feat(vpn): split gateway into external and internal services

k8s/apps/external/haos/http-route.yaml

@@ -5,7 +5,9 @@ metadata:
   namespace: haos
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "haos.stonegarden.dev"

k8s/apps/homepage/blog/hugo/http-route.yaml

@@ -5,7 +5,9 @@ metadata:
   namespace: blog
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "blog.stonegarden.dev"

k8s/apps/homepage/blog/remark42/http-route.yaml

@@ -5,7 +5,9 @@ metadata:
   namespace: blog
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "remark42.stonegarden.dev"

k8s/apps/homepage/stonegarden/http-route.yaml

@@ -5,7 +5,9 @@ metadata:
   namespace: stonegarden
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "stonegarden.dev"

k8s/apps/media/arr/lidarr/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: arr
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "lidarr.stonegarden.dev"

k8s/apps/media/arr/prowlarr/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: arr
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "prowlarr.stonegarden.dev"

k8s/apps/media/arr/radarr/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: arr
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "radarr.stonegarden.dev"

k8s/apps/media/arr/sonarr/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: arr
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "sonarr.stonegarden.dev"

k8s/apps/media/arr/torrent/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: arr
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "torrent.stonegarden.dev"

k8s/apps/media/jellyfin/http-route.yaml

@@ -5,7 +5,9 @@ metadata:
   namespace: jellyfin
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "jellyfin.stonegarden.dev"

k8s/apps/media/plex/http-route.yaml

@@ -5,7 +5,9 @@ metadata:
   namespace: plex
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "plex.stonegarden.dev"

k8s/infra/auth/keycloak/http-route.yaml

@@ -1,11 +1,34 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: keycloak
+  name: external
   namespace: keycloak
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+  hostnames:
+    - "keycloak.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /realms/homelab
+        - path:
+            type: PathPrefix
+            value: /resources
+      backendRefs:
+        - name: keycloak
+          port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: internal
+  namespace: keycloak
+spec:
+  parentRefs:
+    - name: internal
       namespace: gateway
   hostnames:
     - "keycloak.stonegarden.dev"

k8s/infra/controllers/argocd/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: argocd
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "argocd.stonegarden.dev"

k8s/infra/monitoring/hubble/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "hubble.stonegarden.dev"

k8s/infra/monitoring/prometheus-stack/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: monitoring
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "grafana.stonegarden.dev"

k8s/infra/network/cloudflared/config.yaml

@@ -9,20 +9,20 @@ warp-routing:
 ingress:
   - hostname: hello.stonegarden.dev
     service: hello_world
-  - hostname: proxmox.stonegarden.dev
-    service: https://proxmox.proxmox.svc.cluster.local:443
-    originRequest:
-      originServerName: proxmox.stonegarden.dev
-  - hostname: truenas.stonegarden.dev
-    service: https://truenas.truenas.svc.cluster.local:443
-    originRequest:
-      originServerName: truenas.stonegarden.dev
+#  - hostname: proxmox.stonegarden.dev
+#    service: https://proxmox.proxmox.svc.cluster.local:443
+#    originRequest:
+#      originServerName: proxmox.stonegarden.dev
+#  - hostname: truenas.stonegarden.dev
+#    service: https://truenas.truenas.svc.cluster.local:443
+#    originRequest:
+#      originServerName: truenas.stonegarden.dev
   - hostname: "*.stonegarden.dev"
-    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
+    service: https://cilium-gateway-external.gateway.svc.cluster.local:443
     originRequest:
       originServerName: "*.stonegarden.dev"
   - hostname: stonegarden.dev
-    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
+    service: https://cilium-gateway-external.gateway.svc.cluster.local:443
     originRequest:
       originServerName: stonegarden.dev
   - service: http_status:404

k8s/infra/network/dns/adguard/config/AdGuardHome.yaml

@@ -141,16 +141,18 @@ filtering:
   parental_block_host: family-block.dns.adguard.com
   safebrowsing_block_host: standard-block.dns.adguard.com
   rewrites:
-    - domain: '*.stonegarden.dev'
-      answer: 192.168.1.222
-    - domain: stonegarden.dev
-      answer: 192.168.1.222
     - domain: plex.stonegarden.dev
       answer: 192.168.1.228
     - domain: jellyfin.stonegarden.dev
       answer: 192.168.1.229
-    - domain: whoami.stonegarden.dev
-      answer: 192.168.1.223
+    - domain: proxmox.stonegarden.dev
+      answer: 192.168.1.221
+    - domain: truenas.stonegarden.dev
+      answer: 192.168.1.221
+    - domain: '*.stonegarden.dev'
+      answer: 192.168.1.220
+    - domain: stonegarden.dev
+      answer: 192.168.1.220
   safebrowsing_cache_size: 1048576
   safesearch_cache_size: 1048576
   parental_cache_size: 1048576

k8s/infra/network/dns/adguard/http-route.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: dns
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: internal
       namespace: gateway
   hostnames:
     - "adguard.stonegarden.dev"

k8s/infra/network/dns/unbound/deployment.yaml

@@ -1,15 +1,15 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: DaemonSet
 metadata:
   name: unbound
   namespace: dns
 spec:
-  replicas: 2
+#  replicas: 2
   selector:
     matchLabels:
       app: unbound
-  strategy:
-    type: Recreate
+#  strategy:
+#    type: Recreate
   template:
     metadata:
       labels:
@@ -37,7 +37,7 @@ spec:
               protocol: UDP
           resources:
             requests:
-              cpu: 50m
+              cpu: 10m
               memory: 64Mi
             limits:
               cpu: 500m

k8s/infra/network/gateway/gw-external.yaml

@@ -1,7 +1,7 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: Gateway
 metadata:
-  name: stonegarden
+  name: external
   namespace: gateway
 spec:
   gatewayClassName: cilium

k8s/infra/network/gateway/gw-internal.yaml

@@ -0,0 +1,33 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: internal
+  namespace: gateway
+spec:
+  gatewayClassName: cilium
+  infrastructure:
+    annotations:
+      io.cilium/lb-ipam-ips: 192.168.1.220
+  listeners:
+    - protocol: HTTPS
+      port: 443
+      name: https-gateway
+      hostname: "*.stonegarden.dev"
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cert-stonegarden
+      allowedRoutes:
+        namespaces:
+          from: All
+    - protocol: HTTPS
+      port: 443
+      name: https-domain-gateway
+      hostname: stonegarden.dev
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cert-stonegarden
+      allowedRoutes:
+        namespaces:
+          from: All

k8s/infra/network/gateway/kustomization.yaml

@@ -5,5 +5,6 @@ resources:
   - cert-stonegarden.yaml
   - gateway-class.yaml
   - ns.yaml
-  - gw-stonegarden.yaml
+  - gw-external.yaml
+  - gw-internal.yaml
   - gw-tls-passthrough.yaml

k8s/infra/vpn/netbird/http-route.yaml

@@ -1,22 +1,17 @@
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
 metadata:
-  name: netbird
+  name: api
   namespace: netbird
 spec:
   parentRefs:
-    - name: stonegarden
+    - name: external
+      namespace: gateway
+    - name: internal
       namespace: gateway
   hostnames:
     - "netbird.stonegarden.dev"
   rules:
-    - backendRefs:
-        - name: netbird-dashboard
-          port: 80
-      matches:
-        - path:
-            type: PathPrefix
-            value: /
     - backendRefs:
         - name: netbird-backend-management
           port: 80
@@ -34,3 +29,23 @@ spec:
         - path:
             type: PathPrefix
             value: /signalexchange.SignalExchange/
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: dashboard
+  namespace: netbird
+spec:
+  parentRefs:
+    - name: internal
+      namespace: gateway
+  hostnames:
+    - "netbird.stonegarden.dev"
+  rules:
+    - backendRefs:
+        - name: netbird-dashboard
+          port: 80
+      matches:
+        - path:
+            type: PathPrefix
+            value: /