♻️ networking

2025-09-17 18:24:14 +02:00 · 2022-09-15 11:46:59 +02:00
parent 10c85363fc
commit 1cce3a7c2f
15 changed files with 128 additions and 55 deletions
--- a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml
+++ b/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml
@@ -28,5 +28,3 @@ spec:
            annotations:
              +(external-dns.alpha.kubernetes.io/target): |-
                services.${SECRET_DOMAIN}.
-              +(external-dns/is-public): |-
-                true
--- a/cluster/apps/networking/external-dns/helm-release.yaml
+++ b/cluster/apps/networking/external-dns/helm-release.yaml
@@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: external-dns
-  namespace: networking
+  namespace: default
 spec:
  interval: 15m
  chart:
@@ -14,7 +14,6 @@ spec:
        kind: HelmRepository
        name: external-dns-charts
        namespace: flux-system
-      interval: 15m
  install:
    createNamespace: true
    remediation:
@@ -23,7 +22,7 @@ spec:
    remediation:
      retries: 5
  values:
-    interval: 15m
+    interval: 2m
    logLevel: debug
    provider: ovh
    env:
@@ -43,7 +42,7 @@ spec:
            name: ovh-external-dns-creds
            key: consummer-key
    extraArgs:
-      - --annotation-filter=external-dns/is-public in (true)
+      - --annotation-filter=external-dns.home.arpa/enabled in (true)
    policy: sync
    sources:
      - ingress
--- a/cluster/apps/networking/external-dns/secret.sops.yaml
+++ b/cluster/apps/networking/external-dns/secret.sops.yaml
@@ -4,7 +4,7 @@ kind: Secret
 type: Opaque
 metadata:
    name: ovh-external-dns-creds
-    namespace: networking
+    namespace: default
 stringData:
    application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str]
    application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str]
@@ -24,8 +24,8 @@ sops:
            bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq
            sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-07-03T14:42:00Z"
-    mac: ENC[AES256_GCM,data:xJz+bm7161D3j/NEHZi9XxEp5uHsDDIqKow/nOQzSeHufyiGg34pdR8ibXt+7p6sru64ZIRNKV/OklwtRrLFoiyM/+ZFsgpWC67ACIdksu0cBjIKXsaKSyvdkcZ/hC9C5wMpYMqABBDogYPhR32PqsJ1VBWlCckG0kjo7PNOubk=,iv:ponCl1jFjElSY8HbCbRv4w4gL0C12deWBRzgrXSQpTE=,tag:p/kxR5ZiVxvX7JO6e/ZtMw==,type:str]
+    lastmodified: "2022-09-15T09:52:51Z"
+    mac: ENC[AES256_GCM,data:cZAwl1uF59cBodh8F4KSZU8/sLyoRy6k2rFuYx3KH/YpICKj2Omg9D3cH1uUF+x1URYbRcKajKrIZMmpd6gjvoRERjnreuzosZwxeannkTpfZ0N5ivydTSETa9mjPXCP+4VdPQISG0ZYx91uf0nrsZnK3dPOT0W/TfEhAI3JB9c=,iv:ufpSLuakm9X5VB8ZgHdyZyH6PAo11yKHV5jj7TuNPcU=,tag:+GY39oTJ91codPkDrTQYTw==,type:str]
    pgp: []
    encrypted_regex: ^(data|stringData)$
    version: 3.7.3
--- a/cluster/apps/networking/ingress-nginx/certificate.yaml
+++ b/cluster/apps/networking/ingress-nginx/certificate.yaml
@@ -2,9 +2,10 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
-  namespace: networking
+  name: "${SECRET_CLUSTER_DOMAIN/./-}"
+  namespace: default
 spec:
+  secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
@@ -12,4 +13,3 @@ spec:
  dnsNames:
    - "${SECRET_CLUSTER_DOMAIN}"
    - "*.${SECRET_CLUSTER_DOMAIN}"
-  secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
--- a/cluster/apps/networking/ingress-nginx/helm-release.yaml
+++ b/cluster/apps/networking/ingress-nginx/helm-release.yaml
@@ -3,22 +3,30 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: ingress-nginx
-  namespace: networking
+  namespace: default
 spec:
-  interval: 5m
+  interval: 15m
  chart:
    spec:
-      # renovate: registryUrl=https://kubernetes.github.io/ingress-nginx
      chart: ingress-nginx
      version: 4.2.5
      sourceRef:
        kind: HelmRepository
        name: ingress-nginx-charts
        namespace: flux-system
-      interval: 5m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
  values:
    controller:
-      replicaCount: 2
+      replicaCount: 3
      service:
        type: LoadBalancer
        externalIPs:
@@ -26,31 +34,36 @@ spec:
        externalTrafficPolicy: Local
      publishService:
        enabled: true
-
+      ingressClassResource:
+        default: true
      config:
-        ssl-protocols: "TLSv1.3 TLSv1.2"
-        custom-http-errors: |
-          401,403,404,500,501,502,503
-        enable-vts-status: "false"
+        client-header-timeout: 120
+        client-body-buffer-size: "100M"
+        client-body-timeout: 120
+        custom-http-errors: |-
+          400,401,403,404,500,502,503,504
+        enable-brotli: "true"
+        forwarded-for-header: "CF-Connecting-IP"
        hsts-max-age: "31449600"
-        proxy-body-size: "50m"
-
+        keep-alive: 120
+        keep-alive-requests: 10000
+        proxy-body-size: "100M"
+        ssl-protocols: "TLSv1.3 TLSv1.2"
+        use-forwarded-headers: "true"
      extraArgs:
-        default-ssl-certificate: "networking/${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
-
-      resources:
-        requests:
-          memory: 250Mi
-          cpu: 50m
-
+        default-ssl-certificate: |-
+          default/${SECRET_CLUSTER_DOMAIN/./-}-tls
      metrics:
        enabled: true
        serviceMonitor:
          enabled: true
-          namespace: networking
+          namespace: default
          namespaceSelector:
            any: true
-
+      resources:
+        requests:
+          memory: 250Mi
+          cpu: 50m
      affinity:
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
@@ -63,7 +76,6 @@ spec:
                      values:
                        - ingress-nginx
                topologyKey: kubernetes.io/hostname
-
    defaultBackend:
      enabled: true
      image:
--- a/cluster/apps/networking/ingress-nginx/kustomization.yaml
+++ b/cluster/apps/networking/ingress-nginx/kustomization.yaml
@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - certificate.yaml
  - helm-release.yaml
--- a/cluster/apps/networking/k8s-gateway/helm-release.yaml
+++ b/cluster/apps/networking/k8s-gateway/helm-release.yaml
@@ -3,9 +3,9 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: k8s-gateway
-  namespace: networking
+  namespace: default
 spec:
-  interval: 5m
+  interval: 15m
  chart:
    spec:
      # renovate: registryUrl=https://ori-edge.github.io/k8s_gateway/
@@ -15,7 +15,15 @@ spec:
        kind: HelmRepository
        name: k8s-gateway-charts
        namespace: flux-system
-      interval: 5m
+  install:
+    createNamespace: true
+    crds: CreateReplace
+    remediation:
+      retries: 5
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: 5
  values:
    domain: "${SECRET_CLUSTER_DOMAIN}"
    service:
--- a/cluster/apps/networking/kustomization.yaml
+++ b/cluster/apps/networking/kustomization.yaml
@@ -2,10 +2,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - namespace.yaml
-  - certificate
  - external-dns
  - ingress-nginx
  - k8s-gateway
  - smtp-relay
+  - tigera-operator
  - unifi
--- a/cluster/apps/networking/namespace.yaml
+++ b/cluster/apps/networking/namespace.yaml
@@ -1,5 +0,0 @@
---
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: networking
--- a/cluster/apps/networking/tigera-operator/helm-release.yaml
+++ b/cluster/apps/networking/tigera-operator/helm-release.yaml
@@ -0,0 +1,47 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: tigera-operator
+  namespace: tigera-operator
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: tigera-operator
+      version: v3.24.1
+      sourceRef:
+        kind: HelmRepository
+        name: project-calico-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    crds: CreateReplace
+    remediation:
+      retries: 5
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: 5
+  values:
+    installation:
+      enabled: true
+      registry: quay.io
+      imagePath: calico
+      calicoNetwork:
+        bgp: Enabled
+        hostPorts: Disabled
+        # Note: The ipPools section cannot be modified post-install.
+        ipPools:
+          - blockSize: 26
+            cidr: "${NET_POD_CIDR}"
+            encapsulation: None
+            natOutgoing: Enabled
+            nodeSelector: all()
+        linuxDataplane: Iptables
+        multiInterfaceMode: None
+        nodeAddressAutodetectionV4:
+          cidrs:
+            - "${NET_NODE_CIDR}"
+      nodeMetricsPort: 9091
+      typhaMetricsPort: 9093
--- a/cluster/apps/networking/tigera-operator/kustomization.yaml
+++ b/cluster/apps/networking/tigera-operator/kustomization.yaml
@@ -2,4 +2,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - certificate.yaml
+  - helm-release.yaml
--- a/cluster/apps/networking/unifi/helm-release.yaml
+++ b/cluster/apps/networking/unifi/helm-release.yaml
@@ -3,28 +3,33 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
  name: unifi
-  namespace: networking
+  namespace: default
 spec:
-  interval: 5m
+  interval: 15m
  chart:
    spec:
-      # renovate: registryUrl=https://k8s-at-home.com/charts/
      chart: unifi
      version: 5.1.2
      sourceRef:
        kind: HelmRepository
        name: k8s-at-home-charts
        namespace: flux-system
-      interval: 5m
+  install:
+    createNamespace: true
+    crds: CreateReplace
+    remediation:
+      retries: 5
+  upgrade:
+    crds: CreateReplace
+    remediation:
+      retries: 5
  values:
    image:
      repository: jacobalberty/unifi
      tag: v7.2.92
      pullPolicy: IfNotPresent
-
    env:
      TZ: "${TIMEZONE}"
-
    service:
      main:
        type: LoadBalancer
@@ -57,7 +62,6 @@ spec:
            enabled: true
            port: 10001
            protocol: UDP
-
    ingress:
      main:
        enabled: true
@@ -69,12 +73,10 @@ spec:
        tls:
          - hosts:
              - "unifi.${SECRET_CLUSTER_DOMAIN}"
-
    persistence:
      data:
        enabled: true
        existingClaim: unifi-config
-
    resources:
      requests:
        memory: 2Gi
--- a/cluster/apps/networking/unifi/volume.yaml
+++ b/cluster/apps/networking/unifi/volume.yaml
@@ -3,8 +3,10 @@ apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
  name: unifi-config
-  namespace: networking
+  namespace: default
  labels:
+    app.kubernetes.io/name: &name unifi
+    app.kubernetes.io/instance: *name
    kasten-io/backup: "true"
 spec:
  accessModes:
--- a/cluster/charts/kustomization.yaml
+++ b/cluster/charts/kustomization.yaml
@@ -21,6 +21,7 @@ resources:
  - kyverno-charts.yaml
  - metrics-server-charts.yaml
  - node-feature-discovery.yaml
+  - project-calico-charts.yaml
  - prometheus-community-charts.yaml
  - rook-ceph-charts.yaml
  - runix-charts.yaml
--- a/cluster/charts/project-calico-charts.yaml
+++ b/cluster/charts/project-calico-charts.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: project-calico-charts
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://projectcalico.docs.tigera.io/charts