feat: implement bgp and gateway api #821
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- kubernetes/argo-system Kustomization: flux-system/1-argo-system HelmRelease: argo-system/argo-workflows
+++ kubernetes/argo-system Kustomization: flux-system/1-argo-system HelmRelease: argo-system/argo-workflows
@@ -77,17 +77,12 @@
tag: v3.6.5
server:
authModes:
- sso
deploymentAnnotations:
secret.reloader.stakater.com/reload: argo-workflows-secret
- ingress:
- enabled: true
- hosts:
- - workflows.timtor.dev
- ingressClassName: nginx
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
--- kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server
+++ kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-argo-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: argo-workflows-server
+ namespace: argo-system
+spec:
+ hostnames:
+ - workflows.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: argo-workflows-server
+ port: 2746
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server-http-rediect
+++ kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server-http-rediect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-argo-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: argo-workflows-server-http-rediect
+ namespace: argo-system
+spec:
+ hostnames:
+ - workflows.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/kromgo Kustomization: flux-system/5-kromgo HelmRelease: kromgo/kromgo
+++ kubernetes/kromgo Kustomization: flux-system/5-kromgo HelmRelease: kromgo/kromgo
@@ -46,33 +46,60 @@
rollingUpdate:
unavailable: 1
strategy: RollingUpdate
type: deployment
defaultPodOptions:
automountServiceAccountToken: false
- ingress:
- main:
- className: nginx
- hosts:
- - host: kromgo.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
kromgo-config:
advancedMounts:
main:
main:
- path: /kromgo/config.yaml
readOnly: true
subPath: config.yaml
name: kromgo-config
type: configMap
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - kromgo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - kromgo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: kromgo
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/kromgo Kustomization: flux-system/5-kromgo CiliumNetworkPolicy: kromgo/kromgo-app-policy
+++ kubernetes/kromgo Kustomization: flux-system/5-kromgo CiliumNetworkPolicy: kromgo/kromgo-app-policy
@@ -12,12 +12,22 @@
matchLabels:
app.kubernetes.io/name: kromgo
ingress:
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: ingress-nginx
+ toPorts:
+ - ports:
+ - port: '8080'
+ protocol: TCP
+- endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: kromgo
+ ingress:
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system Namespace: flux-system/metallb-system
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system Namespace: flux-system/metallb-system
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- name: metallb-system
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRepository: metallb-system/metallb
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRepository: metallb-system/metallb
@@ -1,13 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: metallb
- namespace: metallb-system
-spec:
- interval: 24h
- url: https://metallb.github.io/metallb
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRelease: metallb-system/metallb
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRelease: metallb-system/metallb
@@ -1,30 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: metallb
- namespace: metallb-system
-spec:
- chart:
- spec:
- chart: metallb
- sourceRef:
- kind: HelmRepository
- name: metallb
- version: 0.14.9
- install:
- crds: CreateReplace
- interval: 1h
- maxHistory: 1
- upgrade:
- crds: CreateReplace
- values:
- crds:
- enabled: true
- speaker:
- frr:
- enabled: false
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system IPAddressPool: metallb-system/default
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system IPAddressPool: metallb-system/default
@@ -1,13 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: default
- namespace: metallb-system
-spec:
- addresses:
- - 192.168.253.100/32
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system L2Advertisement: metallb-system/default
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system L2Advertisement: metallb-system/default
@@ -1,15 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: default
- namespace: metallb-system
-spec:
- interfaces:
- - eth0
- ipAddressPools:
- - default
-
--- kubernetes/ingress-nginx Kustomization: flux-system/3-ingress-nginx HelmRelease: ingress-nginx/ingress-nginx
+++ kubernetes/ingress-nginx Kustomization: flux-system/3-ingress-nginx HelmRelease: ingress-nginx/ingress-nginx
@@ -85,13 +85,13 @@
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
service:
externalIPs:
- - 192.168.253.100
+ - 192.168.33.2
externalTrafficPolicy: Local
type: LoadBalancer
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph Ingress: rook-ceph/s3-fast
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph Ingress: rook-ceph/s3-fast
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: s3-fast
- namespace: rook-ceph
-spec:
- ingressClassName: nginx
- rules:
- - host: s3-fast.timtor.dev
- http:
- paths:
- - backend:
- service:
- name: rook-ceph-rgw-fast
- port:
- number: 8080
- path: /
- pathType: Prefix
-
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: ceph-dashboard
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - ceph.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: rook-ceph-mgr-dashboard
+ port: 7000
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard-http-redirect
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: ceph-dashboard-http-redirect
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - ceph.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: s3-fast
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - s3-fast.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: rook-ceph-rgw-fast
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast-http-redirect
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: s3-fast-http-redirect
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - s3-fast.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system HelmRelease: kube-system/cilium
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system HelmRelease: kube-system/cilium
@@ -11,33 +11,41 @@
chart:
spec:
chart: cilium
sourceRef:
kind: HelmRepository
name: cilium
- version: 1.16.6
+ version: 1.17.10
interval: 1h
maxHistory: 1
values:
+ bgpControlPlane:
+ enabled: true
cgroup:
autoMount:
enabled: false
hostRoot: /sys/fs/cgroup
envoy:
enabled: true
+ gatewayAPI:
+ enabled: true
+ gatewayClass:
+ create: auto
hubble:
enabled: true
relay:
enabled: true
ui:
enabled: true
ipam:
mode: kubernetes
k8sServiceHost: localhost
k8sServicePort: 7445
kubeProxyReplacement: true
+ nodePort:
+ enabled: true
securityContext:
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system GitRepository: kube-system/gateway-api-crd
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system GitRepository: kube-system/gateway-api-crd
@@ -0,0 +1,19 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: gateway-api-crd
+ namespace: kube-system
+spec:
+ ignore: |
+ /*
+ !/config/crd/standard
+ !/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
+ interval: 1m
+ ref:
+ tag: v1.3.0
+ url: https://github.com/kubernetes-sigs/gateway-api
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system Kustomization: kube-system/gateway-api-crd
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system Kustomization: kube-system/gateway-api-crd
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: gateway-api-crd
+ namespace: kube-system
+spec:
+ interval: 10m0s
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: gateway-api-crd
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPClusterConfig: flux-system/cilium-bgp
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPClusterConfig: flux-system/cilium-bgp
@@ -0,0 +1,23 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-bgp
+spec:
+ bgpInstances:
+ - localASN: 65001
+ name: homelab-talos-cluster
+ peers:
+ - name: mikrotik
+ peerASN: 65000
+ peerAddress: 192.168.248.1
+ peerConfigRef:
+ name: cilium-peer
+ nodeSelector:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPPeerConfig: flux-system/cilium-peer
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPPeerConfig: flux-system/cilium-peer
@@ -0,0 +1,22 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-peer
+spec:
+ families:
+ - advertisements:
+ matchLabels:
+ advertise: bgp
+ afi: ipv4
+ safi: unicast
+ gracefulRestart:
+ enabled: true
+ restartTimeSeconds: 15
+ timers:
+ holdTimeSeconds: 9
+ keepAliveTimeSeconds: 3
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPAdvertisement: flux-system/shared-bgpadvertisements
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPAdvertisement: flux-system/shared-bgpadvertisements
@@ -0,0 +1,20 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+ labels:
+ advertise: bgp
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: shared-bgpadvertisements
+spec:
+ advertisements:
+ - advertisementType: Service
+ selector:
+ matchExpressions:
+ - key: dummy
+ operator: DoesNotExist
+ service:
+ addresses:
+ - LoadBalancerIP
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system Certificate: kube-system/timtor.dev-wildcard-certificate
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system Certificate: kube-system/timtor.dev-wildcard-certificate
@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: timtor.dev-wildcard-certificate
+ namespace: kube-system
+spec:
+ dnsNames:
+ - timtor.dev
+ - '*.timtor.dev'
+ issuerRef:
+ kind: ClusterIssuer
+ name: timtor.dev-le-dns01
+ secretName: timtor.dev-wildcard-certificate-secret
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system GatewayClass: flux-system/cilium
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system GatewayClass: flux-system/cilium
@@ -0,0 +1,12 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium
+spec:
+ controllerName: io.cilium/gateway-controller
+ description: The default Cilium GatewayClass
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system Gateway: kube-system/cilium-default
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system Gateway: kube-system/cilium-default
@@ -0,0 +1,34 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-default
+ namespace: kube-system
+spec:
+ addresses:
+ - type: IPAddress
+ value: 192.168.33.1
+ gatewayClassName: cilium
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - group: ''
+ kind: Secret
+ name: timtor.dev-wildcard-certificate-secret
+ mode: Terminate
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumLoadBalancerIPPool: flux-system/shared-pool
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumLoadBalancerIPPool: flux-system/shared-pool
@@ -0,0 +1,17 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: shared-pool
+spec:
+ allowFirstLastIPs: 'No'
+ blocks:
+ - cidr: 192.168.33.0/24
+ serviceSelector:
+ matchExpressions:
+ - key: dummy
+ operator: DoesNotExist
+
--- kubernetes/grafana Kustomization: flux-system/5-grafana HelmRelease: grafana/grafana
+++ kubernetes/grafana Kustomization: flux-system/5-grafana HelmRelease: grafana/grafana
@@ -114,17 +114,12 @@
ha_peer_timeout: 15s
ha_peers: grafana-alerting:9094
image:
registry: docker.io
repository: grafana/grafana
tag: 12.0.1
- ingress:
- enabled: true
- hosts:
- - grafana.timtor.dev
- ingressClassName: nginx
plugins:
- grafana-synthetic-monitoring-app
podAnnotations:
secret.reloader.stakater.com/reload: grafana-secret
replicas: 2
resources:
--- kubernetes/grafana Kustomization: flux-system/5-grafana CiliumNetworkPolicy: grafana/grafana-app-policy
+++ kubernetes/grafana Kustomization: flux-system/5-grafana CiliumNetworkPolicy: grafana/grafana-app-policy
@@ -9,15 +9,14 @@
namespace: grafana
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: grafana
ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '3000'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana
+++ kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 5-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana
+ namespace: grafana
+spec:
+ hostnames:
+ - grafana.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: grafana
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana-http-redirect
+++ kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 5-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana-http-redirect
+ namespace: grafana
+spec:
+ hostnames:
+ - grafana.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/unifi-controller Kustomization: flux-system/5-unifi-controller HelmRelease: unifi-controller/unifi-controller
+++ kubernetes/unifi-controller Kustomization: flux-system/5-unifi-controller HelmRelease: unifi-controller/unifi-controller
@@ -90,12 +90,13 @@
subPath: data
type: persistentVolumeClaim
tmp:
globalMounts:
- path: /tmp
type: emptyDir
+ route: {}
service:
main:
controller: main
ports:
http:
port: 8443
--- kubernetes/miniflux Kustomization: flux-system/6-miniflux HelmRelease: miniflux/miniflux
+++ kubernetes/miniflux Kustomization: flux-system/6-miniflux HelmRelease: miniflux/miniflux
@@ -88,32 +88,59 @@
automountServiceAccountToken: false
securityContext:
fsGroup: 65534
replicas: 1
strategy: RollingUpdate
type: deployment
- ingress:
- main:
- className: nginx
- hosts:
- - host: rss.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
secret:
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: miniflux-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - rss.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - rss.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: miniflux
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/miniflux Kustomization: flux-system/6-miniflux CiliumNetworkPolicy: miniflux/miniflux-app-policy
+++ kubernetes/miniflux Kustomization: flux-system/6-miniflux CiliumNetworkPolicy: miniflux/miniflux-app-policy
@@ -9,15 +9,14 @@
namespace: miniflux
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: miniflux
ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/mydata/immich Kustomization: flux-system/6-immich HelmRelease: mydata/immich
+++ kubernetes/mydata/immich Kustomization: flux-system/6-immich HelmRelease: mydata/immich
@@ -181,25 +181,12 @@
defaultPodOptions:
automountServiceAccountToken: false
securityContext:
fsGroup: 65534
global:
nameOverride: immich
- ingress:
- main:
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- className: nginx
- hosts:
- - host: photo.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: server
- port: 3001
persistence:
cache:
accessMode: ReadWriteMany
advancedMounts:
machine-learning:
main:
@@ -223,12 +210,50 @@
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: immich-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - photo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - photo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: immich
+ port: 3001
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
machine-learning:
controller: machine-learning
ports:
http:
port: 3003
--- kubernetes/mydata/immich Kustomization: flux-system/6-immich CiliumNetworkPolicy: mydata/immich-app-policy
+++ kubernetes/mydata/immich Kustomization: flux-system/6-immich CiliumNetworkPolicy: mydata/immich-app-policy
@@ -14,19 +14,16 @@
matchLabels:
app.kubernetes.io/name: immich
ingress:
- {}
- endpointSelector:
matchLabels:
- app.kubernetes.io/component: server
app.kubernetes.io/name: immich
ingress:
- - fromEndpoints:
- - matchLabels:
- app.kubernetes.io/name: ingress-nginx
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '3001'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome HelmRelease: mydata/navidrome
+++ kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome HelmRelease: mydata/navidrome
@@ -61,23 +61,12 @@
pod:
securityContext:
fsGroup: 65534
replicas: 1
strategy: Recreate
type: deployment
- ingress:
- main:
- className: nginx
- hosts:
- - host: music.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 4533
persistence:
cache:
accessMode: ReadWriteOnce
advancedMounts:
main:
main:
@@ -97,12 +86,50 @@
advancedMounts:
main:
main:
- path: /db
existingClaim: navidrome-db
type: persistentVolumeClaim
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - music.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - music.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: navidrome
+ port: 4533
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 4533
--- kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome CiliumNetworkPolicy: mydata/navidrome-policy
+++ kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome CiliumNetworkPolicy: mydata/navidrome-policy
@@ -9,15 +9,13 @@
namespace: mydata
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: navidrome
ingress:
- - fromEndpoints:
- - matchLabels:
- app.kubernetes.io/name: ingress-nginx
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '4533'
protocol: TCP
--- kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud HelmRelease: mydata/nextcloud
+++ kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud HelmRelease: mydata/nextcloud
@@ -98,25 +98,12 @@
fsGroup: 33
replicas: 2
rollingUpdate:
unavailable: 1
strategy: RollingUpdate
type: deployment
- ingress:
- main:
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- className: nginx
- hosts:
- - host: drive.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
apache-extra-config:
globalMounts:
- path: /etc/apache2/conf-enabled/extra.conf
subPath: extra.conf
items:
@@ -181,12 +168,50 @@
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: nextcloud-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - drive.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - drive.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: nextcloud
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud CiliumNetworkPolicy: mydata/nextcloud-app-policy
+++ kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud CiliumNetworkPolicy: mydata/nextcloud-app-policy
@@ -9,16 +9,14 @@
namespace: mydata
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: nextcloud
ingress:
- - fromEndpoints:
- - matchLabels:
- app.kubernetes.io/name: ingress-nginx
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden HelmRelease: vaultwarden/vaultwarden
+++ kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden HelmRelease: vaultwarden/vaultwarden
@@ -85,28 +85,12 @@
value: '1'
securityContext:
fsGroup: 65534
replicas: 1
strategy: Recreate
type: deployment
- ingress:
- main:
- className: nginx
- hosts:
- - host: vault.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
- - path: /notifications/hub
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
data:
existingClaim: vaultwarden-data
globalMounts:
- path: /data
type: persistentVolumeClaim
@@ -115,12 +99,50 @@
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: vaultwarden-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - vault.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - vault.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: vaultwarden
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden CiliumNetworkPolicy: vaultwarden/vaultwarden-policy
+++ kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden CiliumNetworkPolicy: vaultwarden/vaultwarden-policy
@@ -9,15 +9,14 @@
namespace: vaultwarden
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: vaultwarden
ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/flux-system Kustomization: flux-system/0-flux-system Kustomization: flux-system/1-metallb-system
+++ kubernetes/flux-system Kustomization: flux-system/0-flux-system Kustomization: flux-system/1-metallb-system
@@ -1,17 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 0-flux-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: 1-metallb-system
- namespace: flux-system
-spec:
- interval: 10m0s
- path: /kubernetes/metallb-system
- prune: false
- sourceRef:
- kind: GitRepository
- name: homelab
-
--- kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver
+++ kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 0-flux-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: webhook-receiver
+ namespace: flux-system
+spec:
+ hostnames:
+ - flux.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: webhook-receiver
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver-http-redirect
+++ kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 0-flux-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: webhook-receiver-http-redirect
+ namespace: flux-system
+spec:
+ hostnames:
+ - flux.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ |
--- HelmRelease: miniflux/miniflux Ingress: miniflux/miniflux
+++ HelmRelease: miniflux/miniflux Ingress: miniflux/miniflux
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: miniflux
- labels:
- app.kubernetes.io/instance: miniflux
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: miniflux
- namespace: miniflux
-spec:
- ingressClassName: nginx
- rules:
- - host: rss.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: miniflux
- port:
- number: 8080
-
--- HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-http-redirect
+++ HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: miniflux-http-redirect
+ labels:
+ app.kubernetes.io/instance: miniflux
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: miniflux
+ namespace: miniflux
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - rss.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-main
+++ HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: miniflux-main
+ labels:
+ app.kubernetes.io/instance: miniflux
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: miniflux
+ namespace: miniflux
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - rss.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: miniflux
+ namespace: miniflux
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: kromgo/kromgo Ingress: kromgo/kromgo
+++ HelmRelease: kromgo/kromgo Ingress: kromgo/kromgo
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: kromgo
- labels:
- app.kubernetes.io/instance: kromgo
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: kromgo
- namespace: kromgo
-spec:
- ingressClassName: nginx
- rules:
- - host: kromgo.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: kromgo
- port:
- number: 8080
-
--- HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-http-redirect
+++ HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: kromgo-http-redirect
+ labels:
+ app.kubernetes.io/instance: kromgo
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kromgo
+ namespace: kromgo
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - kromgo.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-main
+++ HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: kromgo-main
+ labels:
+ app.kubernetes.io/instance: kromgo
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kromgo
+ namespace: kromgo
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - kromgo.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: kromgo
+ namespace: kromgo
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: mydata/navidrome Ingress: mydata/navidrome
+++ HelmRelease: mydata/navidrome Ingress: mydata/navidrome
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: navidrome
- labels:
- app.kubernetes.io/instance: navidrome
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: navidrome
- namespace: mydata
-spec:
- ingressClassName: nginx
- rules:
- - host: music.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: navidrome
- port:
- number: 4533
-
--- HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-http-redirect
+++ HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: navidrome-http-redirect
+ labels:
+ app.kubernetes.io/instance: navidrome
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: navidrome
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - music.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-main
+++ HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: navidrome-main
+ labels:
+ app.kubernetes.io/instance: navidrome
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: navidrome
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - music.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: navidrome
+ namespace: mydata
+ port: 4533
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: mydata/immich Ingress: mydata/immich
+++ HelmRelease: mydata/immich Ingress: mydata/immich
@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: immich
- labels:
- app.kubernetes.io/instance: immich
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: immich
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- namespace: mydata
-spec:
- ingressClassName: nginx
- rules:
- - host: photo.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: immich
- port:
- number: 3001
-
--- HelmRelease: mydata/immich HTTPRoute: mydata/immich-http-redirect
+++ HelmRelease: mydata/immich HTTPRoute: mydata/immich-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: immich-http-redirect
+ labels:
+ app.kubernetes.io/instance: immich
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: immich
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - photo.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: mydata/immich HTTPRoute: mydata/immich-main
+++ HelmRelease: mydata/immich HTTPRoute: mydata/immich-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: immich-main
+ labels:
+ app.kubernetes.io/instance: immich
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: immich
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - photo.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: immich
+ namespace: mydata
+ port: 3001
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: vaultwarden/vaultwarden Ingress: vaultwarden/vaultwarden
+++ HelmRelease: vaultwarden/vaultwarden Ingress: vaultwarden/vaultwarden
@@ -1,31 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: vaultwarden
- labels:
- app.kubernetes.io/instance: vaultwarden
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: vaultwarden
- namespace: vaultwarden
-spec:
- ingressClassName: nginx
- rules:
- - host: vault.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: vaultwarden
- port:
- number: 8080
- - path: /notifications/hub
- pathType: Prefix
- backend:
- service:
- name: vaultwarden
- port:
- number: 8080
-
--- HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-http-redirect
+++ HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: vaultwarden-http-redirect
+ labels:
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: vaultwarden
+ namespace: vaultwarden
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - vault.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-main
+++ HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: vaultwarden-main
+ labels:
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: vaultwarden
+ namespace: vaultwarden
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - vault.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: vaultwarden
+ namespace: vaultwarden
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -13,42 +13,63 @@
debug: 'false'
debug-verbose: ''
enable-policy: default
policy-cidr-match-mode: ''
operator-prometheus-serve-addr: :9963
enable-metrics: 'true'
+ enable-envoy-config: 'true'
+ envoy-config-retry-interval: 15s
+ enable-gateway-api: 'true'
+ enable-gateway-api-secrets-sync: 'true'
+ enable-gateway-api-proxy-protocol: 'false'
+ enable-gateway-api-app-protocol: 'false'
+ enable-gateway-api-alpn: 'false'
+ gateway-api-xff-num-trusted-hops: '0'
+ gateway-api-service-externaltrafficpolicy: Cluster
+ gateway-api-secrets-namespace: cilium-secrets
+ gateway-api-hostnetwork-enabled: 'false'
+ gateway-api-hostnetwork-nodelabelselector: ''
+ enable-policy-secrets-sync: 'true'
+ policy-secrets-only-from-secrets-namespace: 'true'
+ policy-secrets-namespace: cilium-secrets
enable-ipv4: 'true'
enable-ipv6: 'false'
custom-cni-conf: 'false'
enable-bpf-clock-probe: 'false'
monitor-aggregation: medium
monitor-aggregation-interval: 5s
monitor-aggregation-flags: all
bpf-map-dynamic-size-ratio: '0.0025'
bpf-policy-map-max: '16384'
bpf-lb-map-max: '65536'
bpf-lb-external-clusterip: 'false'
+ bpf-lb-source-range-all-types: 'false'
+ bpf-lb-algorithm-annotation: 'false'
+ bpf-lb-mode-annotation: 'false'
+ bpf-distributed-lru: 'false'
bpf-events-drop-enabled: 'true'
bpf-events-policy-verdict-enabled: 'true'
bpf-events-trace-enabled: 'true'
preallocate-bpf-maps: 'false'
cluster-name: default
cluster-id: '0'
routing-mode: tunnel
tunnel-protocol: vxlan
+ tunnel-source-port-range: 0-0
service-no-backend-response: reject
enable-l7-proxy: 'true'
enable-ipv4-masquerade: 'true'
enable-ipv4-big-tcp: 'false'
enable-ipv6-big-tcp: 'false'
enable-ipv6-masquerade: 'true'
enable-tcx: 'true'
datapath-mode: veth
enable-masquerade-to-route-source: 'false'
enable-xt-socket-fallback: 'true'
install-no-conntrack-iptables-rules: 'false'
+ iptables-random-fully: 'false'
auto-direct-node-routes: 'false'
direct-routing-skip-unreachable: 'false'
enable-local-redirect-policy: 'false'
enable-runtime-device-detection: 'true'
kube-proxy-replacement: 'true'
kube-proxy-replacement-healthz-bind-address: ''
@@ -56,23 +77,26 @@
nodeport-addresses: ''
enable-health-check-nodeport: 'true'
enable-health-check-loadbalancer-ip: 'false'
node-port-bind-protection: 'true'
enable-auto-protect-node-port-range: 'true'
bpf-lb-acceleration: disabled
+ enable-experimental-lb: 'false'
enable-svc-source-range-check: 'true'
enable-l2-neigh-discovery: 'true'
arping-refresh-period: 30s
k8s-require-ipv4-pod-cidr: 'false'
k8s-require-ipv6-pod-cidr: 'false'
enable-k8s-networkpolicy: 'true'
+ enable-endpoint-lockdown-on-policy-overflow: 'false'
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
cni-exclusive: 'true'
cni-log-file: /var/run/cilium/cilium-cni.log
enable-endpoint-health-checking: 'true'
enable-health-checking: 'true'
+ health-check-icmp-failure-threshold: '3'
enable-well-known-identities: 'false'
enable-node-selector-labels: 'false'
synchronize-k8s-nodes: 'true'
operator-api-serve-addr: 127.0.0.1:9234
enable-hubble: 'true'
hubble-socket-path: /var/run/cilium/hubble.sock
@@ -82,34 +106,36 @@
hubble-disable-tls: 'false'
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
ipam: kubernetes
ipam-cilium-node-update-rate: 15s
+ default-lb-service-ipam: lbipam
egress-gateway-reconciliation-trigger-interval: 1s
enable-vtep: 'false'
vtep-endpoint: ''
vtep-cidr: ''
vtep-mask: ''
vtep-mac: ''
+ enable-bgp-control-plane: 'true'
+ bgp-secrets-namespace: kube-system
+ enable-bgp-control-plane-status-report: 'true'
procfs: /host/proc
bpf-root: /sys/fs/bpf
cgroup-root: /sys/fs/cgroup
enable-k8s-terminating-endpoint: 'true'
enable-sctp: 'false'
- k8s-client-qps: '10'
- k8s-client-burst: '20'
remove-cilium-node-taints: 'true'
set-cilium-node-taints: 'true'
set-cilium-is-up-condition: 'true'
unmanaged-pod-watcher-interval: '15'
dnsproxy-enable-transparent-mode: 'true'
dnsproxy-socket-linger-timeout: '10'
tofqdns-dns-reject-response-code: refused
tofqdns-enable-dns-compression: 'true'
- tofqdns-endpoint-max-ip-per-hostname: '50'
+ tofqdns-endpoint-max-ip-per-hostname: '1000'
tofqdns-idle-connection-grace-period: 0s
tofqdns-max-deferred-connection-deletes: '10000'
tofqdns-proxy-response-max-delay: 100ms
agent-not-ready-taint-key: node.cilium.io/agent-not-ready
mesh-auth-enabled: 'true'
mesh-auth-queue-size: '1024'
@@ -119,15 +145,22 @@
proxy-xff-num-trusted-hops-egress: '0'
proxy-connect-timeout: '2'
proxy-initial-fetch-timeout: '30'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
+ proxy-max-concurrent-retries: '128'
+ http-retry-count: '3'
external-envoy-proxy: 'true'
envoy-base-id: '0'
+ envoy-access-log-buffer-size: '4096'
envoy-keep-cap-netbindservice: 'false'
max-connected-clusters: '255'
clustermesh-enable-endpoint-sync: 'false'
clustermesh-enable-mcs-api: 'false'
nat-map-stats-entries: '32'
nat-map-stats-interval: 30s
+ enable-internal-traffic-policy: 'true'
+ enable-lb-ipam: 'true'
+ enable-non-default-deny-policies: 'true'
+ enable-source-ip-verification: 'true'
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
@@ -3,8 +3,8 @@
kind: ConfigMap
metadata:
name: cilium-envoy-config
namespace: kube-system
data:
bootstrap-config.json: |
- {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config
@@ -3,12 +3,11 @@
kind: ConfigMap
metadata:
name: hubble-relay-config
namespace: kube-system
data:
config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\
- \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
- \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file:\
- \ /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\n\
- tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\n\
- disable-server-tls: true\n"
+ \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+ \ \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\n\
+ tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files:\
+ \ /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: true\n"
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
@@ -53,12 +53,13 @@
- update
- patch
- apiGroups:
- ''
resources:
- namespaces
+ - secrets
verbs:
- get
- list
- watch
- apiGroups:
- ''
@@ -66,12 +67,16 @@
- services
- endpoints
verbs:
- get
- list
- watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumclusterwidenetworkpolicies
verbs:
@@ -135,12 +140,19 @@
- update
- get
- list
- watch
- delete
- patch
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgpclusterconfigs/status
+ - ciliumbgppeerconfigs/status
+ verbs:
+ - update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
@@ -181,12 +193,13 @@
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
+ - ciliumbgppeerconfigs
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
@@ -205,7 +218,40 @@
resources:
- leases
verbs:
- create
- get
- update
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ - gateways
+ - tlsroutes
+ - httproutes
+ - grpcroutes
+ - referencegrants
+ - referencepolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses/status
+ - gateways/status
+ - httproutes/status
+ - grpcroutes/status
+ - tlsroutes/status
+ verbs:
+ - update
+ - patch
+- apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceimports
+ verbs:
+ - get
+ - list
+ - watch
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -25,15 +25,17 @@
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
+ seccompProfile:
+ type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
@@ -55,12 +57,14 @@
path: /healthz
port: 9879
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
+ - name: require-k8s-connectivity
+ value: 'false'
periodSeconds: 30
successThreshold: 1
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
@@ -179,13 +183,13 @@
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -204,13 +208,13 @@
value: '7445'
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -234,13 +238,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: mount-bpf-fs
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
@@ -250,13 +254,13 @@
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -298,13 +302,13 @@
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
requests:
cpu: 100m
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
@@ -28,22 +28,21 @@
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-envoy
- image: quay.io/cilium/cilium-envoy:v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5@sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88
+ image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434
imagePullPolicy: IfNotPresent
command:
- /usr/bin/cilium-envoy-starter
args:
- --
- -c /var/run/cilium/envoy/bootstrap-config.json
- --base-id 0
- --log-level info
- - --log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v
startupProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 9878
scheme: HTTP
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -30,13 +30,13 @@
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
+ image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
@@ -33,13 +33,13 @@
capabilities:
drop:
- ALL
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
- image: quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
+ image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2
imagePullPolicy: IfNotPresent
command:
- hubble-relay
args:
- serve
ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui
@@ -31,13 +31,13 @@
runAsUser: 1001
priorityClassName: null
serviceAccountName: hubble-ui
automountServiceAccountToken: true
containers:
- name: frontend
- image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
+ image: quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8081
livenessProbe:
httpGet:
@@ -52,13 +52,13 @@
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: tmp-dir
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: backend
- image: quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b
+ image: quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953
imagePullPolicy: IfNotPresent
env:
- name: EVENTS_SERVER_PORT
value: '8090'
- name: FLOWS_API_ADDR
value: hubble-relay:80
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-gateway-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-gateway-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-bgp-control-plane-secrets
+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-bgp-control-plane-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-bgp-control-plane-secrets
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-gateway-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-gateway-secrets
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-gateway-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-gateway-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-gateway-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-bgp-control-plane-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-bgp-control-plane-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-bgp-control-plane-secrets
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-bgp-control-plane-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-gateway-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-gateway-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-gateway-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+
--- HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-controller
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-
--- HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-speaker
+++ HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-speaker
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: metallb-speaker
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: speaker
-
--- HelmRelease: metallb-system/metallb ConfigMap: metallb-system/metallb-excludel2
+++ HelmRelease: metallb-system/metallb ConfigMap: metallb-system/metallb-excludel2
@@ -1,27 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: metallb-excludel2
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-data:
- excludel2.yaml: |
- announcedInterfacesToExclude:
- - ^docker.*
- - ^cbr.*
- - ^dummy.*
- - ^virbr.*
- - ^lxcbr.*
- - ^veth.*
- - ^lo$
- - ^cali.*
- - ^tunl.*
- - ^flannel.*
- - ^kube-ipvs.*
- - ^cni.*
- - ^nodelocaldns.*
-
--- HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:controller
+++ HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:controller
@@ -1,86 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metallb:controller
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - services
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - list
-- apiGroups:
- - ''
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- resourceNames:
- - metallb-webhook-configuration
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - list
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- resourceNames:
- - bfdprofiles.metallb.io
- - bgpadvertisements.metallb.io
- - bgppeers.metallb.io
- - ipaddresspools.metallb.io
- - l2advertisements.metallb.io
- - communities.metallb.io
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - list
- - watch
-
--- HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:speaker
+++ HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:speaker
@@ -1,44 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metallb:speaker
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - services
- - endpoints
- - nodes
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - metallb.io
- resources:
- - servicel2statuses
- - servicel2statuses/status
- verbs:
- - '*'
-
--- HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:controller
+++ HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:controller
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: metallb:controller
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-subjects:
-- kind: ServiceAccount
- name: metallb-controller
- namespace: metallb-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metallb:controller
-
--- HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:speaker
+++ HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:speaker
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: metallb:speaker
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-subjects:
-- kind: ServiceAccount
- name: metallb-speaker
- namespace: metallb-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metallb:speaker
-
--- HelmRelease: metallb-system/metallb Role: metallb-system/metallb-pod-lister
+++ HelmRelease: metallb-system/metallb Role: metallb-system/metallb-pod-lister
@@ -1,83 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: metallb-pod-lister
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - pods
- verbs:
- - list
- - get
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bfdprofiles
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bgppeers
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - l2advertisements
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bgpadvertisements
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - ipaddresspools
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - communities
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: metallb-system/metallb Role: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb Role: metallb-system/metallb-controller
@@ -1,94 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - create
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - secrets
- resourceNames:
- - metallb-memberlist
- verbs:
- - list
-- apiGroups:
- - apps
- resources:
- - deployments
- resourceNames:
- - metallb-controller
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - ipaddresspools
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bgppeers
- verbs:
- - get
- - list
-- apiGroups:
- - metallb.io
- resources:
- - bgpadvertisements
- verbs:
- - get
- - list
-- apiGroups:
- - metallb.io
- resources:
- - l2advertisements
- verbs:
- - get
- - list
-- apiGroups:
- - metallb.io
- resources:
- - communities
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bfdprofiles
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-pod-lister
+++ HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-pod-lister
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: metallb-pod-lister
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: metallb-pod-lister
-subjects:
-- kind: ServiceAccount
- name: metallb-speaker
-
--- HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-controller
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: metallb-controller
-subjects:
-- kind: ServiceAccount
- name: metallb-controller
-
--- HelmRelease: metallb-system/metallb Service: metallb-system/metallb-webhook-service
+++ HelmRelease: metallb-system/metallb Service: metallb-system/metallb-webhook-service
@@ -1,19 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: metallb-webhook-service
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: controller
-
--- HelmRelease: metallb-system/metallb DaemonSet: metallb-system/metallb-speaker
+++ HelmRelease: metallb-system/metallb DaemonSet: metallb-system/metallb-speaker
@@ -1,117 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: metallb-speaker
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: speaker
-spec:
- updateStrategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: speaker
- template:
- metadata:
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: speaker
- spec:
- serviceAccountName: metallb-speaker
- terminationGracePeriodSeconds: 0
- hostNetwork: true
- volumes:
- - name: memberlist
- secret:
- secretName: metallb-memberlist
- defaultMode: 420
- - name: metallb-excludel2
- configMap:
- defaultMode: 256
- name: metallb-excludel2
- containers:
- - name: speaker
- image: quay.io/metallb/speaker:v0.14.9
- args:
- - --port=7472
- - --log-level=info
- env:
- - name: METALLB_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: METALLB_HOST
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: METALLB_ML_BIND_ADDR
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: METALLB_ML_LABELS
- value: app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker
- - name: METALLB_ML_BIND_PORT
- value: '7946'
- - name: METALLB_ML_SECRET_KEY_PATH
- value: /etc/ml_secret_key
- - name: METALLB_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- ports:
- - name: monitoring
- containerPort: 7472
- - name: memberlist-tcp
- containerPort: 7946
- protocol: TCP
- - name: memberlist-udp
- containerPort: 7946
- protocol: UDP
- livenessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- add:
- - NET_RAW
- volumeMounts:
- - name: memberlist
- mountPath: /etc/ml_secret_key
- - name: metallb-excludel2
- mountPath: /etc/metallb
- nodeSelector:
- kubernetes.io/os: linux
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- operator: Exists
- - key: node-role.kubernetes.io/control-plane
- effect: NoSchedule
- operator: Exists
-
--- HelmRelease: metallb-system/metallb Deployment: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb Deployment: metallb-system/metallb-controller
@@ -1,86 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- strategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: controller
- template:
- metadata:
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: controller
- spec:
- serviceAccountName: metallb-controller
- terminationGracePeriodSeconds: 0
- securityContext:
- fsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- containers:
- - name: controller
- image: quay.io/metallb/controller:v0.14.9
- args:
- - --port=7472
- - --log-level=info
- - --tls-min-version=VersionTLS12
- env:
- - name: METALLB_ML_SECRET_NAME
- value: metallb-memberlist
- - name: METALLB_DEPLOYMENT
- value: metallb-controller
- ports:
- - name: monitoring
- containerPort: 7472
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- livenessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- nodeSelector:
- kubernetes.io/os: linux
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: metallb-webhook-cert
-
--- HelmRelease: metallb-system/metallb ValidatingWebhookConfiguration: metallb-system/metallb-webhook-configuration
+++ HelmRelease: metallb-system/metallb ValidatingWebhookConfiguration: metallb-system/metallb-webhook-configuration
@@ -1,131 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: metallb-webhook-configuration
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-webhooks:
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta2-bgppeer
- failurePolicy: Fail
- name: bgppeervalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta2
- operations:
- - CREATE
- - UPDATE
- resources:
- - bgppeers
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-ipaddresspool
- failurePolicy: Fail
- name: ipaddresspoolvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ipaddresspools
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-bgpadvertisement
- failurePolicy: Fail
- name: bgpadvertisementvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - bgpadvertisements
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-community
- failurePolicy: Fail
- name: communityvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - communities
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-bfdprofile
- failurePolicy: Fail
- name: bfdprofilevalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - DELETE
- resources:
- - bfdprofiles
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-l2advertisement
- failurePolicy: Fail
- name: l2advertisementvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - l2advertisements
- sideEffects: None
-
--- HelmRelease: ingress-nginx/ingress-nginx Service: ingress-nginx/ingress-nginx-controller
+++ HelmRelease: ingress-nginx/ingress-nginx Service: ingress-nginx/ingress-nginx-controller
@@ -10,13 +10,13 @@
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
externalIPs:
- - 192.168.253.100
+ - 192.168.33.2
externalTrafficPolicy: Local
ipFamilyPolicy: SingleStack
ipFamilies:
- IPv4
ports:
- name: http
--- HelmRelease: argo-system/argo-workflows Ingress: argo-system/argo-workflows-server
+++ HelmRelease: argo-system/argo-workflows Ingress: argo-system/argo-workflows-server
@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: argo-workflows-server
- namespace: argo-system
- labels:
- app.kubernetes.io/name: argo-workflows-server
- app.kubernetes.io/instance: argo-workflows
- app.kubernetes.io/component: server
- app: server
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: argo-workflows
-spec:
- ingressClassName: nginx
- rules:
- - host: workflows.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: argo-workflows-server
- port:
- number: 2746
-
--- HelmRelease: grafana/grafana ConfigMap: grafana/grafana
+++ HelmRelease: grafana/grafana ConfigMap: grafana/grafana
@@ -50,13 +50,13 @@
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
- domain = grafana.timtor.dev
+ domain = ''
root_url = https://grafana.timtor.dev
[unified_alerting]
enabled = true
ha_advertise_address = ${POD_IP}:9094
ha_listen_address = ${POD_IP}:9094
ha_peer_timeout = 15s
--- HelmRelease: grafana/grafana Ingress: grafana/grafana
+++ HelmRelease: grafana/grafana Ingress: grafana/grafana
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: grafana
- namespace: grafana
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
-spec:
- ingressClassName: nginx
- rules:
- - host: grafana.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: grafana
- port:
- number: 80
-
--- HelmRelease: mydata/nextcloud Ingress: mydata/nextcloud
+++ HelmRelease: mydata/nextcloud Ingress: mydata/nextcloud
@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: nextcloud
- labels:
- app.kubernetes.io/instance: nextcloud
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: nextcloud
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- namespace: mydata
-spec:
- ingressClassName: nginx
- rules:
- - host: drive.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: nextcloud
- port:
- number: 8080
-
--- HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-http-redirect
+++ HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: nextcloud-http-redirect
+ labels:
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: nextcloud
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - drive.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-main
+++ HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: nextcloud-main
+ labels:
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: nextcloud
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - drive.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: nextcloud
+ namespace: mydata
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ |
timtorChen
force-pushed
the
implement-bgp-y-gatewayapi
branch
from
f4bb0fd to
a8156ef
Compare
timtorChen
force-pushed
the
implement-bgp-y-gatewayapi
branch
from
a8156ef to
f5eaf4a
Compare
- upgrade cilium to 1.17 to support gateway.spec.address - change ingress-nginx to use 192.168.33.2 (only for unifi-controller https backend) - add gateway-api crd implement gateway - add httproute gatewayapi - httproute grafana gatewayapi - httproute kromgo gatewayapi - httproute miniflux gatewayapi (not implement) - unifi controller use https backend gatewayapi - vaultwarden gatewayapi - immich, nextcloud, navidrome apigateway - httproute ceph object httproute - add rook-ceph dashboard apigateway - httproute flux receiver
timtorChen
force-pushed
the
implement-bgp-y-gatewayapi
branch
from
f5eaf4a to
9e9753d
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Related issue: #737.
This PR implements my first trial of BGP and Gateway API.
Changes
spec.addresses.192.168.33.0/24Notes
spec.serviceAllocationand CiliumBGPAdvertisementspec.advertisementsselectors were set.Related discussions: