feat(cilium): Enable gateway

values/cilium/cilium-manifests/gateway.yaml

@@ -0,0 +1,45 @@
+{{- if .Values.cilium.gatewayTest.enabled }}
+# TODO: Move to ListernerSets when those get Promoted to GA
+# Resources:
+# - https://gateway-api.sigs.k8s.io/geps/gep-1713/
+# - https://github.com/kubernetes-sigs/gateway-api/issues/1713
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: shared-gateway
+  namespace: kube-system
+spec:
+  gatewayClassName: cilium
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              shared-gateway-access: "true"
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: wildcard-oceanbox-io
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              shared-gateway-access: "true"
+    - name: ssh
+      protocol: TCP
+      port: 22
+      allowedRoutes:
+        namespaces:
+          from: Selector
+          selector:
+            matchLabels:
+              shared-gateway-access: "true"
+{{- end}}

values/cilium/cilium-manifests/hetzner-gateway.yaml

@@ -0,0 +1,29 @@
+{{- if eq .Values.dapr.cluster "hel1" }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: shared-gateway
+spec:
+  infrastructure:
+    annotations:
+      load-balancer.hetzner.cloud/location: hel1
+      load-balancer.hetzner.cloud/type: lb11
+      load-balancer.hetzner.cloud/name: load-balancer-2
+      load-balancer.hetzner.cloud/use-private-ip: "true"
+      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
+      load-balancer.hetzner.cloud/http-redirect-https: "false"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-oceanbox-io
+spec:
+  secretName: wildcard-oceanbox-io
+  commonName: oceanbox.io
+  dnsNames:
+    - oceanbox.io
+    - "*.oceanbox.io"
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+{{- end }}

values/cilium/env.yaml.gotmpl

@@ -32,3 +32,4 @@ cilium:
   loadbalancerPool:
     enabled: false
     cidr: []
+  cluster: {{ requiredEnv "ARGOCD_ENV_CLUSTER_NAME" }}

values/gitea/manifests/gateway-routes.yaml

@@ -0,0 +1,38 @@
+---
+# HTTP Route for Gitea web interface
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: gitea-http
+  namespace: gitea
+spec:
+  parentRefs:
+  - name: shared-gateway
+    namespace: kube-system
+  hostnames:
+  - {{ .Values.gitea.hostname }}
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: "/"
+    backendRefs:
+    - name: gitea-http
+      port: 3000
+
+---
+# TCP Route for Gitea SSH
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: TCPRoute
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  parentRefs:
+  - name: shared-gateway
+    namespace: kube-system
+    sectionName: ssh
+  rules:
+  - backendRefs:
+    - name: gitea-ssh
+      port: 22

values/gitea/manifests/gitea.yaml

@@ -30,6 +30,7 @@ spec:
     managedNamespaceMetadata:
       labels:
         component: sys
+        shared-gateway-access: "true"
     syncOptions:
       - CreateNamespace=true
       - ApplyOutOfSyncOnly=true