From ae01e69fc2f771e4e0086b1ffc9fecf81b6bf58a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Moritz=20J=C3=B6rg?= Date: Fri, 13 Mar 2026 16:05:15 +0100 Subject: [PATCH] wip: Gateway Setup --- charts/docs/templates/httproute.yaml | 46 +++++++ charts/docs/values.yaml | 7 +- charts/makai/templates/httproute.yaml | 46 +++++++ charts/makai/values.yaml | 7 +- helmfile.d/docs.yaml.gotmpl | 1 + helmfile.d/gitea.yaml.gotmpl | 1 + helmfile.d/makai.yaml.gotmpl | 1 + values/argo/manifests/argo.yaml | 1 + values/argo/manifests/httproute.yaml | 40 ++++++ values/argo/values/argocd.yaml.gotmpl | 11 +- values/cilium/cilium-manifests/gateway.yaml | 56 ++++++++- values/docs/manifests/docs.yaml | 3 + values/docs/manifests/gateway-routes.yaml | 1 + values/docs/values/values.yaml.gotmpl | 46 +++++++ values/drupal/manifests/ingress.yaml | 60 +++++---- values/env-hel1.yaml | 2 + values/env.yaml | 2 + values/fornix/manifests/fornix.yaml | 3 + values/fornix/manifests/gateway-routes.yaml | 38 ++++++ values/fornix/values/values.yaml | 2 +- values/gatus/manifests/gatus.yaml | 1 + values/gatus/manifests/ingress.yaml | 47 ++++++- values/gitea/manifests/gateway-routes.yaml | 25 ++++ values/gitea/values/values.yaml.gotmpl | 8 ++ values/makai/manifests/gateway-routes.yaml | 1 + values/makai/manifests/makai.yaml | 3 + values/makai/values/values.yaml.gotmpl | 46 +++++++ values/prometheus/manifests/httproutes.yaml | 118 ++++++++++++++++++ values/prometheus/manifests/prometheus.yaml | 1 + .../prometheus/values/prometheus.yaml.gotmpl | 12 ++ values/system/hel1/hubble-ui-ingress.yaml | 73 +++++------ values/system/hel1/kube-system-labels.yaml | 6 + 32 files changed, 638 insertions(+), 77 deletions(-) create mode 100644 charts/docs/templates/httproute.yaml create mode 100644 charts/makai/templates/httproute.yaml create mode 100644 values/argo/manifests/httproute.yaml create mode 100644 values/docs/manifests/gateway-routes.yaml create mode 100644 values/docs/values/values.yaml.gotmpl create mode 100644 values/fornix/manifests/gateway-routes.yaml create mode 100644 
values/gitea/values/values.yaml.gotmpl create mode 100644 values/makai/manifests/gateway-routes.yaml create mode 100644 values/makai/values/values.yaml.gotmpl create mode 100644 values/prometheus/manifests/httproutes.yaml create mode 100644 values/system/hel1/kube-system-labels.yaml
diff --git a/charts/docs/templates/httproute.yaml b/charts/docs/templates/httproute.yaml
new file mode 100644
index 00000000..026350f4
--- /dev/null
+++ b/charts/docs/templates/httproute.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.httpRoute.enabled -}}
+{{- $fullName := include "docs.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "docs.labels" . | nindent 4 }}
+spec:
+ parentRefs:
+ {{- toYaml .Values.httpRoute.parentRefs | nindent 4 }}
+ {{- with .Values.httpRoute.hostnames }}
+ hostnames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- range .Values.httpRoute.rules }}
+ - {{- with .matches }}
+ matches:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ backendRefs:
+ - name: {{ $fullName }}
+ port: {{ $svcPort }}
+ {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gateway-to-{{ $fullName }}
+ labels:
+ {{- include "docs.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "docs.selectorLabels" . | nindent 6 }}
+ ingress:
+ - fromCIDRSet:
+ {{- range .Values.clusterConfig.ingress_whitelist }}
+ - cidr: {{ . }}
+ {{- end }}
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/docs/values.yaml b/charts/docs/values.yaml
index 4767328d..95cf48f5 100644
--- a/charts/docs/values.yaml
+++ b/charts/docs/values.yaml
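Review bot: The CiliumNetworkPolicy in this template ranges over `.Values.clusterConfig.ingress_whitelist`, but the chart's values.yaml (next hunk) only gains the `httpRoute` keys, so rendering the chart with `httpRoute.enabled: true` and no `clusterConfig` supplied fails on a nil `clusterConfig`, and an empty whitelist renders `- fromCIDRSet:` with no entries — how Cilium treats an ingress rule whose only selector is empty is worth confirming, because if it is treated as "match all" the policy is fail-open. Add a chart default such as `clusterConfig:` / `  ingress_whitelist: []` to charts/docs/values.yaml, or guard the block with `{{- with .Values.clusterConfig.ingress_whitelist }}` so the policy is only emitted when there is something to allow. The same template is duplicated verbatim in charts/makai/templates/httproute.yaml on the next line and needs the identical fix.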
@@ -46,8 +46,13 @@ service:
 type: ClusterIP
 port: 8080
 ingress:
- enabled: true
+ enabled: false
 className: nginx
+httpRoute:
+ enabled: false
+ parentRefs: []
+ hostnames: []
+ rules: []
 persistence:
 enabled: false
 size: 1G
diff --git a/charts/makai/templates/httproute.yaml b/charts/makai/templates/httproute.yaml
new file mode 100644
index 00000000..a735acfc
--- /dev/null
+++ b/charts/makai/templates/httproute.yaml
@@ -0,0 +1,46 @@
+{{- if .Values.httpRoute.enabled -}}
+{{- $fullName := include "makai.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: {{ $fullName }}
+ labels:
+ {{- include "makai.labels" . | nindent 4 }}
+spec:
+ parentRefs:
+ {{- toYaml .Values.httpRoute.parentRefs | nindent 4 }}
+ {{- with .Values.httpRoute.hostnames }}
+ hostnames:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ rules:
+ {{- range .Values.httpRoute.rules }}
+ - {{- with .matches }}
+ matches:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ backendRefs:
+ - name: {{ $fullName }}
+ port: {{ $svcPort }}
+ {{- end }}
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gateway-to-{{ $fullName }}
+ labels:
+ {{- include "makai.labels" . | nindent 4 }}
+spec:
+ endpointSelector:
+ matchLabels:
+ {{- include "makai.selectorLabels" . | nindent 6 }}
+ ingress:
+ - fromCIDRSet:
+ {{- range .Values.clusterConfig.ingress_whitelist }}
+ - cidr: {{ . }}
+ {{- end }}
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": {{ .Release.Namespace }}
+{{- end }}
diff --git a/charts/makai/values.yaml b/charts/makai/values.yaml
index 898b8e2a..9c7a62e2 100644
--- a/charts/makai/values.yaml
+++ b/charts/makai/values.yaml
@@ -46,8 +46,13 @@ service:
 type: ClusterIP
 port: 8080
 ingress:
- enabled: true
+ enabled: false
 className: nginx
+httpRoute:
+ enabled: false
+ parentRefs: []
+ hostnames: []
+ rules: []
 persistence:
 enabled: false
 size: 1G
diff --git a/helmfile.d/docs.yaml.gotmpl b/helmfile.d/docs.yaml.gotmpl
index cee2bc9e..1da28f0f 100644
--- a/helmfile.d/docs.yaml.gotmpl
+++ b/helmfile.d/docs.yaml.gotmpl
@@ -11,6 +11,7 @@ releases:
 condition: docs.enabled
 values:
 - ../values/docs/values/values.yaml
+ - ../values/docs/values/values.yaml.gotmpl
 - ../values/docs/values/values-{{ .Environment.Name }}.yaml
 postRenderer: ../bin/kustomizer
 postRendererArgs:
diff --git a/helmfile.d/gitea.yaml.gotmpl b/helmfile.d/gitea.yaml.gotmpl
index fba0f5ab..eb02f0df 100644
--- a/helmfile.d/gitea.yaml.gotmpl
+++ b/helmfile.d/gitea.yaml.gotmpl
@@ -17,6 +17,7 @@ releases:
 condition: gitea.enabled
 values:
 - ../values/gitea/values/values.yaml
+ - ../values/gitea/values/values.yaml.gotmpl
 - ../values/gitea/values/values-{{ .Environment.Name }}.yaml
 postRenderer: ../bin/kustomizer
 postRendererArgs:
diff --git a/helmfile.d/makai.yaml.gotmpl b/helmfile.d/makai.yaml.gotmpl
index 948070d6..795c8035 100644
--- a/helmfile.d/makai.yaml.gotmpl
+++ b/helmfile.d/makai.yaml.gotmpl
@@ -11,6 +11,7 @@ releases:
 condition: makai.enabled
 values:
 - ../values/makai/values/values.yaml
+ - ../values/makai/values/values.yaml.gotmpl
 - ../values/makai/values/values-{{ .Environment.Name }}.yaml
 postRenderer: ../bin/kustomizer
 postRendererArgs:
diff --git a/values/argo/manifests/argo.yaml b/values/argo/manifests/argo.yaml
index eca380b6..7b152971 100644
--- a/values/argo/manifests/argo.yaml
+++ b/values/argo/manifests/argo.yaml
@@ -28,6 +28,7 @@ spec:
 managedNamespaceMetadata:
 labels:
 component: sys
+ shared-gateway-access: "true"
 syncOptions:
 - CreateNamespace=true
 - ApplyOutOfSyncOnly=true
diff --git a/values/argo/manifests/httproute.yaml b/values/argo/manifests/httproute.yaml
new file mode 100644
index 00000000..d0b3095e
--- /dev/null
+++ b/values/argo/manifests/httproute.yaml
@@ -0,0 +1,40 @@
+{{- if .Values.clusterConfig.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: argocd-server
+ namespace: argocd
+spec:
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-internal
+ hostnames:
+ - argocd.{{ .Values.clusterConfig.domain }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: argocd-server
+ port: 80
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gateway-to-argocd
+ namespace: argocd
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: argocd-server
+ ingress:
+ - fromCIDRSet:
+ {{- range .Values.clusterConfig.ingress_whitelist }}
+ - cidr: {{ . }}
+ {{- end }}
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": argocd
+{{- end }}
diff --git a/values/argo/values/argocd.yaml.gotmpl b/values/argo/values/argocd.yaml.gotmpl
index cc7d316e..0f9d0635 100644
--- a/values/argo/values/argocd.yaml.gotmpl
+++ b/values/argo/values/argocd.yaml.gotmpl
@@ -4,13 +4,16 @@ global:
 ## Ref: https://github.com/argoproj/argo-cd
 ##
 configs:
- {{- if .Values.argocd.anyNamespaces.enabled }}
 params:
+ {{- if .Values.clusterConfig.gatewayAPI.enabled }}
+ server.insecure: "true"
+ {{- end }}
+ {{- if .Values.argocd.anyNamespaces.enabled }}
 applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
 # TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
 applicationsetcontroller.enable.scm.providers: "false"
 application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
- {{- end }}
+ {{- end }}
 cm:
 application.resourceTrackingMethod: annotation+label
 application.instanceLabelKey: app.kubernetes.io/instance
@@ -238,6 +241,9 @@ server:
 serviceMonitor:
 enabled: true
 ingress:
+ {{- if .Values.clusterConfig.gatewayAPI.enabled }}
+ enabled: false
+ {{- else }}
 enabled: true
 ingressClassName: nginx
 annotations:
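Review bot: `allow-gateway-to-argocd` admits far more than the gateway: its `fromCIDRSet` ranges over `clusterConfig.ingress_whitelist` (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, …), which very likely contains the cluster's own pod and node ranges, so every workload in those ranges can reach argocd-server — and with `server.insecure: "true"` added in the next hunk that backend now speaks plaintext HTTP. If the intent is to admit only Cilium's gateway proxy, Cilium attributes that traffic to the `ingress` entity, so `fromEntities: [ingress]` would be the narrower replacement for the CIDR block; worth verifying against the Cilium version in use before switching. The same pattern is repeated in the drupal, fornix, gatus, gitea, prometheus and hubble-ui policies later in this commit, so whichever selector is chosen should be applied to all of them.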
@@ -254,6 +260,7 @@ server:
 - secretName: argocd-tls
 hosts:
 - "argocd.{{ .Values.clusterConfig.domain }}"
+ {{- end }}
 applicationSet:
 metrics:
 enabled: true
diff --git a/values/cilium/cilium-manifests/gateway.yaml b/values/cilium/cilium-manifests/gateway.yaml
index cdedc678..eeef4fb6 100644
--- a/values/cilium/cilium-manifests/gateway.yaml
+++ b/values/cilium/cilium-manifests/gateway.yaml
@@ -13,7 +13,7 @@ spec:
 annotations:
 load-balancer.hetzner.cloud/location: hel1
 load-balancer.hetzner.cloud/type: lb11
- load-balancer.hetzner.cloud/name: load-balancer-2
+ load-balancer.hetzner.cloud/name: load-balancer-1
 load-balancer.hetzner.cloud/use-private-ip: "true"
 load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
 load-balancer.hetzner.cloud/http-redirect-https: "false"
@@ -42,6 +42,36 @@ spec:
 selector:
 matchLabels:
 shared-gateway-access: "true"
+ - name: https-hel1
+ protocol: HTTPS
+ port: 443
+ hostname: "*.hel1.oceanbox.io"
+ tls:
+ certificateRefs:
+ - group: ''
+ kind: Secret
+ name: wildcard-hel1-oceanbox-io
+ allowedRoutes:
+ namespaces:
+ from: Selector
+ selector:
+ matchLabels:
+ shared-gateway-access: "true"
+ - name: https-internal
+ protocol: HTTPS
+ port: 443
+ hostname: "*.adm.hel1.obx"
+ tls:
+ certificateRefs:
+ - group: ''
+ kind: Secret
+ name: wildcard-adm-hel1-obx
+ allowedRoutes:
+ namespaces:
+ from: Selector
+ selector:
+ matchLabels:
+ shared-gateway-access: "true"
 - name: ssh
 protocol: TCP
 port: 22
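Review bot: The new `https-internal` listener (`*.adm.hel1.obx`, certificate from the private `ca-issuer`) reuses the same `allowedRoutes` selector as the `https-hel1` listener, `shared-gateway-access: "true"`, and this commit puts that label on every application namespace (docs, makai, fornix, uptime, argocd, prometheus, kube-system). Anything able to create an HTTPRoute in one of those namespaces can therefore bind a not-yet-claimed hostname under the internal domain and have the gateway terminate TLS for it with the internal CA certificate, which the label name does not suggest. Gate the internal listener on a separate, constructed label such as `shared-gateway-internal-access: "true"` in its `allowedRoutes.namespaces.selector.matchLabels` and apply that label only to the namespaces that actually route internal hostnames (argocd, uptime, prometheus in this commit).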
@@ -65,4 +95,28 @@ spec:
 issuerRef:
 name: letsencrypt-prod-dns01
 kind: ClusterIssuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-hel1-oceanbox-io
+spec:
+ secretName: wildcard-hel1-oceanbox-io
+ dnsNames:
+ - "*.hel1.oceanbox.io"
+ issuerRef:
+ name: letsencrypt-prod-dns01
+ kind: ClusterIssuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-adm-hel1-obx
+spec:
+ secretName: wildcard-adm-hel1-obx
+ dnsNames:
+ - "*.adm.hel1.obx"
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
 {{- end}}
diff --git a/values/docs/manifests/docs.yaml b/values/docs/manifests/docs.yaml
index 9fb9b46b..f23f2688 100644
--- a/values/docs/manifests/docs.yaml
+++ b/values/docs/manifests/docs.yaml
@@ -28,6 +28,9 @@ spec:
 - name: HELMFILE_FILE_PATH
 value: docs.yaml.gotmpl
 syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ shared-gateway-access: "true"
 syncOptions:
 - CreateNamespace=true
 - ApplyOutOfSyncOnly=true
diff --git a/values/docs/manifests/gateway-routes.yaml b/values/docs/manifests/gateway-routes.yaml
new file mode 100644
index 00000000..934c3fd9
--- /dev/null
+++ b/values/docs/manifests/gateway-routes.yaml
@@ -0,0 +1 @@
+{{- /* HTTPRoute and CiliumNetworkPolicy are managed by the docs chart template */ -}}
diff --git a/values/docs/values/values.yaml.gotmpl b/values/docs/values/values.yaml.gotmpl
new file mode 100644
index 00000000..d4f110ed
--- /dev/null
+++ b/values/docs/values/values.yaml.gotmpl
@@ -0,0 +1,46 @@
+replicaCount: 1
+image:
+ tag: "e9fd3fc6-debug"
+env:
+ - name: APP_VERSION
+ value: "0.0.0"
+ - name: LOG_LEVEL
+ value: "1"
+{{- if .Values.clusterConfig.gatewayAPI.enabled }}
+ingress:
+ enabled: false
+ className: "nginx"
+httpRoute:
+ enabled: true
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - docs.oceanbox.io
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+{{- else }}
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ oceanbox.io/expose: internal
+ hosts:
+ - host: docs.oceanbox.io
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - docs.oceanbox.io
+ secretName: docs-tls
+{{- end }}
diff --git a/values/drupal/manifests/ingress.yaml b/values/drupal/manifests/ingress.yaml
index 04b51df9..588d24a9 100644
--- a/values/drupal/manifests/ingress.yaml
+++ b/values/drupal/manifests/ingress.yaml
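Review bot: The HTTPRoute branch has no counterpart for two settings the Ingress branch still carries, `oceanbox.io/expose: internal` and `nginx.ingress.kubernetes.io/ssl-redirect: "true"`; if the `expose` annotation is what decides today whether docs.oceanbox.io is reachable from outside, attaching to the `https` listener needs an equally explicit statement, so add a comment above `httpRoute:` saying which exposure the `https` listener provides and that plain-HTTP redirection is now the gateway's job. Separately, `image.tag: "e9fd3fc6-debug"` sits in a file that the helmfile release loads for every environment right after values.yaml, so a debug tag is pinned everywhere unless the per-environment file overrides it; move it to `values-{{ .Environment.Name }}.yaml` or drop it from this file. values/makai/values/values.yaml.gotmpl later in the commit has the same two issues (`image.tag: "d5e61949-debug"`).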
@@ -1,32 +1,38 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
- nginx.ingress.kubernetes.io/backend-protocol: HTTP
- nginx.ingress.kubernetes.io/proxy-body-size: "0"
- nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
- nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12
- labels:
- app.kubernetes.io/component: drupal
 name: drupal
 namespace: fornix
 spec:
- ingressClassName: nginx
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-hel1
+ hostnames:
+ - drupal.hel1.oceanbox.io
 rules:
- - host: drupal.hel1.oceanbox.io
- http:
- paths:
- - backend:
- service:
- name: drupal
- port:
- number: 80
- path: /
- pathType: Prefix
- tls:
- - hosts:
- - drupal.hel1.oceanbox.io
- secretName: drupal-tls
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: drupal
+ port: 80
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gateway-to-drupal
+ namespace: fornix
+spec:
+ endpointSelector:
+ matchLabels:
+ app: drupal
+ ingress:
+ - fromCIDRSet:
+ {{- range .Values.clusterConfig.ingress_whitelist }}
+ - cidr: {{ . }}
+ {{- end }}
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": fornix
diff --git a/values/env-hel1.yaml b/values/env-hel1.yaml
index a78379b5..fdba0e39 100644
--- a/values/env-hel1.yaml
+++ b/values/env-hel1.yaml
@@ -20,6 +20,8 @@ clusterConfig:
 patterns: []
 cidr: []
 nodes: []
+ gatewayAPI:
+ enabled: true
 ingress_whitelist:
 - 10.0.0.0/8
 - 172.16.0.0/12
diff --git a/values/env.yaml b/values/env.yaml
index cdfebb2c..558837ab 100644
--- a/values/env.yaml
+++ b/values/env.yaml
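Review bot: The Ingress is replaced unconditionally, so on every environment where `clusterConfig.gatewayAPI.enabled` is false (the default this commit adds to values/env.yaml) drupal loses its Ingress and gets nothing in return; wrap the file in `{{- if .Values.clusterConfig.gatewayAPI.enabled }}` … `{{- else }}` with the old Ingress, as values/gatus/manifests/ingress.yaml does in this same commit. The removed `whitelist-source-range` filtered clients on their real address at nginx, whereas the new `fromCIDRSet` in `allow-gateway-to-drupal` is evaluated on the connection the gateway's Envoy proxy opens to the pod, so as far as I can tell the client allow-list is not preserved and has to be re-applied at the gateway or load balancer if it is still wanted. The dropped `proxy-read-timeout`/`proxy-send-timeout: "600"` have a route-level equivalent the gitea route in this commit already uses, `timeouts:` / `  request: 600s` / `  backendRequest: 600s` under the rule. values/fornix/manifests/gateway-routes.yaml on the next line has the same unconditional-replacement problem.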
@@ -20,6 +20,8 @@ clusterConfig: - 192.168.0.0/16 - 172.19.255.0/24 - 100.64.0.0/12 # tailnet + gatewayAPI: + enabled: false ingress_hostnetwork: false ingress_hostport: false ingress_nodeport: true diff --git a/values/fornix/manifests/fornix.yaml b/values/fornix/manifests/fornix.yaml index 4743635e..7b9bd59a 100644 --- a/values/fornix/manifests/fornix.yaml +++ b/values/fornix/manifests/fornix.yaml @@ -31,6 +31,9 @@ spec: targetRevision: main ref: values syncPolicy: + managedNamespaceMetadata: + labels: + shared-gateway-access: "true" syncOptions: - CreateNamespace=true - ApplyOutOfSyncOnly=true diff --git a/values/fornix/manifests/gateway-routes.yaml b/values/fornix/manifests/gateway-routes.yaml new file mode 100644 index 00000000..e08d9a45 --- /dev/null +++ b/values/fornix/manifests/gateway-routes.yaml @@ -0,0 +1,38 @@ +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: fornix + namespace: fornix +spec: + parentRefs: + - name: shared-gateway + namespace: kube-system + sectionName: https-hel1 + hostnames: + - fornix.hel1.oceanbox.io + rules: + - matches: + - path: + type: PathPrefix + value: "/" + backendRefs: + - name: fornix + port: 8085 +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-gateway-to-fornix + namespace: fornix +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/name: fornix + ingress: + - fromCIDRSet: + {{- range .Values.clusterConfig.ingress_whitelist }} + - cidr: {{ . }} + {{- end }} + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": fornix diff --git a/values/fornix/values/values.yaml b/values/fornix/values/values.yaml index d316cea0..9b962a6c 100644 --- a/values/fornix/values/values.yaml +++ b/values/fornix/values/values.yaml @@ -3,7 +3,7 @@ drupalUrl: http://drupal replicaCount: 1 ingress: - enabled: true + enabled: false className: "nginx" annotations: cert-manager.io/cluster-issuer: letsencrypt-production 
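Review bot: `ingress.enabled: false` in values/fornix/values/values.yaml is a plain, non-templated file, so it switches the fornix Ingress off on every environment, including those where `clusterConfig.gatewayAPI.enabled` stays false and the HTTPRoute in values/fornix/manifests/gateway-routes.yaml (same line, not gated either) cannot take over. Move the toggle into a `values.yaml.gotmpl` that branches on `.Values.clusterConfig.gatewayAPI.enabled`, exactly as values/gitea/values/values.yaml.gotmpl does later in this commit, and add it to the fornix release's values list in helmfile.d so it is actually loaded. The fornix HTTPRoute/CiliumNetworkPolicy should get the same `{{- if .Values.clusterConfig.gatewayAPI.enabled }}` guard the argo and gatus manifests in this commit already have.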
diff --git a/values/gatus/manifests/gatus.yaml b/values/gatus/manifests/gatus.yaml
index a96b7c5e..d8f88f68 100644
--- a/values/gatus/manifests/gatus.yaml
+++ b/values/gatus/manifests/gatus.yaml
@@ -26,6 +26,7 @@ spec:
 managedNamespaceMetadata:
 labels:
 component: sys
+ shared-gateway-access: "true"
 syncOptions:
 - CreateNamespace=true
 - ApplyOutOfSyncOnly=true
diff --git a/values/gatus/manifests/ingress.yaml b/values/gatus/manifests/ingress.yaml
index 22f734ec..0023dbdd 100644
--- a/values/gatus/manifests/ingress.yaml
+++ b/values/gatus/manifests/ingress.yaml
@@ -1,8 +1,48 @@
+{{- if .Values.clusterConfig.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: gatus
+ namespace: uptime
+spec:
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-internal
+ hostnames:
+ - uptime.{{ .Values.clusterConfig.domain }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: gatus
+ port: 80
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gateway-to-gatus
+ namespace: uptime
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: gatus
+ ingress:
+ - fromCIDRSet:
+ {{- range .Values.clusterConfig.ingress_whitelist }}
+ - cidr: {{ . }}
+ {{- end }}
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": uptime
+{{- else }}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
- cert-manager.io/cluster-issuer: ca-issuer
+ cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
 nginx.ingress.kubernetes.io/backend-protocol: HTTP
 nginx.ingress.kubernetes.io/cors-allow-headers: Content-Type, x-gatus-cache
 nginx.ingress.kubernetes.io/enable-cors: "true"
@@ -15,7 +55,7 @@ metadata:
 spec:
 ingressClassName: nginx
 rules:
- - host: uptime.adm.hel1.obx
+ - host: uptime.{{ .Values.clusterConfig.domain }}
 http:
 paths:
 - backend:
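Review bot: `cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}` replaces the literal `ca-issuer`, but nothing in this commit defines `clusterConfig.ingress_clusterissuer` (the env.yaml and env-hel1.yaml hunks only add `gatewayAPI`); if the key is unset in some environment the annotation renders with no value and the Ingress is either rejected or never gets `gatus-tls`, breaking the non-gateway branch silently. Confirm the key exists in every environment's values or keep the previous behaviour as a fallback, `cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer | default "ca-issuer" }}`. The Ingress `metadata` block this hunk edits continues past the end of the hunk.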
@@ -27,5 +67,6 @@ spec: pathType: ImplementationSpecific tls: - hosts: - - uptime.adm.hel1.obx + - uptime.{{ .Values.clusterConfig.domain }} secretName: gatus-tls +{{- end }} diff --git a/values/gitea/manifests/gateway-routes.yaml b/values/gitea/manifests/gateway-routes.yaml index 3a61aba5..fe3b0c26 100644 --- a/values/gitea/manifests/gateway-routes.yaml +++ b/values/gitea/manifests/gateway-routes.yaml @@ -14,11 +14,36 @@ spec: - path: type: PathPrefix value: "/" + timeouts: + request: 600s + backendRequest: 600s backendRefs: - name: gitea-http port: 3000 --- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-gateway-to-gitea + namespace: gitea +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/name: gitea + ingress: + - fromCIDRSet: + - cidr: 10.0.0.0/8 + - cidr: 172.16.0.0/12 + - cidr: 192.168.0.0/16 + - cidr: 172.19.255.0/24 + - cidr: 100.64.0.0/12 + - cidr: 185.125.160.4/32 + - cidr: 37.27.203.38/32 + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": gitea +--- apiVersion: gateway.networking.k8s.io/v1alpha2 kind: TCPRoute metadata: diff --git a/values/gitea/values/values.yaml.gotmpl b/values/gitea/values/values.yaml.gotmpl new file mode 100644 index 00000000..58be07d2 --- /dev/null +++ b/values/gitea/values/values.yaml.gotmpl @@ -0,0 +1,8 @@ +{{- /* Gateway API: disable ingress when cilium gateway is enabled (HTTPRoute is in manifests/gateway-routes.yaml) */ -}} +{{- if .Values.clusterConfig.gatewayAPI.enabled }} +ingress: + enabled: false +{{- else }} +ingress: + enabled: true +{{- end }} diff --git a/values/makai/manifests/gateway-routes.yaml b/values/makai/manifests/gateway-routes.yaml new file mode 100644 index 00000000..eb378d66 --- /dev/null +++ b/values/makai/manifests/gateway-routes.yaml @@ -0,0 +1 @@ +{{- /* HTTPRoute and CiliumNetworkPolicy are managed by the makai chart template */ -}} 
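Review bot: `allow-gateway-to-gitea` hardcodes its CIDR list instead of ranging over `.Values.clusterConfig.ingress_whitelist` like every other `allow-gateway-to-*` policy in this commit, and it adds two public /32 addresses (185.125.160.4/32 and 37.27.203.38/32) that appear nowhere in the shared whitelist, so this policy will drift from the others the first time the whitelist changes. Use the same `{{- range .Values.clusterConfig.ingress_whitelist }}` / `- cidr: {{ . }}` / `{{- end }}` block here, and if the two public addresses are intentional, put them in the environment whitelist with a comment naming what they are rather than burying them in one policy. The HTTPRoute this hunk amends starts before the hunk, and the `timeouts` block it gains is the setting the other converted routes in this commit (drupal, fornix) are missing.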
diff --git a/values/makai/manifests/makai.yaml b/values/makai/manifests/makai.yaml
index 3285c7ad..c7f21f06 100644
--- a/values/makai/manifests/makai.yaml
+++ b/values/makai/manifests/makai.yaml
@@ -28,6 +28,9 @@ spec:
 - name: HELMFILE_FILE_PATH
 value: makai.yaml.gotmpl
 syncPolicy:
+ managedNamespaceMetadata:
+ labels:
+ shared-gateway-access: "true"
 syncOptions:
 - CreateNamespace=true
 - ApplyOutOfSyncOnly=true
diff --git a/values/makai/values/values.yaml.gotmpl b/values/makai/values/values.yaml.gotmpl
new file mode 100644
index 00000000..8774cb90
--- /dev/null
+++ b/values/makai/values/values.yaml.gotmpl
@@ -0,0 +1,46 @@
+replicaCount: 1
+image:
+ tag: "d5e61949-debug"
+env:
+ - name: APP_VERSION
+ value: "0.0.0"
+ - name: LOG_LEVEL
+ value: "1"
+{{- if .Values.clusterConfig.gatewayAPI.enabled }}
+ingress:
+ enabled: false
+ className: "nginx"
+httpRoute:
+ enabled: true
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - makai.oceanbox.io
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+{{- else }}
+ingress:
+ enabled: true
+ className: "nginx"
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ nginx.ingress.kubernetes.io/backend-protocol: HTTP
+ nginx.ingress.kubernetes.io/enable-cors: "true"
+ nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ oceanbox.io/expose: internal
+ hosts:
+ - host: makai.oceanbox.io
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - makai.oceanbox.io
+ secretName: makai-tls
+{{- end }}
diff --git a/values/prometheus/manifests/httproutes.yaml b/values/prometheus/manifests/httproutes.yaml
new file mode 100644
index 00000000..e7e235e2
--- /dev/null
+++ b/values/prometheus/manifests/httproutes.yaml
@@ -0,0 +1,118 @@
+{{- if .Values.clusterConfig.gatewayAPI.enabled }}
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: grafana
+ namespace: prometheus
+spec:
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-internal
+ hostnames:
+ - grafana.{{ .Values.clusterConfig.domain }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: prometheus-grafana
+ port: 80
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: alertmanager
+ namespace: prometheus
+spec:
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-internal
+ hostnames:
+ - alertmanager.{{ .Values.clusterConfig.domain }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: prometheus-kube-prometheus-alertmanager
+ port: 9093
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: prometheus
+ namespace: prometheus
+spec:
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-internal
+ hostnames:
+ - prometheus.{{ .Values.clusterConfig.domain }}
+ rules:
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: prometheus-kube-prometheus-prometheus
+ port: 9090
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: allow-gateway-to-grafana
+ namespace: prometheus
+spec:
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: grafana
+ ingress:
+ - fromCIDRSet:
+ {{- range .Values.clusterConfig.ingress_whitelist }}
+ - cidr: {{ . 
}} + {{- end }} + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": prometheus +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-gateway-to-alertmanager + namespace: prometheus +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/name: alertmanager + ingress: + - fromCIDRSet: + {{- range .Values.clusterConfig.ingress_whitelist }} + - cidr: {{ . }} + {{- end }} + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": prometheus +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: allow-gateway-to-prometheus + namespace: prometheus +spec: + endpointSelector: + matchLabels: + app.kubernetes.io/name: prometheus + ingress: + - fromCIDRSet: + {{- range .Values.clusterConfig.ingress_whitelist }} + - cidr: {{ . }} + {{- end }} + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": prometheus +{{- end }} diff --git a/values/prometheus/manifests/prometheus.yaml b/values/prometheus/manifests/prometheus.yaml index ea7bab67..9c1a9917 100644 --- a/values/prometheus/manifests/prometheus.yaml +++ b/values/prometheus/manifests/prometheus.yaml @@ -26,6 +26,7 @@ spec: managedNamespaceMetadata: labels: component: sys + shared-gateway-access: "true" syncOptions: - ServerSideApply=true - CreateNamespace=true diff --git a/values/prometheus/values/prometheus.yaml.gotmpl b/values/prometheus/values/prometheus.yaml.gotmpl index 79a4db69..2c0f2433 100644 --- a/values/prometheus/values/prometheus.yaml.gotmpl +++ b/values/prometheus/values/prometheus.yaml.gotmpl @@ -67,6 +67,9 @@ alertmanager: storage: {} ingress: + {{- if .Values.clusterConfig.gatewayAPI.enabled }} + enabled: false + {{- else }} enabled: true ingressClassName: nginx annotations: @@ -84,6 +87,7 @@ alertmanager: - secretName: alertmanager-general-tls hosts: - alertmanager.{{ .Values.clusterConfig.domain }} + {{- end }} ingressPerReplica: pathType: ImplementationSpecific 
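Review bot: All three routes attach to `sectionName: https-internal` with hostnames built from `{{ .Values.clusterConfig.domain }}`, while that listener (values/cilium/cilium-manifests/gateway.yaml in this commit) only accepts `*.adm.hel1.obx`; on any environment where `clusterConfig.domain` is not `adm.hel1.obx` the route hostnames do not intersect the listener's and the routes are rejected at attach time with no rendering error. The argo and gatus routes in this commit rely on the same implicit coupling, so either template the listener's `hostname` from the same value or add a comment on the listener such as `# hostname must cover <app>.{{ clusterConfig.domain }} for every environment that enables gatewayAPI` and one above these routes pointing at it.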
@@ -170,6 +174,9 @@ grafana: size: 10Gi {{- end }} ingress: + {{- if .Values.clusterConfig.gatewayAPI.enabled }} + enabled: false + {{- else }} enabled: true ingressClassName: nginx annotations: @@ -188,6 +195,7 @@ grafana: - secretName: grafana-general-tls hosts: - grafana.{{ .Values.clusterConfig.domain }} + {{- end }} sidecar: dashboards: enabled: true @@ -458,6 +466,9 @@ prometheus: {{- end }} ingress: + {{- if .Values.clusterConfig.gatewayAPI.enabled }} + enabled: false + {{- else }} enabled: true ingressClassName: nginx annotations: @@ -478,6 +489,7 @@ prometheus: - secretName: prometheus-general-tls hosts: - prometheus.{{ .Values.clusterConfig.domain }} + {{- end }} ingressPerReplica: enabled: false diff --git a/values/system/hel1/hubble-ui-ingress.yaml b/values/system/hel1/hubble-ui-ingress.yaml index b14da61f..cd4ea521 100644 --- a/values/system/hel1/hubble-ui-ingress.yaml +++ b/values/system/hel1/hubble-ui-ingress.yaml 
@@ -1,50 +1,41 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+# oauth2-proxy must be configured with --upstream=http://hubble-ui:80
+# so that it proxies authenticated requests to hubble-ui.
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
- annotations:
- nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
- nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
- oceanbox.io/expose: internal
 name: hubble-ui
 namespace: kube-system
 spec:
- ingressClassName: nginx
+ parentRefs:
+ - name: shared-gateway
+ namespace: kube-system
+ sectionName: https-hel1
+ hostnames:
+ - hubble.hel1.oceanbox.io
 rules:
- - host: hubble.hel1.oceanbox.io
- http:
- paths:
- - backend:
- service:
- name: hubble-ui
- port:
- number: 80
- path: /
- pathType: Prefix
+ - matches:
+ - path:
+ type: PathPrefix
+ value: "/"
+ backendRefs:
+ - name: oauth2-proxy
+ port: 80
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-production
- nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
- nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 16k
- oceanbox.io/expose: internal
- name: hubble-ui-oauth2-proxy
+ name: allow-gateway-to-hubble-ui
 namespace: kube-system
 spec:
- ingressClassName: nginx
- rules:
- - host: hubble.hel1.oceanbox.io
- http:
- paths:
- - backend:
- service:
- name: oauth2-proxy
- port:
- name: http
- path: /oauth2
- pathType: Prefix
- tls:
- - hosts:
- - hubble.hel1.oceanbox.io
- secretName: hubble-tls
+ endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: oauth2-proxy
+ ingress:
+ - fromCIDRSet:
+ - cidr: 10.0.0.0/8
+ - cidr: 172.16.0.0/12
+ - cidr: 192.168.0.0/16
+ - cidr: 100.64.0.0/12
+ - fromEndpoints:
+ - matchLabels:
+ "k8s:io.kubernetes.pod.namespace": kube-system
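Review bot: The authentication gate for hubble-ui now rests entirely on oauth2-proxy's upstream setting, which the two comment lines at the top describe but this commit does not change anywhere; the removed Ingress enforced it at nginx with `auth-url`/`auth-signin` and served `/oauth2` separately, whereas the new route sends every request to `oauth2-proxy` on port 80 and relies on the proxy being configured to forward. To make that contract enforceable rather than documented, add a second CiliumNetworkPolicy selecting the hubble-ui pods whose only ingress rule is `fromEndpoints` matching `app.kubernetes.io/name: oauth2-proxy`, so a route or client that bypasses the proxy cannot reach the UI, and extend the header comment to say that policy is part of the setup. The `fromCIDRSet` in `allow-gateway-to-hubble-ui` is also hardcoded rather than ranged over `.Values.clusterConfig.ingress_whitelist` as the other policies in this commit are, and the old `oceanbox.io/expose: internal` marker has no counterpart on the route.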
diff --git a/values/system/hel1/kube-system-labels.yaml b/values/system/hel1/kube-system-labels.yaml
new file mode 100644
index 00000000..6587cba1
--- /dev/null
+++ b/values/system/hel1/kube-system-labels.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-system
+ labels:
+ shared-gateway-access: "true"
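Review bot: Declaring the full `kube-system` Namespace object in a synced manifest makes the sync tool the owner of a namespace it did not create; if the Argo CD Application that picks up values/system/hel1 has pruning enabled, deleting or renaming this file later turns into a request to delete kube-system, and a full-object apply can also fight other controllers over labels and annotations already on the namespace. Prefer a label-only patch (a kustomize patch, or the `managedNamespaceMetadata.labels` mechanism the other Applications in this commit use), or if the object has to stay, add `annotations:` / `  argocd.argoproj.io/sync-options: Prune=false` under `metadata:` together with a comment explaining why the namespace is declared here.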