From 842e60765c2cdf78a87a162bac3a1edcf2036428 Mon Sep 17 00:00:00 2001
From: Tyler Witlin
Date: Sun, 31 Dec 2023 10:15:32 -0500
Subject: [PATCH] feat(sol): add cilium
Signed-off-by: Tyler Witlin
---
 .../sol/apps/kube-system/cilium/app/bgp.yaml | 38 ++++++
 .../kube-system/cilium/app/helmrelease.yaml | 129 ++++++++++++++++++
 .../kube-system/cilium/app/kustomization.yaml | 7 +
 .../sol/apps/kube-system/cilium/ks.yaml | 21 +++
 .../sol/apps/kube-system/kustomization.yaml | 1 +
 5 files changed, 196 insertions(+)
 create mode 100644 kubernetes/sol/apps/kube-system/cilium/app/bgp.yaml
 create mode 100644 kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml
 create mode 100644 kubernetes/sol/apps/kube-system/cilium/app/kustomization.yaml
 create mode 100644 kubernetes/sol/apps/kube-system/cilium/ks.yaml
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/bgp.yaml b/kubernetes/sol/apps/kube-system/cilium/app/bgp.yaml
new file mode 100644
index 0000000000..17d1746e07
--- /dev/null
+++ b/kubernetes/sol/apps/kube-system/cilium/app/bgp.yaml
@@ -0,0 +1,38 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumbgppeeringpolicy_v2alpha1.json
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+# comments courtesy of JJGadgets
+# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED!
+# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap
+# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB
+metadata:
+ name: bgp-loadbalancer-ip-main
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster
+ virtualRouters:
+ - localASN: 64512
+ exportPodCIDR: true
+ serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced
+ matchExpressions:
+ - {
+ key: thisFakeSelector,
+ operator: NotIn,
+ values: ["will-match-and-announce-all-services"],
+ }
+ neighbors:
+ - peerAddress: "10.1.237.1/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
+ peerASN: 64512
+ - peerAddress: "10.1.237.4/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation
+ peerASN: 64512
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cilium.io/ciliumloadbalancerippool_v2alpha1.json
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: main-pool
+spec:
+ cidrs:
+ - cidr: 10.0.44.1/24
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml
new file mode 100644
index 0000000000..191d9472e3
--- /dev/null
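Review bot: The two iBGP neighbors (`peerAddress: "10.1.237.1/32"` and `"10.1.237.4/32"`, both `peerASN: 64512`) carry no session authentication, so the peering is only as trustworthy as the L3 path between the nodes and those routers; anything that can open TCP/179 from a node address can inject or withdraw the exported pod CIDR and LoadBalancer routes. The chart version pinned elsewhere in this commit is 1.14.x, which I believe is the release that added `authSecretRef` on a neighbor for TCP MD5 (secret looked up in the BGP secrets namespace, `kube-system` by default — confirm against the 1.14 docs), so each neighbor could carry `authSecretRef: bgp-auth-main` with the matching password configured on the router side. Separately, `cidr: 10.0.44.1/24` has host bits set; if the whole /24 is meant, `- cidr: 10.0.44.0/24` states that unambiguously and avoids depending on how the pool controller normalises the prefix.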
+++ b/kubernetes/sol/apps/kube-system/cilium/app/helmrelease.yaml 
@@ -0,0 +1,129 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: cilium
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cilium
+ version: 1.14.5
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ namespace: flux-system
+ maxHistory: 2
+ install:
+ remediation:
+ retries: 5
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 5
+ values:
+ rollOutCiliumPods: true
+ securityContext:
+ privileged: true
+ autoDirectNodeRoutes: true
+ bpf:
+ masquerade: true
+ bgp:
+ enabled: false
+ cluster:
+ name: sol
+ id: 2
+ containerRuntime:
+ integration: containerd
+ socketPath: /var/run/k3s/containerd/containerd.sock
+ endpointRoutes:
+ enabled: true
+ nodePort:
+ enabled: true
+ enableCiliumEndpointSlice: true
+ enableK8sEndpointSlice: true
+ enableIdentityMark: true
+ ingressController:
+ enabled: false
+ bgpControlPlane:
+ enabled: true
+ ipam:
+ mode: kubernetes
+ ipv4NativeRoutingCIDR: 10.143.0.0/16
+ k8sServiceHost: 10.10.10.50
+ k8sServicePort: 6443
+ kubeProxyReplacement: true
+ kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+ l2announcements:
+ enabled: true
+ leaseDuration: 120s
+ leaseRenewDeadline: 60s
+ leaseRetryPeriod: 1s
+ loadBalancer:
+ algorithm: maglev
+ mode: dsr
+ serviceTopology: true
+ localRedirectPolicy: true
+ hubble:
+ enabled: true
+ metrics:
+ enabled:
+ - dns:query;ignoreAAAA
+ - drop
+ - tcp
+ - port-distribution
+ - icmp
+ - "flow:sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
+ - "httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction;sourceContext=workload-name|reserved-identity;destinationContext=workload-name|reserved-identity"
+ serviceMonitor:
+ enabled: true
+ enableOpenMetrics: true
+ dashboards:
+ enabled: true
+ labelValue: "true"
+ annotations:
+ grafana_folder: Cilium
+ ui:
+ enabled: true
+ rollOutPods: true
+ replicas: 1
+ ingress:
+ enabled: true
+ ingressClassName: internal
+ hosts:
+ - &host hubble.286k.co
+ tls:
+ - secretName: hubble-tls
+ hosts:
+ - *host
+ tls:
+ enabled: true
+ auto:
+ enabled: true
+ method: helm
+ relay:
+ enabled: true
+ rollOutPods: true
+ replicas: 1
+ operator:
+ replicas: 1
+ rollOutPods: true
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ dashboards:
+ enabled: true
+ annotations:
+ grafana_folder: Cilium
+ prometheus:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ trustCRDsExist: true
+ dashboards:
+ enabled: false
+ annotations:
+ grafana_folder: Cilium
+ tunnel: disabled
diff --git a/kubernetes/sol/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/sol/apps/kube-system/cilium/app/kustomization.yaml
new file mode 100644
index 0000000000..332cb40dbc
--- /dev/null
+++ b/kubernetes/sol/apps/kube-system/cilium/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+ - ./bgp.yaml
diff --git a/kubernetes/sol/apps/kube-system/cilium/ks.yaml b/kubernetes/sol/apps/kube-system/cilium/ks.yaml
new file mode 100644
index 0000000000..59f1692711
--- /dev/null
+++ b/kubernetes/sol/apps/kube-system/cilium/ks.yaml
@@ -0,0 +1,21 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cilium
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/sol/apps/kube-system/cilium/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-kubernetes
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
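Review bot: `securityContext: privileged: true` under `values` runs the cilium-agent DaemonSet with full host privileges, whereas the chart default (`privileged: false`) runs it with an explicit capability list (NET_ADMIN, SYS_ADMIN, SYS_MODULE and a handful of others, as I recall) that already covers eBPF loading, route manipulation and kube-proxy replacement; nothing else in this hunk (k3s containerd socket, DSR, BGP control plane, native routing) visibly requires more, so the override should either be dropped or justified in a comment, e.g. `# privileged: needed for <reason> on k3s — TODO confirm`. The Hubble UI is also published through `ingressClassName: internal` at `hubble.286k.co` with no auth annotation on the ingress; Hubble UI has no login of its own and shows every flow in the cluster, so unless the `internal` class terminates authentication upstream, an auth-proxy annotation or a restrictive CiliumNetworkPolicy on that ingress is warranted. Note too that `l2announcements.enabled: true` and `bgpControlPlane.enabled: true` are both on; no CiliumL2AnnouncementPolicy is in this commit so L2 is inert today, but if one is added later the same LoadBalancer IPs would be advertised over both ARP and BGP, which is worth a comment on the `l2announcements` block.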
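Review bot: `prune: true` on the Flux Kustomization that owns the cluster CNI means that removing or renaming this object (or dropping `./cilium/ks.yaml` from the parent kustomization) garbage-collects the Cilium HelmRelease and the BGP resources in one reconcile and takes pod networking down with it; the HelmRelease in `app/helmrelease.yaml` should be protected with `kustomize.toolkit.fluxcd.io/prune: disabled` in its `metadata.annotations`, or this Kustomization should set `prune: false`. In addition, `wait: false` here combined with the bgp.yaml comment that the CRDs must exist before the CiliumBGPPeeringPolicy is applied means the first reconcile of this path is expected to fail until the HelmRelease has installed the CRDs; it will converge through `retryInterval: 1m`, but a separate Kustomization for the BGP objects with `dependsOn` pointing at this one (or `wait: true` with a health check on the HelmRelease) would make the ordering explicit rather than retry-driven.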
diff --git a/kubernetes/sol/apps/kube-system/kustomization.yaml b/kubernetes/sol/apps/kube-system/kustomization.yaml
index 880a4a164e..2f065a42ac 100644
--- a/kubernetes/sol/apps/kube-system/kustomization.yaml
+++ b/kubernetes/sol/apps/kube-system/kustomization.yaml
@@ -6,5 +6,6 @@ resources:
 # Pre Flux-Kustomizations
 - ./namespace.yaml
 # Flux-Kustomizations
+ - ./cilium/ks.yaml
 - ./external-secrets/ks.yaml
 - ./metrics-server/ks.yaml