scottk/homelab
1
0
Fork 0
mirror of https://github.com/optim-enterprises-bv/homelab.git synced 2025-11-02 10:57:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(mTLS): Enable Cilium mTLS

Browse Source
This commit is contained in:
Vegard Hagen
2023-11-30 22:36:25 +01:00
parent 8d4bb606e4
commit 059e8abace
9 changed files with 56 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/plex/service.yaml
View File

@@ -5,6 +5,7 @@ metadata:
spec: spec:
selector: selector:
app: plex app: plex
type: LoadBalancer
ports: ports:
- name: web - name: web
port: 32400 port: 32400

1
infra/cilium/announce.yaml
View File

@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2alpha1
kind: CiliumL2AnnouncementPolicy kind: CiliumL2AnnouncementPolicy
metadata: metadata:
name: default-l2-announcement-policy name: default-l2-announcement-policy
namespace: kube-system
spec: spec:
interfaces: interfaces:
- enp0s25 - enp0s25

1
infra/cilium/ip-pool.yaml
View File

@@ -2,6 +2,7 @@ apiVersion: cilium.io/v2alpha1
kind: CiliumLoadBalancerIPPool kind: CiliumLoadBalancerIPPool
metadata: metadata:
name: default-pool name: default-pool
namespace: kube-system
spec: spec:
cidrs: cidrs:
- cidr: 192.168.1.128/25 - cidr: 192.168.1.128/25

7
infra/cilium/kustomization.yaml
View File

@@ -1,20 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: kube-system
resources: resources:
- traefik-forward-auth - traefik-forward-auth
- ingress-route.yaml - ingress-route.yaml
- ip-pool.yaml - ip-pool.yaml
- announce.yaml - announce.yaml
- pv-cilium-spire-config.yaml
#patchesStrategicMerge:
# # peer-service: "hubble-peer.default.svc.cluster.local:443"
# - patches/hubble-relay-config-peer-service-patch.yaml
helmCharts: helmCharts:
- name: cilium - name: cilium
repo: https://helm.cilium.io repo: https://helm.cilium.io
version: 1.14.4 version: 1.14.4
releaseName: "cilium" releaseName: "cilium"
namespace: kube-system
valuesFile: values.yaml valuesFile: values.yaml

19
infra/cilium/patches/hubble-relay-config-peer-service-patch.yaml
View File

@@ -1,19 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: hubble-relay-config
data:
# default set to 'default' ns which is wrong
config.yaml: |
cluster-name: kubernetes
peer-service: "hubble-peer.kube-system.svc.cluster.local:443"
listen-address: :4245
dial-timeout:
retry-timeout:
sort-buffer-len-max:
sort-buffer-drain-timeout:
tls-client-cert-file: /var/lib/hubble-relay/tls/client.crt
tls-client-key-file: /var/lib/hubble-relay/tls/client.key
tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt
disable-server-tls: true

22
infra/cilium/pv-cilium-spire-config.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cilium-spire-pv
spec:
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: cilium-spire-sc
local:
path: /disk/etc/cilium-spire
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- gauss

1
infra/cilium/traefik-forward-auth/kustomization.yaml
View File

@@ -1,5 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: kube-system
commonLabels: commonLabels:
app: traefik-forward-auth app: traefik-forward-auth

52
infra/cilium/values.yaml
View File

@@ -1,50 +1,37 @@
cluster: cluster:
name: gauss
id: 0 id: 0
name: kubernetes
debug: #debug:
enabled: true # enabled: true
encryption: k8sServiceHost: "192.168.1.12"
nodeEncryption: false k8sServicePort: "6443"
k8sServiceHost: 192.168.1.12 # Roll out cilium agent pods automatically when ConfigMap is updated.
k8sServicePort: 6443 rollOutCiliumPods: true
kubeProxyReplacement: strict # Increase rate limit when doing L2 announcements
k8sClientRateLimit:
qps: 50
burst: 100
bgpControlPlane: kubeProxyReplacement: true
enabled: false
l2announcements: l2announcements:
enabled: true enabled: true
externalIPs: externalIPs:
enabled: true enabled: true
# -- Roll out cilium agent pods automatically when configmap is updated.
rollOutCiliumPods: false
containerRuntime:
integration: containerd
enableCiliumEndpointSlice: true enableCiliumEndpointSlice: true
operator: operator:
# Can't have more replicas than nodes
replicas: 1 replicas: 1
serviceAccounts:
cilium:
name: cilium
operator:
name: cilium-operator
tunnel: vxlan
hubble: hubble:
enabled: true enabled: true
peerService:
enabled: true
clusterDomain: cluster.local
relay: relay:
enabled: true enabled: true
rollOutPods: true rollOutPods: true
@@ -60,3 +47,14 @@ hubble:
enabled: true enabled: true
method: helm method: helm
certValidityDuration: 1095 certValidityDuration: 1095
# mTLS
authentication:
enabled: true
mutual:
spire:
enabled: true
install:
server:
dataStorage:
storageClass: cilium-spire-sc

2
infra/project.yaml
View File

@@ -16,6 +16,8 @@ spec:
server: '*' server: '*'
- namespace: 'cloudflared' - namespace: 'cloudflared'
server: '*' server: '*'
- namespace: 'cilium-spire'
server: '*'
- namespace: 'gpu-operator' - namespace: 'gpu-operator'
server: '*' server: '*'
- namespace: 'kubernetes-dashboard' - namespace: 'kubernetes-dashboard'