spec: + interval: 5m + chart: + spec: + chart: app-template + version: 3.1.0 + sourceRef: + kind: HelmRepository + name: bjws-charts + namespace: flux-system + + values: + controllers: + main: + containers: + main: + image: + repository: containous/whoami + tag: latest + + service: + app: + controller: main + + ports: + http: + port: 80 + + ingress: + main: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + hosts: + - host: "whoami.${SECRET_NEW_DOMAIN}" + paths: + - path: / + service: + identifier: app + port: http diff --git a/kubernetes/thin/apps/default/whoami/files/kustomization.yaml b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml new file mode 100644 index 0000000..ea3145d --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/files/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: +- ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/whoami/ks.yaml b/kubernetes/thin/apps/default/whoami/ks.yaml new file mode 100644 index 0000000..a92aa63 --- /dev/null +++ b/kubernetes/thin/apps/default/whoami/ks.yaml 
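Review bot: The container image is `containous/whoami` with `tag: latest` — a mutable tag on what I believe is the legacy image name (upstream now publishes `traefik/whoami`), so the deployment is neither reproducible nor verifiable; pin an explicit upstream release tag under `image.tag` and, ideally, an `@sha256:` digest. The Ingress sets no `className`, so it lands on whichever IngressClass is default — per the traefik `helm-release.yaml` in this patch that is `traefik-external` — and the Authentik middleware annotation is commented out, so `whoami.${SECRET_NEW_DOMAIN}` is published on the internet-facing instance with no authentication. whoami echoes request headers and its own hostname/IPs, which is mild but still discloses internal addressing; if it is only a smoke test, give it `className: traefik-internal` or re-enable the middleware. A `latest` tag also means the 5-minute HelmRelease reconcile will never roll the pods for an upstream image change, since the rendered manifest does not change.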
@@ -0,0 +1,25 @@ +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: whoami + namespace: flux-system +spec: + timeout: 5m + interval: 10m + path: ./kubernetes/thin/apps/default/whoami/files + prune: true + sourceRef: + kind: GitRepository + name: home-cluster + decryption: + provider: sops + secretRef: + name: sops-gpg + postBuild: + substitute: {} + substituteFrom: + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets \ No newline at end of file diff --git a/kubernetes/thin/apps/kustomization.yaml b/kubernetes/thin/apps/kustomization.yaml index abaab00..faa4846 100644 --- a/kubernetes/thin/apps/kustomization.yaml +++ b/kubernetes/thin/apps/kustomization.yaml @@ -2,12 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helm-repositories.yaml -#- ./main-ip-pool.yaml +# networking +- ./cilium +- ./traefik - ../../common/apps/cert-manager -#- ../../common/apps/metallb -- ../../common/apps/traefik # storage #- ../../common/apps/openebs - +# hardware - ../../common/apps/nfd/ks.yaml -- ../../common/apps/intel-gpu/ks.yaml \ No newline at end of file +- ../../common/apps/intel-gpu/ks.yaml + +- ./default \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml index 6870c99..5a93165 100644 --- a/kubernetes/thin/apps/traefik/app/files/helm-release.yaml +++ b/kubernetes/thin/apps/traefik/app/files/helm-release.yaml @@ -1,7 +1,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: traefik + name: traefik-external namespace: traefik spec: interval: 5m 
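Review bot: `- ./cilium` pulls raw `cilium.io/v2alpha1` objects straight into the root apps kustomization, while `./traefik` and `./default` contribute Flux `Kustomization` objects with their own lifecycle; if this directory is the target of the cluster-level Flux Kustomization (not visible here), a missing or not-yet-registered BGP CRD makes that whole reconcile fail and blocks cert-manager, nfd and the new apps with it. Wrapping the Cilium resources in their own `cilium/ks.yaml` (as the other apps do) keeps a CRD problem local to that object and lets the Traefik Kustomizations declare `dependsOn: - name: cilium` so the LB IP pool exists before the Services that pin addresses from it. A one-line `# raw CRs: requires Cilium BGP control plane CRDs to be installed first` above the entry would at least document the assumption.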
@@ -15,13 +15,13 @@ spec: namespace: flux-system interval: 1m values: + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.1.50 + additionalArguments: - --api.insecure - logs: - general: - level: DEBUG - providers: kubernetesCRD: enabled: true @@ -48,7 +48,7 @@ spec: web: port: 8000 - #nodePort: 30080 + nodePort: 30080 expose: default: true redirectTo: @@ -57,7 +57,7 @@ spec: websecure: port: 8443 - #nodePort: 30443 + nodePort: 30443 expose: default: true protocol: TCP @@ -79,9 +79,14 @@ spec: ingressClass: enabled: true isDefaultClass: true + name: traefik-external metrics: prometheus: entryPoint: metrics - namespaceOverride: traefik + # Set default certificate + tlsStore: + default: + defaultCertificate: + secretName: wildcard-main-tls diff --git a/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml new file mode 100644 index 0000000..c270de5 --- /dev/null +++ b/kubernetes/thin/apps/traefik/app/files/internal-hr.yaml 
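Review bot: Nothing in this hunk labels the traefik-external Service `service-type: public`, yet that label is the only thing the Cilium advertisement in `cilium/bgp.yaml` matches on, so the 192.168.1.50 address pinned by the new `io.cilium/lb-ipam-ips` annotation will be allocated but never announced unless the label is set somewhere outside this diff. Add `labels: service-type: public` next to `annotations:` under `service:` so the external instance is the one deliberately opted into BGP. The hunk also keeps `additionalArguments: - --api.insecure`, which serves the Traefik API and dashboard unauthenticated on the `traefik` entrypoint (8080 by default); the internal release added in `internal-hr.yaml` disables its dashboard entirely, so the externally reachable instance is the one with the weaker setting — drop the flag or front the dashboard with an auth middleware (the `ports.traefik.expose` setting that decides whether 8080 is actually published is outside this hunk).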
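Review bot: `ingressClass.isDefaultClass: true` on the external instance makes the internet-facing Traefik the fail-open default: any Ingress that omits `ingressClassName` — the whoami Ingress in this patch is one — is published externally. Since the commit introduces a `traefik-internal` class, the safer default is the internal one: set `isDefaultClass: false` here and `true` in `internal-hr.yaml`, so a forgotten class exposes a service only on the LAN address and external exposure requires an explicit `ingressClassName: traefik-external`. Document the intent beside `name: traefik-external` with `# explicit opt-in only; traefik-internal is the default class`.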
@@ -0,0 +1,81 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: traefik-internal + namespace: traefik +spec: + interval: 5m + chart: + spec: + chart: traefik + version: '30.1.0' + sourceRef: + kind: HelmRepository + name: traefik-charts + namespace: flux-system + interval: 1m + values: + service: + annotations: + io.cilium/lb-ipam-ips: 192.168.1.51 + + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: false + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + + kubernetesIngress: + enabled: true + allowExternalNameServices: false + allowEmptyServices: false + namespaces: [] + publishedService: + enabled: false + + ports: + web: + port: 8000 + nodePort: 30080 + expose: + default: true + redirectTo: + port: websecure + protocol: TCP + + websecure: + port: 8443 + nodePort: 30443 + expose: + default: true + protocol: TCP + tls: + enabled: true + + metrics: + port: 9100 + expose: + default: false + protocol: TCP + + # Disable Dashboard + ingressRoute: + dashboard: + enabled: false + + ingressClass: + enabled: true + isDefaultClass: false + name: traefik-internal + + metrics: + prometheus: + entryPoint: metrics + + # Set default certificate + tlsStore: + default: + defaultCertificate: + secretName: wildcard-main-tls \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml index 191a565..529ab34 100644 --- a/kubernetes/thin/apps/traefik/app/files/kustomization.yaml +++ b/kubernetes/thin/apps/traefik/app/files/kustomization.yaml @@ -4,4 +4,5 @@ resources: - ./namespace.yaml - ./helm-repository.yaml - ./helm-release.yaml +- ./internal-hr.yaml - ./dashboard-ingress.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/traefik/kustomization.yaml b/kubernetes/thin/apps/traefik/kustomization.yaml index c2d4a00..3342dd8 100644 --- a/kubernetes/thin/apps/traefik/kustomization.yaml 
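Review bot: The internal release does not actually isolate anything yet: `providers.kubernetesCRD` and `providers.kubernetesIngress` are both enabled with no `ingressClass` filter, so this instance routes every IngressRoute and — because both IngressClass objects are created with the same Traefik controller — every Ingress in the cluster regardless of class (I do not believe the chart derives the provider filter from `ingressClass.name`; please verify against chart 30.1.0). Add `ingressClass: traefik-internal` under both `providers.kubernetesCRD` and `providers.kubernetesIngress` (and the mirror `traefik-external` in `helm-release.yaml`) so each instance only serves its own class; without that, an "internal" host is reachable through the external LB too, hidden only by DNS. The copied `nodePort: 30080` / `nodePort: 30443` also collide with the external Service, which claims the same NodePorts in this cluster — assuming both Services are `LoadBalancer` as the LB-IPAM annotation implies, the second one is rejected with a port-already-allocated error, so remove them here (and note that any NodePort exposes the "internal" entrypoints on every node IP anyway). Finally, 192.168.1.51 sits in the same pool and LAN as the external .50, so the internal/external boundary rests entirely on upstream router/firewall policy; say so in a comment above `io.cilium/lb-ipam-ips`.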
+++ b/kubernetes/thin/apps/traefik/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./app/ks.yaml -- ./extra/ks.yaml \ No newline at end of file +#- ./extra/ks.yaml \ No newline at end of file