fix(gateway): Pinpointed difficulties to be with wildcard

hostname: "*.stonegarden.dev" appears to give me some trouble. It could be that I've done something stupid with the certificates... again. Maybe a rate limit? Manually listing all Gateway endpoints and fixing the wildard issue at a later date.
2025-10-30 17:37:59 +00:00 · 2024-03-02 21:07:52 +01:00
parent 8e7a87c825
commit ba03da7c4b
12 changed files with 101 additions and 36 deletions
--- a/apps/media/jellyfin/kustomization.yaml
+++ b/apps/media/jellyfin/kustomization.yaml
@@ -20,4 +20,4 @@ resources:
  - service.yaml
  - deployment.yaml
  - http-route.yaml
-  - ingress-route.yaml
+#  - ingress-route.yaml
--- a/apps/public/stonegarden/kustomization.yaml
+++ b/apps/public/stonegarden/kustomization.yaml
@@ -9,4 +9,4 @@ resources:
  - service.yaml
  - deployment.yaml
  - http-route.yaml
-  - ingress-route.yaml
+#  - ingress-route.yaml
--- a/apps/test/whoami/http-route.yaml
+++ b/apps/test/whoami/http-route.yaml
@@ -8,7 +8,6 @@ spec:
      namespace: gateway
  hostnames:
    - "gateway.stonegarden.dev"
-    - "gateway-direct.stonegarden.dev"
  rules:
    - matches:
        - path:
--- a/apps/utility/haos/kustomization.yaml
+++ b/apps/utility/haos/kustomization.yaml
@@ -6,4 +6,4 @@ resources:
  - svc.yaml
  - endpoint-slice.yaml
  - http-route.yaml
-  - ingress-route.yaml
+#  - ingress-route.yaml
--- a/infra/cilium/kustomization.yaml
+++ b/infra/cilium/kustomization.yaml
@@ -9,7 +9,7 @@ resources:
 helmCharts:
  - name: cilium
    repo: https://helm.cilium.io
-    version: 1.15.0
+    version: 1.15.1
    releaseName: "cilium"
    includeCRDs: true
    namespace: kube-system
--- a/infra/cilium/values.yaml
+++ b/infra/cilium/values.yaml
@@ -15,8 +15,8 @@ operator:
 # Roll out cilium agent pods automatically when ConfigMap is updated.
 rollOutCiliumPods: true

-debug:
-  enabled: false
+#debug:
+#  enabled: true

 # Increase rate limit when doing L2 announcements
 k8sClientRateLimit:
--- a/infra/gateway/gateway-class.yaml
+++ b/infra/gateway/gateway-class.yaml
--- a/infra/gateway/gw-stonegarden.yaml
+++ b/infra/gateway/gw-stonegarden.yaml
@@ -11,10 +11,65 @@ spec:
    annotations:
      io.cilium/lb-ipam-ips: 192.168.1.172
  listeners:
+    - protocol: HTTPS
+      port: 443
+      name: https-blog
+      hostname: blog.stonegarden.dev
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All
+    - protocol: HTTPS
+      port: 443
+      name: https-remark42
+      hostname: remark42.stonegarden.dev
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All
+    - protocol: HTTPS
+      port: 443
+      name: https-haos
+      hostname: haos.stonegarden.dev
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All
+    - protocol: HTTPS
+      port: 443
+      name: https-jellyfin
+      hostname: jellyfin.stonegarden.dev
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All
+    - protocol: HTTPS
+      port: 443
+      name: https-postgres
+      hostname: postgres.stonegarden.dev
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: cloudflare-cert
+      allowedRoutes:
+        namespaces:
+          from: All
    - protocol: HTTPS
      port: 443
      name: https-gateway
-      hostname: "*.stonegarden.dev"
+      hostname: gateway.stonegarden.dev
      tls:
        certificateRefs:
          - kind: Secret
@@ -32,4 +87,15 @@ spec:
            name: cloudflare-cert
      allowedRoutes:
        namespaces:
-          from: All
+          from: All
+#    - protocol: HTTPS
+#      port: 443
+#      name: https-wildcard
+#      hostname: "*.stonegarden.dev"
+#      tls:
+#        certificateRefs:
+#          - kind: Secret
+#            name: cloudflare-cert
+#      allowedRoutes:
+#        namespaces:
+#          from: All
--- a/infra/gateway/kustomization.yaml
+++ b/infra/gateway/kustomization.yaml
@@ -3,7 +3,7 @@ kind: Kustomization

 resources:
  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml
-  - gateway-class.yaml
+  - gw-class.yaml
  - ns.yaml
  - cloudflare-api-token.yaml
  - cloudflare-issuer.yaml
--- a/infra/net-aux/config/cloudflared/config.yaml
+++ b/infra/net-aux/config/cloudflared/config.yaml
@@ -15,18 +15,18 @@ ingress:
    service: https://cilium-gateway-proxmox-euclid.gateway.svc.cluster.local:443
    originRequest:
      originServerName: proxmox.euclid.stonegarden.dev
-#  - hostname: haos.stonegarden.dev
-#    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
-#    originRequest:
-#      originServerName: haos.stonegarden.dev
-#  - hostname: blog.stonegarden.dev
-#    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
-#    originRequest:
-#      originServerName: blog.stonegarden.dev
-#  - hostname: remark42.stonegarden.dev
-#    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
-#    originRequest:
-#      originServerName: remark42.stonegarden.dev
+  - hostname: haos.stonegarden.dev
+    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
+    originRequest:
+      originServerName: haos.stonegarden.dev
+  - hostname: blog.stonegarden.dev
+    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
+    originRequest:
+      originServerName: blog.stonegarden.dev
+  - hostname: remark42.stonegarden.dev
+    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
+    originRequest:
+      originServerName: remark42.stonegarden.dev
  - hostname: gateway.stonegarden.dev
    service: https://cilium-gateway-stonegarden.gateway.svc.cluster.local:443
    originRequest:
--- a/infra/net-aux/config/pi-hole/02-custom.conf
+++ b/infra/net-aux/config/pi-hole/02-custom.conf
@@ -1,9 +1,9 @@
-#address=/stonegarden.dev/192.168.1.142
-#address=/blog.stonegarden.dev/192.168.1.172
-#address=/gateway.stonegarden.dev/192.168.1.172
-#address=/hass.stonegarden.dev/192.168.1.172
-address=/jellyfin.stonegarden.dev/192.168.1.142
+address=/stonegarden.dev/192.168.1.142
+address=/blog.stonegarden.dev/192.168.1.172
+address=/gateway.stonegarden.dev/192.168.1.172
+address=/haos.stonegarden.dev/192.168.1.172
+address=/jellyfin.stonegarden.dev/192.168.1.172
 address=/plex.stonegarden.dev/192.168.1.142
-#address=/postgres.stonegarden.dev/192.168.1.172
-#address=/remark42.stonegarden.dev/192.168.1.172
+address=/postgres.stonegarden.dev/192.168.1.172
+address=/remark42.stonegarden.dev/192.168.1.172
 edns-packet-max=1232
--- a/infra/pi-hole/config/02-custom.conf
+++ b/infra/pi-hole/config/02-custom.conf
@@ -1,9 +1,9 @@
-#address=/stonegarden.dev/192.168.1.142
-#address=/blog.stonegarden.dev/192.168.1.172
-#address=/gateway.stonegarden.dev/192.168.1.172
-#address=/hass.stonegarden.dev/192.168.1.172
-address=/jellyfin.stonegarden.dev/192.168.1.142
+address=/stonegarden.dev/192.168.1.142
+address=/blog.stonegarden.dev/192.168.1.172
+address=/gateway.stonegarden.dev/192.168.1.172
+address=/haos.stonegarden.dev/192.168.1.172
+address=/jellyfin.stonegarden.dev/192.168.1.172
 address=/plex.stonegarden.dev/192.168.1.142
-#address=/postgres.stonegarden.dev/192.168.1.172
-#address=/remark42.stonegarden.dev/192.168.1.172
+address=/postgres.stonegarden.dev/192.168.1.172
+address=/remark42.stonegarden.dev/192.168.1.172
 edns-packet-max=1232