diff --git a/kubernetes/apps/flux-system/vars/cluster-settings.yaml b/kubernetes/apps/flux-system/vars/cluster-settings.yaml
index e9b406ca5..7d85aec0b 100644
--- a/kubernetes/apps/flux-system/vars/cluster-settings.yaml
+++ b/kubernetes/apps/flux-system/vars/cluster-settings.yaml
@@ -27,6 +27,8 @@ data:
   CLUSTER_LB_POSTGRES: 192.168.169.118
   CLUSTER_LB_NGINX_INTERNAL: 192.168.169.119
   CLUSTER_LB_NGINX_EXTERNAL: 192.168.169.120
+  CLUSTER_LB_ENVOY_INTERNAL: 192.168.169.121
+  CLUSTER_LB_ENVOY_EXTERNAL: 192.168.169.122
   LOCAL_LAN: 192.168.8.0/22
   LOCAL_LAN_OPNSENSE: 192.168.8.1
   LOCAL_LAN_TRUENAS: 192.168.9.10
diff --git a/kubernetes/apps/network/envoy-gateway/external/gateway.yaml b/kubernetes/apps/network/envoy-gateway/external/gateway.yaml
new file mode 100644
index 000000000..7529bb204
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/external/gateway.yaml
@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: external
+  # annotations:
+  #   external-dns.alpha.kubernetes.io/target: external.${SECRET_CLUSTER_DOMAIN}
+spec:
+  gatewayClassName: envoy-gateway
+  addresses:
+    - type: IPAddress
+      value: "${CLUSTER_LB_ENVOY_EXTERNAL}"
+  # infrastructure:
+  #   annotations:
+  #     external-dns.alpha.kubernetes.io/hostname: external.${SECRET_CLUSTER_DOMAIN}
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls
diff --git a/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml
new file mode 100644
index 000000000..2a01f8e7c
--- /dev/null
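Review bot: The https listener serves `hostname: "*.${SECRET_CLUSTER_DOMAIN}"` but references the certificate `${SECRET_EXTERNAL_DOMAIN//./-}-tls`; if those two substitutions resolve to different domains, the presented certificate will not match the listener hostname, and the same pairing is repeated in internal/gateway.yaml. The https listener also allows routes with `from: All`, so any namespace in the cluster can attach an HTTPRoute to the internet-facing gateway; for the external gateway consider `from: Selector` with a `selector.matchLabels` on trusted namespaces so only intended workloads can publish. The http listener's `from: Same` is consistent with the redirect route living in the same namespace. For consistency with the quoted `addresses[].value`, quote the certificate `name` as well, `name: "${SECRET_EXTERNAL_DOMAIN//./-}-tls"`, so the post-build substitution is always string-typed.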
+++ b/kubernetes/apps/network/envoy-gateway/external/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gateway.yaml
+  - ./redirect.yaml
diff --git a/kubernetes/apps/network/envoy-gateway/external/redirect.yaml b/kubernetes/apps/network/envoy-gateway/external/redirect.yaml
new file mode 100644
index 000000000..c8337dceb
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/external/redirect.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-redirect-external
+  annotations:
+    external-dns.alpha.kubernetes.io/controller: none
+spec:
+  parentRefs:
+    - name: external
+      port: 80
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
diff --git a/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml b/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml
new file mode 100644
index 000000000..5abfa17d4
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/internal/gateway.yaml
@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: internal
+  # annotations:
+  #   external-dns.alpha.kubernetes.io/target: internal.${SECRET_CLUSTER_DOMAIN}
+spec:
+  gatewayClassName: envoy-gateway
+  addresses:
+    - type: IPAddress
+      value: "${CLUSTER_LB_ENVOY_INTERNAL}"
+  # infrastructure:
+  #   annotations:
+  #     external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_CLUSTER_DOMAIN}
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls
diff --git a/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml
new file mode 100644
index 000000000..1bf35fe35
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gateway.yaml
+  - ./redirect.yaml
+  - ./securitypolicy.yaml
diff --git a/kubernetes/apps/network/envoy-gateway/internal/redirect.yaml b/kubernetes/apps/network/envoy-gateway/internal/redirect.yaml
new file mode 100644
index 000000000..16f1c9059
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/internal/redirect.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-redirect-internal
+  annotations:
+    external-dns.alpha.kubernetes.io/controller: none
+spec:
+  parentRefs:
+    - name: internal
+      port: 80
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301
diff --git a/kubernetes/apps/network/envoy-gateway/internal/securitypolicy.yaml b/kubernetes/apps/network/envoy-gateway/internal/securitypolicy.yaml
new file mode 100644
index 000000000..48576cb76
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/internal/securitypolicy.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: internal-secure
+spec:
+  extAuth:
+    failOpen: false
+    headersToExtAuth:
+      - X-Forwarded-Proto
+      - authorization
+      - proxy-authorization
+      - accept
+      - cookie
+    http:
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: authelia
+          namespace: default
+          port: 80
+      path: /api/authz/ext-authz/
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: internal
diff --git a/kubernetes/apps/network/envoy-gateway/ks.yaml b/kubernetes/apps/network/envoy-gateway/ks.yaml
new file mode 100644
index 000000000..575577d72
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/ks.yaml
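Review bot: internal/redirect.yaml omits the `# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json` header that its twin external/redirect.yaml carries, so editor validation is lost on this copy only. Adding the same comment line after `---` keeps the two redirect routes consistent, and the file is otherwise identical apart from the `internal` name and parentRef.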
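Review bot: The extAuth `backendRefs` entry points at Service `authelia` in namespace `default`, while the policy itself lands in `networking-system` (via internal/kustomization.yaml); Envoy Gateway requires a ReferenceGrant in the target namespace for a cross-namespace backendRef, and none is added in this commit, so unless one already exists the policy will be rejected and, because `failOpen: false` is set, every request through the internal gateway will be denied. The grant would live in `default` and allow `SecurityPolicy` from `networking-system` to reference `Service`, as sketched below. Separately, the policy targets the whole `internal` Gateway, so the plaintext port-80 listener that only hosts the https-redirect route is also sent to ext-authz before redirecting; if that is unintended, scope the target to the TLS listener with `sectionName: https` under `targetRefs`. `failOpen: false` and the explicit `headersToExtAuth` allow-list are the right defaults here and should be kept.
```yaml
# ReferenceGrant in the backend's namespace (constructed example; names taken from the hunk)
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-envoy-securitypolicy-to-authelia
  namespace: default
spec:
  from:
    - group: gateway.envoyproxy.io
      kind: SecurityPolicy
      namespace: networking-system
  to:
    - group: ""
      kind: Service
      name: authelia
```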
@@ -0,0 +1,84 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway
+  namespace: &namespace network
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 1h
+  path: ./kubernetes/apps/network/envoy-gateway/operator
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: *app
+      namespace: *namespace
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: GatewayClass
+      name: envoy-gateway
+  healthCheckExprs:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: GatewayClass
+      failed: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'False')
+      inProgress: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'Unknown')
+      current: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'True')
+  prune: false
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: false
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway-internal
+  namespace: &namespace network
+spec:
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  prune: false
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/network/envoy-gateway/internal
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  wait: false
+  dependsOn:
+    - name: envoy-gateway-operator
+      namespace: *namespace
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway-external
+  namespace: &namespace network
+spec:
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  prune: false
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/network/envoy-gateway/external
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  wait: false
+  dependsOn:
+    - name: envoy-gateway-operator
+      namespace: *namespace
diff --git a/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml b/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml
new file mode 100644
index 000000000..79c5433cc
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gatewayclass_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy-gateway
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+  parametersRef:
+    group: gateway.envoyproxy.io
+    kind: EnvoyProxy
+    name: proxy-config
+    namespace: networking-system
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/envoyproxy_v1alpha1.json
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: proxy-config
+spec:
+  backendTLS:
+    minVersion: "1.3"
+    maxVersion: "1.3"
diff --git a/kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml b/kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml
new file mode 100644
index 000000000..810ea41a1
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml
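Review bot: Both the internal and external Kustomizations declare `dependsOn: - name: envoy-gateway-operator` in namespace `network`, but the operator Kustomization in the first document is named `envoy-gateway` (`name: &app envoy-gateway`), so Flux will report the dependency as not found and neither gateway Kustomization will ever reconcile. The same anchor feeds the HelmRelease health check (`name: *app`), while the HelmRelease created by operator/helmrelease.yaml is `envoy-gateway-operator`, so that health check also points at a resource that does not exist; renaming the first document to `name: &app envoy-gateway-operator` fixes both in one line. Also worth confirming: the first document sets `targetNamespace: *namespace` (`network`), which in Flux overrides the `namespace: networking-system` from operator/kustomization.yaml, so the EnvoyProxy `proxy-config` would land in `network` while the GatewayClass `parametersRef` in operator/gatewayclass.yaml points at `networking-system`, and the internal/external documents carry no targetNamespace at all, so their resources go to `networking-system`. Dropping `targetNamespace` here, or pointing `parametersRef.namespace` at the namespace the operator resources actually land in, keeps the three paths consistent.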
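Review bot: The EnvoyProxy `backendTLS` block pins upstream connections to exactly TLS 1.3 (`minVersion`/`maxVersion` both `"1.3"`), but nothing in this commit sets a floor for the client-facing listeners, so downstream TLS stays at the Envoy Gateway default; if a minimum is wanted for the gateways as well, a `ClientTrafficPolicy` with `spec.tls.minVersion: "1.2"` (or `"1.3"`) targeting each Gateway is the place for it. The strict 1.3-only backend setting will also refuse any in-cluster backend that only negotiates TLS 1.2; that may be intended, but it is worth confirming before the gateways go live. Quoting the version strings as done here is correct and avoids the float-typing trap.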
@@ -0,0 +1,41 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: envoy-gateway-operator
+spec:
+  interval: 30m
+  timeout: 60s
+  url: oci://docker.io/envoyproxy/gateway-helm
+  ref:
+    tag: 1.4.0
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: envoy-gateway-operator
+spec:
+  interval: 1h
+  timeout: 5m
+  chartRef:
+    kind: OCIRepository
+    name: envoy-gateway-operator
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    crds: CreateReplace
+    remediation:
+      retries: 5
+  values:
+    config:
+      envoyGateway:
+        gateway:
+          controllerName: gateway.envoyproxy.io/gatewayclass-controller
diff --git a/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml
new file mode 100644
index 000000000..ed948af6a
--- /dev/null
+++ b/kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gatewayclass.yaml
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml
index 3c2c1ecff..4dbb84c2f 100644
--- a/kubernetes/apps/network/kustomization.yaml
+++ b/kubernetes/apps/network/kustomization.yaml
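Review bot: The OCIRepository is declared as `apiVersion: source.toolkit.fluxcd.io/v1` but its schema header still points at `ocirepository_v1beta2.json`, so editor validation checks the wrong API surface; update the comment to the v1 schema path to match the apiVersion. From a supply-chain standpoint the chart is fetched by a mutable `tag: 1.4.0` only; OCIRepository `spec.ref` also accepts a `digest`, and pinning it alongside the tag (`digest: sha256:<chart-digest-placeholder>`) ensures Flux pulls the exact artifact that was reviewed rather than whatever the tag resolves to later. The HelmRelease side is consistent with the rest of the file, and `cleanupOnFail: true` with bounded upgrade retries is a sensible default.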
@@ -7,6 +7,7 @@ components:
   - ../../components/common
 resources:
   - ./cloudflared/ks.yaml
+  - ./envoy-gateway/ks.yaml
   - ./external-dns/ks.yaml
   - ./nginx/ks.yaml
   - ./k8s-gateway/ks.yaml