feat: implement bgp and gateway api
This PR implements my first trial of BGP and Gateway API.
Major changes:
Remove the metallb-system.
Upgrade cilium version to 1.17 to support Gateway spec.addresses.
Change ingress-nginx LoadBalancer IP to 192.168.33.2 (allocated by cilium)
Add bgp config (k8s and mikrotik terraform)
ingress-nginx is kept for https backend
Minor: Remove most of the Ingress objects, but keep ingress-nginx
--- kubernetes/argo-system Kustomization: flux-system/1-argo-system HelmRelease: argo-system/argo-workflows
+++ kubernetes/argo-system Kustomization: flux-system/1-argo-system HelmRelease: argo-system/argo-workflows
@@ -77,17 +77,12 @@
tag: v3.6.5
server:
authModes:
- sso
deploymentAnnotations:
secret.reloader.stakater.com/reload: argo-workflows-secret
- ingress:
- enabled: true
- hosts:
- - workflows.timtor.dev
- ingressClassName: nginx
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
--- kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server
+++ kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-argo-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: argo-workflows-server
+ namespace: argo-system
+spec:
+ hostnames:
+ - workflows.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: argo-workflows-server
+ port: 2746
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server-http-rediect
+++ kubernetes/argo-system Kustomization: flux-system/1-argo-system HTTPRoute: argo-system/argo-workflows-server-http-rediect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-argo-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: argo-workflows-server-http-rediect
+ namespace: argo-system
+spec:
+ hostnames:
+ - workflows.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
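Review bot: The route is named `argo-workflows-server-http-rediect` while every other redirect route in this PR uses the `-http-redirect` suffix (`ceph-dashboard-http-redirect`, `grafana-http-redirect`, `webhook-receiver-http-redirect`). Flux identifies the object by name, so correcting the typo later means a delete-and-recreate rather than an in-place update; better to fix it before it is applied: `name: argo-workflows-server-http-rediect` → `name: argo-workflows-server-http-redirect`.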
--- kubernetes/kromgo Kustomization: flux-system/5-kromgo HelmRelease: kromgo/kromgo
+++ kubernetes/kromgo Kustomization: flux-system/5-kromgo HelmRelease: kromgo/kromgo
@@ -46,33 +46,60 @@
rollingUpdate:
unavailable: 1
strategy: RollingUpdate
type: deployment
defaultPodOptions:
automountServiceAccountToken: false
- ingress:
- main:
- className: nginx
- hosts:
- - host: kromgo.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
kromgo-config:
advancedMounts:
main:
main:
- path: /kromgo/config.yaml
readOnly: true
subPath: config.yaml
name: kromgo-config
type: configMap
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - kromgo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - kromgo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: kromgo
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/kromgo Kustomization: flux-system/5-kromgo CiliumNetworkPolicy: kromgo/kromgo-app-policy
+++ kubernetes/kromgo Kustomization: flux-system/5-kromgo CiliumNetworkPolicy: kromgo/kromgo-app-policy
@@ -12,12 +12,22 @@
matchLabels:
app.kubernetes.io/name: kromgo
ingress:
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: ingress-nginx
+ toPorts:
+ - ports:
+ - port: '8080'
+ protocol: TCP
+- endpointSelector:
+ matchLabels:
+ app.kubernetes.io/name: kromgo
+ ingress:
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
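Review bot: The new rule under the second `endpointSelector` admits `fromEntities: [ingress]`, which is the Cilium Envoy proxy as a single identity rather than this app's Gateway or HTTPRoute, so the pod now accepts whatever the proxy forwards to it; with `cilium-default` admitting routes from every namespace, the policy's effective source list becomes "any HTTPRoute in the cluster" instead of the `ingress-nginx` namespace it used to name. That is inherent to the `ingress` entity, so source scoping has to be enforced on the Gateway's `allowedRoutes`; a comment such as `# ingress = Cilium Envoy proxy identity; which routes may reach it is governed by the Gateway's allowedRoutes` on the rule would make that dependency visible to the next reader. The same substitution appears in the grafana, miniflux, immich, navidrome, nextcloud and vaultwarden policies. In the immich policy the `app.kubernetes.io/component: server` label also appears to drop out of the endpointSelector, which would expose port 3001 on every immich component to the proxy rather than just the server; the hunk's lost indentation makes that hard to confirm from here.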
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system Namespace: flux-system/metallb-system
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system Namespace: flux-system/metallb-system
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- name: metallb-system
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRepository: metallb-system/metallb
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRepository: metallb-system/metallb
@@ -1,13 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: metallb
- namespace: metallb-system
-spec:
- interval: 24h
- url: https://metallb.github.io/metallb
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRelease: metallb-system/metallb
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system HelmRelease: metallb-system/metallb
@@ -1,30 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: metallb
- namespace: metallb-system
-spec:
- chart:
- spec:
- chart: metallb
- sourceRef:
- kind: HelmRepository
- name: metallb
- version: 0.14.9
- install:
- crds: CreateReplace
- interval: 1h
- maxHistory: 1
- upgrade:
- crds: CreateReplace
- values:
- crds:
- enabled: true
- speaker:
- frr:
- enabled: false
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system IPAddressPool: metallb-system/default
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system IPAddressPool: metallb-system/default
@@ -1,13 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: IPAddressPool
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: default
- namespace: metallb-system
-spec:
- addresses:
- - 192.168.253.100/32
-
--- kubernetes/metallb-system Kustomization: flux-system/1-metallb-system L2Advertisement: metallb-system/default
+++ kubernetes/metallb-system Kustomization: flux-system/1-metallb-system L2Advertisement: metallb-system/default
@@ -1,15 +0,0 @@
----
-apiVersion: metallb.io/v1beta1
-kind: L2Advertisement
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 1-metallb-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: default
- namespace: metallb-system
-spec:
- interfaces:
- - eth0
- ipAddressPools:
- - default
-
--- kubernetes/ingress-nginx Kustomization: flux-system/3-ingress-nginx HelmRelease: ingress-nginx/ingress-nginx
+++ kubernetes/ingress-nginx Kustomization: flux-system/3-ingress-nginx HelmRelease: ingress-nginx/ingress-nginx
@@ -85,13 +85,13 @@
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
service:
externalIPs:
- - 192.168.253.100
+ - 192.168.33.2
externalTrafficPolicy: Local
type: LoadBalancer
updateStrategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
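Review bot: `externalIPs` is a static Service field that Cilium LB-IPAM neither allocates nor reserves, so this `type: LoadBalancer` Service will still be handed a separate address from `shared-pool` in `status.loadBalancer`, and the new `shared-bgpadvertisements` only announces `LoadBalancerIP`, which means 192.168.33.2 is not carried over BGP at all. If the intent — as the description's "allocated by cilium" suggests — is a fixed address from the Cilium pool, request it through IPAM instead, for example with the Service annotation `lbipam.cilium.io/ips: 192.168.33.2` (or `loadBalancerIP`), and drop `externalIPs`. Because `externalIPs` lets any Service claim an arbitrary address with no pool check, keeping addressing inside IPAM is also the tighter default.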
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph Ingress: rook-ceph/s3-fast
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph Ingress: rook-ceph/s3-fast
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: s3-fast
- namespace: rook-ceph
-spec:
- ingressClassName: nginx
- rules:
- - host: s3-fast.timtor.dev
- http:
- paths:
- - backend:
- service:
- name: rook-ceph-rgw-fast
- port:
- number: 8080
- path: /
- pathType: Prefix
-
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: ceph-dashboard
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - ceph.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: rook-ceph-mgr-dashboard
+ port: 7000
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard-http-redirect
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/ceph-dashboard-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: ceph-dashboard-http-redirect
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - ceph.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: s3-fast
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - s3-fast.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: rook-ceph-rgw-fast
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast-http-redirect
+++ kubernetes/rook-ceph Kustomization: flux-system/2-rook-ceph HTTPRoute: rook-ceph/s3-fast-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 2-rook-ceph
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: s3-fast-http-redirect
+ namespace: rook-ceph
+spec:
+ hostnames:
+ - s3-fast.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system HelmRelease: kube-system/cilium
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system HelmRelease: kube-system/cilium
@@ -11,33 +11,41 @@
chart:
spec:
chart: cilium
sourceRef:
kind: HelmRepository
name: cilium
- version: 1.16.6
+ version: 1.17.10
interval: 1h
maxHistory: 1
values:
+ bgpControlPlane:
+ enabled: true
cgroup:
autoMount:
enabled: false
hostRoot: /sys/fs/cgroup
envoy:
enabled: true
+ gatewayAPI:
+ enabled: true
+ gatewayClass:
+ create: auto
hubble:
enabled: true
relay:
enabled: true
ui:
enabled: true
ipam:
mode: kubernetes
k8sServiceHost: localhost
k8sServicePort: 7445
kubeProxyReplacement: true
+ nodePort:
+ enabled: true
securityContext:
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
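Review bot: `gatewayClass.create: auto` makes the Cilium operator create a GatewayClass named `cilium` whenever the Gateway API CRDs are present, and this same Flux Kustomization also applies its own `GatewayClass/cilium`, so two managers will contend for one object and Flux may report field-manager conflicts or drift on every reconcile. Pick one owner: either `create: false` here with the explicit GatewayClass kept, or drop the explicit object and let the operator own it. The CRD upgrade policy for the 1.16.6 → 1.17.10 jump is outside this hunk; the new `CiliumBGPClusterConfig`/`CiliumBGPPeerConfig` objects depend on the updated CRDs landing before the operator reconciles them.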
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system GitRepository: kube-system/gateway-api-crd
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system GitRepository: kube-system/gateway-api-crd
@@ -0,0 +1,19 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: gateway-api-crd
+ namespace: kube-system
+spec:
+ ignore: |
+ /*
+ !/config/crd/standard
+ !/config/crd/experimental/gateway.networking.k8s.io_tlsroutes.yaml
+ interval: 1m
+ ref:
+ tag: v1.3.0
+ url: https://github.com/kubernetes-sigs/gateway-api
+
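Review bot: `interval: 1m` polls GitHub every minute for a ref pinned to a fixed tag, which can only change if the tag itself is moved; `interval: 1h` would cut the churn without losing anything. Also worth confirming that Gateway API `v1.3.0` is the release Cilium 1.17 is tested against — Cilium pins a specific Gateway API version per minor release, and newer CRDs can carry fields the controller ignores or rejects — and recording the source of that choice in a comment such as `# pinned to the Gateway API release listed in the Cilium 1.17 docs`. `prune: false` on the companion Kustomization is the right call for CRDs.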
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system Kustomization: kube-system/gateway-api-crd
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system Kustomization: kube-system/gateway-api-crd
@@ -0,0 +1,16 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: gateway-api-crd
+ namespace: kube-system
+spec:
+ interval: 10m0s
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: gateway-api-crd
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPClusterConfig: flux-system/cilium-bgp
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPClusterConfig: flux-system/cilium-bgp
@@ -0,0 +1,23 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-bgp
+spec:
+ bgpInstances:
+ - localASN: 65001
+ name: homelab-talos-cluster
+ peers:
+ - name: mikrotik
+ peerASN: 65000
+ peerAddress: 192.168.248.1
+ peerConfigRef:
+ name: cilium-peer
+ nodeSelector:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: DoesNotExist
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPPeerConfig: flux-system/cilium-peer
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPPeerConfig: flux-system/cilium-peer
@@ -0,0 +1,22 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-peer
+spec:
+ families:
+ - advertisements:
+ matchLabels:
+ advertise: bgp
+ afi: ipv4
+ safi: unicast
+ gracefulRestart:
+ enabled: true
+ restartTimeSeconds: 15
+ timers:
+ holdTimeSeconds: 9
+ keepAliveTimeSeconds: 3
+
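Review bot: The peer session defined here has no authentication — `CiliumBGPPeerConfig` supports `spec.authSecretRef`, naming a Secret (in the BGP secrets namespace) whose `password` key is used for TCP MD5 — so the nodes will accept routing updates from anything that presents itself as 192.168.248.1. On a single-owner LAN that may be an accepted risk, in which case a one-line comment stating so is enough; otherwise add `authSecretRef: { name: <bgp-auth-secret> }` (constructed placeholder name) and configure the matching key on the MikroTik side. The hold/keepalive timers of 9/3 seconds are aggressive for a home router; if you see flapping, that is the first place to look.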
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPAdvertisement: flux-system/shared-bgpadvertisements
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumBGPAdvertisement: flux-system/shared-bgpadvertisements
@@ -0,0 +1,20 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+ labels:
+ advertise: bgp
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: shared-bgpadvertisements
+spec:
+ advertisements:
+ - advertisementType: Service
+ selector:
+ matchExpressions:
+ - key: dummy
+ operator: DoesNotExist
+ service:
+ addresses:
+ - LoadBalancerIP
+
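Review bot: `selector.matchExpressions` with `key: dummy, operator: DoesNotExist` matches every Service, and the identical selector on `shared-pool` hands every `type: LoadBalancer` Service an address from 192.168.33.0/24, so a LoadBalancer Service created in any namespace is automatically given a LAN address and announced to the router. An opt-in label on both selectors — for example matching `bgp.timtor.dev/advertise: 'true'` (constructed label name) — keeps external exposure an explicit per-Service decision. If match-all is intentional for this homelab, a comment on the selector such as `# intentionally matches all Services; every LoadBalancer gets a pool IP and a BGP route` records that decision.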
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system Certificate: kube-system/timtor.dev-wildcard-certificate
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system Certificate: kube-system/timtor.dev-wildcard-certificate
@@ -0,0 +1,18 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: timtor.dev-wildcard-certificate
+ namespace: kube-system
+spec:
+ dnsNames:
+ - timtor.dev
+ - '*.timtor.dev'
+ issuerRef:
+ kind: ClusterIssuer
+ name: timtor.dev-le-dns01
+ secretName: timtor.dev-wildcard-certificate-secret
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system GatewayClass: flux-system/cilium
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system GatewayClass: flux-system/cilium
@@ -0,0 +1,12 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium
+spec:
+ controllerName: io.cilium/gateway-controller
+ description: The default Cilium GatewayClass
+
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system Gateway: kube-system/cilium-default
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system Gateway: kube-system/cilium-default
@@ -0,0 +1,34 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: cilium-default
+ namespace: kube-system
+spec:
+ addresses:
+ - type: IPAddress
+ value: 192.168.33.1
+ gatewayClassName: cilium
+ listeners:
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: http
+ port: 80
+ protocol: HTTP
+ - allowedRoutes:
+ namespaces:
+ from: All
+ name: https
+ port: 443
+ protocol: HTTPS
+ tls:
+ certificateRefs:
+ - group: ''
+ kind: Secret
+ name: timtor.dev-wildcard-certificate-secret
+ mode: Terminate
+
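Review bot: Both listeners use `allowedRoutes.namespaces.from: All` and set no `hostname`, so any namespace that can create an HTTPRoute can bind any name under the wildcard certificate that these listeners terminate, including a hostname another namespace's route already serves; the Gateway API resolves such overlaps by route precedence rules (older route wins), not by ownership. Consider scoping each listener with `hostname: '*.timtor.dev'` and, for the `https` listener at least, restricting attachment with `from: Selector` plus a `selector.matchLabels` on the namespaces that are meant to publish routes. If cluster-wide admission is the deliberate choice for this homelab, a comment on `allowedRoutes` saying so would keep the next reader from tightening it by accident.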
--- kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumLoadBalancerIPPool: flux-system/shared-pool
+++ kubernetes/kube-system Kustomization: flux-system/1-kube-system CiliumLoadBalancerIPPool: flux-system/shared-pool
@@ -0,0 +1,17 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 1-kube-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: shared-pool
+spec:
+ allowFirstLastIPs: 'No'
+ blocks:
+ - cidr: 192.168.33.0/24
+ serviceSelector:
+ matchExpressions:
+ - key: dummy
+ operator: DoesNotExist
+
--- kubernetes/grafana Kustomization: flux-system/5-grafana HelmRelease: grafana/grafana
+++ kubernetes/grafana Kustomization: flux-system/5-grafana HelmRelease: grafana/grafana
@@ -114,17 +114,12 @@
ha_peer_timeout: 15s
ha_peers: grafana-alerting:9094
image:
registry: docker.io
repository: grafana/grafana
tag: 12.0.1
- ingress:
- enabled: true
- hosts:
- - grafana.timtor.dev
- ingressClassName: nginx
plugins:
- grafana-synthetic-monitoring-app
podAnnotations:
secret.reloader.stakater.com/reload: grafana-secret
replicas: 2
resources:
--- kubernetes/grafana Kustomization: flux-system/5-grafana CiliumNetworkPolicy: grafana/grafana-app-policy
+++ kubernetes/grafana Kustomization: flux-system/5-grafana CiliumNetworkPolicy: grafana/grafana-app-policy
@@ -9,15 +9,14 @@
namespace: grafana
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: grafana
ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '3000'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana
+++ kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 5-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana
+ namespace: grafana
+spec:
+ hostnames:
+ - grafana.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: grafana
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana-http-redirect
+++ kubernetes/grafana Kustomization: flux-system/5-grafana HTTPRoute: grafana/grafana-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 5-grafana
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: grafana-http-redirect
+ namespace: grafana
+spec:
+ hostnames:
+ - grafana.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- kubernetes/unifi-controller Kustomization: flux-system/5-unifi-controller HelmRelease: unifi-controller/unifi-controller
+++ kubernetes/unifi-controller Kustomization: flux-system/5-unifi-controller HelmRelease: unifi-controller/unifi-controller
@@ -90,12 +90,13 @@
subPath: data
type: persistentVolumeClaim
tmp:
globalMounts:
- path: /tmp
type: emptyDir
+ route: {}
service:
main:
controller: main
ports:
http:
port: 8443
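Review bot: `route: {}` is an empty mapping and renders nothing, so it only adds noise to the values; it looks like a placeholder left over from the chart migration. Either drop it or replace it with a comment such as `# kept on ingress-nginx: backend speaks HTTPS on 8443 (see PR notes)`, which is the reason the description gives for keeping nginx — that inference is from the description, not from this hunk.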
--- kubernetes/miniflux Kustomization: flux-system/6-miniflux HelmRelease: miniflux/miniflux
+++ kubernetes/miniflux Kustomization: flux-system/6-miniflux HelmRelease: miniflux/miniflux
@@ -88,32 +88,59 @@
automountServiceAccountToken: false
securityContext:
fsGroup: 65534
replicas: 1
strategy: RollingUpdate
type: deployment
- ingress:
- main:
- className: nginx
- hosts:
- - host: rss.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
secret:
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: miniflux-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - rss.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - rss.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: miniflux
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/miniflux Kustomization: flux-system/6-miniflux CiliumNetworkPolicy: miniflux/miniflux-app-policy
+++ kubernetes/miniflux Kustomization: flux-system/6-miniflux CiliumNetworkPolicy: miniflux/miniflux-app-policy
@@ -9,15 +9,14 @@
namespace: miniflux
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: miniflux
ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/mydata/immich Kustomization: flux-system/6-immich HelmRelease: mydata/immich
+++ kubernetes/mydata/immich Kustomization: flux-system/6-immich HelmRelease: mydata/immich
@@ -181,25 +181,12 @@
defaultPodOptions:
automountServiceAccountToken: false
securityContext:
fsGroup: 65534
global:
nameOverride: immich
- ingress:
- main:
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- className: nginx
- hosts:
- - host: photo.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: server
- port: 3001
persistence:
cache:
accessMode: ReadWriteMany
advancedMounts:
machine-learning:
main:
@@ -223,12 +210,50 @@
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: immich-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - photo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - photo.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: immich
+ port: 3001
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
machine-learning:
controller: machine-learning
ports:
http:
port: 3003
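Review bot: The removed Ingress carried `nginx.ingress.kubernetes.io/proxy-body-size: '0'` to lift nginx's upload limit, and the replacement HTTPRoute has no equivalent setting; whether the Cilium/Envoy data path imposes its own request-body limit is not visible here, so an upload larger than a few megabytes is worth testing before relying on the new path. The same annotation drops out of the nextcloud release in this PR. A comment on the route, e.g. `# no body-size cap configured on the Gateway path; verified with a large upload`, would record the outcome once checked.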
--- kubernetes/mydata/immich Kustomization: flux-system/6-immich CiliumNetworkPolicy: mydata/immich-app-policy
+++ kubernetes/mydata/immich Kustomization: flux-system/6-immich CiliumNetworkPolicy: mydata/immich-app-policy
@@ -14,19 +14,16 @@
matchLabels:
app.kubernetes.io/name: immich
ingress:
- {}
- endpointSelector:
matchLabels:
- app.kubernetes.io/component: server
app.kubernetes.io/name: immich
ingress:
- - fromEndpoints:
- - matchLabels:
- app.kubernetes.io/name: ingress-nginx
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '3001'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome HelmRelease: mydata/navidrome
+++ kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome HelmRelease: mydata/navidrome
@@ -61,23 +61,12 @@
pod:
securityContext:
fsGroup: 65534
replicas: 1
strategy: Recreate
type: deployment
- ingress:
- main:
- className: nginx
- hosts:
- - host: music.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 4533
persistence:
cache:
accessMode: ReadWriteOnce
advancedMounts:
main:
main:
@@ -97,12 +86,50 @@
advancedMounts:
main:
main:
- path: /db
existingClaim: navidrome-db
type: persistentVolumeClaim
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - music.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - music.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: navidrome
+ port: 4533
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 4533
--- kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome CiliumNetworkPolicy: mydata/navidrome-policy
+++ kubernetes/mydata/navidrome Kustomization: flux-system/6-navidrome CiliumNetworkPolicy: mydata/navidrome-policy
@@ -9,15 +9,13 @@
namespace: mydata
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: navidrome
ingress:
- - fromEndpoints:
- - matchLabels:
- app.kubernetes.io/name: ingress-nginx
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '4533'
protocol: TCP
--- kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud HelmRelease: mydata/nextcloud
+++ kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud HelmRelease: mydata/nextcloud
@@ -98,25 +98,12 @@
fsGroup: 33
replicas: 2
rollingUpdate:
unavailable: 1
strategy: RollingUpdate
type: deployment
- ingress:
- main:
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- className: nginx
- hosts:
- - host: drive.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
apache-extra-config:
globalMounts:
- path: /etc/apache2/conf-enabled/extra.conf
subPath: extra.conf
items:
@@ -181,12 +168,50 @@
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: nextcloud-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - drive.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - drive.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: nextcloud
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud CiliumNetworkPolicy: mydata/nextcloud-app-policy
+++ kubernetes/mydata/nextcloud Kustomization: flux-system/6-nextcloud CiliumNetworkPolicy: mydata/nextcloud-app-policy
@@ -9,16 +9,14 @@
namespace: mydata
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: nextcloud
ingress:
- - fromEndpoints:
- - matchLabels:
- app.kubernetes.io/name: ingress-nginx
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden HelmRelease: vaultwarden/vaultwarden
+++ kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden HelmRelease: vaultwarden/vaultwarden
@@ -85,28 +85,12 @@
value: '1'
securityContext:
fsGroup: 65534
replicas: 1
strategy: Recreate
type: deployment
- ingress:
- main:
- className: nginx
- hosts:
- - host: vault.timtor.dev
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: main
- port: 8080
- - path: /notifications/hub
- pathType: Prefix
- service:
- identifier: main
- port: 8080
persistence:
data:
existingClaim: vaultwarden-data
globalMounts:
- path: /data
type: persistentVolumeClaim
@@ -115,12 +99,50 @@
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: vaultwarden-secret
+ route:
+ http-redirect:
+ enabled: true
+ hostnames:
+ - vault.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ main:
+ enabled: true
+ hostnames:
+ - vault.timtor.dev
+ kind: HTTPRoute
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: vaultwarden
+ port: 8080
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
service:
main:
controller: main
ports:
http:
port: 8080
--- kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden CiliumNetworkPolicy: vaultwarden/vaultwarden-policy
+++ kubernetes/vaultwarden Kustomization: flux-system/6-vaultwarden CiliumNetworkPolicy: vaultwarden/vaultwarden-policy
@@ -9,15 +9,14 @@
namespace: vaultwarden
specs:
- endpointSelector:
matchLabels:
app.kubernetes.io/name: vaultwarden
ingress:
- - fromEndpoints:
- - matchLabels:
- k8s:io.kubernetes.pod.namespace: ingress-nginx
+ - fromEntities:
+ - ingress
toPorts:
- ports:
- port: '8080'
protocol: TCP
- egress:
- toEndpoints:
--- kubernetes/flux-system Kustomization: flux-system/0-flux-system Kustomization: flux-system/1-metallb-system
+++ kubernetes/flux-system Kustomization: flux-system/0-flux-system Kustomization: flux-system/1-metallb-system
@@ -1,17 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: 0-flux-system
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: 1-metallb-system
- namespace: flux-system
-spec:
- interval: 10m0s
- path: /kubernetes/metallb-system
- prune: false
- sourceRef:
- kind: GitRepository
- name: homelab
-
--- kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver
+++ kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver
@@ -0,0 +1,26 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 0-flux-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: webhook-receiver
+ namespace: flux-system
+spec:
+ hostnames:
+ - flux.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ rules:
+ - backendRefs:
+ - kind: Service
+ name: webhook-receiver
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
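Review bot: The webhook-receiver route forwards every path under `/` to the Flux notification-controller receiver, which only serves its hook endpoints under `/hook/`; narrowing the match to `value: /hook/` keeps the public hostname from exposing anything else the service answers on port 80 and makes the intended surface explicit. If the receiver is also expected to answer other paths through this hostname, keep `/` and add a comment saying so. This hand-written route uses `gateway.networking.k8s.io/v1`, while the chart-rendered routes later in the diff use `v1alpha2`, which is worth aligning.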
--- kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver-http-redirect
+++ kubernetes/flux-system Kustomization: flux-system/0-flux-system HTTPRoute: flux-system/webhook-receiver-http-redirect
@@ -0,0 +1,27 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ labels:
+ kustomize.toolkit.fluxcd.io/name: 0-flux-system
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: webhook-receiver-http-redirect
+ namespace: flux-system
+spec:
+ hostnames:
+ - flux.timtor.dev
+ parentRefs:
+ - name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ rules:
+ - filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: miniflux/miniflux Ingress: miniflux/miniflux
+++ HelmRelease: miniflux/miniflux Ingress: miniflux/miniflux
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: miniflux
- labels:
- app.kubernetes.io/instance: miniflux
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: miniflux
- namespace: miniflux
-spec:
- ingressClassName: nginx
- rules:
- - host: rss.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: miniflux
- port:
- number: 8080
-
--- HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-http-redirect
+++ HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: miniflux-http-redirect
+ labels:
+ app.kubernetes.io/instance: miniflux
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: miniflux
+ namespace: miniflux
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - rss.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
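Review bot: These chart-rendered routes use `apiVersion: gateway.networking.k8s.io/v1alpha2`, a deprecated API version of HTTPRoute, while the hand-written routes in this PR use `gateway.networking.k8s.io/v1`; the same applies to the kromgo, navidrome, immich and vaultwarden `-http-redirect` and `-main` routes below. Since this output comes from the Helm chart, the fix is probably a chart version or values setting rather than an edit here, but it should be confirmed that the installed Gateway API CRDs still serve `v1alpha2` before relying on it. The rendered `backendRefs: null` on the redirect routes is equivalent to omitting the key and is harmless.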
--- HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-main
+++ HelmRelease: miniflux/miniflux HTTPRoute: miniflux/miniflux-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: miniflux-main
+ labels:
+ app.kubernetes.io/instance: miniflux
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: miniflux
+ namespace: miniflux
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - rss.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: miniflux
+ namespace: miniflux
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: kromgo/kromgo Ingress: kromgo/kromgo
+++ HelmRelease: kromgo/kromgo Ingress: kromgo/kromgo
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: kromgo
- labels:
- app.kubernetes.io/instance: kromgo
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: kromgo
- namespace: kromgo
-spec:
- ingressClassName: nginx
- rules:
- - host: kromgo.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: kromgo
- port:
- number: 8080
-
--- HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-http-redirect
+++ HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: kromgo-http-redirect
+ labels:
+ app.kubernetes.io/instance: kromgo
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kromgo
+ namespace: kromgo
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - kromgo.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-main
+++ HelmRelease: kromgo/kromgo HTTPRoute: kromgo/kromgo-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: kromgo-main
+ labels:
+ app.kubernetes.io/instance: kromgo
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: kromgo
+ namespace: kromgo
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - kromgo.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: kromgo
+ namespace: kromgo
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: mydata/navidrome Ingress: mydata/navidrome
+++ HelmRelease: mydata/navidrome Ingress: mydata/navidrome
@@ -1,24 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: navidrome
- labels:
- app.kubernetes.io/instance: navidrome
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: navidrome
- namespace: mydata
-spec:
- ingressClassName: nginx
- rules:
- - host: music.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: navidrome
- port:
- number: 4533
-
--- HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-http-redirect
+++ HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: navidrome-http-redirect
+ labels:
+ app.kubernetes.io/instance: navidrome
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: navidrome
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - music.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-main
+++ HelmRelease: mydata/navidrome HTTPRoute: mydata/navidrome-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: navidrome-main
+ labels:
+ app.kubernetes.io/instance: navidrome
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: navidrome
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - music.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: navidrome
+ namespace: mydata
+ port: 4533
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
--- HelmRelease: mydata/immich Ingress: mydata/immich
+++ HelmRelease: mydata/immich Ingress: mydata/immich
@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: immich
- labels:
- app.kubernetes.io/instance: immich
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: immich
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- namespace: mydata
-spec:
- ingressClassName: nginx
- rules:
- - host: photo.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: immich
- port:
- number: 3001
-
--- HelmRelease: mydata/immich HTTPRoute: mydata/immich-http-redirect
+++ HelmRelease: mydata/immich HTTPRoute: mydata/immich-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: immich-http-redirect
+ labels:
+ app.kubernetes.io/instance: immich
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: immich
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - photo.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: mydata/immich HTTPRoute: mydata/immich-main
+++ HelmRelease: mydata/immich HTTPRoute: mydata/immich-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: immich-main
+ labels:
+ app.kubernetes.io/instance: immich
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: immich
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - photo.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: immich
+ namespace: mydata
+ port: 3001
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
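Review bot: The removed Ingress carried `nginx.ingress.kubernetes.io/proxy-body-size: '0'`, and the replacement immich-main route has no equivalent, so any request-body limit now comes from the Cilium Envoy gateway rather than from this manifest. Large photo and video uploads are the main immich traffic, so this should be verified against the gateway before the old path is gone for good. A note in the HelmRelease values that produce this route, such as `# no body-size limit is set here; the old nginx proxy-body-size: '0' annotation has no HTTPRoute equivalent`, would record that decision.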
--- HelmRelease: vaultwarden/vaultwarden Ingress: vaultwarden/vaultwarden
+++ HelmRelease: vaultwarden/vaultwarden Ingress: vaultwarden/vaultwarden
@@ -1,31 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: vaultwarden
- labels:
- app.kubernetes.io/instance: vaultwarden
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: vaultwarden
- namespace: vaultwarden
-spec:
- ingressClassName: nginx
- rules:
- - host: vault.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: vaultwarden
- port:
- number: 8080
- - path: /notifications/hub
- pathType: Prefix
- backend:
- service:
- name: vaultwarden
- port:
- number: 8080
-
--- HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-http-redirect
+++ HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: vaultwarden-http-redirect
+ labels:
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: vaultwarden
+ namespace: vaultwarden
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - vault.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
--- HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-main
+++ HelmRelease: vaultwarden/vaultwarden HTTPRoute: vaultwarden/vaultwarden-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: vaultwarden-main
+ labels:
+ app.kubernetes.io/instance: vaultwarden
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: vaultwarden
+ namespace: vaultwarden
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - vault.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: vaultwarden
+ namespace: vaultwarden
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
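Review bot: The removed Ingress listed `/notifications/hub` as a separate path; the new `PathPrefix /` rule covers it, but that path is vaultwarden's WebSocket endpoint, so it should be confirmed that HTTP upgrade requests pass through the cilium-default Gateway's https listener as they did through ingress-nginx. If that was tested, a note in the HelmRelease values that produce this route, such as `# / also covers /notifications/hub (WebSocket), which the old Ingress listed explicitly`, keeps the next reader from re-adding it.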
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-config
@@ -13,42 +13,63 @@
debug: 'false'
debug-verbose: ''
enable-policy: default
policy-cidr-match-mode: ''
operator-prometheus-serve-addr: :9963
enable-metrics: 'true'
+ enable-envoy-config: 'true'
+ envoy-config-retry-interval: 15s
+ enable-gateway-api: 'true'
+ enable-gateway-api-secrets-sync: 'true'
+ enable-gateway-api-proxy-protocol: 'false'
+ enable-gateway-api-app-protocol: 'false'
+ enable-gateway-api-alpn: 'false'
+ gateway-api-xff-num-trusted-hops: '0'
+ gateway-api-service-externaltrafficpolicy: Cluster
+ gateway-api-secrets-namespace: cilium-secrets
+ gateway-api-hostnetwork-enabled: 'false'
+ gateway-api-hostnetwork-nodelabelselector: ''
+ enable-policy-secrets-sync: 'true'
+ policy-secrets-only-from-secrets-namespace: 'true'
+ policy-secrets-namespace: cilium-secrets
enable-ipv4: 'true'
enable-ipv6: 'false'
custom-cni-conf: 'false'
enable-bpf-clock-probe: 'false'
monitor-aggregation: medium
monitor-aggregation-interval: 5s
monitor-aggregation-flags: all
bpf-map-dynamic-size-ratio: '0.0025'
bpf-policy-map-max: '16384'
bpf-lb-map-max: '65536'
bpf-lb-external-clusterip: 'false'
+ bpf-lb-source-range-all-types: 'false'
+ bpf-lb-algorithm-annotation: 'false'
+ bpf-lb-mode-annotation: 'false'
+ bpf-distributed-lru: 'false'
bpf-events-drop-enabled: 'true'
bpf-events-policy-verdict-enabled: 'true'
bpf-events-trace-enabled: 'true'
preallocate-bpf-maps: 'false'
cluster-name: default
cluster-id: '0'
routing-mode: tunnel
tunnel-protocol: vxlan
+ tunnel-source-port-range: 0-0
service-no-backend-response: reject
enable-l7-proxy: 'true'
enable-ipv4-masquerade: 'true'
enable-ipv4-big-tcp: 'false'
enable-ipv6-big-tcp: 'false'
enable-ipv6-masquerade: 'true'
enable-tcx: 'true'
datapath-mode: veth
enable-masquerade-to-route-source: 'false'
enable-xt-socket-fallback: 'true'
install-no-conntrack-iptables-rules: 'false'
+ iptables-random-fully: 'false'
auto-direct-node-routes: 'false'
direct-routing-skip-unreachable: 'false'
enable-local-redirect-policy: 'false'
enable-runtime-device-detection: 'true'
kube-proxy-replacement: 'true'
kube-proxy-replacement-healthz-bind-address: ''
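Review bot: `gateway-api-service-externaltrafficpolicy: Cluster` together with `gateway-api-xff-num-trusted-hops: '0'` means the gateway's Envoy may see a node address rather than the client address for connections forwarded between nodes, which affects any backend that logs or rate-limits by source IP (vaultwarden's login throttling, for example). With BGP advertising the service VIP this may be a deliberate trade-off; if client IP preservation is wanted, `Local` is the usual setting, but how Cilium's BGP advertisement behaves for Gateway-managed Services under `Local` should be confirmed first. Either way a comment stating which behaviour is intended would help, since these keys are chart defaults rather than explicit choices.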
@@ -56,23 +77,26 @@
nodeport-addresses: ''
enable-health-check-nodeport: 'true'
enable-health-check-loadbalancer-ip: 'false'
node-port-bind-protection: 'true'
enable-auto-protect-node-port-range: 'true'
bpf-lb-acceleration: disabled
+ enable-experimental-lb: 'false'
enable-svc-source-range-check: 'true'
enable-l2-neigh-discovery: 'true'
arping-refresh-period: 30s
k8s-require-ipv4-pod-cidr: 'false'
k8s-require-ipv6-pod-cidr: 'false'
enable-k8s-networkpolicy: 'true'
+ enable-endpoint-lockdown-on-policy-overflow: 'false'
write-cni-conf-when-ready: /host/etc/cni/net.d/05-cilium.conflist
cni-exclusive: 'true'
cni-log-file: /var/run/cilium/cilium-cni.log
enable-endpoint-health-checking: 'true'
enable-health-checking: 'true'
+ health-check-icmp-failure-threshold: '3'
enable-well-known-identities: 'false'
enable-node-selector-labels: 'false'
synchronize-k8s-nodes: 'true'
operator-api-serve-addr: 127.0.0.1:9234
enable-hubble: 'true'
hubble-socket-path: /var/run/cilium/hubble.sock
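Review bot: `enable-endpoint-lockdown-on-policy-overflow: 'false'` leaves an endpoint running on a partial BPF policy map if the map ever fills, so the effective policy can differ from the declared one; as I understand the option, `'true'` makes the endpoint drop all traffic instead, i.e. overflow fails closed. This matters more now that `enable-non-default-deny-policies` is also set to `'true'` later in this ConfigMap, because a deny entry that could not be inserted fails open. If the default is kept, a comment such as `# policy-map overflow is not locked down; endpoints keep a partial policy map` makes the choice visible.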
@@ -82,34 +106,36 @@
hubble-disable-tls: 'false'
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
ipam: kubernetes
ipam-cilium-node-update-rate: 15s
+ default-lb-service-ipam: lbipam
egress-gateway-reconciliation-trigger-interval: 1s
enable-vtep: 'false'
vtep-endpoint: ''
vtep-cidr: ''
vtep-mask: ''
vtep-mac: ''
+ enable-bgp-control-plane: 'true'
+ bgp-secrets-namespace: kube-system
+ enable-bgp-control-plane-status-report: 'true'
procfs: /host/proc
bpf-root: /sys/fs/bpf
cgroup-root: /sys/fs/cgroup
enable-k8s-terminating-endpoint: 'true'
enable-sctp: 'false'
- k8s-client-qps: '10'
- k8s-client-burst: '20'
remove-cilium-node-taints: 'true'
set-cilium-node-taints: 'true'
set-cilium-is-up-condition: 'true'
unmanaged-pod-watcher-interval: '15'
dnsproxy-enable-transparent-mode: 'true'
dnsproxy-socket-linger-timeout: '10'
tofqdns-dns-reject-response-code: refused
tofqdns-enable-dns-compression: 'true'
- tofqdns-endpoint-max-ip-per-hostname: '50'
+ tofqdns-endpoint-max-ip-per-hostname: '1000'
tofqdns-idle-connection-grace-period: 0s
tofqdns-max-deferred-connection-deletes: '10000'
tofqdns-proxy-response-max-delay: 100ms
agent-not-ready-taint-key: node.cilium.io/agent-not-ready
mesh-auth-enabled: 'true'
mesh-auth-queue-size: '1024'
@@ -119,15 +145,22 @@
proxy-xff-num-trusted-hops-egress: '0'
proxy-connect-timeout: '2'
proxy-initial-fetch-timeout: '30'
proxy-max-requests-per-connection: '0'
proxy-max-connection-duration-seconds: '0'
proxy-idle-timeout-seconds: '60'
+ proxy-max-concurrent-retries: '128'
+ http-retry-count: '3'
external-envoy-proxy: 'true'
envoy-base-id: '0'
+ envoy-access-log-buffer-size: '4096'
envoy-keep-cap-netbindservice: 'false'
max-connected-clusters: '255'
clustermesh-enable-endpoint-sync: 'false'
clustermesh-enable-mcs-api: 'false'
nat-map-stats-entries: '32'
nat-map-stats-interval: 30s
+ enable-internal-traffic-policy: 'true'
+ enable-lb-ipam: 'true'
+ enable-non-default-deny-policies: 'true'
+ enable-source-ip-verification: 'true'
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/cilium-envoy-config
@@ -3,8 +3,8 @@
kind: ConfigMap
metadata:
name: cilium-envoy-config
namespace: kube-system
data:
bootstrap-config.json: |
- {"admin":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}},"bootstrapExtensions":[{"name":"envoy.bootstrap.internal_listener","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.bootstrap.internal_listener.v3.InternalListener"}}],"dynamicResources":{"cdsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"},"ldsConfig":{"apiConfigSource":{"apiType":"GRPC","grpcServices":[{"envoyGrpc":{"clusterName":"xds-grpc-cilium"}}],"setNodeOnFirstMessageOnly":true,"transportApiVersion":"V3"},"initialFetchTimeout":"30s","resourceApiVersion":"V3"}},"node":{"cluster":"ingress-cluster","id":"host~127.0.0.1~no-id~localdomain"},"overloadManager":{"resourceMonitors":[{"name":"envoy.resource_monitors.global_downstream_max_connections","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.resource_monitors.downstream_connections.v3.DownstreamConnectionsConfig","max_active_downstream_connections":"50000"}}]},"staticResources":{"clusters":[{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3
.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"egress-cluster","type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"useDownstreamProtocolConfig":{}}}},{"cleanupInterval":"2.500s","connectTimeout":"2s","lbPolicy":"CLUSTER_PROVIDED","name":"ingress-cluster-tls","transportSocket":{"name":"cilium.tls_wrapper","typedConfig":{"@type":"type.googleapis.com/cilium.UpstreamTlsWrapperContext"}},"type":"ORIGINAL_DST","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","commonHttpProtocolOptions":{"idleTimeout":"60s","maxConnectionDuration":"0s","maxRequestsPerConnection":0},"upstreamHttpProtocolOptions":{},"useDownstreamProtocolConfig":{}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"xds-grpc-cilium","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/xds.sock"}}}}]}]},"name":"xds-grpc-cilium","type":"STATIC","typedExtensionProtocolOptions":{"envoy.extensions.upstreams.http.v3.HttpProtocolOptions":{"@type":"type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions","explicitHttpConfig":{"http2ProtocolOptions":{}}}}},{"connectTimeout":"2s","loadAssignment":{"clusterName":"/envoy-admin","endpoints":[{"lbEndpoints":[{"endpoint":{"address":{"pipe":{"path":"/var/run/cilium/envoy/sockets/admin.sock"}}}}]}]},"name":"/envoy-admin","type":"STATIC"}],"listeners":[{"address":{"socketAddress":{"address":"0.0
.0.0","portValue":9964}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtualHosts":[{"domains":["*"],"name":"prometheus_metrics_route","routes":[{"match":{"prefix":"/metrics"},"name":"prometheus_metrics_route","route":{"cluster":"/envoy-admin","prefixRewrite":"/stats/prometheus"}}]}]},"statPrefix":"envoy-prometheus-metrics-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-prometheus-metrics-listener"},{"address":{"socketAddress":{"address":"127.0.0.1","portValue":9878}},"filterChains":[{"filters":[{"name":"envoy.filters.network.http_connection_manager","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager","httpFilters":[{"name":"envoy.filters.http.router","typedConfig":{"@type":"type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"}}],"internalAddressConfig":{"cidrRanges":[{"addressPrefix":"10.0.0.0","prefixLen":8},{"addressPrefix":"172.16.0.0","prefixLen":12},{"addressPrefix":"192.168.0.0","prefixLen":16},{"addressPrefix":"127.0.0.1","prefixLen":32}]},"routeConfig":{"virtual_hosts":[{"domains":["*"],"name":"health","routes":[{"match":{"prefix":"/healthz"},"name":"health","route":{"cluster":"/envoy-admin","prefixRewrite":"/ready"}}]}]},"statPrefix":"envoy-health-listener","streamIdleTimeout":"0s"}}]}],"name":"envoy-health-listener"}]}}
[Diff truncated by flux-local]
--- HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config
+++ HelmRelease: kube-system/cilium ConfigMap: kube-system/hubble-relay-config
@@ -3,12 +3,11 @@
kind: ConfigMap
metadata:
name: hubble-relay-config
namespace: kube-system
data:
config.yaml: "cluster-name: default\npeer-service: \"hubble-peer.kube-system.svc.cluster.local.:443\"\
- \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\ndial-timeout: \nretry-timeout:\
- \ \nsort-buffer-len-max: \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file:\
- \ /var/lib/hubble-relay/tls/client.crt\ntls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\n\
- tls-hubble-server-ca-files: /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\n\
- disable-server-tls: true\n"
+ \nlisten-address: :4245\ngops: true\ngops-port: \"9893\"\nretry-timeout: \nsort-buffer-len-max:\
+ \ \nsort-buffer-drain-timeout: \ntls-hubble-client-cert-file: /var/lib/hubble-relay/tls/client.crt\n\
+ tls-hubble-client-key-file: /var/lib/hubble-relay/tls/client.key\ntls-hubble-server-ca-files:\
+ \ /var/lib/hubble-relay/tls/hubble-server-ca.crt\n\ndisable-server-tls: true\n"
--- HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium ClusterRole: kube-system/cilium-operator
@@ -53,12 +53,13 @@
- update
- patch
- apiGroups:
- ''
resources:
- namespaces
+ - secrets
verbs:
- get
- list
- watch
- apiGroups:
- ''
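Review bot: The added `secrets` entry at `+ - secrets` grants the operator get/list/watch on Secrets in every namespace (this is a ClusterRole), which is what `enable-gateway-api-secrets-sync` needs to copy Gateway TLS secrets into cilium-secrets but is also the broadest read permission in this diff; the next hunk widens the same ClusterRole to create/update/delete/patch on `services` and `endpoints` cluster-wide for the Gateway-managed LoadBalancer Services. Both come from the chart, so the review action is to note the expanded blast radius of the cilium-operator service account. If cluster-wide secret reading is not acceptable, the chart can, as far as I recall, run with secrets sync disabled and the TLS secrets created directly in cilium-secrets, which the new `cilium-gateway-secrets` Role at the end of the diff already covers.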
@@ -66,12 +67,16 @@
- services
- endpoints
verbs:
- get
- list
- watch
+ - create
+ - update
+ - delete
+ - patch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumclusterwidenetworkpolicies
verbs:
@@ -135,12 +140,19 @@
- update
- get
- list
- watch
- delete
- patch
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgpclusterconfigs/status
+ - ciliumbgppeerconfigs/status
+ verbs:
+ - update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
@@ -181,12 +193,13 @@
resources:
- ciliumloadbalancerippools
- ciliumpodippools
- ciliumbgppeeringpolicies
- ciliumbgpclusterconfigs
- ciliumbgpnodeconfigoverrides
+ - ciliumbgppeerconfigs
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
@@ -205,7 +218,40 @@
resources:
- leases
verbs:
- create
- get
- update
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses
+ - gateways
+ - tlsroutes
+ - httproutes
+ - grpcroutes
+ - referencegrants
+ - referencepolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - gateway.networking.k8s.io
+ resources:
+ - gatewayclasses/status
+ - gateways/status
+ - httproutes/status
+ - grpcroutes/status
+ - tlsroutes/status
+ verbs:
+ - update
+ - patch
+- apiGroups:
+ - multicluster.x-k8s.io
+ resources:
+ - serviceimports
+ verbs:
+ - get
+ - list
+ - watch
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium
@@ -25,15 +25,17 @@
app.kubernetes.io/name: cilium-agent
app.kubernetes.io/part-of: cilium
spec:
securityContext:
appArmorProfile:
type: Unconfined
+ seccompProfile:
+ type: Unconfined
containers:
- name: cilium-agent
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- cilium-agent
args:
- --config-dir=/tmp/cilium/config-map
startupProbe:
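Review bot: The added `seccompProfile: type: Unconfined` on the cilium-agent pod securityContext pins the pod to no seccomp filtering; before this change no profile was set, so the effective profile depended on the kubelet's seccomp default. The agent needs broad kernel access for BPF, so this may simply be the 1.17 chart default, but it is a hardening change relative to the 1.16 rendering and should be a conscious choice: if the chart exposes the profile through values, set it explicitly and record why. Any admission policy that enforces Pod Security Standards on kube-system also needs to exempt this DaemonSet.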
@@ -55,12 +57,14 @@
path: /healthz
port: 9879
scheme: HTTP
httpHeaders:
- name: brief
value: 'true'
+ - name: require-k8s-connectivity
+ value: 'false'
periodSeconds: 30
successThreshold: 1
failureThreshold: 10
timeoutSeconds: 5
readinessProbe:
httpGet:
@@ -179,13 +183,13 @@
mountPath: /var/lib/cilium/tls/hubble
readOnly: true
- name: tmp
mountPath: /tmp
initContainers:
- name: config
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- cilium-dbg
- build-config
env:
- name: K8S_NODE_NAME
@@ -204,13 +208,13 @@
value: '7445'
volumeMounts:
- name: tmp
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: apply-sysctl-overwrites
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
env:
- name: BIN_PATH
value: /opt/cni/bin
command:
- sh
@@ -234,13 +238,13 @@
- SYS_ADMIN
- SYS_CHROOT
- SYS_PTRACE
drop:
- ALL
- name: mount-bpf-fs
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
args:
- mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf
command:
- /bin/bash
- -c
@@ -250,13 +254,13 @@
privileged: true
volumeMounts:
- name: bpf-maps
mountPath: /sys/fs/bpf
mountPropagation: Bidirectional
- name: clean-cilium-state
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- /init-container.sh
env:
- name: CILIUM_ALL_STATE
valueFrom:
@@ -298,13 +302,13 @@
- name: cilium-cgroup
mountPath: /sys/fs/cgroup
mountPropagation: HostToContainer
- name: cilium-run
mountPath: /var/run/cilium
- name: install-cni-binaries
- image: quay.io/cilium/cilium:v1.16.6@sha256:1e0896b1c4c188b4812c7e0bed7ec3f5631388ca88325c1391a0ef9172c448da
+ image: quay.io/cilium/cilium:v1.17.10@sha256:d93cda710570df64dcb849807bd163013903143d74d5a4ebf16e1a659146c0d3
imagePullPolicy: IfNotPresent
command:
- /install-plugin.sh
resources:
requests:
cpu: 100m
--- HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
+++ HelmRelease: kube-system/cilium DaemonSet: kube-system/cilium-envoy
@@ -28,22 +28,21 @@
spec:
securityContext:
appArmorProfile:
type: Unconfined
containers:
- name: cilium-envoy
- image: quay.io/cilium/cilium-envoy:v1.30.9-1737073743-40a016d11c0d863b772961ed0168eea6fe6b10a5@sha256:a69dfe0e54b24b0ff747385c8feeae0612cfbcae97bfcc8ee42a773bb3f69c88
+ image: quay.io/cilium/cilium-envoy:v1.34.10-1760767433-887ebe7d6ccc2a9dc8c73f6ae4927283283b507e@sha256:78a7c6ceb4135680eb94ed1ca80b1be00647878e6694522f8380cc2a8b99e434
imagePullPolicy: IfNotPresent
command:
- /usr/bin/cilium-envoy-starter
args:
- --
- -c /var/run/cilium/envoy/bootstrap-config.json
- --base-id 0
- --log-level info
- - --log-format [%Y-%m-%d %T.%e][%t][%l][%n] [%g:%#] %v
startupProbe:
httpGet:
host: 127.0.0.1
path: /healthz
port: 9878
scheme: HTTP
--- HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
+++ HelmRelease: kube-system/cilium Deployment: kube-system/cilium-operator
@@ -30,13 +30,13 @@
name: cilium-operator
app.kubernetes.io/part-of: cilium
app.kubernetes.io/name: cilium-operator
spec:
containers:
- name: cilium-operator
- image: quay.io/cilium/operator-generic:v1.16.6@sha256:13d32071d5a52c069fb7c35959a56009c6914439adc73e99e098917646d154fc
+ image: quay.io/cilium/operator-generic:v1.17.10@sha256:09cee355c86b8c50d43ecc8f63cedc5d4a8597aa41be72a63ca4479c31c2f2be
imagePullPolicy: IfNotPresent
command:
- cilium-operator-generic
args:
- --config-dir=/tmp/cilium/config-map
- --debug=$(CILIUM_DEBUG)
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-relay
@@ -33,13 +33,13 @@
capabilities:
drop:
- ALL
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
- image: quay.io/cilium/hubble-relay:v1.16.6@sha256:ca8dcaa5a81a37743b1397ba2221d16d5d63e4a47607584f1bf50a3b0882bf3b
+ image: quay.io/cilium/hubble-relay:v1.17.10@sha256:da6747dd2bccc2901693b49ed4a687723f8d5c1e37d40fb95ea04910d31eaab2
imagePullPolicy: IfNotPresent
command:
- hubble-relay
args:
- serve
ports:
--- HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui
+++ HelmRelease: kube-system/cilium Deployment: kube-system/hubble-ui
@@ -31,13 +31,13 @@
runAsUser: 1001
priorityClassName: null
serviceAccountName: hubble-ui
automountServiceAccountToken: true
containers:
- name: frontend
- image: quay.io/cilium/hubble-ui:v0.13.1@sha256:e2e9313eb7caf64b0061d9da0efbdad59c6c461f6ca1752768942bfeda0796c6
+ image: quay.io/cilium/hubble-ui:v0.13.3@sha256:661d5de7050182d495c6497ff0b007a7a1e379648e60830dd68c4d78ae21761d
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8081
livenessProbe:
httpGet:
@@ -52,13 +52,13 @@
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: tmp-dir
mountPath: /tmp
terminationMessagePolicy: FallbackToLogsOnError
- name: backend
- image: quay.io/cilium/hubble-ui-backend:v0.13.1@sha256:0e0eed917653441fded4e7cdb096b7be6a3bddded5a2dd10812a27b1fc6ed95b
+ image: quay.io/cilium/hubble-ui-backend:v0.13.3@sha256:db1454e45dc39ca41fbf7cad31eec95d99e5b9949c39daaad0fa81ef29d56953
imagePullPolicy: IfNotPresent
env:
- name: EVENTS_SERVER_PORT
value: '8090'
- name: FLOWS_API_ADDR
value: hubble-relay:80
--- HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
+++ HelmRelease: kube-system/cilium Namespace: kube-system/cilium-secrets
@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-gateway-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-gateway-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: kube-system/cilium-bgp-control-plane-secrets
+++ HelmRelease: kube-system/cilium Role: kube-system/cilium-bgp-control-plane-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-bgp-control-plane-secrets
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
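Review bot: The `cilium-bgp-control-plane-secrets` Role grants get/list/watch on every Secret in kube-system with no `resourceNames`, and the matching RoleBinding hunk below hands that to the `cilium` ServiceAccount (the agent's account), so any compromised agent pod can read all kube-system Secrets rather than only the BGP peer passwords. The gateway and TLS-interception Roles in this same change are confined to the dedicated `cilium-secrets` namespace; the BGP Role can be confined the same way through the chart value `bgpControlPlane.secretsNamespace` (`create: true` with a dedicated `name`), which moves the Role and the expected location of the BGP password Secrets out of kube-system. This is chart-rendered output, so the change belongs in the HelmRelease values, which are outside this chunk.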
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-tlsinterception-secrets
@@ -0,0 +1,18 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - get
+ - list
+ - watch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-gateway-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-gateway-secrets
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+
--- HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium Role: cilium-secrets/cilium-operator-tlsinterception-secrets
@@ -0,0 +1,19 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+rules:
+- apiGroups:
+ - ''
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+ - update
+ - patch
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-gateway-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-gateway-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-gateway-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-bgp-control-plane-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: kube-system/cilium-bgp-control-plane-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-bgp-control-plane-secrets
+ namespace: kube-system
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-bgp-control-plane-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-tlsinterception-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-gateway-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-gateway-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-gateway-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-gateway-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+
--- HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets
+++ HelmRelease: kube-system/cilium RoleBinding: cilium-secrets/cilium-operator-tlsinterception-secrets
@@ -0,0 +1,17 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: cilium-operator-tlsinterception-secrets
+ namespace: cilium-secrets
+ labels:
+ app.kubernetes.io/part-of: cilium
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cilium-operator-tlsinterception-secrets
+subjects:
+- kind: ServiceAccount
+ name: cilium-operator
+ namespace: kube-system
+
--- HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-controller
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-
--- HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-speaker
+++ HelmRelease: metallb-system/metallb ServiceAccount: metallb-system/metallb-speaker
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
- name: metallb-speaker
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: speaker
-
--- HelmRelease: metallb-system/metallb ConfigMap: metallb-system/metallb-excludel2
+++ HelmRelease: metallb-system/metallb ConfigMap: metallb-system/metallb-excludel2
@@ -1,27 +0,0 @@
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: metallb-excludel2
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-data:
- excludel2.yaml: |
- announcedInterfacesToExclude:
- - ^docker.*
- - ^cbr.*
- - ^dummy.*
- - ^virbr.*
- - ^lxcbr.*
- - ^veth.*
- - ^lo$
- - ^cali.*
- - ^tunl.*
- - ^flannel.*
- - ^kube-ipvs.*
- - ^cni.*
- - ^nodelocaldns.*
-
--- HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:controller
+++ HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:controller
@@ -1,86 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metallb:controller
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - services
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - nodes
- verbs:
- - list
-- apiGroups:
- - ''
- resources:
- - services/status
- verbs:
- - update
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- resourceNames:
- - metallb-webhook-configuration
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - admissionregistration.k8s.io
- resources:
- - validatingwebhookconfigurations
- verbs:
- - list
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- resourceNames:
- - bfdprofiles.metallb.io
- - bgpadvertisements.metallb.io
- - bgppeers.metallb.io
- - ipaddresspools.metallb.io
- - l2advertisements.metallb.io
- - communities.metallb.io
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - apiextensions.k8s.io
- resources:
- - customresourcedefinitions
- verbs:
- - list
- - watch
-
--- HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:speaker
+++ HelmRelease: metallb-system/metallb ClusterRole: metallb-system/metallb:speaker
@@ -1,44 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
- name: metallb:speaker
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - services
- - endpoints
- - nodes
- - namespaces
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - discovery.k8s.io
- resources:
- - endpointslices
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - events
- verbs:
- - create
- - patch
-- apiGroups:
- - metallb.io
- resources:
- - servicel2statuses
- - servicel2statuses/status
- verbs:
- - '*'
-
--- HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:controller
+++ HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:controller
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: metallb:controller
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-subjects:
-- kind: ServiceAccount
- name: metallb-controller
- namespace: metallb-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metallb:controller
-
--- HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:speaker
+++ HelmRelease: metallb-system/metallb ClusterRoleBinding: metallb-system/metallb:speaker
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
- name: metallb:speaker
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-subjects:
-- kind: ServiceAccount
- name: metallb-speaker
- namespace: metallb-system
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: ClusterRole
- name: metallb:speaker
-
--- HelmRelease: metallb-system/metallb Role: metallb-system/metallb-pod-lister
+++ HelmRelease: metallb-system/metallb Role: metallb-system/metallb-pod-lister
@@ -1,83 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: metallb-pod-lister
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - pods
- verbs:
- - list
- - get
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - configmaps
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bfdprofiles
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bgppeers
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - l2advertisements
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bgpadvertisements
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - ipaddresspools
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - communities
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: metallb-system/metallb Role: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb Role: metallb-system/metallb-controller
@@ -1,94 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-rules:
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - create
- - get
- - list
- - watch
-- apiGroups:
- - ''
- resources:
- - secrets
- resourceNames:
- - metallb-memberlist
- verbs:
- - list
-- apiGroups:
- - apps
- resources:
- - deployments
- resourceNames:
- - metallb-controller
- verbs:
- - get
-- apiGroups:
- - ''
- resources:
- - secrets
- verbs:
- - create
- - delete
- - get
- - list
- - patch
- - update
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - ipaddresspools
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bgppeers
- verbs:
- - get
- - list
-- apiGroups:
- - metallb.io
- resources:
- - bgpadvertisements
- verbs:
- - get
- - list
-- apiGroups:
- - metallb.io
- resources:
- - l2advertisements
- verbs:
- - get
- - list
-- apiGroups:
- - metallb.io
- resources:
- - communities
- verbs:
- - get
- - list
- - watch
-- apiGroups:
- - metallb.io
- resources:
- - bfdprofiles
- verbs:
- - get
- - list
- - watch
-
--- HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-pod-lister
+++ HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-pod-lister
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: metallb-pod-lister
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: metallb-pod-lister
-subjects:
-- kind: ServiceAccount
- name: metallb-speaker
-
--- HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb RoleBinding: metallb-system/metallb-controller
@@ -1,18 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-roleRef:
- apiGroup: rbac.authorization.k8s.io
- kind: Role
- name: metallb-controller
-subjects:
-- kind: ServiceAccount
- name: metallb-controller
-
--- HelmRelease: metallb-system/metallb Service: metallb-system/metallb-webhook-service
+++ HelmRelease: metallb-system/metallb Service: metallb-system/metallb-webhook-service
@@ -1,19 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: metallb-webhook-service
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-spec:
- ports:
- - port: 443
- targetPort: 9443
- selector:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: controller
-
--- HelmRelease: metallb-system/metallb DaemonSet: metallb-system/metallb-speaker
+++ HelmRelease: metallb-system/metallb DaemonSet: metallb-system/metallb-speaker
@@ -1,117 +0,0 @@
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
- name: metallb-speaker
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: speaker
-spec:
- updateStrategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: speaker
- template:
- metadata:
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: speaker
- spec:
- serviceAccountName: metallb-speaker
- terminationGracePeriodSeconds: 0
- hostNetwork: true
- volumes:
- - name: memberlist
- secret:
- secretName: metallb-memberlist
- defaultMode: 420
- - name: metallb-excludel2
- configMap:
- defaultMode: 256
- name: metallb-excludel2
- containers:
- - name: speaker
- image: quay.io/metallb/speaker:v0.14.9
- args:
- - --port=7472
- - --log-level=info
- env:
- - name: METALLB_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: METALLB_HOST
- valueFrom:
- fieldRef:
- fieldPath: status.hostIP
- - name: METALLB_ML_BIND_ADDR
- valueFrom:
- fieldRef:
- fieldPath: status.podIP
- - name: METALLB_ML_LABELS
- value: app.kubernetes.io/name=metallb,app.kubernetes.io/component=speaker
- - name: METALLB_ML_BIND_PORT
- value: '7946'
- - name: METALLB_ML_SECRET_KEY_PATH
- value: /etc/ml_secret_key
- - name: METALLB_POD_NAME
- valueFrom:
- fieldRef:
- fieldPath: metadata.name
- ports:
- - name: monitoring
- containerPort: 7472
- - name: memberlist-tcp
- containerPort: 7946
- protocol: TCP
- - name: memberlist-udp
- containerPort: 7946
- protocol: UDP
- livenessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- add:
- - NET_RAW
- volumeMounts:
- - name: memberlist
- mountPath: /etc/ml_secret_key
- - name: metallb-excludel2
- mountPath: /etc/metallb
- nodeSelector:
- kubernetes.io/os: linux
- tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
- operator: Exists
- - key: node-role.kubernetes.io/control-plane
- effect: NoSchedule
- operator: Exists
-
--- HelmRelease: metallb-system/metallb Deployment: metallb-system/metallb-controller
+++ HelmRelease: metallb-system/metallb Deployment: metallb-system/metallb-controller
@@ -1,86 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: metallb-controller
- namespace: metallb-system
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/component: controller
-spec:
- strategy:
- type: RollingUpdate
- selector:
- matchLabels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: controller
- template:
- metadata:
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/component: controller
- spec:
- serviceAccountName: metallb-controller
- terminationGracePeriodSeconds: 0
- securityContext:
- fsGroup: 65534
- runAsNonRoot: true
- runAsUser: 65534
- containers:
- - name: controller
- image: quay.io/metallb/controller:v0.14.9
- args:
- - --port=7472
- - --log-level=info
- - --tls-min-version=VersionTLS12
- env:
- - name: METALLB_ML_SECRET_NAME
- value: metallb-memberlist
- - name: METALLB_DEPLOYMENT
- value: metallb-controller
- ports:
- - name: monitoring
- containerPort: 7472
- - containerPort: 9443
- name: webhook-server
- protocol: TCP
- volumeMounts:
- - mountPath: /tmp/k8s-webhook-server/serving-certs
- name: cert
- readOnly: true
- livenessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- readinessProbe:
- httpGet:
- path: /metrics
- port: monitoring
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 1
- successThreshold: 1
- failureThreshold: 3
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities:
- drop:
- - ALL
- nodeSelector:
- kubernetes.io/os: linux
- volumes:
- - name: cert
- secret:
- defaultMode: 420
- secretName: metallb-webhook-cert
-
--- HelmRelease: metallb-system/metallb ValidatingWebhookConfiguration: metallb-system/metallb-webhook-configuration
+++ HelmRelease: metallb-system/metallb ValidatingWebhookConfiguration: metallb-system/metallb-webhook-configuration
@@ -1,131 +0,0 @@
----
-apiVersion: admissionregistration.k8s.io/v1
-kind: ValidatingWebhookConfiguration
-metadata:
- name: metallb-webhook-configuration
- labels:
- app.kubernetes.io/name: metallb
- app.kubernetes.io/instance: metallb
- app.kubernetes.io/managed-by: Helm
-webhooks:
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta2-bgppeer
- failurePolicy: Fail
- name: bgppeervalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta2
- operations:
- - CREATE
- - UPDATE
- resources:
- - bgppeers
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-ipaddresspool
- failurePolicy: Fail
- name: ipaddresspoolvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - ipaddresspools
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-bgpadvertisement
- failurePolicy: Fail
- name: bgpadvertisementvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - bgpadvertisements
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-community
- failurePolicy: Fail
- name: communityvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - communities
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-bfdprofile
- failurePolicy: Fail
- name: bfdprofilevalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - DELETE
- resources:
- - bfdprofiles
- sideEffects: None
-- admissionReviewVersions:
- - v1
- clientConfig:
- service:
- name: metallb-webhook-service
- namespace: metallb-system
- path: /validate-metallb-io-v1beta1-l2advertisement
- failurePolicy: Fail
- name: l2advertisementvalidationwebhook.metallb.io
- rules:
- - apiGroups:
- - metallb.io
- apiVersions:
- - v1beta1
- operations:
- - CREATE
- - UPDATE
- resources:
- - l2advertisements
- sideEffects: None
-
--- HelmRelease: ingress-nginx/ingress-nginx Service: ingress-nginx/ingress-nginx-controller
+++ HelmRelease: ingress-nginx/ingress-nginx Service: ingress-nginx/ingress-nginx-controller
@@ -10,13 +10,13 @@
app.kubernetes.io/component: controller
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
type: LoadBalancer
externalIPs:
- - 192.168.253.100
+ - 192.168.33.2
externalTrafficPolicy: Local
ipFamilyPolicy: SingleStack
ipFamilies:
- IPv4
ports:
- name: http
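Review bot: `externalIPs` is not an LB-IPAM allocation: the API server accepts whatever address is written there (unless the DenyServiceExternalIPs admission plugin is enabled), so the description's "allocated by cilium" is not established by this line, and the address Cilium actually assigns and advertises over BGP is the one it writes to `status.loadBalancer.ingress`, which can differ from 192.168.33.2. If the intent is to pin the LB-IPAM allocation, request it with the Service annotation `lbipam.cilium.io/ips: "192.168.33.2"` and drop `externalIPs`, so the Service has one source of truth for its address; a CiliumLoadBalancerIPPool covering that address is not visible in this chunk. The Service's metadata and remaining ports continue outside the hunk.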
--- HelmRelease: argo-system/argo-workflows Ingress: argo-system/argo-workflows-server
+++ HelmRelease: argo-system/argo-workflows Ingress: argo-system/argo-workflows-server
@@ -1,27 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: argo-workflows-server
- namespace: argo-system
- labels:
- app.kubernetes.io/name: argo-workflows-server
- app.kubernetes.io/instance: argo-workflows
- app.kubernetes.io/component: server
- app: server
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/part-of: argo-workflows
-spec:
- ingressClassName: nginx
- rules:
- - host: workflows.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: argo-workflows-server
- port:
- number: 2746
-
--- HelmRelease: grafana/grafana ConfigMap: grafana/grafana
+++ HelmRelease: grafana/grafana ConfigMap: grafana/grafana
@@ -50,13 +50,13 @@
[paths]
data = /var/lib/grafana/
logs = /var/log/grafana
plugins = /var/lib/grafana/plugins
provisioning = /etc/grafana/provisioning
[server]
- domain = grafana.timtor.dev
+ domain = ''
root_url = https://grafana.timtor.dev
[unified_alerting]
enabled = true
ha_advertise_address = ${POD_IP}:9094
ha_listen_address = ${POD_IP}:9094
ha_peer_timeout = 15s
--- HelmRelease: grafana/grafana Ingress: grafana/grafana
+++ HelmRelease: grafana/grafana Ingress: grafana/grafana
@@ -1,23 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: grafana
- namespace: grafana
- labels:
- app.kubernetes.io/name: grafana
- app.kubernetes.io/instance: grafana
-spec:
- ingressClassName: nginx
- rules:
- - host: grafana.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: grafana
- port:
- number: 80
-
--- HelmRelease: mydata/nextcloud Ingress: mydata/nextcloud
+++ HelmRelease: mydata/nextcloud Ingress: mydata/nextcloud
@@ -1,26 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: nextcloud
- labels:
- app.kubernetes.io/instance: nextcloud
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: nextcloud
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: '0'
- namespace: mydata
-spec:
- ingressClassName: nginx
- rules:
- - host: drive.timtor.dev
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: nextcloud
- port:
- number: 8080
-
--- HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-http-redirect
+++ HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-http-redirect
@@ -0,0 +1,31 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: nextcloud-http-redirect
+ labels:
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: nextcloud
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: http
+ hostnames:
+ - drive.timtor.dev
+ rules:
+ - backendRefs: null
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ filters:
+ - requestRedirect:
+ scheme: https
+ statusCode: 301
+ type: RequestRedirect
+
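Review bot: `apiVersion: gateway.networking.k8s.io/v1alpha2` on the second line of this HTTPRoute (and likewise in the `nextcloud-main` hunk below) is the pre-GA version, while the argo-workflows-server HTTPRoute added by this same PR uses `gateway.networking.k8s.io/v1`; HTTPRoute is served at v1 and the v1alpha2 version is deprecated, so these objects are likely to stop applying on a future CRD upgrade. The manifests are chart-rendered, so the fix is presumably a nextcloud chart bump or value rather than an edit to this output. The route also attaches across namespaces to `cilium-default` in kube-system, which only works if that Gateway's `http` listener has `allowedRoutes.namespaces` admitting `mydata`; the Gateway object is not in this chunk.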
--- HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-main
+++ HelmRelease: mydata/nextcloud HTTPRoute: mydata/nextcloud-main
@@ -0,0 +1,32 @@
+---
+apiVersion: gateway.networking.k8s.io/v1alpha2
+kind: HTTPRoute
+metadata:
+ name: nextcloud-main
+ labels:
+ app.kubernetes.io/instance: nextcloud
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: nextcloud
+ namespace: mydata
+spec:
+ parentRefs:
+ - group: gateway.networking.k8s.io
+ kind: Gateway
+ name: cilium-default
+ namespace: kube-system
+ sectionName: https
+ hostnames:
+ - drive.timtor.dev
+ rules:
+ - backendRefs:
+ - group: ''
+ kind: Service
+ name: nextcloud
+ namespace: mydata
+ port: 8080
+ weight: 1
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+
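Review bot: The nextcloud Ingress removed earlier in this diff carried `nginx.ingress.kubernetes.io/proxy-body-size: '0'` to lift the upload size cap, and this HTTPRoute has no counterpart for it, so whether large Nextcloud uploads still succeed now depends on the Cilium gateway's request-body and timeout defaults, which are not visible here; a large-file upload is worth testing before merging. If Nextcloud's trusted-proxy configuration was written for the ingress-nginx pods, it also needs to admit the Cilium Envoy proxy's source addresses, otherwise client IPs and the HTTPS scheme will be derived from the wrong hop; that configuration is outside this chunk. `group: ''` and `weight: 1` on the backendRef are the spec defaults and are harmless.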