feat: envoy-gateway

kubernetes/apps/flux-system/vars/cluster-settings.yaml

@@ -27,6 +27,8 @@ data:
   CLUSTER_LB_POSTGRES: 192.168.169.118
   CLUSTER_LB_NGINX_INTERNAL: 192.168.169.119
   CLUSTER_LB_NGINX_EXTERNAL: 192.168.169.120
+  CLUSTER_LB_ENVOY_INTERNAL: 192.168.169.121
+  CLUSTER_LB_ENVOY_EXTERNAL: 192.168.169.122
   LOCAL_LAN: 192.168.8.0/22
   LOCAL_LAN_OPNSENSE: 192.168.8.1
   LOCAL_LAN_TRUENAS: 192.168.9.10

kubernetes/apps/network/envoy-gateway/external/gateway.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: external
+  # annotations:
+  #   external-dns.alpha.kubernetes.io/target: external.${SECRET_CLUSTER_DOMAIN}
+spec:
+  gatewayClassName: envoy-gateway
+  addresses:
+    - type: IPAddress
+      value: "${CLUSTER_LB_ENVOY_EXTERNAL}"
+  # infrastructure:
+  #   annotations:
+  #     external-dns.alpha.kubernetes.io/hostname: external.${SECRET_CLUSTER_DOMAIN}
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls

kubernetes/apps/network/envoy-gateway/external/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gateway.yaml
+  - ./redirect.yaml

kubernetes/apps/network/envoy-gateway/external/redirect.yaml

@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-redirect-external
+  annotations:
+    external-dns.alpha.kubernetes.io/controller: none
+spec:
+  parentRefs:
+    - name: external
+      port: 80
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301

kubernetes/apps/network/envoy-gateway/internal/gateway.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: internal
+  # annotations:
+  #   external-dns.alpha.kubernetes.io/target: internal.${SECRET_CLUSTER_DOMAIN}
+spec:
+  gatewayClassName: envoy-gateway
+  addresses:
+    - type: IPAddress
+      value: "${CLUSTER_LB_ENVOY_INTERNAL}"
+  # infrastructure:
+  #   annotations:
+  #     external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_CLUSTER_DOMAIN}
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls

kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gateway.yaml
+  - ./redirect.yaml
+  - ./securitypolicy.yaml

kubernetes/apps/network/envoy-gateway/internal/redirect.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-redirect-internal
+  annotations:
+    external-dns.alpha.kubernetes.io/controller: none
+spec:
+  parentRefs:
+    - name: internal
+      port: 80
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301

kubernetes/apps/network/envoy-gateway/internal/securitypolicy.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: internal-secure
+spec:
+  extAuth:
+    failOpen: false
+    headersToExtAuth:
+      - X-Forwarded-Proto
+      - authorization
+      - proxy-authorization
+      - accept
+      - cookie
+    http:
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: authelia
+          namespace: default
+          port: 80
+      path: /api/authz/ext-authz/
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: internal

kubernetes/apps/network/envoy-gateway/ks.yaml

@@ -0,0 +1,84 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway
+  namespace: &namespace network
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 1h
+  path: ./kubernetes/apps/network/envoy-gateway/operator
+  healthChecks:
+    - apiVersion: helm.toolkit.fluxcd.io/v2
+      kind: HelmRelease
+      name: *app
+      namespace: *namespace
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: GatewayClass
+      name: envoy-gateway
+  healthCheckExprs:
+    - apiVersion: gateway.networking.k8s.io/v1
+      kind: GatewayClass
+      failed: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'False')
+      inProgress: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'Unknown')
+      current: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'True')
+  prune: false
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: false
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway-internal
+  namespace: &namespace network
+spec:
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  prune: false
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/network/envoy-gateway/internal
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  wait: false
+  dependsOn:
+    - name: envoy-gateway-operator
+      namespace: *namespace
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-gateway-external
+  namespace: &namespace network
+spec:
+  interval: 1h
+  retryInterval: 2m
+  timeout: 5m
+  prune: false
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/network/envoy-gateway/external
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+    namespace: flux-system
+  wait: false
+  dependsOn:
+    - name: envoy-gateway-operator
+      namespace: *namespace

kubernetes/apps/network/envoy-gateway/operator/gatewayclass.yaml

@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gatewayclass_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy-gateway
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+  parametersRef:
+    group: gateway.envoyproxy.io
+    kind: EnvoyProxy
+    name: proxy-config
+    namespace: networking-system
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/envoyproxy_v1alpha1.json
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: EnvoyProxy
+metadata:
+  name: proxy-config
+spec:
+  backendTLS:
+    minVersion: "1.3"
+    maxVersion: "1.3"

kubernetes/apps/network/envoy-gateway/operator/helmrelease.yaml

@@ -0,0 +1,41 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: envoy-gateway-operator
+spec:
+  interval: 30m
+  timeout: 60s
+  url: oci://docker.io/envoyproxy/gateway-helm
+  ref:
+    tag: 1.4.0
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: envoy-gateway-operator
+spec:
+  interval: 1h
+  timeout: 5m
+  chartRef:
+    kind: OCIRepository
+    name: envoy-gateway-operator
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    crds: CreateReplace
+    remediation:
+      retries: 5
+  values:
+    config:
+      envoyGateway:
+        gateway:
+          controllerName: gateway.envoyproxy.io/gatewayclass-controller

kubernetes/apps/network/envoy-gateway/operator/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gatewayclass.yaml
+  - ./helmrelease.yaml

kubernetes/apps/network/kustomization.yaml

@@ -7,6 +7,7 @@ components:
   - ../../components/common
 resources:
   - ./cloudflared/ks.yaml
+  - ./envoy-gateway/ks.yaml
   - ./external-dns/ks.yaml
   - ./nginx/ks.yaml
   - ./k8s-gateway/ks.yaml