platform/manifests
1
1
Fork 0
Code Issues 7 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

Compare commits

merge into: platform/manifests:main
Branches Tags
platform/manifests:main platform/manifests:renovate/kubernetes-ingress-1.x platform/manifests:renovate/jobset-0.x platform/manifests:renovate/registry.k8s.io-kueue-charts-kueue-0.x platform/manifests:renovate/spegel-0.x platform/manifests:renovate/rabbitmq-16.x platform/manifests:renovate/ghcr.io-juanfont-headscale-0.x platform/manifests:mrtz/cilium-hel1-gateway platform/manifests:automated/npins-update-20260130 platform/manifests:vcluster platform/manifests:attic platform/manifests:nexus platform/manifests:diadash platform/manifests:mrtz/beta platform/manifests:simkir/codex platform/manifests:mrtz/nixidy platform/manifests:nixidy platform/manifests:otel-policy platform/manifests:spmsa platform/manifests:priv-redis platform/manifests:wip platform/manifests:dev
...
pull from: platform/manifests:mrtz/cilium-hel1-gateway
Branches Tags
platform/manifests:main platform/manifests:renovate/kubernetes-ingress-1.x platform/manifests:renovate/jobset-0.x platform/manifests:renovate/registry.k8s.io-kueue-charts-kueue-0.x platform/manifests:renovate/spegel-0.x platform/manifests:renovate/rabbitmq-16.x platform/manifests:renovate/ghcr.io-juanfont-headscale-0.x platform/manifests:mrtz/cilium-hel1-gateway platform/manifests:automated/npins-update-20260130 platform/manifests:vcluster platform/manifests:attic platform/manifests:nexus platform/manifests:diadash platform/manifests:mrtz/beta platform/manifests:simkir/codex platform/manifests:mrtz/nixidy platform/manifests:nixidy platform/manifests:otel-policy platform/manifests:spmsa platform/manifests:priv-redis platform/manifests:wip platform/manifests:dev

1 Commits
main ... mrtz/cilium-hel1-gateway

Author SHA1 Message Date
mrtz ae01e69fc2 wip: Gateway Setup 2026-03-13 16:05:15 +01:00
32 changed files with 638 additions and 77 deletions
Expand all files Collapse all files
charts/docs/templates/httproute.yaml
Vendored
+46
View File
@@ -0,0 +1,46 @@
{{- if .Values.httpRoute.enabled -}}
{{- $fullName := include "docs.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
labels:
{{- include "docs.labels" . | nindent 4 }}
spec:
parentRefs:
{{- toYaml .Values.httpRoute.parentRefs | nindent 4 }}
{{- with .Values.httpRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- range .Values.httpRoute.rules }}
- {{- with .matches }}
matches:
{{- toYaml . | nindent 8 }}
{{- end }}
backendRefs:
- name: {{ $fullName }}
port: {{ $svcPort }}
{{- end }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-{{ $fullName }}
labels:
{{- include "docs.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "docs.selectorLabels" . | nindent 6 }}
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": {{ .Release.Namespace }}
{{- end }}
charts/docs/values.yaml
+6 -1
View File
@@ -46,8 +46,13 @@ service:
type: ClusterIP
port: 8080
ingress:
enabled: true
enabled: false
className: nginx
httpRoute:
enabled: false
parentRefs: []
hostnames: []
rules: []
persistence:
enabled: false
size: 1G
charts/makai/templates/httproute.yaml
+46
View File
@@ -0,0 +1,46 @@
{{- if .Values.httpRoute.enabled -}}
{{- $fullName := include "makai.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: {{ $fullName }}
labels:
{{- include "makai.labels" . | nindent 4 }}
spec:
parentRefs:
{{- toYaml .Values.httpRoute.parentRefs | nindent 4 }}
{{- with .Values.httpRoute.hostnames }}
hostnames:
{{- toYaml . | nindent 4 }}
{{- end }}
rules:
{{- range .Values.httpRoute.rules }}
- {{- with .matches }}
matches:
{{- toYaml . | nindent 8 }}
{{- end }}
backendRefs:
- name: {{ $fullName }}
port: {{ $svcPort }}
{{- end }}
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-{{ $fullName }}
labels:
{{- include "makai.labels" . | nindent 4 }}
spec:
endpointSelector:
matchLabels:
{{- include "makai.selectorLabels" . | nindent 6 }}
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": {{ .Release.Namespace }}
{{- end }}
charts/makai/values.yaml
+6 -1
View File
@@ -46,8 +46,13 @@ service:
type: ClusterIP
port: 8080
ingress:
enabled: true
enabled: false
className: nginx
httpRoute:
enabled: false
parentRefs: []
hostnames: []
rules: []
persistence:
enabled: false
size: 1G
helmfile.d/docs.yaml.gotmpl
+1
View File
@@ -11,6 +11,7 @@ releases:
condition: docs.enabled
values:
- ../values/docs/values/values.yaml
- ../values/docs/values/values.yaml.gotmpl
- ../values/docs/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
helmfile.d/gitea.yaml.gotmpl
+1
View File
@@ -17,6 +17,7 @@ releases:
condition: gitea.enabled
values:
- ../values/gitea/values/values.yaml
- ../values/gitea/values/values.yaml.gotmpl
- ../values/gitea/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
helmfile.d/makai.yaml.gotmpl
+1
View File
@@ -11,6 +11,7 @@ releases:
condition: makai.enabled
values:
- ../values/makai/values/values.yaml
- ../values/makai/values/values.yaml.gotmpl
- ../values/makai/values/values-{{ .Environment.Name }}.yaml
postRenderer: ../bin/kustomizer
postRendererArgs:
values/argo/manifests/argo.yaml
+1
View File
@@ -28,6 +28,7 @@ spec:
managedNamespaceMetadata:
labels:
component: sys
shared-gateway-access: "true"
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
values/argo/manifests/httproute.yaml
+40
View File
@@ -0,0 +1,40 @@
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: argocd-server
namespace: argocd
spec:
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-internal
hostnames:
- argocd.{{ .Values.clusterConfig.domain }}
rules:
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: argocd-server
port: 80
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-argocd
namespace: argocd
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: argocd-server
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": argocd
{{- end }}
values/argo/values/argocd.yaml.gotmpl
+9 -2
View File
@@ -4,13 +4,16 @@ global:
## Ref: https://github.com/argoproj/argo-cd
##
configs:
{{- if .Values.argocd.anyNamespaces.enabled }}
params:
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
server.insecure: "true"
{{- end }}
{{- if .Values.argocd.anyNamespaces.enabled }}
applicationsetcontroller.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
# TODO(kai): anyapp will disable PR review apps. Look into anyapp settings to fix it
applicationsetcontroller.enable.scm.providers: "false"
application.namespaces: "{{ .Values.argocd.anyNamespaces.glob }}"
{{- end }}
{{- end }}
cm:
application.resourceTrackingMethod: annotation+label
application.instanceLabelKey: app.kubernetes.io/instance
@@ -238,6 +241,9 @@ server:
serviceMonitor:
enabled: true
ingress:
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
enabled: false
{{- else }}
enabled: true
ingressClassName: nginx
annotations:
@@ -254,6 +260,7 @@ server:
- secretName: argocd-tls
hosts:
- "argocd.{{ .Values.clusterConfig.domain }}"
{{- end }}
applicationSet:
metrics:
enabled: true
values/cilium/cilium-manifests/gateway.yaml
+55 -1
View File
@@ -13,7 +13,7 @@ spec:
annotations:
load-balancer.hetzner.cloud/location: hel1
load-balancer.hetzner.cloud/type: lb11
load-balancer.hetzner.cloud/name: load-balancer-2
load-balancer.hetzner.cloud/name: load-balancer-1
load-balancer.hetzner.cloud/use-private-ip: "true"
load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
load-balancer.hetzner.cloud/http-redirect-https: "false"
@@ -42,6 +42,36 @@ spec:
selector:
matchLabels:
shared-gateway-access: "true"
- name: https-hel1
protocol: HTTPS
port: 443
hostname: "*.hel1.oceanbox.io"
tls:
certificateRefs:
- group: ''
kind: Secret
name: wildcard-hel1-oceanbox-io
allowedRoutes:
namespaces:
from: Selector
selector:
matchLabels:
shared-gateway-access: "true"
- name: https-internal
protocol: HTTPS
port: 443
hostname: "*.adm.hel1.obx"
tls:
certificateRefs:
- group: ''
kind: Secret
name: wildcard-adm-hel1-obx
allowedRoutes:
namespaces:
from: Selector
selector:
matchLabels:
shared-gateway-access: "true"
- name: ssh
protocol: TCP
port: 22
@@ -65,4 +95,28 @@ spec:
issuerRef:
name: letsencrypt-prod-dns01
kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-hel1-oceanbox-io
spec:
secretName: wildcard-hel1-oceanbox-io
dnsNames:
- "*.hel1.oceanbox.io"
issuerRef:
name: letsencrypt-prod-dns01
kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-adm-hel1-obx
spec:
secretName: wildcard-adm-hel1-obx
dnsNames:
- "*.adm.hel1.obx"
issuerRef:
name: ca-issuer
kind: ClusterIssuer
{{- end}}
values/docs/manifests/docs.yaml
+3
View File
@@ -28,6 +28,9 @@ spec:
- name: HELMFILE_FILE_PATH
value: docs.yaml.gotmpl
syncPolicy:
managedNamespaceMetadata:
labels:
shared-gateway-access: "true"
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
values/docs/manifests/gateway-routes.yaml
+1
View File
@@ -0,0 +1 @@
{{- /* HTTPRoute and CiliumNetworkPolicy are managed by the docs chart template */ -}}
values/docs/values/values.yaml.gotmpl
+46
View File
@@ -0,0 +1,46 @@
replicaCount: 1
image:
tag: "e9fd3fc6-debug"
env:
- name: APP_VERSION
value: "0.0.0"
- name: LOG_LEVEL
value: "1"
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
ingress:
enabled: false
className: "nginx"
httpRoute:
enabled: true
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https
hostnames:
- docs.oceanbox.io
rules:
- matches:
- path:
type: PathPrefix
value: "/"
{{- else }}
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/ssl-redirect: "true"
oceanbox.io/expose: internal
hosts:
- host: docs.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- docs.oceanbox.io
secretName: docs-tls
{{- end }}
values/drupal/manifests/ingress.yaml
+33 -27
View File
@@ -1,32 +1,38 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,172.19.255.0/24,100.64.0.0/12
labels:
app.kubernetes.io/component: drupal
name: drupal
namespace: fornix
spec:
ingressClassName: nginx
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-hel1
hostnames:
- drupal.hel1.oceanbox.io
rules:
- host: drupal.hel1.oceanbox.io
http:
paths:
- backend:
service:
name: drupal
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- drupal.hel1.oceanbox.io
secretName: drupal-tls
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: drupal
port: 80
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-drupal
namespace: fornix
spec:
endpointSelector:
matchLabels:
app: drupal
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": fornix
values/env-hel1.yaml
+2
View File
@@ -20,6 +20,8 @@ clusterConfig:
patterns: []
cidr: []
nodes: []
gatewayAPI:
enabled: true
ingress_whitelist:
- 10.0.0.0/8
- 172.16.0.0/12
values/env.yaml
+2
View File
@@ -20,6 +20,8 @@ clusterConfig:
- 192.168.0.0/16
- 172.19.255.0/24
- 100.64.0.0/12 # tailnet
gatewayAPI:
enabled: false
ingress_hostnetwork: false
ingress_hostport: false
ingress_nodeport: true
values/fornix/manifests/fornix.yaml
+3
View File
@@ -31,6 +31,9 @@ spec:
targetRevision: main
ref: values
syncPolicy:
managedNamespaceMetadata:
labels:
shared-gateway-access: "true"
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
values/fornix/manifests/gateway-routes.yaml
+38
View File
@@ -0,0 +1,38 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: fornix
namespace: fornix
spec:
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-hel1
hostnames:
- fornix.hel1.oceanbox.io
rules:
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: fornix
port: 8085
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-fornix
namespace: fornix
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: fornix
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": fornix
values/fornix/values/values.yaml
+1 -1
View File
@@ -3,7 +3,7 @@ drupalUrl: http://drupal
replicaCount: 1
ingress:
enabled: true
enabled: false
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
values/gatus/manifests/gatus.yaml
+1
View File
@@ -26,6 +26,7 @@ spec:
managedNamespaceMetadata:
labels:
component: sys
shared-gateway-access: "true"
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
values/gatus/manifests/ingress.yaml
+44 -3
View File
@@ -1,8 +1,48 @@
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: gatus
namespace: uptime
spec:
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-internal
hostnames:
- uptime.{{ .Values.clusterConfig.domain }}
rules:
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: gatus
port: 80
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-gatus
namespace: uptime
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: gatus
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": uptime
{{- else }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: ca-issuer
cert-manager.io/cluster-issuer: {{ .Values.clusterConfig.ingress_clusterissuer }}
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/cors-allow-headers: Content-Type, x-gatus-cache
nginx.ingress.kubernetes.io/enable-cors: "true"
@@ -15,7 +55,7 @@ metadata:
spec:
ingressClassName: nginx
rules:
- host: uptime.adm.hel1.obx
- host: uptime.{{ .Values.clusterConfig.domain }}
http:
paths:
- backend:
@@ -27,5 +67,6 @@ spec:
pathType: ImplementationSpecific
tls:
- hosts:
- uptime.adm.hel1.obx
- uptime.{{ .Values.clusterConfig.domain }}
secretName: gatus-tls
{{- end }}
values/gitea/manifests/gateway-routes.yaml
+25
View File
@@ -14,11 +14,36 @@ spec:
- path:
type: PathPrefix
value: "/"
timeouts:
request: 600s
backendRequest: 600s
backendRefs:
- name: gitea-http
port: 3000
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-gitea
namespace: gitea
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: gitea
ingress:
- fromCIDRSet:
- cidr: 10.0.0.0/8
- cidr: 172.16.0.0/12
- cidr: 192.168.0.0/16
- cidr: 172.19.255.0/24
- cidr: 100.64.0.0/12
- cidr: 185.125.160.4/32
- cidr: 37.27.203.38/32
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": gitea
---
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
values/gitea/values/values.yaml.gotmpl
+8
View File
@@ -0,0 +1,8 @@
{{- /* Gateway API: disable ingress when cilium gateway is enabled (HTTPRoute is in manifests/gateway-routes.yaml) */ -}}
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
ingress:
enabled: false
{{- else }}
ingress:
enabled: true
{{- end }}
values/makai/manifests/gateway-routes.yaml
+1
View File
@@ -0,0 +1 @@
{{- /* HTTPRoute and CiliumNetworkPolicy are managed by the makai chart template */ -}}
values/makai/manifests/makai.yaml
+3
View File
@@ -28,6 +28,9 @@ spec:
- name: HELMFILE_FILE_PATH
value: makai.yaml.gotmpl
syncPolicy:
managedNamespaceMetadata:
labels:
shared-gateway-access: "true"
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
values/makai/values/values.yaml.gotmpl
+46
View File
@@ -0,0 +1,46 @@
replicaCount: 1
image:
tag: "d5e61949-debug"
env:
- name: APP_VERSION
value: "0.0.0"
- name: LOG_LEVEL
value: "1"
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
ingress:
enabled: false
className: "nginx"
httpRoute:
enabled: true
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https
hostnames:
- makai.oceanbox.io
rules:
- matches:
- path:
type: PathPrefix
value: "/"
{{- else }}
ingress:
enabled: true
className: "nginx"
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/ssl-redirect: "true"
oceanbox.io/expose: internal
hosts:
- host: makai.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- makai.oceanbox.io
secretName: makai-tls
{{- end }}
values/prometheus/manifests/httproutes.yaml
+118
View File
@@ -0,0 +1,118 @@
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: grafana
namespace: prometheus
spec:
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-internal
hostnames:
- grafana.{{ .Values.clusterConfig.domain }}
rules:
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: prometheus-grafana
port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: alertmanager
namespace: prometheus
spec:
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-internal
hostnames:
- alertmanager.{{ .Values.clusterConfig.domain }}
rules:
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: prometheus-kube-prometheus-alertmanager
port: 9093
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: prometheus
namespace: prometheus
spec:
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-internal
hostnames:
- prometheus.{{ .Values.clusterConfig.domain }}
rules:
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: prometheus-kube-prometheus-prometheus
port: 9090
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-grafana
namespace: prometheus
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: grafana
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": prometheus
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-alertmanager
namespace: prometheus
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: alertmanager
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": prometheus
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-gateway-to-prometheus
namespace: prometheus
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: prometheus
ingress:
- fromCIDRSet:
{{- range .Values.clusterConfig.ingress_whitelist }}
- cidr: {{ . }}
{{- end }}
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": prometheus
{{- end }}
values/prometheus/manifests/prometheus.yaml
+1
View File
@@ -26,6 +26,7 @@ spec:
managedNamespaceMetadata:
labels:
component: sys
shared-gateway-access: "true"
syncOptions:
- ServerSideApply=true
- CreateNamespace=true
values/prometheus/values/prometheus.yaml.gotmpl
+12
View File
@@ -67,6 +67,9 @@ alertmanager:
storage: {}
ingress:
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
enabled: false
{{- else }}
enabled: true
ingressClassName: nginx
annotations:
@@ -84,6 +87,7 @@ alertmanager:
- secretName: alertmanager-general-tls
hosts:
- alertmanager.{{ .Values.clusterConfig.domain }}
{{- end }}
ingressPerReplica:
pathType: ImplementationSpecific
@@ -170,6 +174,9 @@ grafana:
size: 10Gi
{{- end }}
ingress:
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
enabled: false
{{- else }}
enabled: true
ingressClassName: nginx
annotations:
@@ -188,6 +195,7 @@ grafana:
- secretName: grafana-general-tls
hosts:
- grafana.{{ .Values.clusterConfig.domain }}
{{- end }}
sidecar:
dashboards:
enabled: true
@@ -458,6 +466,9 @@ prometheus:
{{- end }}
ingress:
{{- if .Values.clusterConfig.gatewayAPI.enabled }}
enabled: false
{{- else }}
enabled: true
ingressClassName: nginx
annotations:
@@ -478,6 +489,7 @@ prometheus:
- secretName: prometheus-general-tls
hosts:
- prometheus.{{ .Values.clusterConfig.domain }}
{{- end }}
ingressPerReplica:
enabled: false
values/system/hel1/hubble-ui-ingress.yaml
+32 -41
View File
@@ -1,50 +1,41 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
# oauth2-proxy must be configured with --upstream=http://hubble-ui:80
# so that it proxies authenticated requests to hubble-ui.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
annotations:
nginx.ingress.kubernetes.io/auth-signin: https://$host/oauth2/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
oceanbox.io/expose: internal
name: hubble-ui
namespace: kube-system
spec:
ingressClassName: nginx
parentRefs:
- name: shared-gateway
namespace: kube-system
sectionName: https-hel1
hostnames:
- hubble.hel1.oceanbox.io
rules:
- host: hubble.hel1.oceanbox.io
http:
paths:
- backend:
service:
name: hubble-ui
port:
number: 80
path: /
pathType: Prefix
- matches:
- path:
type: PathPrefix
value: "/"
backendRefs:
- name: oauth2-proxy
port: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 8k
nginx.ingress.kubernetes.io/proxy-busy-buffers-size: 16k
oceanbox.io/expose: internal
name: hubble-ui-oauth2-proxy
name: allow-gateway-to-hubble-ui
namespace: kube-system
spec:
ingressClassName: nginx
rules:
- host: hubble.hel1.oceanbox.io
http:
paths:
- backend:
service:
name: oauth2-proxy
port:
name: http
path: /oauth2
pathType: Prefix
tls:
- hosts:
- hubble.hel1.oceanbox.io
secretName: hubble-tls
endpointSelector:
matchLabels:
app.kubernetes.io/name: oauth2-proxy
ingress:
- fromCIDRSet:
- cidr: 10.0.0.0/8
- cidr: 172.16.0.0/12
- cidr: 192.168.0.0/16
- cidr: 100.64.0.0/12
- fromEndpoints:
- matchLabels:
"k8s:io.kubernetes.pod.namespace": kube-system
values/system/hel1/kube-system-labels.yaml
+6
View File
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: kube-system
labels:
shared-gateway-access: "true"