wip: Gateway Setup

2026-03-13 16:05:15 +01:00
parent 6dc57af5ae
commit ae01e69fc2
32 changed files with 638 additions and 77 deletions
@@ -1,50 +1,41 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+# oauth2-proxy must be configured with --upstream=http://hubble-ui:80
+# so that it proxies authenticated requests to hubble-ui.
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
 metadata:
-  annotations:
-    nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
-    oceanbox.io/expose: internal
  name: hubble-ui
  namespace: kube-system
 spec:
-  ingressClassName: nginx
+  parentRefs:
+  - name: shared-gateway
+    namespace: kube-system
+    sectionName: https-hel1
+  hostnames:
+  - hubble.hel1.oceanbox.io
  rules:
-    - host: hubble.hel1.oceanbox.io
-      http:
-        paths:
-          - backend:
-              service:
-                name: hubble-ui
-                port:
-                  number: 80
-            path: /
-            pathType: Prefix
+  - matches:
+    - path:
+        type: PathPrefix
+        value: "/"
+    backendRefs:
+    - name: oauth2-proxy
+      port: 80
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
 metadata:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
-    nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 16k
-    oceanbox.io/expose: internal
-  name: hubble-ui-oauth2-proxy
+  name: allow-gateway-to-hubble-ui
  namespace: kube-system
 spec:
-  ingressClassName: nginx
-  rules:
-    - host: hubble.hel1.oceanbox.io
-      http:
-        paths:
-          - backend:
-              service:
-                name: oauth2-proxy
-                port:
-                  name: http
-            path: /oauth2
-            pathType: Prefix
-  tls:
-    - hosts:
-        - hubble.hel1.oceanbox.io
-      secretName: hubble-tls
+  endpointSelector:
+    matchLabels:
+      app.kubernetes.io/name: oauth2-proxy
+  ingress:
+  - fromCIDRSet:
+    - cidr: 10.0.0.0/8
+    - cidr: 172.16.0.0/12
+    - cidr: 192.168.0.0/16
+    - cidr: 100.64.0.0/12
+  - fromEndpoints:
+    - matchLabels:
+        "k8s:io.kubernetes.pod.namespace": kube-system
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+  labels:
+    shared-gateway-access: "true"