From 0dbb3c2e193879dd803d9065de9dd00becbe2b0c Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Wed, 12 Feb 2025 00:16:46 +0100
Subject: [PATCH] Add cilium to flux
---
 infra/configs/bgp-cluster-config.yaml | 62 +++++++++++++++
 infra/configs/loadbalancer-ippool.yaml | 8 ++
 infra/controllers/cilium.yaml | 106 +++++++++++++++++++++++++
 infra/kustomization.yaml | 3 +
 4 files changed, 179 insertions(+)
 create mode 100644 infra/configs/bgp-cluster-config.yaml
 create mode 100644 infra/configs/loadbalancer-ippool.yaml
 create mode 100644 infra/controllers/cilium.yaml
diff --git a/infra/configs/bgp-cluster-config.yaml b/infra/configs/bgp-cluster-config.yaml
new file mode 100644
index 0000000..355512d
--- /dev/null
+++ b/infra/configs/bgp-cluster-config.yaml
@@ -0,0 +1,62 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+ name: router
+spec:
+ bgpInstances:
+ - name: "main"
+ localASN: 65000
+ peers:
+ - name: barracuda
+ peerASN: 65000
+ peerAddress: 2001:470:61a3:100:ffff:ffff:ffff:ffff
+ peerConfigRef:
+ name: cilium-peer
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+ name: cilium-peer
+spec:
+ timers:
+ keepAliveTimeSeconds: 3
+ holdTimeSeconds: 9
+ connectRetryTimeSeconds: 12
+ gracefulRestart:
+ enabled: true
+ restartTimeSeconds: 60
+ families:
+ - afi: ipv4
+ safi: unicast
+ advertisements:
+ matchLabels:
+ advertise: bgp
+ - afi: ipv6
+ safi: unicast
+ advertisements:
+ matchLabels:
+ advertise: bgp
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPAdvertisement
+metadata:
+ name: bgp-advertisements
+ labels:
+ advertise: bgp
+spec:
+ advertisements:
+ - advertisementType: "CiliumPodIPPool"
+ # Wanting to advertise all pools
+ # https://docs.cilium.io/en/v1.16/network/bgp-control-plane/bgp-control-plane-v2/#multipool-ipam
+ selector:
+ matchExpressions:
+ - { key: somekey, operator: NotIn, values: ["never-used-value"] }
+ - advertisementType: Service
+ service:
+ addresses:
+ # Not advertising ClusterIP - kubeproxyreplacement should? translate them directly to pod ips
+ # Not advertising ExternalIP - they should be reachable via static config
+ - LoadBalancerIP
+ selector:
+ matchExpressions:
+ - { key: somekey, operator: NotIn, values: ["never-used-value"] }
diff --git a/infra/configs/loadbalancer-ippool.yaml b/infra/configs/loadbalancer-ippool.yaml
new file mode 100644
index 0000000..b06b8c0
--- /dev/null
+++ b/infra/configs/loadbalancer-ippool.yaml
@@ -0,0 +1,8 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: "blue-pool"
+spec:
+ blocks:
+ - cidr: 10.44.0.0/16
+ - cidr: 2001:470:61a3:400::/112
diff --git a/infra/controllers/cilium.yaml b/infra/controllers/cilium.yaml
new file mode 100644
index 0000000..6465570
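Review bot: The CiliumBGPPeerConfig `cilium-peer` brings up the session to `barracuda` with no session authentication; the spec has `authSecretRef`, naming a Secret (in the namespace Cilium is configured to read BGP secrets from) that carries a `password` key for TCP MD5, and setting it with the matching password on the router side limits who can open a session and inject routes on that link. That matters here because the ASNs are equal (iBGP, 65000 on both sides) and the two advertisements use the match-everything `NotIn` selector, so every pod IP pool and every LoadBalancer IP is announced and anything the cluster accepts from the peer applies cluster-wide; the router side should filter what it accepts as well. Minor: the comment `# Not advertising ClusterIP - kubeproxyreplacement should? translate them directly to pod ips` leaves the rationale as an open question; confirm it and drop the `should?` so the comment states a fact.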
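Review bot: Quoting is inconsistent with the sibling file: `apiVersion: "cilium.io/v2alpha1"` and `name: "blue-pool"` are quoted here while bgp-cluster-config.yaml writes the same values plain; pick one form for both. The pool declares no `serviceSelector`, so every Service of type LoadBalancer in the cluster draws from these two blocks and is then announced by the Service advertisement in bgp-cluster-config.yaml; if that is intended, a one-line comment such as `# No serviceSelector: every LoadBalancer Service is allocated from this pool` saves the next reader checking.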
--- /dev/null
+++ b/infra/controllers/cilium.yaml
@@ -0,0 +1,106 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kube-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cilium
+ namespace: kube-system
+spec:
+ interval: 24h
+ url: https://helm.cilium.com/stable
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cilium
+ namespace: kube-system
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: cilium
+ version: 1.16.6
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ namespace: kube-system
+ interval: 12h
+ values:
+ # Talos specific
+ # https://www.talos.dev/v1.9/kubernetes-guides/network/deploying-cilium/
+ kubeProxyReplacement: true
+
+ securityContext:
+ capabilities:
+ ciliumAgent:
+ - CHOWN
+ - KILL
+ - NET_ADMIN
+ - NET_RAW
+ - IPC_LOCK
+ - SYS_ADMIN
+ - SYS_RESOURCE
+ - DAC_OVERRIDE
+ - FOWNER
+ - SETGID
+ - SETUID
+ cleanCiliumState:
+ - NET_ADMIN
+ - SYS_ADMIN
+ - SYS_RESOURCE
+
+ cgroup:
+ autoMount:
+ enabled: false
+ hostRoot: /sys/fs/cgroup
+
+ k8sServiceHost: localhost
+ k8sServicePort: 7445
+
+ # Homelab
+ routingMode: native
+ ipv6:
+ enabled: true
+
+ # Enable managing of IP Pools via CRD
+ ipam:
+ mode: multi-pool
+ operator:
+ autoCreateCiliumPodIPPools:
+ default:
+ # In line with controlplane.yml
+ ipv4:
+ cidrs:
+ - 10.42.0.0/16
+ maskSize: 24
+ ipv6:
+ cidrs:
+ - 2001:470:61a3:200::/104
+ maskSize: 120
+
+ # Disable masquerading, ipv4 is done at router level
+ enableIPv4Masquerade: false
+ enableIPv6Masquerade: false
+
+ # Enable peering announcing routes via BGP
+ bgpControlPlane:
+ enabled: true
+
+ # Decrease requests
+ resources:
+ requests:
+ cpu: 0
+
+ operator:
+ resources:
+ requests:
+ cpu: 0
+
+ envoy:
+ resources:
+ requests:
+ cpu: 0
diff --git a/infra/kustomization.yaml b/infra/kustomization.yaml
index add625b..9413a84 100644
--- a/infra/kustomization.yaml
+++ b/infra/kustomization.yaml
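Review bot: The HelmRepository URL `url: https://helm.cilium.com/stable` does not match the repository the Cilium and Talos docs publish, `https://helm.cilium.io`; if the host is a typo the HelmRelease never resolves its chart, so confirm the URL before merging. The `version: 1.16.6` pin is good for reproducibility, and since this is a plain HTTP Helm repository no signature verification is available, so the pin is the only supply-chain control on this chart. Declaring the `kube-system` Namespace puts a pre-existing system namespace under Flux management; it is probably harmless, but either drop the object or add a comment above it stating why it is declared so nobody later treats it as an error. With `routingMode: native`, both masquerade options off and the pod pools announced upstream, pod IPs are reachable directly from the router side; nothing in these values sets `policyEnforcementMode`, so pod exposure rests on whatever NetworkPolicy exists elsewhere, which is worth a comment next to `enableIPv4Masquerade` if that is the intent.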
@@ -1,10 +1,13 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - controllers/cilium.yaml
 - controllers/nginx.yaml
 - controllers/dns-public.yaml
 - controllers/cert-manager.yaml
 - controllers/openebs.yaml
 - diskpools/zoma-dibaiyin-hdd.yaml
+ - configs/bgp-cluster-config.yaml
+ - configs/loadbalancer-ippool.yaml
 - configs/cluster-issuer.yaml
 - configs/single-hdd-sc.yaml
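Review bot: `configs/bgp-cluster-config.yaml` and `configs/loadbalancer-ippool.yaml` are Cilium custom resources listed in the same Kustomization as the HelmRelease that installs Cilium, so on a fresh cluster their kinds (`CiliumBGPClusterConfig`, `CiliumBGPPeerConfig`, `CiliumBGPAdvertisement`, `CiliumLoadBalancerIPPool`) may not be registered when Flux applies them and the reconcile fails until Cilium has created its CRDs; Flux retries, but the ordering inside `resources` establishes no dependency. The cleaner form is a separate Flux Kustomization for the configs with `dependsOn` naming the one that holds the controllers. If an outer Kustomization already orders this, ignore.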