From 059e8abace4a08cc92103b4be4d0b9d0bf677e98 Mon Sep 17 00:00:00 2001 From: Vegard Hagen Date: Thu, 30 Nov 2023 22:36:25 +0100 Subject: [PATCH] feat(mTLS): Enable Cilium mTLS
---
apps/plex/service.yaml | 1 + infra/cilium/announce.yaml | 1 + infra/cilium/ip-pool.yaml | 1 + infra/cilium/kustomization.yaml | 7 +-- ...ubble-relay-config-peer-service-patch.yaml | 19 ------- infra/cilium/pv-cilium-spire-config.yaml | 22 ++++++++ .../traefik-forward-auth/kustomization.yaml | 1 + infra/cilium/values.yaml | 54 +++++++++---------- infra/project.yaml | 2 + 9 files changed, 56 insertions(+), 52 deletions(-) delete mode 100644 infra/cilium/patches/hubble-relay-config-peer-service-patch.yaml create mode 100644 infra/cilium/pv-cilium-spire-config.yaml
diff --git a/apps/plex/service.yaml b/apps/plex/service.yaml
index 6177f7e..81831d8 100644
--- a/apps/plex/service.yaml
+++ b/apps/plex/service.yaml
@@ -5,6 +5,7 @@ metadata: spec: selector: app: plex + type: LoadBalancer ports: - name: web port: 32400
\ No newline at end of file
diff --git a/infra/cilium/announce.yaml b/infra/cilium/announce.yaml
index 3a5dbda..dbe67aa 100644
--- a/infra/cilium/announce.yaml
+++ b/infra/cilium/announce.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumL2AnnouncementPolicy metadata: name: default-l2-announcement-policy + namespace: kube-system spec: interfaces: - enp0s25
diff --git a/infra/cilium/ip-pool.yaml b/infra/cilium/ip-pool.yaml
index 5515b8e..aaee9c5 100644
--- a/infra/cilium/ip-pool.yaml
+++ b/infra/cilium/ip-pool.yaml
@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2alpha1 kind: CiliumLoadBalancerIPPool metadata: name: default-pool + namespace: kube-system spec: cidrs: - cidr: 192.168.1.128/25
\ No newline at end of file
diff --git a/infra/cilium/kustomization.yaml b/infra/cilium/kustomization.yaml
index ca2d9be..00d0bb1 100644
--- a/infra/cilium/kustomization.yaml
+++ b/infra/cilium/kustomization.yaml
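Review bot: `type: LoadBalancer` gives the Plex Service an address from the `default-pool` CiliumLoadBalancerIPPool (192.168.1.128/25, L2-announced on enp0s25 per announce.yaml), so Plex becomes reachable on the LAN directly, presumably in addition to whatever ingress route already fronts it; the patch does not say whether that direct exposure is intended. If it is, pinning the address with the `io.cilium/lb-ipam-ips` annotation keeps it stable across Service re-creates, and `loadBalancerSourceRanges` can narrow who may reach it; if it is not, the `type` line should be dropped. The file also still lacks a trailing newline.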
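Review bot: The added `namespace: kube-system` on the CiliumL2AnnouncementPolicy (and the identical addition in ip-pool.yaml for CiliumLoadBalancerIPPool) is inert as far as I recall, since both CRDs are cluster-scoped in Cilium 1.14; the API server tolerates the field but it carries no meaning, and some tooling warns about a namespace on a cluster-scoped object. Confirming the scope with `kubectl api-resources --api-group=cilium.io` and dropping the two lines, or keeping them with a comment that they are intentionally harmless, would make the intent clear.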
@@ -1,20 +1,17 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system resources: - traefik-forward-auth - ingress-route.yaml - ip-pool.yaml - announce.yaml - -#patchesStrategicMerge: -# # peer-service: "hubble-peer.default.svc.cluster.local:443" -# - patches/hubble-relay-config-peer-service-patch.yaml + - pv-cilium-spire-config.yaml helmCharts: - name: cilium repo: https://helm.cilium.io version: 1.14.4 releaseName: "cilium" + namespace: kube-system valuesFile: values.yaml
\ No newline at end of file
diff --git a/infra/cilium/patches/hubble-relay-config-peer-service-patch.yaml b/infra/cilium/patches/hubble-relay-config-peer-service-patch.yaml
deleted file mode 100644
index cdff13e..0000000
--- a/infra/cilium/patches/hubble-relay-config-peer-service-patch.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: hubble-relay-config
-data:
- # default set to 'default' ns which is wrong
- config.yaml: |
- cluster-name: kubernetes
- peer-service: "hubble-peer.kube-system.svc.cluster.local:443"
- listen-address: :4245
- dial-timeout:
- retry-timeout:
- sort-buffer-len-max:
- sort-buffer-drain-timeout:
- tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
- tls-client-key-file: /var/lib/hubble-relay/tls/client.key
- tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
- disable-server-tls: true
-
diff --git a/infra/cilium/pv-cilium-spire-config.yaml b/infra/cilium/pv-cilium-spire-config.yaml
new file mode 100644
index 0000000..43c8ca9
--- /dev/null
+++ b/infra/cilium/pv-cilium-spire-config.yaml
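Review bot: Removing the kustomization-level `namespace: kube-system` changes where every namespaced resource listed under `resources:` lands unless it sets its own `metadata.namespace`; announce.yaml, ip-pool.yaml and the traefik-forward-auth sub-kustomization receive one in this patch, but `ingress-route.yaml` is not touched (it is absent from the diffstat), so unless it already carries a namespace its IngressRoute now renders into `default`. That should be checked before merge; the alternative is to keep the top-level namespace, which the chart now no longer depends on since `helmCharts[].namespace` is set separately. The new `pv-cilium-spire-config.yaml` entry is unaffected, a PersistentVolume being cluster-scoped.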
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: cilium-spire-pv
+spec:
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: cilium-spire-sc
+ local:
+ path: /disk/etc/cilium-spire
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - gauss
\ No newline at end of file
diff --git a/infra/cilium/traefik-forward-auth/kustomization.yaml b/infra/cilium/traefik-forward-auth/kustomization.yaml
index 515e0f7..b10dbaf 100644
--- a/infra/cilium/traefik-forward-auth/kustomization.yaml
+++ b/infra/cilium/traefik-forward-auth/kustomization.yaml
@@ -1,5 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: kube-system commonLabels: app: traefik-forward-auth
diff --git a/infra/cilium/values.yaml b/infra/cilium/values.yaml
index 9bf3e82..6b67931 100644
--- a/infra/cilium/values.yaml
+++ b/infra/cilium/values.yaml
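Review bot: The PersistentVolume has no `claimRef`, so any PVC in any namespace that asks for `storageClassName: cilium-spire-sc`, `ReadWriteOnce` and at most 1Gi can bind it, not only the SPIRE server's data claim; reserving it with `claimRef: {namespace: cilium-spire, name: <spire-server-data-pvc>}` (the claim name the chart generates should be confirmed) prevents that. No StorageClass object named `cilium-spire-sc` is created in this patch; static binding matches on the name string and should work without one, but a small `provisioner: kubernetes.io/no-provisioner` class with `volumeBindingMode: WaitForFirstConsumer` would document the intent and give a clear error instead of a pending claim if dynamic provisioning is ever attempted. Worth a comment in the file as well: `/disk/etc/cilium-spire` on `gauss` will hold the SPIRE server's datastore, presumably including the key material every mTLS identity chains to, so its host-level ownership, permissions and backup matter more than for ordinary application data, and `Retain` means a stale datastore survives a chart reinstall. The file also lacks a trailing newline.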
@@ -1,50 +1,37 @@ cluster: + name: gauss id: 0 - name: kubernetes -debug: - enabled: true +#debug: +# enabled: true -encryption: - nodeEncryption: false +k8sServiceHost: "192.168.1.12" +k8sServicePort: "6443" -k8sServiceHost: 192.168.1.12 -k8sServicePort: 6443 +# Roll out cilium agent pods automatically when ConfigMap is updated. +rollOutCiliumPods: true -kubeProxyReplacement: strict +# Increase rate limit when doing L2 announcements +k8sClientRateLimit: + qps: 50 + burst: 100 -bgpControlPlane: - enabled: false +kubeProxyReplacement: true l2announcements: enabled: true + externalIPs: enabled: true -# -- Roll out cilium agent pods automatically when configmap is updated. -rollOutCiliumPods: false - -containerRuntime: - integration: containerd - enableCiliumEndpointSlice: true operator: + # Can't have more replicas than nodes replicas: 1 -serviceAccounts: - cilium: - name: cilium - operator: - name: cilium-operator - -tunnel: vxlan - hubble: enabled: true - peerService: - enabled: true - clusterDomain: cluster.local relay: enabled: true rollOutPods: true
@@ -59,4 +46,15 @@ hubble: auto: enabled: true method: helm - certValidityDuration: 1095
\ No newline at end of file
+ certValidityDuration: 1095
+
+# mTLS
+authentication:
+ enabled: true
+ mutual:
+ spire:
+ enabled: true
+ install:
+ server:
+ dataStorage:
+ storageClass: cilium-spire-sc
diff --git a/infra/project.yaml b/infra/project.yaml
index a2f774b..0de9806 100644
--- a/infra/project.yaml
+++ b/infra/project.yaml
@@ -16,6 +16,8 @@ spec: server: '*' - namespace: 'cloudflared' server: '*' + - namespace: 'cilium-spire' + server: '*' - namespace: 'gpu-operator' server: '*' - namespace: 'kubernetes-dashboard'
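Review bot: `authentication.mutual.spire.enabled: true` in the second hunk of values.yaml installs SPIRE and the agent-side identity plumbing, but in Cilium 1.14 mutual authentication is applied only to flows selected by a CiliumNetworkPolicy or CiliumClusterwideNetworkPolicy whose rule sets `authentication: {mode: required}`; this patch adds no such policy, so despite the commit title no traffic is mTLS-authenticated yet unless policies exist outside the diff. A comment above the block would keep that from being misread later, e.g. `# Mutual auth is only enforced for flows selected by a policy with authentication.mode: required`. Separately, the first hunk renames `cluster.name` from `kubernetes` to `gauss`; Cilium's docs advise setting the cluster name before first install, so if this is an in-place change on a running cluster it is worth confirming the agents and Hubble come back cleanly.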