From 8701a6ee6cf24e014af0753f57a828c677d544de Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Wed, 6 Oct 2021 02:56:27 +0200
Subject: [PATCH] cilium: Introduce new network provider to the clusters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After being super frustrated with calico and hetzner firewalls, 🤞 fingers crossed that his will hold up. This patch introduces cilium to the gitops repository, sets up the firewall rules and adds the CLI to koolbox.
---
 cli/Dockerfile | 11 +++++++++
 infrastructure/cilium/kustomization.yaml | 6 +++++
 infrastructure/cilium/release.yaml | 30 ++++++++++++++++++++++++
 infrastructure/cilium/repository.yaml | 7 ++++++
 infrastructure/kustomization.yaml | 1 +
 terraform/firewall.tf | 28 ++++++++++++++++++++++
 6 files changed, 83 insertions(+)
 create mode 100644 infrastructure/cilium/kustomization.yaml
 create mode 100644 infrastructure/cilium/release.yaml
 create mode 100644 infrastructure/cilium/repository.yaml
diff --git a/cli/Dockerfile b/cli/Dockerfile
index 4add00a0e..d7777c80a 100644
--- a/cli/Dockerfile
+++ b/cli/Dockerfile
@@ -53,6 +53,15 @@ ENV SOPS_RELEASE=${SOPS_RELEASE}
 RUN curl -L https://github.com/mozilla/sops/releases/download/${SOPS_RELEASE}/sops-${SOPS_RELEASE}.linux > ./sops \
 && install -o root -g root -m 0755 sops /usr/local/bin/sops
+# Cilium CLI cache
+FROM docker.io/library/fedora:34 as cilium
+ARG CILIUM_RELEASE=latest
+ENV CILIUM_RELEASE=${CILIUM_RELEASE}
+
+RUN curl -L --remote-name-all https://github.com/cilium/cilium-cli/releases/${CILIUM_RELEASE}/download/cilium-linux-amd64.tar.gz{,.sha256sum} && \
+ sha256sum --check cilium-linux-amd64.tar.gz.sha256sum && \
+ tar xzvfC cilium-linux-amd64.tar.gz /usr/local/bin
+
 # Actual start of container build
 FROM docker.io/library/fedora:34
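Review bot: The new cilium stage defaults `CILIUM_RELEASE` to `latest` and fetches the `.sha256sum` from the same release URL as the tarball, so `sha256sum --check` only proves the archive matches what the server published next to it — the build is neither pinned to a version nor to a digest the repository controls. Consider defaulting the ARG to a concrete tag and committing the expected digest, e.g. `ARG CILIUM_RELEASE=<pinned-cilium-cli-tag>` with `echo "<expected-sha256>  cilium-linux-amd64.tar.gz" | sha256sum --check` in place of the downloaded checksum file; the preceding `SOPS_RELEASE` stage appears to be driven the same way, so the pinned value may belong wherever that one is set. Note that GitHub's pinned-asset path is `releases/download/<tag>/<asset>`, which differs from the `releases/latest/download/<asset>` form this line is built around, so a pinned tag may also need the path reordered — worth confirming before changing the default. Separately, `curl -L` without `--fail` saves an HTML error page under the expected file names on a 404, so `curl -fL --remote-name-all ...` would surface a broken URL at the download step rather than as a confusing checksum failure.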
@@ -89,12 +98,14 @@ COPY --from=hcloud /usr/local/bin/hcloud /usr/local/bin/hcloud
 COPY --from=helm /usr/local/bin/helm /usr/local/bin/helm
 COPY --from=flux /usr/local/bin/flux /usr/local/bin/flux
 COPY --from=sops /usr/local/bin/sops /usr/local/bin/sops
+COPY --from=cilium /usr/local/bin/cilium /usr/local/bin/cilium
 RUN true \
 && echo "command -v flux >/dev/null && . <(flux completion bash)" >> /root/.bashrc \
 && echo "command -v kubectl >/dev/null && . <(kubectl completion bash)" >> /root/.bashrc \
 && echo "command -v helm >/dev/null && . <(helm completion bash)" >> /root/.bashrc \
 && echo "command -v hcloud >/dev/null && . <(hcloud completion bash)" >> /root/.bashrc \
+ && echo "command -v cilium >/dev/null && . <(cilium completion bash)" >> /root/.bashrc \
 && true
 # Create workspace
diff --git a/infrastructure/cilium/kustomization.yaml b/infrastructure/cilium/kustomization.yaml
new file mode 100644
index 000000000..7da405581
--- /dev/null
+++ b/infrastructure/cilium/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+ - repository.yaml
+ - release.yaml
diff --git a/infrastructure/cilium/release.yaml b/infrastructure/cilium/release.yaml
new file mode 100644
index 000000000..0725c9acd
--- /dev/null
+++ b/infrastructure/cilium/release.yaml
@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: cilium
+ namespace: kube-system
+spec:
+ releaseName: cilium
+ chart:
+ spec:
+ chart: cilium
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ version: 1.10.4
+ interval: 5m
+ values:
+ l7Proxy: false
+ encryption:
+ enabled: true
+ type: wireguard
+ hubble:
+ relay:
+ enabled: false
+ ui:
+ enabled: false
+ prometheus:
+ enabled: true
+ operator:
+ prometheus:
+ enabled: true
diff --git a/infrastructure/cilium/repository.yaml b/infrastructure/cilium/repository.yaml
new file mode 100644
index 000000000..16b7b9540
--- /dev/null
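Review bot: The `values:` block of the new HelmRelease enables `encryption.type: wireguard` and disables `l7Proxy` and the Hubble relay/UI without recording the reasoning or the preconditions, so the next person touching this file cannot tell what may safely be flipped. A comment above `encryption:` such as `# WireGuard datapath encryption requires WireGuard support in every node kernel (Linux >= 5.6); udp/51871 must be open between nodes` captures the two things that break silently if forgotten, and a one-liner above `l7Proxy: false` stating why L7 policy/visibility is not wanted (if the reason is simply "no L7 policies in use", say so) avoids it being re-enabled by accident. As far as I recall of the 1.10 series, WireGuard mode encrypts pod-to-pod traffic between nodes but not host-originated traffic; that caveat is worth a line too so nobody assumes all inter-node traffic is covered — verify against the 1.10 documentation before writing it down. The pinned `version: 1.10.4` is good; consider a comment noting it is pinned deliberately so Renovate-style bumps get reviewed rather than auto-applied.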
+++ b/infrastructure/cilium/repository.yaml
@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+ name: cilium
+spec:
+ interval: 30m
+ url: https://helm.cilium.io/
diff --git a/infrastructure/kustomization.yaml b/infrastructure/kustomization.yaml
index 8d3320ce6..6c97dbb92 100644
--- a/infrastructure/kustomization.yaml
+++ b/infrastructure/kustomization.yaml
@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - cilium
 # kyverno
 - hcloud-csi
 - rook
diff --git a/terraform/firewall.tf b/terraform/firewall.tf
index 39e8b028e..2bec9c95f 100644
--- a/terraform/firewall.tf
+++ b/terraform/firewall.tf
@@ -54,6 +54,34 @@ resource "hcloud_firewall" "k8s-node" {
 port = "9000-9999"
 source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
 }
+ rule {
+ description = "Prometheus operator metrics"
+ direction = "in"
+ protocol = "tcp"
+ port = "8472"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "Cilium VXLAN"
+ direction = "in"
+ protocol = "udp"
+ port = "8472"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "Cilium health checks"
+ direction = "in"
+ protocol = "tcp"
+ port = "4240"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
+ rule {
+ description = "Cilium Wireguard"
+ direction = "in"
+ protocol = "udp"
+ port = "51871"
+ source_ips = [for s in concat(module.nodes.ipv4_addresses) : "${s}/32"]
+ }
 }
-- 
GitLab
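Review bot: The first added rule in terraform/firewall.tf is described as `Prometheus operator metrics` but opens tcp/8472, which is the VXLAN port the very next rule opens on udp; 8472 is not a Cilium metrics port, so either the description or the port is a copy-paste slip. If the rule is meant for scraping, set `port` to the value the chart actually configures for the agent/operator metrics endpoints (`prometheus.port` and `operator.prometheus.port` in the HelmRelease values, left at chart defaults by this patch) and keep the description; otherwise drop the rule, as an unused tcp/8472 opening between nodes is just extra surface. Note also that `cilium-health` probes peers with ICMP as well as tcp/4240, so if the `hcloud_firewall` does not already allow ICMP between nodes (not visible in this hunk), `cilium status` will report partial connectivity even though the new rules are correct. The enclosing `hcloud_firewall.k8s-node` resource begins before the hunk.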