From 5ca27a832b6b8c32f36468fd5505ce26a1c7b23d Mon Sep 17 00:00:00 2001 From: Jan Novak Date: Wed, 1 Apr 2026 22:23:12 +0200 Subject: [PATCH] gitops: upgrade Cilium to 1.19.1, add fujarna app, flux web UI, OIDC RBAC, and experiments - Upgrade Cilium helm release from 1.18.5 to 1.19.1 with gatewayClass creation enabled - Escalate gitea CI service account to cluster-admin, add OIDC cluster-admin binding - Deploy fujarna app with full manifest set (deployment, service, PVC, httproutes, external secret) - Add Flux web UI via flux-operator OCI repository and helm release - Add experiments kustomization with test resources for gateway API and certificates Co-Authored-By: Claude Opus 4.6 --- .../00-rbac/clusterRoleBinding_gitea-ci.yaml | 12 +++- .../clusterrolebinding_oidc-admin.yaml | 15 +++++ .../cilium/helmrelelase_cilium.yaml | 4 +- .../certificate_operator-test-2.yaml | 17 ++++++ .../certificate_operator-test.yaml | 17 ++++++ .../experiments/deployment_operator-test.yaml | 30 ++++++++++ .../httproute_operator-test-notls.yaml | 25 ++++++++ .../experiments/httproute_operator-test.yaml | 24 ++++++++ .../experiments/referencegrant_default.yaml | 14 +++++ .../experiments/service_operator-test.yaml | 15 +++++ .../flux-system/extra-kustomizations.yaml | 13 ++++ .../flux-system/helmrelease_flux-web.yaml | 16 +++++ .../ocirepository_control-plane.yaml | 13 ++++ .../home-kubernetes/fujarna/deployment.yaml | 60 +++++++++++++++++++ .../externalsecret_gitea-registry.yaml | 22 +++++++ .../fujarna/httproute-notls.yaml | 30 ++++++++++ gitops/home-kubernetes/fujarna/httproute.yaml | 29 +++++++++ gitops/home-kubernetes/fujarna/ingress.yaml | 30 ++++++++++ gitops/home-kubernetes/fujarna/namespace.yaml | 4 ++ gitops/home-kubernetes/fujarna/pvc.yaml | 12 ++++ gitops/home-kubernetes/fujarna/service.yaml | 14 +++++ 21 files changed, 413 insertions(+), 3 deletions(-) create mode 100644 gitops/home-kubernetes/00-rbac/clusterrolebinding_oidc-admin.yaml create mode 100644 gitops/home-kubernetes/experiments/certificate_operator-test-2.yaml create mode 100644 gitops/home-kubernetes/experiments/certificate_operator-test.yaml create mode 100644 gitops/home-kubernetes/experiments/deployment_operator-test.yaml create mode 100644 gitops/home-kubernetes/experiments/httproute_operator-test-notls.yaml create mode 100644 gitops/home-kubernetes/experiments/httproute_operator-test.yaml create mode 100644 gitops/home-kubernetes/experiments/referencegrant_default.yaml create mode 100644 gitops/home-kubernetes/experiments/service_operator-test.yaml create mode 100644 gitops/home-kubernetes/flux-system/helmrelease_flux-web.yaml create mode 100644 gitops/home-kubernetes/flux-system/ocirepository_control-plane.yaml create mode 100644 gitops/home-kubernetes/fujarna/deployment.yaml create mode 100644 gitops/home-kubernetes/fujarna/externalsecret_gitea-registry.yaml create mode 100644 gitops/home-kubernetes/fujarna/httproute-notls.yaml create mode 100644 gitops/home-kubernetes/fujarna/httproute.yaml create mode 100644 gitops/home-kubernetes/fujarna/ingress.yaml create mode 100644 gitops/home-kubernetes/fujarna/namespace.yaml create mode 100644 gitops/home-kubernetes/fujarna/pvc.yaml create mode 100644 gitops/home-kubernetes/fujarna/service.yaml diff --git a/gitops/home-kubernetes/00-rbac/clusterRoleBinding_gitea-ci.yaml b/gitops/home-kubernetes/00-rbac/clusterRoleBinding_gitea-ci.yaml index 53ac34b..50a1d37 100644 --- a/gitops/home-kubernetes/00-rbac/clusterRoleBinding_gitea-ci.yaml +++ b/gitops/home-kubernetes/00-rbac/clusterRoleBinding_gitea-ci.yaml @@ -7,6 +7,14 @@ subjects: name: "gitea_ci@idm.home.hrajfrisbee.cz" # matches preferred_username claim apiGroup: rbac.authorization.k8s.io roleRef: + # kind: ClusterRole + # name: edit # scope down as needed + # apiGroup: rbac.authorization.k8s.io + + # this is obviously too much permissions + # but we can live with it for homelab kind: ClusterRole - name: edit # scope down as needed - apiGroup: rbac.authorization.k8s.io \ No newline at end of file + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + + \ No newline at end of file diff --git a/gitops/home-kubernetes/00-rbac/clusterrolebinding_oidc-admin.yaml b/gitops/home-kubernetes/00-rbac/clusterrolebinding_oidc-admin.yaml new file mode 100644 index 0000000..72d8594 --- /dev/null +++ b/gitops/home-kubernetes/00-rbac/clusterrolebinding_oidc-admin.yaml @@ -0,0 +1,15 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: oidc-cluster-admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- apiGroup: rbac.authorization.k8s.io + kind: User + name: https://idm.home.hrajfrisbee.cz/oauth2/openid/k8s#35842461-a1c4-4ad6-8b29-697c5ddbfe84 +- apiGroup: rbac.authorization.k8s.io + kind: User + name: novakj@idm.home.hrajfrisbee.cz \ No newline at end of file diff --git a/gitops/home-kubernetes/cilium/helmrelelase_cilium.yaml b/gitops/home-kubernetes/cilium/helmrelelase_cilium.yaml index 59024f2..1d559d8 100644 --- a/gitops/home-kubernetes/cilium/helmrelelase_cilium.yaml +++ b/gitops/home-kubernetes/cilium/helmrelelase_cilium.yaml @@ -13,7 +13,7 @@ spec: kind: HelmRepository name: cilium namespace: flux-system - version: 1.18.5 + version: 1.19.1 interval: 5m0s values: cluster: @@ -35,6 +35,8 @@ spec: enabled: true gatewayAPI: enabled: true + gatewayClass: + create: "true" kubeProxyReplacement: true k8sServiceHost: 192.168.0.31 # or LB IP k8sServicePort: 6443 diff --git a/gitops/home-kubernetes/experiments/certificate_operator-test-2.yaml b/gitops/home-kubernetes/experiments/certificate_operator-test-2.yaml new file mode 100644 index 0000000..2402223 --- /dev/null +++ b/gitops/home-kubernetes/experiments/certificate_operator-test-2.yaml @@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: operator-test-lab-home-hrajfrisbee-2 + namespace: default + annotations: + gateway-cert-operator.io/gateway-name: "cilium-gateway" + gateway-cert-operator.io/gateway-namespace: "kube-system" + +spec: + secretName: operator-test-lab-home-hrajfrisbee-2 + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod + dnsNames: + - "operator-test-2.lab.home.hrajfrisbee.cz" \ No newline at end of file diff --git a/gitops/home-kubernetes/experiments/certificate_operator-test.yaml b/gitops/home-kubernetes/experiments/certificate_operator-test.yaml new file mode 100644 index 0000000..7ee6113 --- /dev/null +++ b/gitops/home-kubernetes/experiments/certificate_operator-test.yaml @@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: operator-test-lab-home-hrajfrisbee + namespace: default + annotations: + gateway-cert-operator.io/gateway-name: "cilium-gateway" + gateway-cert-operator.io/gateway-namespace: "kube-system" + +spec: + secretName: operator-test-lab-home-hrajfrisbee + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod + dnsNames: + - "operator-test.lab.home.hrajfrisbee.cz" \ No newline at end of file diff --git a/gitops/home-kubernetes/experiments/deployment_operator-test.yaml b/gitops/home-kubernetes/experiments/deployment_operator-test.yaml new file mode 100644 index 0000000..e487b57 --- /dev/null +++ b/gitops/home-kubernetes/experiments/deployment_operator-test.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: operator-test + namespace: default + labels: + app: operator-test +spec: + replicas: 1 + selector: + matchLabels: + app: operator-test + template: + metadata: + labels: + app: operator-test + spec: + containers: + - name: whoami + image: traefik/whoami + ports: + - containerPort: 80 + name: http + resources: + requests: + cpu: 10m + memory: 16Mi + limits: + memory: 32Mi diff --git a/gitops/home-kubernetes/experiments/httproute_operator-test-notls.yaml b/gitops/home-kubernetes/experiments/httproute_operator-test-notls.yaml new file mode 100644 index 0000000..43f2007 --- /dev/null +++ b/gitops/home-kubernetes/experiments/httproute_operator-test-notls.yaml @@ -0,0 +1,25 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: operator-test-redirect + namespace: default + labels: + app: operator-test +spec: + parentRefs: + - name: cilium-gateway + namespace: kube-system + sectionName: http + hostnames: + - operator-test.lab.home.hrajfrisbee.cz + rules: + - matches: + - path: + type: PathPrefix + value: / + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 diff --git a/gitops/home-kubernetes/experiments/httproute_operator-test.yaml b/gitops/home-kubernetes/experiments/httproute_operator-test.yaml new file mode 100644 index 0000000..0e297c6 --- /dev/null +++ b/gitops/home-kubernetes/experiments/httproute_operator-test.yaml @@ -0,0 +1,24 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: operator-test + namespace: default + labels: + app: operator-test +spec: + parentRefs: + - name: cilium-gateway + namespace: kube-system + sectionName: auto-operator-test-lab-home-hrajfrisbee-operator-test-lab-home-hrajfrisbee-cz + hostnames: + - operator-test.lab.home.hrajfrisbee.cz + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: operator-test + namespace: default + port: 80 diff --git a/gitops/home-kubernetes/experiments/referencegrant_default.yaml b/gitops/home-kubernetes/experiments/referencegrant_default.yaml new file mode 100644 index 0000000..86078e3 --- /dev/null +++ b/gitops/home-kubernetes/experiments/referencegrant_default.yaml @@ -0,0 +1,14 @@ +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: allow-kube-system-gateway + namespace: default +spec: + from: + - group: gateway.networking.k8s.io + kind: Gateway + namespace: kube-system + to: + - group: "" + kind: Secret + name: operator-test-lab-home-hrajfrisbee diff --git a/gitops/home-kubernetes/experiments/service_operator-test.yaml b/gitops/home-kubernetes/experiments/service_operator-test.yaml new file mode 100644 index 0000000..9c47cff --- /dev/null +++ b/gitops/home-kubernetes/experiments/service_operator-test.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: operator-test + namespace: default +spec: + type: ClusterIP + selector: + app: operator-test + ports: + - port: 80 + targetPort: 80 + protocol: TCP + name: http diff --git a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml index 02a68dd..6b82d68 100644 --- a/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml +++ b/gitops/home-kubernetes/flux-system/extra-kustomizations.yaml @@ -130,6 +130,19 @@ spec: sourceRef: kind: GitRepository name: flux-system +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: experiments + namespace: flux-system +spec: + interval: 10m0s + path: ./gitops/home-kubernetes/experiments + prune: true + sourceRef: + kind: GitRepository + name: flux-system # --- # apiVersion: kustomize.toolkit.fluxcd.io/v1 # kind: Kustomization diff --git a/gitops/home-kubernetes/flux-system/helmrelease_flux-web.yaml b/gitops/home-kubernetes/flux-system/helmrelease_flux-web.yaml new file mode 100644 index 0000000..c702e2d --- /dev/null +++ b/gitops/home-kubernetes/flux-system/helmrelease_flux-web.yaml @@ -0,0 +1,16 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: flux-web + namespace: flux-system +spec: + interval: 30m + releaseName: flux-web + chartRef: + kind: OCIRepository + name: flux-operator + values: + fullnameOverride: flux-web + installCRDs: true + web: + serverOnly: true \ No newline at end of file diff --git a/gitops/home-kubernetes/flux-system/ocirepository_control-plane.yaml b/gitops/home-kubernetes/flux-system/ocirepository_control-plane.yaml new file mode 100644 index 0000000..db3a085 --- /dev/null +++ b/gitops/home-kubernetes/flux-system/ocirepository_control-plane.yaml @@ -0,0 +1,13 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: OCIRepository +metadata: + name: flux-operator + namespace: flux-system +spec: + interval: 30m + url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator + layerSelector: + mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip" + operation: copy + ref: + semver: "0.x" \ No newline at end of file diff --git a/gitops/home-kubernetes/fujarna/deployment.yaml b/gitops/home-kubernetes/fujarna/deployment.yaml new file mode 100644 index 0000000..3722cec --- /dev/null +++ b/gitops/home-kubernetes/fujarna/deployment.yaml @@ -0,0 +1,60 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: fujarna + namespace: fujarna + labels: + app: fujarna +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: fujarna + template: + metadata: + labels: + app: fujarna + spec: + imagePullSecrets: + - name: gitea-registry + containers: + - name: fujarna + image: gitea.home.hrajfrisbee.cz/kacerr/fujarna:v0.0.2 + ports: + - containerPort: 8080 + name: http + env: + - name: PORT + value: "8080" + - name: TZ + value: Europe/Prague + volumeMounts: + - name: data + mountPath: /app/data + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi + readinessProbe: + httpGet: + path: /api/tournaments + port: 8080 + initialDelaySeconds: 2 + periodSeconds: 10 + timeoutSeconds: 3 + livenessProbe: + httpGet: + path: /api/tournaments + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 30 + timeoutSeconds: 5 + volumes: + - name: data + persistentVolumeClaim: + claimName: tournament-data diff --git a/gitops/home-kubernetes/fujarna/externalsecret_gitea-registry.yaml b/gitops/home-kubernetes/fujarna/externalsecret_gitea-registry.yaml new file mode 100644 index 0000000..dff2698 --- /dev/null +++ b/gitops/home-kubernetes/fujarna/externalsecret_gitea-registry.yaml @@ -0,0 +1,22 @@ +apiVersion: external-secrets.io/v1 +kind: ExternalSecret +metadata: + name: gitea-registry + namespace: fujarna +spec: + refreshInterval: 1h + secretStoreRef: + name: vault-backend + kind: ClusterSecretStore + target: + name: gitea-registry + creationPolicy: Owner + template: + type: kubernetes.io/dockerconfigjson + data: + .dockerconfigjson: "{{ .token }}" + data: + - secretKey: token + remoteRef: + key: k8s_home/gitea/container-registry + property: token diff --git a/gitops/home-kubernetes/fujarna/httproute-notls.yaml b/gitops/home-kubernetes/fujarna/httproute-notls.yaml new file mode 100644 index 0000000..db09778 --- /dev/null +++ b/gitops/home-kubernetes/fujarna/httproute-notls.yaml @@ -0,0 +1,30 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: fujarna-redirect + namespace: fujarna + labels: + app: fujarna + app.kubernetes.io/name: fujarna-httproute + app.kubernetes.io/instance: fujarna + app.kubernetes.io/version: '6.0' + app.kubernetes.io/component: httproute + app.kubernetes.io/part-of: fujarna +spec: + parentRefs: + - name: cilium-gateway + namespace: kube-system + sectionName: http + hostnames: + - fujarna.lab.home.hrajfrisbee.cz + rules: + - matches: + - path: + type: PathPrefix + value: / + filters: + - type: RequestRedirect + requestRedirect: + scheme: https + statusCode: 301 diff --git a/gitops/home-kubernetes/fujarna/httproute.yaml b/gitops/home-kubernetes/fujarna/httproute.yaml new file mode 100644 index 0000000..39ae35c --- /dev/null +++ b/gitops/home-kubernetes/fujarna/httproute.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: fujarna + namespace: fujarna + labels: + app: fujarna + app.kubernetes.io/name: fujarna-httproute + app.kubernetes.io/instance: fujarna + app.kubernetes.io/version: '6.0' + app.kubernetes.io/component: httproute + app.kubernetes.io/part-of: fujarna +spec: + parentRefs: + - name: cilium-gateway + namespace: kube-system + sectionName: lab-home-hrajfrisbee-https-wildcard + hostnames: + - fujarna.lab.home.hrajfrisbee.cz + rules: + - matches: + - path: + type: PathPrefix + value: / + backendRefs: + - name: fujarna + namespace: fujarna + port: 80 diff --git a/gitops/home-kubernetes/fujarna/ingress.yaml b/gitops/home-kubernetes/fujarna/ingress.yaml new file mode 100644 index 0000000..021392f --- /dev/null +++ b/gitops/home-kubernetes/fujarna/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: fujarna + namespace: fujarna + annotations: + # WebSocket support - increase timeouts for live scoring connections + nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" + nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" + nginx.ingress.kubernetes.io/proxy-http-version: "1.1" + # Uncomment for cert-manager TLS: + # cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + ingressClassName: nginx # change to "traefik" for k3s default + rules: + - host: hrajfrisbee.cz # change to your domain + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: fujarna + port: + number: 80 + # Uncomment for TLS: + # tls: + # - hosts: + # - hrajfrisbee.cz + # secretName: fujarna-tls diff --git a/gitops/home-kubernetes/fujarna/namespace.yaml b/gitops/home-kubernetes/fujarna/namespace.yaml new file mode 100644 index 0000000..8c3efc4 --- /dev/null +++ b/gitops/home-kubernetes/fujarna/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: fujarna diff --git a/gitops/home-kubernetes/fujarna/pvc.yaml b/gitops/home-kubernetes/fujarna/pvc.yaml new file mode 100644 index 0000000..ebe9f84 --- /dev/null +++ b/gitops/home-kubernetes/fujarna/pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tournament-data + namespace: fujarna +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + # storageClassName: local-path # uncomment to override cluster default diff --git a/gitops/home-kubernetes/fujarna/service.yaml b/gitops/home-kubernetes/fujarna/service.yaml new file mode 100644 index 0000000..83833c9 --- /dev/null +++ b/gitops/home-kubernetes/fujarna/service.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: Service +metadata: + name: fujarna + namespace: fujarna +spec: + type: ClusterIP + selector: + app: fujarna + ports: + - port: 80 + targetPort: 8080 + protocol: TCP + name: http