From 471e15389e461e4894996c56edc952f25c39c4c6 Mon Sep 17 00:00:00 2001
From: pgijsbertsen <117165507+pgijsbertsen@users.noreply.github.com>
Date: Sun, 14 Dec 2025 13:57:30 +0100
Subject: [PATCH] chore(cilium): Move Cilium configuration to kustomize-bases
---
 k8s-peterg/cilium/gateways.yaml | 27 -------------
 k8s-peterg/cilium/httproute.yaml | 16 --------
 k8s-peterg/cilium/ip-pool.yaml | 7 ----
 k8s-peterg/cilium/kustomization.yaml | 19 ++++++----
 k8s-wheatley/cilium/ip-pool.yaml | 7 ----
 k8s-wheatley/cilium/kustomization.yaml | 19 ++++++----
 k8s-wheatley/cilium/values.yaml | 38 -------------------
 .../cilium/gateways.yaml | 12 +++++-
 kustomize-bases/cilium/httproute.yaml | 16 ++++++++
 kustomize-bases/cilium/kustomization.yaml | 17 +++++++++
 kustomize-bases/cilium/l2-advertisement.yaml | 7 ++++
 .../cilium/values.yaml | 0
 12 files changed, 75 insertions(+), 110 deletions(-)
 delete mode 100644 k8s-wheatley/cilium/values.yaml
 rename {k8s-wheatley => kustomize-bases}/cilium/gateways.yaml (54%)
 create mode 100644 kustomize-bases/cilium/httproute.yaml
 create mode 100644 kustomize-bases/cilium/kustomization.yaml
 create mode 100644 kustomize-bases/cilium/l2-advertisement.yaml
 rename {k8s-peterg => kustomize-bases}/cilium/values.yaml (100%)
diff --git a/k8s-peterg/cilium/gateways.yaml b/k8s-peterg/cilium/gateways.yaml
index 72e55a8..c70b37f 100644
--- a/k8s-peterg/cilium/gateways.yaml
+++ b/k8s-peterg/cilium/gateways.yaml
@@ -26,30 +26,3 @@ spec:
 certificateRefs:
 - kind: Secret
 name: tls-wildcard-peterg-nl
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: Gateway
-metadata:
- name: internal
-spec:
- gatewayClassName: cilium
- addresses:
- - type: IPAddress
- value: 10.167.84.11
- listeners:
- - allowedRoutes:
- namespaces:
- from: All
- name: http
- port: 80
- protocol: HTTP
- - allowedRoutes:
- namespaces:
- from: All
- name: https
- port: 443
- protocol: HTTPS
- tls:
- certificateRefs:
- - kind: Secret
- name: tls-wildcard-peterg-nl
diff --git a/k8s-peterg/cilium/httproute.yaml b/k8s-peterg/cilium/httproute.yaml
index 6795784..8268f95 100644
--- a/k8s-peterg/cilium/httproute.yaml
+++ b/k8s-peterg/cilium/httproute.yaml
@@ -1,22 +1,6 @@
 ---
 apiVersion: gateway.networking.k8s.io/v1
 kind: HTTPRoute
-metadata:
- name: http-filter-redirect
-spec:
- parentRefs:
- - name: public
- sectionName: http
- - name: internal
- sectionName: http
- rules:
- - filters:
- - type: RequestRedirect
- requestRedirect:
- scheme: https
----
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
 metadata:
 name: hubble-route
 namespace: kube-system
diff --git a/k8s-peterg/cilium/ip-pool.yaml b/k8s-peterg/cilium/ip-pool.yaml
index ddc5a85..5c05ee6 100644
--- a/k8s-peterg/cilium/ip-pool.yaml
+++ b/k8s-peterg/cilium/ip-pool.yaml
@@ -14,10 +14,3 @@ metadata:
 spec:
 blocks:
 - cidr: "10.7.65.250/32"
----
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumL2AnnouncementPolicy
-metadata:
- name: l2adv
-spec:
- loadBalancerIPs: true
diff --git a/k8s-peterg/cilium/kustomization.yaml b/k8s-peterg/cilium/kustomization.yaml
index 3328e07..b923a34 100644
--- a/k8s-peterg/cilium/kustomization.yaml
+++ b/k8s-peterg/cilium/kustomization.yaml
@@ -4,14 +4,19 @@ kind: Kustomization
 namespace: kube-system
 resources:
+ - ../../kustomize-bases/cilium
 - ip-pool.yaml
 - gateways.yaml
 - httproute.yaml
-helmCharts:
- - name: cilium
- repo: https://helm.cilium.io
- namespace: kube-system
- releaseName: cilium
- version: 1.18.3
- valuesFile: values.yaml
+patches: - patch: |- - op: replace path: /spec/addresses/0/value value: 10.167.84.11 - op: replace path: /spec/listeners/1/tls/certificateRefs/0/name value: tls-wildcard-peterg-nl target: kind: Gateway name: internal
diff --git a/k8s-wheatley/cilium/ip-pool.yaml b/k8s-wheatley/cilium/ip-pool.yaml
index daad5b9..0def4b7 100644
--- a/k8s-wheatley/cilium/ip-pool.yaml
+++ b/k8s-wheatley/cilium/ip-pool.yaml
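Review bot: The inline JSON patch at the end of the k8s-peterg/cilium/kustomization.yaml hunk addresses the base Gateway by position (`/spec/addresses/0/value`, `/spec/listeners/1/tls/certificateRefs/0/name`), so adding or reordering a listener in kustomize-bases/cilium/gateways.yaml would silently rewrite the wrong listener instead of failing the build; k8s-wheatley/cilium/kustomization.yaml carries the identical patch. A comment above the patch would at least make that coupling visible, e.g. `# index 1 is the https listener of the base Gateway "internal"; keep in sync with kustomize-bases/cilium/gateways.yaml`. Since `op: replace` requires the path to exist, the `placeholder` entries in the base are what make these ops valid, which is worth stating in the same comment.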
@@ -6,10 +6,3 @@ metadata:
 spec:
 blocks:
 - cidr: "10.13.37.30/32"
----
-apiVersion: "cilium.io/v2alpha1"
-kind: CiliumL2AnnouncementPolicy
-metadata:
- name: l2adv
-spec:
- loadBalancerIPs: true
diff --git a/k8s-wheatley/cilium/kustomization.yaml b/k8s-wheatley/cilium/kustomization.yaml
index 3328e07..7ca2e92 100644
--- a/k8s-wheatley/cilium/kustomization.yaml
+++ b/k8s-wheatley/cilium/kustomization.yaml
@@ -4,14 +4,19 @@ kind: Kustomization
 namespace: kube-system
 resources:
+ - ../../kustomize-bases/cilium
 - ip-pool.yaml
 - gateways.yaml
 - httproute.yaml
-helmCharts:
- - name: cilium
- repo: https://helm.cilium.io
- namespace: kube-system
- releaseName: cilium
- version: 1.18.3
- valuesFile: values.yaml
+patches: - patch: |- - op: replace path: /spec/addresses/0/value value: 10.13.37.30 - op: replace path: /spec/listeners/1/tls/certificateRefs/0/name value: tls-wildcard-wheatley-in target: kind: Gateway name: internal
diff --git a/k8s-wheatley/cilium/values.yaml b/k8s-wheatley/cilium/values.yaml
deleted file mode 100644
index f84e56e..0000000
--- a/k8s-wheatley/cilium/values.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-k8sServiceHost: localhost
-k8sServicePort: 7445
-kubeProxyReplacement: true
-
-cgroup:
- hostRoot: /sys/fs/cgroup
- autoMount:
- enabled: false
-
-securityContext:
- capabilities:
- ciliumAgent:
- - CHOWN
- - KILL
- - NET_ADMIN
- - NET_RAW
- - IPC_LOCK
- - SYS_ADMIN
- - SYS_RESOURCE
- - DAC_OVERRIDE
- - FOWNER
- - SETGID
- - SETUID
- cleanCiliumState:
- - NET_ADMIN
- - SYS_ADMIN
- - SYS_RESOURCE
-
-hubble:
- relay:
- enabled: true
- ui:
- enabled: true
-
-gatewayAPI:
- enabled: true
- enableAlpn: true
- enableAppProtocol: true
diff --git a/k8s-wheatley/cilium/gateways.yaml b/kustomize-bases/cilium/gateways.yaml
similarity index 54%
rename from k8s-wheatley/cilium/gateways.yaml
rename to kustomize-bases/cilium/gateways.yaml
index 785bfc3..1128be1 100644
--- a/k8s-wheatley/cilium/gateways.yaml
+++ b/kustomize-bases/cilium/gateways.yaml
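Review bot: The `resources` list in the k8s-wheatley/cilium/kustomization.yaml hunk still names `gateways.yaml`, but the diffstat records k8s-wheatley/cilium/gateways.yaml as renamed to kustomize-bases/cilium/gateways.yaml with no replacement created, so `kustomize build` of that overlay should fail on a missing file unless a new overlay gateways.yaml exists outside this diff. Either drop the entry or add a file holding what the base does not define (a `public` Gateway, which the base redirect route references). Two related things the diffstat alone cannot settle: k8s-wheatley/cilium/httproute.yaml is untouched, so if it still carries the `http-filter-redirect` HTTPRoute now in the base, kustomize will reject the duplicate resource id; and the deleted k8s-wheatley/cilium/values.yaml is replaced by the base values.yaml renamed from k8s-peterg, which this diff does not show to be identical, so any cluster-specific value such as `k8sServiceHost`/`k8sServicePort` or the agent capability list would change silently for wheatley.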
@@ -7,7 +7,7 @@ spec:
 gatewayClassName: cilium
 addresses:
 - type: IPAddress
- value: 10.13.37.30
+ value: placeholder
 listeners:
 - allowedRoutes:
 namespaces:
@@ -15,3 +15,13 @@ spec:
 name: http
 port: 80
 protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - kind: Secret
+ name: placeholder
diff --git a/kustomize-bases/cilium/httproute.yaml b/kustomize-bases/cilium/httproute.yaml
new file mode 100644
index 0000000..a6efb80
--- /dev/null
+++ b/kustomize-bases/cilium/httproute.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: http-filter-redirect
+spec:
+ parentRefs:
+ - name: public
+ sectionName: http
+ - name: internal
+ sectionName: http
+ rules:
+ - filters:
+ - type: RequestRedirect
+ requestRedirect:
+ scheme: https
diff --git a/kustomize-bases/cilium/kustomization.yaml b/kustomize-bases/cilium/kustomization.yaml
new file mode 100644
index 0000000..274f760
--- /dev/null
+++ b/kustomize-bases/cilium/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+
+resources:
+ - l2-advertisement.yaml
+ - gateways.yaml
+ - httproute.yaml
+
+helmCharts:
+ - name: cilium
+ repo: https://helm.cilium.io
+ namespace: kube-system
+ releaseName: cilium
+ version: 1.18.3
+ valuesFile: values.yaml
diff --git a/kustomize-bases/cilium/l2-advertisement.yaml b/kustomize-bases/cilium/l2-advertisement.yaml
new file mode 100644
index 0000000..0f08ccc
--- /dev/null
+++ b/kustomize-bases/cilium/l2-advertisement.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ name: l2adv
+spec:
+ loadBalancerIPs: true
diff --git a/k8s-peterg/cilium/values.yaml b/kustomize-bases/cilium/values.yaml
similarity index 100%
rename from k8s-peterg/cilium/values.yaml
rename to kustomize-bases/cilium/values.yaml
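Review bot: The base Gateway in kustomize-bases/cilium/gateways.yaml now ships `value: placeholder` for an `IPAddress` and `name: placeholder` for the TLS Secret, so an overlay that includes the base without both JSON patch ops renders an unusable address and a reference to a Secret that does not exist, and nothing fails at build time. A comment above each placeholder would make the contract explicit, e.g. `# overlays must replace this via a JSON patch (see k8s-peterg/cilium/kustomization.yaml)`. Separately, the new https listener in the second hunk copies `allowedRoutes.namespaces.from: All` from the http listener, which lets any namespace attach routes to the TLS-terminating listener; if only selected namespaces should, narrow it with `from: Same` or a `selector`. The Gateway's metadata lies before the first hunk and is not visible here.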
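Review bot: The redirect route in kustomize-bases/cilium/httproute.yaml lists both `public` and `internal` as `parentRefs`, but as far as this diff shows the base defines only the `internal` Gateway; in an overlay without a `public` Gateway the route still attaches to `internal`, while its status carries an unresolved-parent condition that reads as a misconfiguration. A comment recording the expectation would help, e.g. `# overlays are expected to define a Gateway named "public" next to the base "internal"`. If not every cluster is meant to have a public Gateway, the `public` parentRef belongs in the overlays instead.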
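Review bot: Nothing in the new kustomize-bases/cilium/kustomization.yaml tells a reader that the base is not deployable on its own: `gateways.yaml` carries placeholders an overlay must patch, and the IP pools stay in the overlays per the diffstat. A header comment naming that obligation would suffice, e.g. `# Not standalone: overlays must patch the Gateway "internal" address and TLS secret name and add their own ip-pool`. Pinning the chart at `version: 1.18.3` is good; the shared `valuesFile: values.yaml` is the file renamed from k8s-peterg, so its settings now apply to every cluster that includes this base.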
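Review bot: The CiliumL2AnnouncementPolicy in the new kustomize-bases/cilium/l2-advertisement.yaml sets only `loadBalancerIPs: true` with no `nodeSelector`, `serviceSelector` or `interfaces`, so as a shared base it announces every LoadBalancer IP from every node on every cluster that includes it; if a narrower scope is intended anywhere, the selector should live in that overlay. A one-line comment would save the next reader the question, e.g. `# intentionally unrestricted: announce every LoadBalancer IP from every node`.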