feat(sol): add cilium

Signed-off-by: Tyler Witlin <twitlin@witl.xyz>
coolguy1771 · Dec 31, 2023 · 842e607 · 842e607
1 parent 8f49794
commit 842e607
Show file tree

Hide file tree

Showing 5 changed files with 196 additions and 0 deletions.
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/bgp.yaml b/kubernetes/sol/apps/kube-system/cilium/app/bgp.yaml
@@ -0,0 +1,38 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgppeeringpolicy_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+# comments courtesy of JJGadgets
+# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
+# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
+# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
+metadata:
+  name: bgp-loadbalancer-ip-main
+spec:
+  nodeSelector:
+    matchLabels:
+      kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
+  virtualRouters:
+    - localASN: 64512
+      exportPodCIDR: true
+      serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
+        matchExpressions:
+          - {
+              key: thisFakeSelector,
+              operator: NotIn,
+              values: ["will-match-and-announce-all-services"],
+            }
+      neighbors:
+        - peerAddress: "10.1.237.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
+          peerASN: 64512
+        - peerAddress: "10.1.237.4/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
+          peerASN: 64512
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: main-pool
+spec:
+  cidrs:
+    - cidr: 10.0.44.1/24
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml
@@ -0,0 +1,129 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: cilium
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cilium
+      version: 1.14.5
+      sourceRef:
+        kind: HelmRepository
+        name: cilium
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    remediation:
+      retries: 5
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 5
+  values:
+    rollOutCiliumPods: true
+    securityContext:
+      privileged: true
+    autoDirectNodeRoutes: true
+    bpf:
+      masquerade: true
+    bgp:
+      enabled: false
+    cluster:
+      name: sol
+      id: 2
+    containerRuntime:
+      integration: containerd
+      socketPath: /var/run/k3s/containerd/containerd.sock
+    endpointRoutes:
+      enabled: true
+    nodePort:
+      enabled: true
+    enableCiliumEndpointSlice: true
+    enableK8sEndpointSlice: true
+    enableIdentityMark: true
+    ingressController:
+      enabled: false
+    bgpControlPlane:
+      enabled: true
+    ipam:
+      mode: kubernetes
+    ipv4NativeRoutingCIDR: 10.143.0.0/16
+    k8sServiceHost: 10.10.10.50
+    k8sServicePort: 6443
+    kubeProxyReplacement: true
+    kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+    l2announcements:
+      enabled: true
+      leaseDuration: 120s
+      leaseRenewDeadline: 60s
+      leaseRetryPeriod: 1s
+    loadBalancer:
+      algorithm: maglev
+      mode: dsr
+      serviceTopology: true
+    localRedirectPolicy: true
+    hubble:
+      enabled: true
+      metrics:
+        enabled:
+          - dns:query;ignoreAAAA
+          - drop
+          - tcp
+          - port-distribution
+          - icmp
+          - "flow:sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
+          - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction;sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
+        serviceMonitor:
+          enabled: true
+        enableOpenMetrics: true
+        dashboards:
+          enabled: true
+          labelValue: "true"
+          annotations:
+            grafana_folder: Cilium
+      ui:
+        enabled: true
+        rollOutPods: true
+        replicas: 1
+        ingress:
+          enabled: true
+          ingressClassName: internal
+          hosts:
+            - &host hubble.286k.co
+          tls:
+            - secretName: hubble-tls
+              hosts:
+                - *host
+      tls:
+        enabled: true
+        auto:
+          enabled: true
+          method: helm
+      relay:
+        enabled: true
+        rollOutPods: true
+        replicas: 1
+    operator:
+      replicas: 1
+      rollOutPods: true
+      prometheus:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+      dashboards:
+        enabled: true
+        annotations:
+          grafana_folder: Cilium
+    prometheus:
+      enabled: true
+      serviceMonitor:
+        enabled: true
+        trustCRDsExist: true
+    dashboards:
+      enabled: false
+      annotations:
+        grafana_folder: Cilium
+    tunnel: disabled
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/sol/apps/kube-system/cilium/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml
+  - ./bgp.yaml
diff --git a/kubernetes/sol/apps/kube-system/cilium/ks.yaml b/kubernetes/sol/apps/kube-system/cilium/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cilium
+  namespace: flux-system
+spec:
+  targetNamespace: kube-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/sol/apps/kube-system/cilium/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/kubernetes/sol/apps/kube-system/kustomization.yaml b/kubernetes/sol/apps/kube-system/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
   # Pre Flux-Kustomizations
   - ./namespace.yaml
   # Flux-Kustomizations
+  - ./cilium/ks.yaml
   - ./external-secrets/ks.yaml
   - ./metrics-server/ks.yaml