wip: more or less working argo and cilium helmfile setup

values/cilium/cilium-manifests/cilium-test/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,22 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cilium-test
+spec:
+  egress:
+    - toEndpoints:
+        - {}
+    - toEntities:
+        - cluster
+    - toEntities:
+        - remote-node
+    - toEntities:
+        - world
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - cluster
+    - fromEntities:
+        - world

values/cilium/cilium-manifests/cilium.yaml

@@ -0,0 +1,57 @@
+{{- if .Values.clusterConfig.argo.enabled }}
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cilium
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+spec:
+  destination:
+    namespace: kube-system
+    server: 'https://kubernetes.default.svc'
+  sources:
+  - repoURL: {{ .Values.clusterConfig.manifests }}
+    targetRevision: HEAD
+    path: helmfiles/cilium
+    plugin:
+      name: helmfile
+      env:
+        - name: CLUSTER_NAME
+          value: {{ .Values.clusterConfig.cluster }}
+  project: sys
+  syncPolicy:
+    syncOptions:
+    - ServerSideApply=true
+    {{- if .Values.cilium.autosync }}
+    automated:
+      prune: true
+      # selfHeal: false
+    {{- end }}
+  ignoreDifferences:
+    - group: apps
+      jqPathExpressions:
+        - .spec.volumeClaimTemplates
+      kind: StatefulSet
+      name: spire-server
+    - group: monitoring.coreos.com
+      jqPathExpressions:
+        - .spec.endpoints[]?.relabelings[]?.action
+      kind: ServiceMonitor
+    - group: ''
+      jsonPointers:
+        - /data/ca.crt
+      kind: ConfigMap
+      name: hubble-ca-cert
+    - group: ''
+      jsonPointers:
+        - /data/ca.crt
+        - /data/ca.key
+      kind: Secret
+      name: cilium-ca
+    - group: ''
+      jqPathExpressions:
+        - .spec.ports[]?.nodePort
+      kind: Service
+      name: cilium-ingress
+{{- end }}

values/cilium/cilium-manifests/loadbalancer.yaml

@@ -0,0 +1,23 @@
+{{if .Values.cilium.loadbalancerPool.enabled }}
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "loadbalancer"
+spec:
+  blocks:
+  {{- range .Values.cilium.loadbalancerPool.cidr }}
+  - cidr: {{ . }}
+  {{- end }}
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumL2AnnouncementPolicy
+metadata:
+  name: policy
+spec:
+  nodeSelector:
+    matchExpressions:
+      - key: node-role.kubernetes.io/control-plane
+        operator: DoesNotExist
+  externalIPs: true
+  loadBalancerIPs: true
+{{- end}}

values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-acme-solvers.yaml

@@ -0,0 +1,13 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-acme-solvers
+spec:
+  description: Policy for ingress for Acme Solvers.
+  endpointSelector:
+    matchLabels:
+      acme.cert-manager.io/http01-solver: "true"
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress-nginx

values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-dns.yaml

@@ -0,0 +1,24 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-dns
+spec:
+  description: 'description: Allow only dns traffic by default. Also acts as a deny-all policy'
+  egress:
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+              protocol: UDP
+        - rules:
+            dns:
+              - matchPattern: '*'
+  endpointSelector:
+    matchExpressions:
+      - key: io.kubernetes.pod.namespace
+        operator: NotIn
+        values:
+          - kube-system

values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-mariadb-operator.yaml

@@ -0,0 +1,18 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-mariadb-operator
+spec:
+  description: allow mariadb instances to be reached by operator
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: mariadb
+  ingress:
+    - fromEndpoints:
+        - matchLabels:
+            app.kubernetes.io/name: mariadb-operator
+            io.kubernetes.pod.namespace: mariadb-operator
+      toPorts:
+        - ports:
+            - port: "3306"
+              protocol: TCP

values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-allow-s3.yaml

@@ -0,0 +1,20 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: allow-s3-traffic
+spec:
+  description: Policy for egress for CNPG Backups.
+  egress:
+    - toFQDNs:
+      {{- range .Values.clusterConfig.s3.hosts }}
+        - matchName: {{ . | quote }}
+      {{- end }}
+      {{- range .Values.clusterConfig.s3.patterns }}
+        - matchPattern: {{ . | quote }}
+      {{- end }}
+    - toCIDR:
+      {{- range .Values.clusterConfig.s3.cidr }}
+        - {{ . | quote }}
+      {{- end }}
+  endpointSelector:
+    matchLabels: {}

values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-cilium-health-checks.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: cilium-health-checks
+spec:
+  description: Health checks
+  egress:
+    - toEntities:
+        - remote-node
+  endpointSelector:
+    matchLabels:
+      reserved:health: ""
+  ingress:
+    - fromEntities:
+        - remote-node

values/cilium/cilium-manifests/policies/CiliumClusterwideNetworkPolicy-deny-all.yaml

@@ -0,0 +1,9 @@
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+  name: deny-all
+spec:
+  description: Deny all
+  egress: []
+  endpointSelector: {}
+  ingress: []

values/cilium/spire-manifests/CiliumNetworkPolicy-allow-api-server.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-api-server
+  namespace: cilium-spire
+spec:
+  egress:
+    - toEntities:
+        - kube-apiserver
+      toPorts:
+        - ports:
+            - port: "6443"
+              protocol: TCP
+  endpointSelector:
+    matchLabels: {}

values/cilium/spire-manifests/CiliumNetworkPolicy-allow-remote-node-to-server.yaml

@@ -0,0 +1,15 @@
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: allow-remote-node-to-server
+  namespace: cilium-spire
+spec:
+  endpointSelector:
+    matchLabels: {}
+  ingress:
+    - fromEntities:
+        - remote-node
+      toPorts:
+        - ports:
+            - port: "8081"
+              protocol: TCP

values/cilium/values-oceanbox.yaml.gotmpl

@@ -0,0 +1,15 @@
+cilium:
+  enabled: true
+  nodePort:
+    enable: true
+  l2announcement:
+    enable: true
+  loadbalancerPool:
+    enabled: true
+    cidr:
+     - 10.255.241.11/32
+     - 10.255.241.12/32
+     - 10.255.241.13/32
+     - 10.255.241.14/32
+     - 10.255.241.15/32
+

values/cilium/values.yaml.gotmpl

@@ -0,0 +1,32 @@
+cilium:
+  enabled: false
+  autosync: true
+  spire:
+    enabled: false
+  envoy:
+    enabled: false
+  hubble:
+    ui: true
+    enabled: false
+  encryption:
+    enabled: true
+    type: wireguard
+  kubeProxyReplacement: true
+  l2announcement:
+    enabled: false
+  nodePort:
+    enabled: false
+  gatewayAPI:
+    enabled: false
+  ingressController:
+    enabled: false
+    defaultClass: false
+    loadbalancerMode: shared
+  policyAuditMode: false
+  upgradeCompatability: 1.15
+  k8sServiceHost: localhost
+  k8sServicePort: 7445
+  loadbalancerPool:
+    enabled: false
+    cidr: []
+