migrate from ingress-nginx to gateway-api

apps/kustomize/web/base/gateway/backendtlspolicy.yaml

@@ -0,0 +1,14 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  name: web-gw
+spec:
+  targetRefs:
+    - kind: Service
+      name: web
+      group: ""
+  validation:
+    caCertificateRefs:
+      - kind: ConfigMap
+        name: brds-bundle
+        group: ""

apps/kustomize/web/base/gateway/gateway.yaml

@@ -0,0 +1,8 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  annotations:
+    cert-manager.io/issuer: web-gw-issuer
+  name: web-gw
+spec:
+  gatewayClassName: cilium

apps/kustomize/web/base/gateway/issuer.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: web-gw-issuer
+spec:
+  acme:
+    email: drew@brds.ca
+    privateKeySecretRef:
+      name: web-gw-issuer
+    solvers:
+      - http01:
+          gatewayHTTPRoute:
+            parentRefs:
+              - name: web-gw
+                kind: Gateway

apps/kustomize/web/base/gateway/referencegrant.yaml

@@ -0,0 +1,12 @@
+apiVersion: gateway.networking.k8s.io/v1beta1
+kind: ReferenceGrant
+metadata:
+  name: web-gw
+spec:
+  from:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      namespace: gateway-prod
+  to:
+    - group: ""
+      kind: Secret

apps/kustomize/web/base/gateway/routes/http-v4.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-http-v4
+spec:
+  rules:
+    - filters:
+        - requestRedirect:
+            scheme: https
+            statusCode: 301
+          type: RequestRedirect
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

apps/kustomize/web/base/gateway/routes/http.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-http
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: web-gw
+      sectionName: http
+  rules:
+    - filters:
+        - requestRedirect:
+            scheme: https
+            statusCode: 301
+          type: RequestRedirect
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

apps/kustomize/web/base/gateway/routes/https-v4.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-https-v4
+spec:
+  rules:
+    - backendRefs:
+        - group: ""
+          kind: Service
+          name: web
+          port: 443
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

apps/kustomize/web/base/gateway/routes/https.yaml

@@ -0,0 +1,20 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-https
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: web-gw
+      sectionName: https
+  rules:
+    - backendRefs:
+        - group: ""
+          kind: Service
+          name: web
+          port: 443
+      matches:
+        - path:
+            type: PathPrefix
+            value: /

apps/kustomize/web/base/kustomization.yaml

@@ -2,7 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
+  - gateway/routes/http.yaml
+  - gateway/routes/http-v4.yaml
+  - gateway/routes/https.yaml
+  - gateway/routes/https-v4.yaml
+  - gateway/backendtlspolicy.yaml
+  - gateway/gateway.yaml
+  - gateway/issuer.yaml
+  - gateway/referencegrant.yaml
   - web/deployment.yaml
-  - web/ingress.yaml
   - web/service.yaml
   - web/web-backend-tls.yaml

apps/kustomize/web/base/web/ingress.yaml

@@ -1,11 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    acme.cert-manager.io/http01-ingress-class: nginx
-    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
-  name: web
-  labels:
-    app: web
-spec:
-  ingressClassName: nginx

apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml

@@ -0,0 +1,10 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: BackendTLSPolicy
+metadata:
+  name: web-gw
+spec:
+  validation:
+    hostname: stage.d-b.ca
+    subjectAltNames:
+      - type: Hostname
+        hostname: stage.d-b.ca

apps/kustomize/web/envs/stage/gateway/gateway.yaml

@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: web-gw
+spec:
+  addresses:
+    - value: 2600:70ff:b815:802:88eb:2ce8:86c9:564c
+  listeners:
+    - name: http
+      hostname: stage.d-b.ca
+      port: 80
+      protocol: HTTP
+      allowedRoutes:
+        namespaces:
+          from: Same
+    - name: https
+      hostname: stage.d-b.ca
+      port: 443
+      protocol: HTTPS
+      allowedRoutes:
+        namespaces:
+          from: Same
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: web-tls

apps/kustomize/web/envs/stage/gateway/issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: web-gw-issuer
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory

apps/kustomize/web/envs/stage/gateway/routes/http-v4.yaml

@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-http-v4
+spec:
+  hostnames:
+    - stage.d-b.ca
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: v4-gw
+      namespace: gateway-prod
+      sectionName: dbca-web-stage-http

apps/kustomize/web/envs/stage/gateway/routes/http.yaml

@@ -0,0 +1,7 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-http
+spec:
+  hostnames:
+    - stage.d-b.ca

apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml

@@ -0,0 +1,13 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-https-v4
+spec:
+  hostnames:
+    - stage.d-b.ca
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: v4-gw
+      namespace: gateway-prod
+      sectionName: dbca-web-stage-https

apps/kustomize/web/envs/stage/gateway/routes/https.yaml

@@ -0,0 +1,7 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: web-https
+spec:
+  hostnames:
+    - stage.d-b.ca

apps/kustomize/web/envs/stage/kustomization.yaml

@@ -3,8 +3,15 @@ kind: Kustomization
 
 resources:
   - ../../base
+  - namespace.yaml
 
 patches:
-  - path: web/ingress.yaml
+  - path: gateway/routes/http.yaml
+  - path: gateway/routes/http-v4.yaml
+  - path: gateway/routes/https.yaml
+  - path: gateway/routes/https-v4.yaml
+  - path: gateway/backendtlspolicy.yaml
+  - path: gateway/gateway.yaml
+  - path: gateway/issuer.yaml
   - path: web/web-backend-tls.yaml
   - path: web/web-image.yaml

apps/kustomize/web/envs/stage/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: dbca-web-stage
+  labels:
+    brds.ca/localca: enabled

apps/kustomize/web/envs/stage/web/ingress.yaml

@@ -1,30 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/auth-url: |-
-      http://ak-outpost-forward-auth-proxy-default.iam.svc.k8s.ho.brds.ca:9000/outpost.goauthentik.io/auth/nginx
-    nginx.ingress.kubernetes.io/auth-signin: |-
-      https://stage.d-b.ca/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-response-headers: |-
-      Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid
-    nginx.ingress.kubernetes.io/auth-snippet: |
-      proxy_set_header X-Forwarded-Host $http_host;
-  name: web
-spec:
-  rules:
-    - host: stage.d-b.ca
-      http:
-        paths:
-          - backend:
-              service:
-                name: web
-                port:
-                  name: https
-            path: /
-            pathType: Prefix
-  tls:
-    - hosts:
-        - stage.d-b.ca
-      secretName: web-tls