From 7f4e75f2b51fccde0a42d7008808b5c5388a67c1 Mon Sep 17 00:00:00 2001 From: Alex Lebens Date: Thu, 12 Feb 2026 13:09:05 -0600 Subject: [PATCH] feat: enable gateway and l2 --- .../cilium-l2-announcement-policy.yaml | 35 ++++--- .../cilium-load-balancer-ip-pool.yaml | 2 - .../cl01tl/helm/cilium/templates/gateway.yaml | 92 +++++++++---------- clusters/cl01tl/helm/cilium/values.yaml | 6 +- 4 files changed, 67 insertions(+), 68 deletions(-)
diff --git a/clusters/cl01tl/helm/cilium/templates/cilium-l2-announcement-policy.yaml b/clusters/cl01tl/helm/cilium/templates/cilium-l2-announcement-policy.yaml
index af6080a5f..1bc8e2693 100644
--- a/clusters/cl01tl/helm/cilium/templates/cilium-l2-announcement-policy.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-l2-announcement-policy.yaml
@@ -1,18 +1,17 @@
-# apiVersion: "cilium.io/v2alpha1"
-# kind: CiliumL2AnnouncementPolicy
-# metadata:
-# name: node-gateway-l2-policy
-# namespace: {{ .Release.Namespace }}
-# labels:
-# app.kubernetes.io/name: node-gateway-l2-policy
-# app.kubernetes.io/instance: {{ .Release.Name }}
-# app.kubernetes.io/part-of: {{ .Release.Name }}
-# spec:
-# nodeSelector:
-# matchLabels:
-# kubernetes.io/hostname: talos-ix7-xku
-# interfaces:
-# - end0
-# - enp6s0
-# externalIPs: true
-# loadBalancerIPs: true
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ name: node-gateway-l2-policy
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: node-gateway-l2-policy
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/hostname: talos-ix7-xku
+ interfaces:
+ - "^enp.*"
+ externalIPs: true
+ loadBalancerIPs: true
diff --git a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
index 80191f2ef..ed8da55a8 100644
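Review bot: `externalIPs: true` on a policy with no `serviceSelector` makes the selected node answer L2 (ARP/NDP) for the `.spec.externalIPs` of every Service in the cluster — as I read Cilium's behaviour, an omitted selector matches all Services — so anyone who can create a Service in any namespace can make this node claim an arbitrary LAN address, the externalIPs-hijack pattern behind CVE-2020-8554. If nothing relies on externalIPs, change the line to `externalIPs: false` and keep `loadBalancerIPs: true`; otherwise add a `serviceSelector` that limits announcements to the intended Services and pair it with an admission policy on `spec.externalIPs`. The `nodeSelector` also pins every announcement to the single node `talos-ix7-xku`, so an outage of that node takes the VIPs down with it; a comment such as `# deliberately single-announcer; no L2 failover` would make that trade-off explicit.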
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -9,8 +9,6 @@ metadata: app.kubernetes.io/part-of: {{ .Release.Name }} spec: blocks: - - start: "10.232.1.21" - stop: "10.232.1.23" - start: "10.232.2.21" stop: "10.232.2.23"
diff --git a/clusters/cl01tl/helm/cilium/templates/gateway.yaml b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
index 52387c139..b0cc3ad86 100644
--- a/clusters/cl01tl/helm/cilium/templates/gateway.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
@@ -1,46 +1,46 @@
-# apiVersion: gateway.networking.k8s.io/v1
-# kind: Gateway
-# metadata:
-# name: cilium-tls-gateway
-# namespace: {{ .Release.Namespace }}
-# labels:
-# app.kubernetes.io/name: cilium-tls-gateway
-# app.kubernetes.io/instance: {{ .Release.Name }}
-# app.kubernetes.io/part-of: {{ .Release.Name }}
-# annotations:
-# cert-manager.io/cluster-issuer: letsencrypt-issuer
-# io.cilium/lb-ipam-ips: "10.232.1.23"
-# spec:
-# addresses:
-# - type: IPAddress
-# value: 10.232.1.23
-# gatewayClassName: cilium
-# listeners:
-# - allowedRoutes:
-# namespaces:
-# from: All
-# hostname: '*.alexlebens.net'
-# name: https
-# port: 443
-# protocol: HTTPS
-# tls:
-# certificateRefs:
-# - group: ''
-# kind: Secret
-# name: https-gateway-cert
-# namespace: kube-system
-# mode: Terminate
-# - allowedRoutes:
-# namespaces:
-# from: All
-# hostname: 'alexlebens.net'
-# name: https-domain
-# port: 443
-# protocol: HTTPS
-# tls:
-# certificateRefs:
-# - group: ''
-# kind: Secret
-# name: https-gateway-cert
-# namespace: kube-system
-# mode: Terminate
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ name: cilium-tls-gateway
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: cilium-tls-gateway
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-issuer
+ io.cilium/lb-ipam-ips: "10.232.1.23"
+spec:
+ addresses:
+ - type: IPAddress
+ value: 10.232.1.23
+ gatewayClassName: cilium
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ hostname: '*.alexlebens.net'
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - group: ''
+ kind: Secret
+ name: https-gateway-cert
+ namespace: kube-system
+ mode: Terminate
+ - allowedRoutes:
+ namespaces:
+ from: All
+ hostname: 'alexlebens.net'
+ name: https-domain
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - group: ''
+ kind: Secret
+ name: https-gateway-cert
+ namespace: kube-system
+ mode: Terminate
diff --git a/clusters/cl01tl/helm/cilium/values.yaml b/clusters/cl01tl/helm/cilium/values.yaml
index 84a1b1453..8d55f7520 100644
--- a/clusters/cl01tl/helm/cilium/values.yaml
+++ b/clusters/cl01tl/helm/cilium/values.yaml
@@ -26,7 +26,7 @@ cilium: - SYS_ADMIN - SYS_RESOURCE l2announcements: - enabled: false + enabled: true bgpControlPlane: enabled: false secretsNamespace:
@@ -37,7 +37,7 @@ cilium: mode: "default" bpf: hostLegacyRouting: true - devices: end0 enp6s0 + devices: '^(enp|end|eth)[0-9a-z]*' enableK8sEndpointSlice: true ciliumEndpointSlice: enabled: true
@@ -47,6 +47,8 @@ cilium: enabled: true enableAlpn: true enableAppProtocol: true + gatewayClass: + create: true externalIPs: enabled: true socketLB:
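Review bot: The Gateway pins `10.232.1.23` in both `io.cilium/lb-ipam-ips` and `spec.addresses`, but the IP-pool hunk in this same commit deletes the `10.232.1.21`–`10.232.1.23` block and leaves only `10.232.2.21`–`10.232.2.23`; unless another CiliumLoadBalancerIPPool covers that address, LB-IPAM will not hand it out and the Gateway's Service will sit without an address. Either keep the 10.232.1.x block in the pool or move the Gateway into the remaining range, e.g. `io.cilium/lb-ipam-ips: "10.232.2.23"` and `value: 10.232.2.23`. Separately, both HTTPS listeners use `allowedRoutes.namespaces.from: All`, so an HTTPRoute in any namespace can claim `alexlebens.net` or any `*.alexlebens.net` host behind this shared listener and its certificate; if the cluster runs anything less than fully trusted workloads, use `from: Selector` with a namespace label, or at least record the decision with `# routes from any namespace: single-tenant cluster`.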
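Review bot: Flipping `l2announcements.enabled` to `true` makes the agents take and renew a Kubernetes Lease per announced Service, and Cilium's L2-announcement documentation advises raising the agent's `k8sClientRateLimit` (qps and burst) when turning it on; nothing in this hunk adjusts it, so unless it is already set elsewhere in values.yaml the agent can be client-side throttled under lease churn and lose announcements. Consider adding a `k8sClientRateLimit` block with the values the docs recommend for the cluster size, with a comment tying it to L2 announcements, e.g. `# raised for l2announcements lease renewals`.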
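Review bot: `devices: '^(enp|end|eth)[0-9a-z]*'` replaces two explicitly named interfaces with a pattern matched on every node, and Cilium attaches its datapath (NodePort, externalIPs, host routing) to every matching device, so a NIC added later with one of those prefixes — a management or storage interface, say — would silently become an externally reachable Service endpoint. If that breadth is intended, say so next to the line, `# regex: every physical NIC on every node becomes a Cilium datapath device`; otherwise keep an explicit list. Note too that the CiliumL2AnnouncementPolicy added in this commit matches only `^enp.*`, so the `end*`/`eth*` devices admitted here never carry L2 announcements — two diverging patterns with no explanation invites drift, so document or align them.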