chore(cilium): Move Cilium configuration to kustomize-bases

2025-12-14 13:57:30 +01:00 · 2025-12-14 13:57:30 +01:00 · 471e15389e
commit 471e15389e
parent 1420189990
12 changed files with 75 additions and 110 deletions
--- a/k8s-peterg/cilium/gateways.yaml
+++ b/k8s-peterg/cilium/gateways.yaml
@ -26,30 +26,3 @@ spec:
        certificateRefs:
          - kind: Secret
            name: tls-wildcard-peterg-nl
---
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
-  name: internal
-spec:
-  gatewayClassName: cilium
-  addresses:
-    - type: IPAddress
-      value: 10.167.84.11
-  listeners:
-    - allowedRoutes:
-        namespaces:
-          from: All
-      name: http
-      port: 80
-      protocol: HTTP
-    - allowedRoutes:
-        namespaces:
-          from: All
-      name: https
-      port: 443
-      protocol: HTTPS
-      tls:
-        certificateRefs:
-          - kind: Secret
-            name: tls-wildcard-peterg-nl
--- a/k8s-peterg/cilium/httproute.yaml
+++ b/k8s-peterg/cilium/httproute.yaml
@ -1,22 +1,6 @@
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
-metadata:
-  name: http-filter-redirect
-spec:
-  parentRefs:
-    - name: public
-      sectionName: http
-    - name: internal
-      sectionName: http
-  rules:
-    - filters:
-        - type: RequestRedirect
-          requestRedirect:
-            scheme: https
---
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
 metadata:
  name: hubble-route
  namespace: kube-system
--- a/k8s-peterg/cilium/ip-pool.yaml
+++ b/k8s-peterg/cilium/ip-pool.yaml
@ -14,10 +14,3 @@ metadata:
 spec:
  blocks:
    - cidr: "10.7.65.250/32"
---
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumL2AnnouncementPolicy
-metadata:
-  name: l2adv
-spec:
-  loadBalancerIPs: true
--- a/k8s-peterg/cilium/kustomization.yaml
+++ b/k8s-peterg/cilium/kustomization.yaml
@ -4,14 +4,19 @@ kind: Kustomization
 namespace: kube-system

 resources:
+  - ../../kustomize-bases/cilium
  - ip-pool.yaml
  - gateways.yaml
  - httproute.yaml

-helmCharts:
-  - name: cilium
-    repo: https://helm.cilium.io
-    namespace: kube-system
-    releaseName: cilium
-    version: 1.18.3
-    valuesFile: values.yaml
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/addresses/0/value
+        value: 10.167.84.11 
+      - op: replace
+        path: /spec/listeners/1/tls/certificateRefs/0/name
+        value: tls-wildcard-peterg-nl
+    target:
+      kind: Gateway
+      name: internal
--- a/k8s-wheatley/cilium/ip-pool.yaml
+++ b/k8s-wheatley/cilium/ip-pool.yaml
@ -6,10 +6,3 @@ metadata:
 spec:
  blocks:
    - cidr: "10.13.37.30/32"
---
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumL2AnnouncementPolicy
-metadata:
-  name: l2adv
-spec:
-  loadBalancerIPs: true
--- a/k8s-wheatley/cilium/kustomization.yaml
+++ b/k8s-wheatley/cilium/kustomization.yaml
@ -4,14 +4,19 @@ kind: Kustomization
 namespace: kube-system

 resources:
+  - ../../kustomize-bases/cilium
  - ip-pool.yaml
  - gateways.yaml
  - httproute.yaml

-helmCharts:
-  - name: cilium
-    repo: https://helm.cilium.io
-    namespace: kube-system
-    releaseName: cilium
-    version: 1.18.3
-    valuesFile: values.yaml
+patches:
+  - patch: |-
+      - op: replace
+        path: /spec/addresses/0/value
+        value: 10.13.37.30 
+      - op: replace
+        path: /spec/listeners/1/tls/certificateRefs/0/name
+        value: tls-wildcard-wheatley-in
+    target:
+      kind: Gateway
+      name: internal
--- a/k8s-wheatley/cilium/values.yaml
+++ b/k8s-wheatley/cilium/values.yaml
@ -1,38 +0,0 @@
-k8sServiceHost: localhost
-k8sServicePort: 7445
-kubeProxyReplacement: true
-
-cgroup:
-  hostRoot: /sys/fs/cgroup
-  autoMount:
-    enabled: false
-
-securityContext:
-  capabilities:
-    ciliumAgent:
-      - CHOWN
-      - KILL
-      - NET_ADMIN
-      - NET_RAW
-      - IPC_LOCK
-      - SYS_ADMIN
-      - SYS_RESOURCE
-      - DAC_OVERRIDE
-      - FOWNER
-      - SETGID
-      - SETUID
-    cleanCiliumState:
-      - NET_ADMIN
-      - SYS_ADMIN
-      - SYS_RESOURCE
-
-hubble:
-  relay:
-    enabled: true
-  ui:
-    enabled: true
-
-gatewayAPI:
-  enabled: true
-  enableAlpn: true
-  enableAppProtocol: true
--- a/kustomize-bases/cilium/gateways.yaml
+++ b/kustomize-bases/cilium/gateways.yaml
@ -7,7 +7,7 @@ spec:
  gatewayClassName: cilium
  addresses:
    - type: IPAddress
-      value: 10.13.37.30
+      value: placeholder
  listeners:
    - allowedRoutes:
        namespaces:
@ -15,3 +15,13 @@ spec:
      name: http
      port: 80
      protocol: HTTP
+    - allowedRoutes:
+        namespaces:
+          from: All
+      name: https
+      port: 443
+      protocol: HTTPS
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: placeholder
--- a/kustomize-bases/cilium/httproute.yaml
+++ b/kustomize-bases/cilium/httproute.yaml
@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-filter-redirect
+spec:
+  parentRefs:
+    - name: public
+      sectionName: http
+    - name: internal
+      sectionName: http
+  rules:
+    - filters:
+        - type: RequestRedirect
+          requestRedirect:
+            scheme: https
--- a/kustomize-bases/cilium/kustomization.yaml
+++ b/kustomize-bases/cilium/kustomization.yaml
@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+
+resources:
+  - l2-advertisement.yaml
+  - gateways.yaml
+  - httproute.yaml
+
+helmCharts:
+  - name: cilium
+    repo: https://helm.cilium.io
+    namespace: kube-system
+    releaseName: cilium
+    version: 1.18.3
+    valuesFile: values.yaml
--- a/kustomize-bases/cilium/l2-advertisement.yaml
+++ b/kustomize-bases/cilium/l2-advertisement.yaml
@ -0,0 +1,7 @@
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumL2AnnouncementPolicy
+metadata:
+  name: l2adv
+spec:
+  loadBalancerIPs: true
--- a/kustomize-bases/cilium/values.yaml
+++ b/kustomize-bases/cilium/values.yaml