feat: cilium-gateway

kubernetes/apps/default/atuin/app/helmrelease.yaml

@@ -68,31 +68,31 @@ spec:
         ports:
           http:
             port: *port
-    # route:
-    #   app:
-    #     hostnames: ["sh.${SECRET_EXTERNAL_DOMAIN}"]
-    #     parentRefs:
-    #       - name: internal
-    #         namespace: network
-    #         sectionName: https
-    #     rules:
-    #       - backendRefs:
-    #           - name: app
-    #             port: *port
-    ingress:
+    route:
       app:
-        enabled: true
-        className: internal
-        hosts:
-          - host: &host "sh.${SECRET_EXTERNAL_DOMAIN}"
-            paths:
-              - path: /
-                service:
-                  identifier: app
-                  port: http
-        tls:
-          - hosts:
-              - *host
+        hostnames: ["sh.${SECRET_EXTERNAL_DOMAIN}"]
+        parentRefs:
+          - name: internal
+            namespace: kube-system
+            sectionName: https
+        rules:
+          - backendRefs:
+              - name: app
+                port: *port
+    # ingress:
+    #   app:
+    #     enabled: true
+    #     className: internal
+    #     hosts:
+    #       - host: &host "sh.${SECRET_EXTERNAL_DOMAIN}"
+    #         paths:
+    #           - path: /
+    #             service:
+    #               identifier: app
+    #               port: http
+    #     tls:
+    #       - hosts:
+    #           - *host
     persistence:
       config:
         existingClaim: atuin

kubernetes/apps/kube-system/cilium/README.md

@@ -0,0 +1,22 @@
+# Cilium
+
+## UniFi BGP
+
+```sh
+router bgp 64513
+  bgp router-id 192.168.1.1
+  no bgp ebgp-requires-policy
+
+  neighbor k8s peer-group
+  neighbor k8s remote-as 64514
+
+  neighbor 192.168.42.10 peer-group k8s
+  neighbor 192.168.42.11 peer-group k8s
+  neighbor 192.168.42.12 peer-group k8s
+
+  address-family ipv4 unicast
+    neighbor k8s next-hop-self
+    neighbor k8s soft-reconfiguration inbound
+  exit-address-family
+exit
+```

kubernetes/apps/kube-system/cilium/app/helm/values.yaml

@@ -18,10 +18,13 @@ enableIPv4BIGTCP: true
 endpointRoutes:
   enabled: true
 envoy:
-  enabled: false
+  rollOutPods: true
+  prometheus:
+    serviceMonitor:
+      enabled: true
 gatewayAPI:
-  enabled: false
-  enableAlpn: false
+  enabled: true
+  enableAlpn: true
   xffNumTrustedHops: 1
 hubble:
   enabled: false

kubernetes/apps/kube-system/cilium/gateway/external.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: external
+  annotations:
+    external-dns.alpha.kubernetes.io/target: &hostname external.${SECRET_EXTERNAL_DOMAIN}
+spec:
+  gatewayClassName: cilium
+  addresses:
+    - type: IPAddress
+      value: 192.168.169.122
+  infrastructure:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: *hostname
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls

kubernetes/apps/kube-system/cilium/gateway/gatewayclass.yaml

@@ -0,0 +1,7 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gatewayclass_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: cilium
+spec:
+  controllerName: io.cilium/gateway-controller

kubernetes/apps/kube-system/cilium/gateway/internal.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: internal
+  annotations:
+    external-dns.alpha.kubernetes.io/target: &hostname internal.${SECRET_EXTERNAL_DOMAIN}
+spec:
+  gatewayClassName: cilium
+  addresses:
+    - type: IPAddress
+      value: 192.168.169.121
+  infrastructure:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: *hostname
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.${SECRET_EXTERNAL_DOMAIN}"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls

kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./external.yaml
+  - ./internal.yaml
+  - ./gatewayclass.yaml
+  - ./redirect.yaml

kubernetes/apps/kube-system/cilium/gateway/redirect.yaml

@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: httpsredirect
+  annotations:
+    external-dns.alpha.kubernetes.io/controller: none
+spec:
+  parentRefs:
+    - name: internal
+      namespace: kube-system
+      sectionName: http
+    - name: external
+      namespace: kube-system
+      sectionName: http
+  rules:
+    - filters:
+        - requestRedirect:
+            scheme: https
+            statusCode: 301
+          type: RequestRedirect

kubernetes/apps/kube-system/cilium/ks.yaml

@@ -11,7 +11,7 @@ spec:
       app.kubernetes.io/name: *app
   interval: 1h
   path: ./kubernetes/apps/kube-system/cilium/app
-  prune: false
+  prune: true
   retryInterval: 2m
   sourceRef:
     kind: GitRepository
@@ -20,3 +20,24 @@ spec:
   targetNamespace: *namespace
   timeout: 5m
   wait: false
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cilium-gateway
+  namespace: &namespace kube-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 1h
+  path: ./kubernetes/apps/kube-system/cilium/gateway
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 15m
+  wait: false

kubernetes/apps/kube-system/gateway-api-crds/app/helmrelease.yaml

@@ -0,0 +1,32 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: gateway-api-crds
+spec:
+  interval: 5m
+  layerSelector:
+    mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+    operation: copy
+  ref:
+    tag: 1.3.0
+  url: oci://ghcr.io/wiremind/wiremind-helm-charts/gateway-api-crds
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gateway-api-crds
+spec:
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: gateway-api-crds
+  install:
+    remediation:
+      retries: -1
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3

kubernetes/apps/kube-system/gateway-api-crds/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

kubernetes/apps/kube-system/gateway-api-crds/ks.yaml

@@ -0,0 +1,22 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app gateway-api-crds
+  namespace: &namespace kube-system
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  interval: 1h
+  path: ./kubernetes/apps/kube-system/gateway-api-crds/app
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 5m
+  wait: false

kubernetes/apps/kube-system/kustomization.yaml

@@ -10,6 +10,7 @@ resources:
   - ./coredns/ks.yaml
   - ./descheduler/ks.yaml
   - ./intel-device-plugin/ks.yaml
+  - ./gateway-api-crds/ks.yaml
   - ./kubelet-csr-approver/ks.yaml
   - ./metrics-server/ks.yaml
   - ./node-feature-discovery/ks.yaml

kubernetes/bootstrap/apps/crds/helmfile.yaml

@@ -0,0 +1,34 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/helmfile
+
+# This helmfile is for installing Custom Resource Definitions (CRDs) from Helm charts.
+# It is not intended to be used with helmfile apply or sync.
+
+helmDefaults:
+  args: ['--include-crds', '--no-hooks'] # Prevent helmfile apply or sync
+
+releases:
+  - name: cloudflare-dns
+    namespace: network
+    chart: oci://ghcr.io/home-operations/charts-mirror/external-dns
+    version: 1.18.0
+
+  - name: external-secrets
+    namespace: external-secrets
+    chart: oci://ghcr.io/external-secrets/charts/external-secrets
+    version: 0.19.2
+
+  - name: gateway-api-crds
+    namespace: kube-system
+    chart: oci://ghcr.io/wiremind/wiremind-helm-charts/gateway-api-crds
+    version: 1.3.0
+
+  - name: keda
+    namespace: observability
+    chart: oci://ghcr.io/home-operations/charts-mirror/keda
+    version: 2.17.2
+
+  - name: kube-prometheus-stack
+    namespace: observability
+    chart: oci://ghcr.io/prometheus-community/charts/kube-prometheus-stack
+    version: 76.4.0

kubernetes/bootstrap/apps/helmfile.yaml

@@ -1,13 +1,8 @@
 ---
 # yaml-language-server: $schema=https://json.schemastore.org/helmfile
 
-# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
-kubeVersion: v1.33.2
-
 helmDefaults:
-  force: true
-  recreatePods: true
-  timeout: 600
+  cleanupOnFail: true
   wait: true
   waitForJobs: true
 
@@ -16,62 +11,42 @@ repositories:
     url: https://postfinance.github.io/kubelet-csr-approver
 
 releases:
-  - name: kube-prometheus-stack-crds
-    namespace: observability
-    chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
-    version: 22.0.2
-
   - name: cilium
     namespace: kube-system
-    atomic: true
     chart: oci://ghcr.io/home-operations/charts-mirror/cilium
-    version: 1.17.6
-    values: ["../../apps/kube-system/cilium/app/helm-values.yaml"]
-    hooks:
-      - # Wait for cilium CRDs to be available
-        events: ['postsync']
-        command: bash
-        args:
-          - -c
-          - until kubectl get crd ciliumbgppeeringpolicies.cilium.io ciliuml2announcementpolicies.cilium.io ciliumloadbalancerippools.cilium.io &>/dev/null; do sleep 10; done
-        showlogs: true
-    needs: ["observability/kube-prometheus-stack-crds"]
+    version: 1.18.1
+    values: ['../kubernetes/apps/kube-system/cilium/app/helm/values.yaml']
 
   - name: coredns
     namespace: kube-system
-    atomic: true
     chart: oci://ghcr.io/coredns/charts/coredns
     version: 1.43.2
-    values: ["../../apps/kube-system/coredns/app/helm-values.yaml"]
-    needs: ["kube-system/cilium"]
+    values: ['../kubernetes/apps/kube-system/coredns/app/helm/values.yaml']
+    needs: ['kube-system/cilium']
 
   - name: kubelet-csr-approver
     namespace: kube-system
-    atomic: true
     chart: postfinance/kubelet-csr-approver
     version: 1.2.10
-    values: ["../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"]
-    needs: ["kube-system/coredns"]
+    values: ['../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml']
+    needs: ['kube-system/coredns']
 
   - name: spegel
     namespace: kube-system
-    atomic: true
     chart: oci://ghcr.io/spegel-org/helm-charts/spegel
     version: 0.3.0
-    values: ["../../apps/kube-system/spegel/app/helm-values.yaml"]
-    needs: ["kube-system/kubelet-csr-approver"]
+    values: ['../kubernetes/apps/kube-system/spegel/app/helm/values.yaml']
+    needs: ['kube-system/coredns']
 
   - name: cert-manager
     namespace: cert-manager
-    atomic: true
-    chart: oci://ghcr.io/home-operations/charts-mirror/cert-manager
-    version: v1.17.1
-    values: ['../../apps/cert-manager/cert-manager/app/helm/values.yaml']
+    chart: oci://quay.io/jetstack/charts/cert-manager
+    version: v1.18.2
+    values: ['../kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml']
     needs: ['kube-system/spegel']
 
   - name: external-secrets
     namespace: external-secrets
-    atomic: true
     chart: oci://ghcr.io/external-secrets/charts/external-secrets
     version: 0.19.1
     values: ['../../apps/external-secrets/external-secrets/app/helm/values.yaml']

kubernetes/bootstrap/apps/resources.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: onepassword-secret
+  namespace: external-secrets
+stringData:
+  token: op://kubernetes/1password/OP_CONNECT_TOKEN
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sops-age
+  namespace: flux-system
+stringData:
+  age.agekey: op://kubernetes/sops/SOPS_PRIVATE_KEY
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-tunnel-id-secret
+  namespace: network
+stringData:
+  CLOUDFLARE_TUNNEL_ID: op://kubernetes/cloudflare/CLOUDFLARE_TUNNEL_ID