feat(gateway): Enabled and configured Cilium as a GatewayClass

Hooked up Cert-manager to Gateway for TLS certificatesk

apps/media/jellyfin/http-route.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: jellyfin-http-route
+spec:
+  parentRefs:
+    - name: cilium-gateway
+      namespace: gateway
+  hostnames:
+    - "jellyfin.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: jellyfin-svc
+          port: 8096

apps/media/jellyfin/kustomization.yaml

@@ -20,3 +20,4 @@ resources:
   - service.yaml
   - deployment.yaml
   - ingress.yaml
+  - http-route.yaml

apps/media/plex/http-route.yaml

@@ -0,0 +1,18 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: plex-http-route
+spec:
+  parentRefs:
+    - name: cilium-gateway
+      namespace: gateway
+  hostnames:
+    - "plex.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: plex
+          port: 32400

apps/media/plex/kustomization.yaml

@@ -20,3 +20,4 @@ resources:
   - service.yaml
   - deployment.yaml
   - ingress.yaml
+  - http-route.yaml

apps/test/whoami/http-route.yaml

@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: whoami-http-route
+spec:
+  parentRefs:
+    - name: cilium-gateway
+      namespace: gateway
+  hostnames:
+    - "gateway.stonegarden.dev"
+    - "gateway-direct.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: whoami
+          port: 80

apps/test/whoami/ingress-route.yaml

@@ -1,7 +1,7 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: whoami
+  name: whoami-ingress-route
   labels:
     app: traefik
 spec:
@@ -22,7 +22,7 @@ spec:
           port: 80
       middlewares:
         - name: traefik-forward-auth
-    - match: Host(`whoami-open.stonegarden.dev`)
+    - match: Host(`whoami-ingress-route.stonegarden.dev`)
       kind: Rule
       services:
         - name: whoami

apps/test/whoami/ingress.yaml

@@ -3,15 +3,9 @@ kind: Ingress
 metadata:
   name: whoami-ingress
   namespace: whoami
-  annotations:
-    cert-manager.io/issuer: "cloudflare-issuer"
 spec:
-#  tls:
-#    - hosts:
-#        - issuer.stonegarden.dev
-#      secretName: tls-ingress-https
   rules:
-    - host: issuer.stonegarden.dev
+    - host: whoami-ingress.stonegarden.dev
       http:
         paths:
           - path: /

apps/test/whoami/issuer.yaml

@@ -1,17 +0,0 @@
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: le-whoami-http
-  namespace: whoami
-spec:
-  acme:
-    email: veghag@gmail.com
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      # if not existing, register a new account and stores it
-      name: whoami-issuer-account-key
-    solvers:
-      - http01:
-          # The ingressClass used to create the necessary ingress routes
-          ingress:
-            class: traefik

apps/test/whoami/kustomization.yaml

@@ -4,7 +4,8 @@ namespace: whoami
 
 resources:
 #  - issuer.yaml
-  - ingress.yaml
+#  - ingress.yaml
   - ingress-route.yaml
+  - http-route.yaml
   - traefik-forward-auth
   - whoami

infra/cert-manager/kustomization.yaml

@@ -12,6 +12,5 @@ helmCharts:
     namespace: cert-manager
     valuesInline:
       installCRDs: true
-#      config:
+      extraArgs:
-#         featureGates:
+        - "--feature-gates=ExperimentalGatewayAPISupport=true"
-#           experimentalGatewayAPISupport: true

infra/cilium/kustomization.yaml

@@ -11,7 +11,7 @@ resources:
 helmCharts:
   - name: cilium
     repo: https://helm.cilium.io
-    version: 1.14.4
+    version: 1.14.5
     releaseName: "cilium"
     namespace: kube-system
     valuesFile: values.yaml

infra/cilium/values.yaml

@@ -2,21 +2,29 @@ cluster:
   name: gauss
   id: 0
 
-#debug:
-#  enabled: true
-
 k8sServiceHost: "192.168.1.12"
 k8sServicePort: "6443"
 
+kubeProxyReplacement: true
+
+operator:
+  # Can't have more replicas than nodes
+  replicas: 1
+  rollOutPods: true
+
 # Roll out cilium agent pods automatically when ConfigMap is updated.
 rollOutCiliumPods: true
 
+#debug:
+#  enabled: true
+
+image:
+  tag: "v1.15.0-rc.0"
+
 # Increase rate limit when doing L2 announcements
 k8sClientRateLimit:
-  qps: 50
+  qps: 100
-  burst: 100
+  burst: 200
-
-kubeProxyReplacement: true
 
 l2announcements:
   enabled: true
@@ -26,9 +34,8 @@ externalIPs:
 
 enableCiliumEndpointSlice: true
 
-operator:
+gatewayAPI:
-  # Can't have more replicas than nodes
+  enabled: true
-  replicas: 1
 
 hubble:
   enabled: true
@@ -38,15 +45,6 @@ hubble:
   ui:
     enabled: true
     rollOutPods: true
-    frontend:
-      server:
-        ipv6:
-          enabled: false
-  tls:
-    auto:
-      enabled: true
-      method: helm
-      certValidityDuration: 1095
 
 # mTLS
 authentication:

infra/gateway/cloudflare-api-token.yaml

@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: cloudflare-api-token
+  namespace: gateway
+spec:
+  encryptedData:
+    api-token: AgB5clzsduCRhJYbeHhAc9azBeucWvZUAwFmZTgLayqwQ2iJKWtj4aBwbS/uhkKRLnT2Gb8+Tp43Za3B2wjq7beFzdg/o3icrtzOe0YFnS4ph1OZQgW5v9c+0FtdtbRMYuB3QDz8EuPpv13QkGw9JvaHtDMHWSDzIyV81cyYu8LRKvnU9oZBG7DJxsoRDaKMEpUdHKb5cBid7a+keTW8CAr50noN8pZd9qIXYIrnvCpap+vz7hasJz4VMajvZx7G4z2N+b/TS0+6jLW3MaDr13Etf9h2gUEwdrWiGghwNJ3T+lcYBdn0kgkWYK5X2Cvia/ca2bSCfOFrPW2hTaIa2WiiWm49ji4Q3QZdLAZCXeVAvErATPwui1Gqx0O7EEl6oAt/e9obf7DH7P5DgWjMCb6YE+5X0JT2C8fW2BNd7PgMkYrzgbthFwT4Tnmo1aApafr0YzUGdNnseVQtBWXcjeBRqcKZuEWmK15qIirFs9wUTWD2HwIt+KcVcF5ZUh0Lmw7a3ueXU88Ufebg/HJS3Qgrv390cHzhGFxl4/5mCHUjPHDt6Ox7mDNtwG9vQqUJsIpKb7huepiVjL59p2NF0dqxH77NAm5sN5vVqQhL1dFakCr3uJi0SFWESXrOTEpy+SvU+HCHSl7cXAWmCdNikvH/NS3icOMv4zl8gZ6UKP7V1SgpWGS9xBhVxtBbbDaoJwmPQAENP2VKZk955LVL5ajNyza7F6eFUpaXgOoaambuc0PTmRnFjZnz
+  template:
+    metadata:
+      name: cloudflare-api-token
+      namespace: gateway
+    type: Opaque

infra/gateway/cloudflare-issuer.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: cloudflare-issuer
+  namespace: gateway
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: veghag@gmail.com
+    privateKeySecretRef:
+      name: cloudflare-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token

infra/gateway/gateway-class.yaml

@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: cilium
+spec:
+  controllerName: io.cilium/gateway-controller

infra/gateway/gateway.yaml

@@ -0,0 +1,29 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: cilium-gateway
+  namespace: gateway
+  annotations:
+    cert-manager.io/issuer: cloudflare-issuer
+    io.cilium/lb-ipam-ips: 192.168.1.172
+spec:
+  gatewayClassName: cilium
+  infrastructure:
+    labels:
+      test-label: test-label
+    annotations:
+      io.cilium/lb-ipam-ips: 192.168.1.172
+  addresses:
+    - value: 192.168.1.172
+  listeners:
+    - protocol: HTTPS
+      port: 443
+      name: https-gateway
+      hostname: "*.stonegarden.dev"
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All

infra/gateway/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml
+  - gateway-class.yaml
+  - ns.yaml
+  - cloudflare-api-token.yaml
+  - cloudflare-issuer.yaml
+  - gateway.yaml

infra/gateway/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: gateway

infra/net-aux/config/cloudflared/config.yaml

@@ -19,10 +19,14 @@ ingress:
           - aud1 d34ec64c62e56195ac6158dbfbeae62155d110f5c3a3b7e949572916dc57a6f3
   - hostname: ssh.stonegarden.dev
     service: ssh://192.168.1.12:22
+  - hostname: gateway.stonegarden.dev
+    service: https://cilium-gateway-cilium-gateway.gateway.svc.cluster.local:443
+    originRequest:
+      originServerName: "*.stonegarden.dev"
   - hostname: stonegarden.dev
     service: https://traefik.traefik.svc.cluster.local:443
     originRequest:
-      originServerName: stonegarden.dev
+      originServerName: "*.stonegarden.dev"
   - hostname: "*.stonegarden.dev"
     service: https://traefik.traefik.svc.cluster.local:443
     originRequest:

infra/net-aux/config/pi-hole/02-custom.conf

@@ -1,2 +1,5 @@
 address=/stonegarden.dev/192.168.1.142
+address=/gateway.stonegarden.dev/192.168.1.219
+address=/jellyfin.stonegarden.dev/192.168.1.219
+address=/plex.stonegarden.dev/192.168.1.219
 edns-packet-max=1232

infra/pi-hole/config/02-custom.conf

@@ -1,2 +1,5 @@
 address=/stonegarden.dev/192.168.1.142
+address=/gateway.stonegarden.dev/192.168.1.219
+address=/jellyfin.stonegarden.dev/192.168.1.219
+address=/plex.stonegarden.dev/192.168.1.219
 edns-packet-max=1232

infra/project.yaml

@@ -16,8 +16,12 @@ spec:
       server: '*'
     - namespace: 'cloudflared'
       server: '*'
+    - namespace: 'cilium-secrets'
+      server: '*'
     - namespace: 'cilium-spire'
       server: '*'
+    - namespace: 'gateway'
+      server: '*'
     - namespace: 'gpu-operator'
       server: '*'
     - namespace: 'kubernetes-dashboard'