network overhaul

kubernetes/apps/kube-system/cilium/app/helm-values.yml

@@ -25,7 +25,7 @@ envoy:
   enable: false
 ipam:
   mode: kubernetes
-ipv4NativeRoutingCIDR: 10.244.0.0/16
+ipv4NativeRoutingCIDR: 10.3.0.0/16
 k8sServiceHost: 127.0.0.1
 k8sServicePort: 7445
 kubeProxyReplacement: true

kubernetes/apps/kube-system/cilium/config/l2.yaml

@@ -6,9 +6,7 @@ metadata:
   name: l2-policy
 spec:
   loadBalancerIPs: true
-  # interfaces: ["^enp.*|^eth.*|^ens.*|^eno.*"]
   interfaces: ["^eno+|^enp+|^bond+"]
-  # interfaces: ["^bond+"]
   nodeSelector:
     matchLabels:
       kubernetes.io/os: linux
@@ -21,6 +19,4 @@ metadata:
 spec:
   allowFirstLastIPs: "Yes"
   blocks:
-    - # Controller VIP: 192.168.42.120
-      start: 10.1.1.30
-      stop: 10.1.1.49
+    - cidr: "10.5.0.0/16"

kubernetes/apps/network/external-dns/app/unifi/externalsecret.yaml

@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-dns-unifi
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: external-dns-unifi-secret
+    template:
+      engineVersion: v2
+      data:
+        EXTERNAL_DNS_UNIFI_USER: "{{ .username }}"
+        EXTERNAL_DNS_UNIFI_PASS: "{{ .password }}"
+  dataFrom:
+    - extract:
+        key: external-dns-unifi

kubernetes/apps/network/external-dns/app/unifi/helmrelease.yaml

@@ -0,0 +1,72 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app external-dns-unifi
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: external-dns
+      version: 1.15.0
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    fullnameOverride: *app
+    # logLevel: debug
+    provider:
+      name: webhook
+      webhook:
+        image:
+          repository: ghcr.io/kashalls/external-dns-unifi-webhook
+          tag: v0.3.4@sha256:28dc00c7a21f9571d43181fcc0dd3de59e291741f27bc075d7e06378876b2974
+        env:
+          - name: UNIFI_HOST
+            value: https://10.33.44.1
+          - name: UNIFI_USER
+            valueFrom:
+              secretKeyRef:
+                name: &secret external-dns-unifi-secret
+                key: EXTERNAL_DNS_UNIFI_USER
+          - name: UNIFI_PASS
+            valueFrom:
+              secretKeyRef:
+                name: *secret
+                key: EXTERNAL_DNS_UNIFI_PASS
+          - name: LOG_LEVEL
+            value: "debug"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: http-webhook
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: http-webhook
+          initialDelaySeconds: 10
+          timeoutSeconds: 5
+    extraArgs:
+      - --ignore-ingress-tls-spec
+    triggerLoopOnEvent: true
+    policy: sync
+    sources: ["ingress", "service"]
+    txtOwnerId: theshire
+    txtPrefix: k8s.theshire.
+    domainFilters: ["theshire.internal"]
+    serviceMonitor:
+      enabled: true
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *secret

kubernetes/apps/network/external-dns/app/unifi/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml

kubernetes/apps/network/external-dns/ks.yaml

@@ -44,3 +44,25 @@ spec:
   wait: true
   dependsOn:
     - name: external-secrets-stores
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app external-dns-unifi
+  namespace: flux-system
+spec:
+  targetNamespace: network
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets-stores
+  path: ./kubernetes/apps/network/external-dns/unifi
+  prune: false
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: true
+  interval: 30m
+  timeout: 5m

kubernetes/apps/tailscale/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./tailscale/ks.yaml

kubernetes/apps/tailscale/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tailscale
+  annotations:
+    kustomize.toolkit.fluxcd.io/prune: disabled

kubernetes/apps/tailscale/tailscale/cluster/proxygroup.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: kernel-org-tun
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        resources:
+          limits:
+            kernel.org/tun: 1
+        securityContext:
+          allowPrivilegeEscalation: false
+          runAsUser: 0
+          capabilities:
+            drop: ["ALL"]
+            add: ["NET_ADMIN", "NET_RAW"]
+          seccompProfile: { type: Unconfined }
+      tailscaleInitContainer:
+        securityContext:
+          privileged: true
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule

kubernetes/apps/tailscale/tailscale/externalsecret.yaml

@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: k8s-operator-oauth
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: k8s-operator-oauth-secret
+  dataFrom:
+    - extract:
+        key: k8s-operator-oauth

kubernetes/apps/tailscale/tailscale/ks.yaml

@@ -0,0 +1,40 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app tailscale-operator
+  namespace: flux-system
+spec:
+  targetNamespace: tailscale
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/apps/tailscale/tailscale/operator
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false
+  interval: 30m
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app tailscale-cluster
+  namespace: flux-system
+spec:
+  targetNamespace: tailscale
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: tailscale-operator
+  path: ./kubernetes/apps/tailscale/tailscale/cluster
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: theshire
+  wait: false
+  interval: 30m

kubernetes/apps/tailscale/tailscale/operator/helmrelease.yaml

@@ -0,0 +1,35 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: tailscale-operator
+  namespace: tailscale
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: tailscale-operator
+      version: 1.78.3
+      sourceRef:
+        kind: HelmRepository
+        name: tailscale
+        namespace: flux-system
+      interval: 30m
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
+  values:
+    operatorConfig:
+      defaultTags:
+        - "tag:k8s-operator-theshire"
+      hostname: theshire
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
+    proxyConfig:
+      defaultTags: "tag:k8s-theshire"
+    apiServerProxyConfig:
+      mode: "true"

kubernetes/bootstrap/talos/talconfig.yaml

@@ -6,13 +6,18 @@ clusterName: theshire
 talosVersion: v1.9.0
 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
 kubernetesVersion: 1.31.4
-endpoint: "https://10.1.1.57:6444"
-
-additionalApiServerCertSans:
-  - 10.1.1.57
-
-additionalMachineCertSans:
-  - 10.1.1.57
+endpoint: "https://10.1.1.8:6443"
+additionalApiServerCertSans: &sans
+  - 10.1.1.8  # VIP
+  - 10.1.1.57 # haproxy loadbalancer
+additionalMachineCertSans: *sans
+clusterPodNets:
+  # - "10.244.0.0/16"
+  - "10.3.0.0/16"
+clusterSvcNets:
+  # - "10.96.0.0/12"
+  - "10.4.0.0/16"
+## Cilium LBPool CIDR 10.1.1.30-49 --> 10.5.0.0/16
 
 nodes:
   - hostname: bilbo
@@ -24,6 +29,8 @@ nodes:
     networkInterfaces:
       - interface: eno1
         dhcp: true
+        vip:
+          ip: 10.1.1.8
     schematic:
       customization:
         extraKernelArgs:
@@ -41,6 +48,8 @@ nodes:
     networkInterfaces:
       - interface: eno1
         dhcp: true
+        vip:
+          ip: 10.1.1.8
     schematic:
       customization:
         extraKernelArgs:
@@ -58,6 +67,8 @@ nodes:
     networkInterfaces:
       - interface: eno1
         dhcp: true
+        vip:
+          ip: 10.1.1.8
     schematic:
       customization:
         extraKernelArgs: