feat: envoy-gateway

kubernetes/apps/network/envoy-gateway/internal/gateway.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: internal
+  # annotations:
+  #   external-dns.alpha.kubernetes.io/target: internal.${SECRET_CLUSTER_DOMAIN}
+spec:
+  gatewayClassName: envoy-gateway
+  addresses:
+    - type: IPAddress
+      value: "${CLUSTER_LB_ENVOY_INTERNAL}"
+  # infrastructure:
+  #   annotations:
+  #     external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_CLUSTER_DOMAIN}
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_CLUSTER_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls

kubernetes/apps/network/envoy-gateway/internal/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: networking-system
+resources:
+  - ./gateway.yaml
+  - ./redirect.yaml
+  - ./securitypolicy.yaml

kubernetes/apps/network/envoy-gateway/internal/redirect.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: https-redirect-internal
+  annotations:
+    external-dns.alpha.kubernetes.io/controller: none
+spec:
+  parentRefs:
+    - name: internal
+      port: 80
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
+            statusCode: 301

kubernetes/apps/network/envoy-gateway/internal/securitypolicy.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.envoyproxy.io/v1alpha1
+kind: SecurityPolicy
+metadata:
+  name: internal-secure
+spec:
+  extAuth:
+    failOpen: false
+    headersToExtAuth:
+      - X-Forwarded-Proto
+      - authorization
+      - proxy-authorization
+      - accept
+      - cookie
+    http:
+      backendRefs:
+        - group: ""
+          kind: Service
+          name: authelia
+          namespace: default
+          port: 80
+      path: /api/authz/ext-authz/
+  targetRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: internal