feat: add Gateway API and Gateways

2025-10-30 17:37:59 +00:00 · 2024-07-07 15:02:41 +02:00
parent fe368b937e
commit 805ab61017
12 changed files with 140 additions and 8 deletions
--- a/remodel/k8s/README.md
+++ b/remodel/k8s/README.md
@@ -48,6 +48,10 @@ kubectl kustomize --enable-helm infra/storage | kubectl apply -f -
 kubectl kustomize --enable-helm infra/controllers | kubectl apply -f -
 ```

+```shell
+kubectl kustomize --enable-helm infra | kubectl apply -f -
+```
+

 # SBOM

@@ -56,6 +60,12 @@ kubectl kustomize --enable-helm infra/controllers | kubectl apply -f -
 * [x] Argo CD
 * [x] Proxmox CSI Plugin
 * [x] Cert-manager
-* [] Gateway
+* [X] Gateway
 * [] CNPG
 * [] Authentication (Keycloak, Authentik, ...)
+
+# CRDs
+
+* [] Gateway
+* [] Argo CD
+* [] Sealed-secrets
--- a/remodel/k8s/infra/application-set.yaml
+++ b/remodel/k8s/infra/application-set.yaml
@@ -9,9 +9,9 @@ spec:
  generators:
    - git:
        repoURL: https://github.com/vehagn/homelab
-        revision: HEAD
+        revision: remodel
        directories:
-          - path: remodel/infra/*
+          - path: remodel/k8s/infra/*
  template:
    metadata:
      name: '{{ path.basename }}'
@@ -21,7 +21,7 @@ spec:
      project: infrastructure
      source:
        repoURL: https://github.com/vehagn/homelab
-        targetRevision: HEAD
+        targetRevision: remodel
        path: '{{ path }}'
      destination:
        name: in-cluster
--- a/remodel/k8s/infra/network/application-set.yaml
+++ b/remodel/k8s/infra/network/application-set.yaml
@@ -9,9 +9,9 @@ spec:
  generators:
    - git:
        repoURL: https://github.com/vehagn/homelab
-        revision: HEAD
+        revision: remodel
        directories:
-          - path: remodel/infra/network/*
+          - path: remodel/k8s/infra/network/*
  template:
    metadata:
      name: '{{ path.basename }}'
@@ -23,7 +23,7 @@ spec:
        plugin:
          name: kustomize-build-with-helm
        repoURL: https://github.com/vehagn/homelab
-        targetRevision: HEAD
+        targetRevision: remodel
        path: '{{ path }}'
      destination:
        name: in-cluster
--- a/remodel/k8s/infra/network/gateway/cloudflare-api-token.yaml
+++ b/remodel/k8s/infra/network/gateway/cloudflare-api-token.yaml
@@ -0,0 +1,12 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: gateway
+spec:
+  encryptedData:
+    api-token: AgCmFZ1eCTYUq41kgZUVr0QjzppHOh/O9frkrupm6WT+QWIaMCK3qq0XmnHWox1K1SHhmix4I4TBzMuvKd8MR2SaI4lfdD4DrNoxpKOKyIKcWWiwz2Lw6CTqTr6Wa+7Iyh5qk2jna20pnGzhp4e0YMwBrVCcelpH/TiZtzXY3FrSnv2+YiPsOR+cohv1OV2E9hUbbHMJGwJQsjVGwTaw1gmEKJIVpMaR86coM7J+5NIoEuG1LeV4ZaqxDG2oQ21V2OBv8gFsO1IrlP17PTKX1Uzvw18Xcvt5ybWQIuXJM8A+0YxwEYUDYj7FyYeDIhKwo/IyUWQKMHu0MKkLMcJ7dHI7fNGH8olvR1ZcTNvtiswa7Fx3c8c70V9Ldw1B09tj+hVfv8hoW6B8uX9C8QDaGY5dlKZr0u2rswK5UVwrgnpdVZt2kWSypqG9JJ8IdcR6OSxfixJpyKryQoK26lFSXHHLrqAvbF2uIyRbYa5q6wz7zUcdAEIAJ2cDLmZ5IFYzzTiDvlDBOUddnhOy2n76pUXDxH/4yKIYFMOZB+SkCFTh54ddbEkyW4or8UK+jzzp2SzRaW0cKj5QUbqSDu+yLm6RmTqpNrmNTjMNtQVOfFXBGm6aGS9Y61kEjIvmgTsKpla9k85RVeRiVy/tsngghp3mfIXzQHZZ4IzTuTya0zb7sJzyrOwqfPgnGZyt5RQZtYl8rG/09MkJgm1iVHdWd2Fd38SdcALXEX4Qpaf8Yk0fb9B2LrHWvmAT
+  template:
+    metadata:
+      name: cloudflare-api-token
+      namespace: gateway
--- a/remodel/k8s/infra/network/gateway/cloudflare-issuer.yaml
+++ b/remodel/k8s/infra/network/gateway/cloudflare-issuer.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cloudflare-issuer
+  namespace: gateway
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    #server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: veghag@gmail.com
+    privateKeySecretRef:
+      name: cloudflare-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
--- a/remodel/k8s/infra/network/gateway/gateway-class.yaml
+++ b/remodel/k8s/infra/network/gateway/gateway-class.yaml
@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: cilium
+spec:
+  controllerName: io.cilium/gateway-controller
--- a/remodel/k8s/infra/network/gateway/gw-euclid.yaml
+++ b/remodel/k8s/infra/network/gateway/gw-euclid.yaml
@@ -0,0 +1,24 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: euclid
+  namespace: gateway
+  annotations:
+    cert-manager.io/issuer: cloudflare-issuer
+spec:
+  gatewayClassName: cilium
+  infrastructure:
+    annotations:
+      io.cilium/lb-ipam-ips: 192.168.1.220
+  listeners:
+    - protocol: HTTPS
+      port: 443
+      name: https-gateway
+      hostname: "*.euclid.stonegarden.dev"
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cert-euclid
+      allowedRoutes:
+        namespaces:
+          from: All
--- a/remodel/k8s/infra/network/gateway/gw-proxmox.yaml
+++ b/remodel/k8s/infra/network/gateway/gw-proxmox.yaml
@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: proxmox
+  namespace: gateway
+spec:
+  gatewayClassName: cilium
+  infrastructure:
+    annotations:
+      io.cilium/lb-ipam-ips: 192.168.1.221
+  listeners:
+    - protocol: TLS
+      port: 443
+      name: proxmox-tls-passthrough
+      hostname: "proxmox.euclid.stonegarden.dev"
+      tls:
+        mode: Passthrough
+      allowedRoutes:
+        namespaces:
+          from: All
--- a/remodel/k8s/infra/network/gateway/gw-stonegarden.yaml
+++ b/remodel/k8s/infra/network/gateway/gw-stonegarden.yaml
@@ -0,0 +1,24 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: stonegarden
+  namespace: gateway
+  annotations:
+    cert-manager.io/issuer: cloudflare-issuer
+spec:
+  gatewayClassName: cilium
+  infrastructure:
+    annotations:
+      io.cilium/lb-ipam-ips: 192.168.1.222
+  listeners:
+    - protocol: HTTPS
+      port: 443
+      name: https-gateway
+      hostname: "*.stonegarden.dev"
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cert-stonegarden
+      allowedRoutes:
+        namespaces:
+          from: All
--- a/remodel/k8s/infra/network/gateway/kustomization.yaml
+++ b/remodel/k8s/infra/network/gateway/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml
+  - gateway-class.yaml
+  - ns.yaml
+  - cloudflare-api-token.yaml
+  - cloudflare-issuer.yaml
+  - gw-euclid.yaml
+#  - gw-proxmox.yaml
+  - gw-stonegarden.yaml
--- a/remodel/k8s/infra/network/gateway/ns.yaml
+++ b/remodel/k8s/infra/network/gateway/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway
--- a/remodel/k8s/infra/network/project.yaml
+++ b/remodel/k8s/infra/network/project.yaml
@@ -5,7 +5,7 @@ metadata:
  namespace: argocd
 spec:
  sourceRepos:
-    - 'https://gitlab.com/vehagn/mini-homelab.git'
+    - 'https://github.com/vehagn/homelab'
    - 'https://prometheus-community.github.io/helm-charts'
    - 'https://argoproj.github.io/argo-helm'
  destinations:
@@ -13,6 +13,8 @@ spec:
      server: '*'
    - namespace: 'argocd'
      server: '*'
+    - namespace: 'cilium-secrets'
+      server: '*'
    - namespace: 'cloudflared'
      server: '*'
    - namespace: 'gateway'