feat(networking): try out envoy

kubernetes/apps/networking/echo-server/app/helmrelease.yaml

@@ -77,6 +77,19 @@ spec:
                 service:
                   identifier: app
                   port: http
+    route:
+      envoy:
+        enabled: true
+        parentRefs:
+          - name: envoy-external
+            namespace: networking
+            sectionName: https
+        hostnames:
+          - "echo-envoy.ktwo.io"
+        rules:
+          - backendRefs:
+              - port: *port
+                name: *app
     service:
       app:
         controller: *app

kubernetes/apps/networking/envoy/app/helmrelease.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: envoy
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: gateway-helm
+      version: v0.0.0-latest
+      sourceRef:
+        kind: HelmRepository
+        name: envoy-proxy
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    deployment:
+      envoyGateway:
+        image:
+          repository: docker.io/envoyproxy/gateway
+          tag: v1.2.4
+        rbac:
+          cluster: true

kubernetes/apps/networking/envoy/app/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # renovate: depName=envoyproxy/gateway datasource=github-releases
+  - https://github.com/envoyproxy/gateway/releases/download/v1.1.4/install.yaml
+  - ./helmrelease.yaml

kubernetes/apps/networking/envoy/external/gateway.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy-external
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+  parametersRef:
+    group: gateway.envoyproxy.io
+    kind: EnvoyProxy
+    name: config
+    namespace: networking
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: envoy-external
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: external-envoy.ktwo.io
+spec:
+  gatewayClassName: envoy
+  infrastructure:
+    annotations:
+      # when using gateway-apis in cilium it also creates a service
+      # with a different name and tries to take this IP.
+      # the problem is the service created by cilium is not the one used by envoy.
+      # therefore, the service is disabled
+      lbipam.cilium.io/ips: 192.168.20.90
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      hostname: "*.ktwo.io"
+      allowedRoutes:
+        namespaces:
+          from: All
+    - name: https
+      protocol: HTTPS
+      port: 443
+      hostname: "*.ktwo.io"
+      allowedRoutes:
+        namespaces:
+          from: All
+      tls:
+        certificateRefs:
+          - kind: Secret
+            name: wildcard-tls

kubernetes/apps/networking/envoy/external/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./gateway.yaml

kubernetes/apps/networking/envoy/internal/kustomization.yaml

@@ -0,0 +1,4 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: []

kubernetes/apps/networking/envoy/ks.yaml

@@ -0,0 +1,66 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy
+  namespace: flux-system
+spec:
+  targetNamespace: networking
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cert-manager-issuers
+  path: ./kubernetes/apps/networking/envoy/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-external
+  namespace: flux-system
+spec:
+  targetNamespace: networking
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: envoy
+  path: ./kubernetes/apps/networking/envoy/external
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 15m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app envoy-internal
+  namespace: flux-system
+spec:
+  targetNamespace: networking
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: envoy
+  path: ./kubernetes/apps/networking/envoy/internal
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 15m

kubernetes/apps/networking/kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   - ./namespace.yaml
   - ./cloudflared/ks.yaml
   - ./echo-server/ks.yaml
+  - ./envoy/ks.yaml
   - ./external-dns/ks.yaml
   - ./multus/ks.yaml
   - ./nginx/ks.yaml

kubernetes/flux/repositories/helm/stevehipwell.yaml → kubernetes/flux/repositories/helm/envoy-proxy.yaml

@@ -2,9 +2,9 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: stevehipwell
+  name: envoy-proxy
   namespace: flux-system
 spec:
   type: oci
   interval: 5m
-  url: oci://ghcr.io/stevehipwell/helm-charts
+  url: oci://docker.io/envoyproxy

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -8,11 +8,10 @@ resources:
   - ./cilium.yaml
   - ./cloudnative-pg.yaml
   - ./coredns.yaml
-  - ./deliveryhero.yaml
   - ./emqx.yaml
+  - ./envoy-proxy.yaml
   - ./external-dns.yaml
   - ./external-secrets.yaml
-  - ./fairwinds.yaml
   - ./grafana.yaml
   - ./ingress-nginx.yaml
   - ./intel.yaml
@@ -28,4 +27,3 @@ resources:
   - ./rook-ceph.yaml
   - ./spegel.yaml
   - ./stakater.yaml
-  - ./stevehipwell.yaml