feat(proxmox): Proxy Euclid Proxmox through Gateway

apps/utility/haos/http-route.yaml

@@ -8,7 +8,7 @@ spec:
     - name: cilium-gateway
       namespace: gateway
   hostnames:
-    - "haos.stonegarden.dev"
+    - "haos.euclid.stonegarden.dev"
   rules:
     - matches:
         - path:

apps/utility/project.yaml

@@ -13,6 +13,8 @@ spec:
       server: '*'
     - namespace: 'haos'
       server: '*'
+    - namespace: 'proxmox'
+      server: '*'
   clusterResourceWhitelist:
     - group: '*'
       kind: '*'

apps/utility/proxmox/endpoint-slice.yaml

@@ -0,0 +1,18 @@
+apiVersion: discovery.k8s.io/v1
+kind: EndpointSlice
+metadata:
+  name: proxmox-euclid-1
+  namespace: proxmox
+  labels:
+    kubernetes.io/service-name: proxmox-euclid
+    endpointslice.kubernetes.io/managed-by: cluster-admins
+addressType: IPv4
+ports:
+  - name: https
+    protocol: TCP
+    port: 8006
+endpoints:
+  - addresses:
+      - 192.168.1.42
+    conditions:  # https://github.com/argoproj/argo-cd/issues/15554
+      ready: true

apps/utility/proxmox/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ns.yaml
+  - svc.yaml
+  - endpoint-slice.yaml
+  - tls-route.yaml

apps/utility/proxmox/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: proxmox

apps/utility/proxmox/svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxmox-euclid
+  namespace: proxmox
+spec:
+  ports:
+    - name: https
+      protocol: TCP
+      port: 443
+      targetPort: 8006

apps/utility/proxmox/tls-route.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TLSRoute
+metadata:
+  name: proxmox-euclid
+  namespace: proxmox
+spec:
+  parentRefs:
+    - name: cilium-gateway
+      namespace: gateway
+  hostnames:
+    - "proxmox.euclid.stonegarden.dev"
+  rules:
+    - backendRefs:
+        - name: proxmox-euclid
+          port: 443

infra/cilium/values.yaml

@@ -16,7 +16,7 @@ operator:
 rollOutCiliumPods: true
 
 debug:
-  enabled: true
+  enabled: false
 
 # Increase rate limit when doing L2 announcements
 k8sClientRateLimit:

infra/gateway/gateway.yaml

@@ -22,6 +22,17 @@ spec:
       allowedRoutes:
         namespaces:
           from: All
+    - protocol: HTTPS
+      port: 443
+      name: https-gateway-euclid
+      hostname: "*.euclid.stonegarden.dev"
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All
     - protocol: HTTPS
       port: 443
       name: https-domain-gateway

infra/net-aux/config/cloudflared/config.yaml

@@ -10,11 +10,15 @@ ingress:
   - hostname: hello.stonegarden.dev
     service: hello_world
   - hostname: ssh.stonegarden.dev
-    service: ssh://192.168.1.12:22
+    service: ssh://192.168.1.50:22
-  - hostname: haos.stonegarden.dev
+  - hostname: proxmox.euclid.stonegarden.dev
     service: https://cilium-gateway-cilium-gateway.gateway.svc.cluster.local:443
     originRequest:
-      originServerName: "*.stonegarden.dev"
+      originServerName: proxmox.euclid.stonegarden.dev
+  - hostname: haos.euclid.stonegarden.dev
+    service: https://cilium-gateway-cilium-gateway.gateway.svc.cluster.local:443
+    originRequest:
+      originServerName: haos.euclid.stonegarden.dev
   - hostname: blog.stonegarden.dev
     service: https://cilium-gateway-cilium-gateway.gateway.svc.cluster.local:443
     originRequest: