migrate

2025-12-02 17:36:53 -06:00
parent 076a9e6bc8
commit cc2f89f9fc
27 changed files with 236 additions and 11 deletions
--- a/clusters/cl01tl/helm/cilium/Chart.lock
+++ b/clusters/cl01tl/helm/cilium/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cilium
+  repository: https://helm.cilium.io/
+  version: 1.18.4
+digest: sha256:e38eb92ee87c9a52b0f45a2451142ade02bac7d484b246d32379eacce3800bc8
+generated: "2025-12-02T17:17:49.043599-06:00"
--- a/clusters/cl01tl/helm/cilium/Chart.yaml
+++ b/clusters/cl01tl/helm/cilium/Chart.yaml
@@ -0,0 +1,21 @@
+apiVersion: v2
+name: cilium
+version: 1.0.0
+description: Cilium
+keywords:
+  - cilium
+  - cni
+  - network
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/9e6f5b17-e186-4af0-81cd-af647b162d3d
+sources:
+  - https://github.com/cilium/cilium
+  - https://github.com/cilium/charts
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: cilium
+    version: 1.18.4
+    repository: https://helm.cilium.io/
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/cilium.png
+appVersion: 1.17.3
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-advertisement.yaml
@@ -0,0 +1,19 @@
+# apiVersion: cilium.io/v2alpha1
+# kind: CiliumBGPAdvertisement
+# metadata:
+#   name: cilium-bgp-advertisements
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp-advertisements
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   advertisements:
+#     - advertisementType: "Service"
+#       service:
+#         addresses:
+#           - ExternalIP
+#           - LoadBalancerIP
+#       selector:
+#         matchExpressions:
+#          - {key: somekey, operator: NotIn, values: ['never-used-value']}
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-cluster-config.yaml
@@ -0,0 +1,22 @@
+# apiVersion: cilium.io/v2alpha1
+# kind: CiliumBGPClusterConfig
+# metadata:
+#   name: cilium-bgp
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-bgp
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   nodeSelector:
+#     matchLabels:
+#       node-role.kubernetes.io/bgp: "65020"
+#   bgpInstances:
+#     - name: "65020"
+#       localASN: 65020
+#       peers:
+#         - name: "udm-65000"
+#           peerASN: 65000
+#           peerAddress: 192.168.1.1
+#           peerConfigRef:
+#             name: "cilium-peer"
--- a/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-bgp-peer-config.yaml
@@ -0,0 +1,23 @@
+# apiVersion: cilium.io/v2alpha1
+# kind: CiliumBGPPeerConfig
+# metadata:
+#   name: cilium-peer
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: cilium-peer
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+#   timers:
+#     holdTimeSeconds: 9
+#     keepAliveTimeSeconds: 3
+#   ebgpMultihop: 4
+#   gracefulRestart:
+#     enabled: true
+#     restartTimeSeconds: 15
+#   families:
+#     - afi: ipv4
+#       safi: unicast
+#       advertisements:
+#         matchLabels:
+#           app.kubernetes.io/name: cilium-bgp-advertisements
--- a/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/cilium-load-balancer-ip-pool.yaml
@@ -0,0 +1,31 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: default-ip-pool
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: default-ip-pool
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  blocks:
+    - start: "10.232.1.21"
+      stop: "10.232.1.23"
+    - start: "10.232.2.21"
+      stop: "10.232.2.23"
+
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: bgp-ip-pool
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: bgp-ip-pool
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  blocks:
+    - start: "10.232.2.100"
+      stop: "10.232.2.200"
+  disabled: true
--- a/clusters/cl01tl/helm/cilium/templates/gateway.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/gateway.yaml
@@ -0,0 +1,35 @@
+# apiVersion: gateway.networking.k8s.io/v1
+# kind: Gateway
+# metadata:
+#   name: tls-gateway
+#   namespace: {{ .Release.Namespace }}
+#   labels:
+#     app.kubernetes.io/name: tls-gateway
+#     app.kubernetes.io/instance: {{ .Release.Name }}
+#     app.kubernetes.io/part-of: {{ .Release.Name }}
+#   annotations:
+#     cert-manager.io/cluster-issuer: letsencrypt-issuer
+# spec:
+#   gatewayClassName: cilium
+#   listeners:
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: '*.alexlebens.net'
+#       name: http
+#       port: 80
+#       protocol: HTTP
+#     - allowedRoutes:
+#         namespaces:
+#           from: All
+#       hostname: '*.alexlebens.net'
+#       name: https
+#       port: 443
+#       protocol: HTTPS
+#       tls:
+#         certificateRefs:
+#           - group: ''
+#             kind: Secret
+#             name: https-gateway-cert
+#             namespace: kube-system
+#         mode: Terminate
--- a/clusters/cl01tl/helm/cilium/templates/http-route.yaml
+++ b/clusters/cl01tl/helm/cilium/templates/http-route.yaml
@@ -0,0 +1,28 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-route-hubble
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: http-route-hubble
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - hubble.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: hubble-ui
+          port: 80
+          weight: 100
--- a/clusters/cl01tl/helm/cilium/values.yaml
+++ b/clusters/cl01tl/helm/cilium/values.yaml
@@ -0,0 +1,103 @@
+cilium:
+  k8sServiceHost: "localhost"
+  k8sServicePort: "7445"
+  k8sClientRateLimit:
+    qps: 50
+    burst: 100
+  rollOutCiliumPods: true
+  securityContext:
+    capabilities:
+      ciliumAgent:
+        - CHOWN
+        - KILL
+        - NET_ADMIN
+        - NET_RAW
+        - IPC_LOCK
+        - SYS_ADMIN
+        - SYS_RESOURCE
+        - DAC_OVERRIDE
+        - FOWNER
+        - SETGID
+        - SETUID
+        - PERFMON
+        - BPF
+      cleanCiliumState:
+        - NET_ADMIN
+        - SYS_ADMIN
+        - SYS_RESOURCE
+  l2announcements:
+    enabled: false
+  bgpControlPlane:
+    enabled: false
+    secretsNamespace:
+      name: kube-system
+    statusReport:
+      enabled: true
+    routerIDAllocation:
+      mode: "default"
+  devices: end0 enp6s0
+  enableK8sEndpointSlice: true
+  ciliumEndpointSlice:
+    enabled: true
+  ingressController:
+    enabled: false
+  gatewayAPI:
+    enabled: true
+    enableAlpn: true
+    enableAppProtocol: true
+  externalIPs:
+    enabled: true
+  socketLB:
+    enabled: true
+    hostNamespaceOnly: true
+  hubble:
+    enabled: true
+    metrics:
+      serviceMonitor:
+        enabled: true
+    relay:
+      enabled: true
+      metrics:
+        serviceMonitor:
+          enabled: true
+    ui:
+      enabled: true
+      ingress:
+        enabled: false
+  ipam:
+    mode: "kubernetes"
+  ipv4:
+    enabled: true
+  ipv6:
+    enabled: false
+  kubeProxyReplacement: true
+  l7Proxy: true
+  prometheus:
+    enabled: true
+    serviceMonitor:
+      enabled: true
+  envoy:
+    enabled: true
+    securityContext:
+      capabilities:
+        keepCapNetBindService: true
+        envoy:
+          - NET_ADMIN
+          - NET_BIND_SERVICE
+          - PERFMON
+          - BPF
+    prometheus:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  operator:
+    enabled: true
+    rollOutPods: true
+    prometheus:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+  cgroup:
+    autoMount:
+      enabled: false
+    hostRoot: /sys/fs/cgroup