fix: envoy-gateway migration

2025-09-17 18:24:14 +02:00 · 2025-08-19 09:08:41 +02:00
parent 539ec1b7db
commit 6db214c211
81 changed files with 554 additions and 299 deletions
--- a/kubernetes/apps/default/unifi/app/backendtlspolicy.yaml
+++ b/kubernetes/apps/default/unifi/app/backendtlspolicy.yaml
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/backendtlspolicy_v1alpha3.json
+apiVersion: gateway.networking.k8s.io/v1alpha3
+kind: BackendTLSPolicy
+metadata:
+  name: unifi-backend-tls
+spec:
+  targetRefs:
+    - group: ''
+      kind: Service
+      name: unifi
+      sectionName: https
+  validation:
+    wellKnownCACertificates: System
+    hostname: unifi.${SECRET_EXTERNAL_DOMAIN}
--- a/kubernetes/apps/default/unifi/app/certificate.yaml
+++ b/kubernetes/apps/default/unifi/app/certificate.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: '${SECRET_EXTERNAL_DOMAIN/./-}-unifi'
+spec:
+  secretName: '${SECRET_EXTERNAL_DOMAIN/./-}-unifi'
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: 'unifi.${SECRET_EXTERNAL_DOMAIN}'
+  dnsNames:
+    - 'unifi.${SECRET_EXTERNAL_DOMAIN}'
+  keystores:
+    jks:
+      create: true
+      alias: unifi
+      password: aircontrolenterprise
--- a/kubernetes/apps/default/unifi/app/helmrelease.yaml
+++ b/kubernetes/apps/default/unifi/app/helmrelease.yaml
@@ -46,7 +46,7 @@ spec:
        externalTrafficPolicy: Local
        loadBalancerIP: 192.168.169.103
        ports:
-          http:
+          https:
            port: &port 8443
            protocol: HTTPS
          controller:
@@ -88,9 +88,27 @@ spec:
          - backendRefs:
              - name: *app
                port: *port
+            timeouts:
+              request: 0s # websocket, never time out
+              backendRequest: 0s # websocket, never time out
    persistence:
      config:
        enabled: true
        existingClaim: *app
        globalMounts:
          - path: /unifi
+      cert:
+        type: secret
+        name: '${SECRET_EXTERNAL_DOMAIN/./-}-unifi'
+        advancedMounts:
+          unifi:
+            app:
+              - path: /unifi/cert/cert.pem
+                subPath: tls.crt
+                readOnly: true
+              - path: /unifi/cert/privkey.pem
+                subPath: tls.key
+                readOnly: true
+              - path: /unifi/data/keystore
+                subPath: keystore.jks
+                readOnly: false
--- a/kubernetes/apps/default/unifi/app/kustomization.yaml
+++ b/kubernetes/apps/default/unifi/app/kustomization.yaml
@@ -3,4 +3,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - ./backendtlspolicy.yaml
+  - ./certificate.yaml
  - ./helmrelease.yaml
+  - ./pushsecret.yaml
--- a/kubernetes/apps/default/unifi/app/pushsecret.yaml
+++ b/kubernetes/apps/default/unifi/app/pushsecret.yaml
@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/pushsecret_v1alpha1.json
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+  name: lets-encrypt-unifi
+spec:
+  secretStoreRefs:
+    - name: onepassword-connect
+      kind: ClusterSecretStore
+  selector:
+    secret:
+      name: ${SECRET_EXTERNAL_DOMAIN/./-}-unifi
+  template:
+    engineVersion: v2
+    data:
+      tls.crt: '{{ index . "tls.crt" | b64enc }}'
+      tls.key: '{{ index . "tls.key" | b64enc }}'
+      keystore.jks: '{{ index . "keystore.jks" | b64enc }}'
+  data:
+    - match:
+        secretKey: &key tls.crt
+        remoteRef:
+          remoteKey: lets-encrypt-unifi
+          property: *key
+    - match:
+        secretKey: &key tls.key
+        remoteRef:
+          remoteKey: lets-encrypt-unifi
+          property: *key
+    - match:
+        secretKey: &key keystore.jks
+        remoteRef:
+          remoteKey: lets-encrypt-unifi
+          property: *key