d-b.ca/db-cd
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

migrate from ingress-nginx to gateway-api

Browse Source
This commit is contained in:
Drew Bowering
2026-02-04 14:30:51 -07:00
parent c214ae7de8
commit d716c4bb6d
20 changed files with 224 additions and 43 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
apps/kustomize/web/base/gateway/backendtlspolicy.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
name: web-gw
spec:
targetRefs:
- kind: Service
name: web
group: ""
validation:
caCertificateRefs:
- kind: ConfigMap
name: brds-bundle
group: ""

8
apps/kustomize/web/base/gateway/gateway.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
annotations:
cert-manager.io/issuer: web-gw-issuer
name: web-gw
spec:
gatewayClassName: cilium

15
apps/kustomize/web/base/gateway/issuer.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: web-gw-issuer
spec:
acme:
email: drew@brds.ca
privateKeySecretRef:
name: web-gw-issuer
solvers:
- http01:
gatewayHTTPRoute:
parentRefs:
- name: web-gw
kind: Gateway

12
apps/kustomize/web/base/gateway/referencegrant.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
name: web-gw
spec:
from:
- group: gateway.networking.k8s.io
kind: Gateway
namespace: gateway-prod
to:
- group: ""
kind: Secret

15
apps/kustomize/web/base/gateway/routes/http-v4.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-http-v4
spec:
rules:
- filters:
- requestRedirect:
scheme: https
statusCode: 301
type: RequestRedirect
matches:
- path:
type: PathPrefix
value: /

20
apps/kustomize/web/base/gateway/routes/http.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-http
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: web-gw
sectionName: http
rules:
- filters:
- requestRedirect:
scheme: https
statusCode: 301
type: RequestRedirect
matches:
- path:
type: PathPrefix
value: /

15
apps/kustomize/web/base/gateway/routes/https-v4.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-https-v4
spec:
rules:
- backendRefs:
- group: ""
kind: Service
name: web
port: 443
matches:
- path:
type: PathPrefix
value: /

20
apps/kustomize/web/base/gateway/routes/https.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-https
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: web-gw
sectionName: https
rules:
- backendRefs:
- group: ""
kind: Service
name: web
port: 443
matches:
- path:
type: PathPrefix
value: /

9
apps/kustomize/web/base/kustomization.yaml
View File

@@ -2,7 +2,14 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- gateway/routes/http.yaml
- gateway/routes/http-v4.yaml
- gateway/routes/https.yaml
- gateway/routes/https-v4.yaml
- gateway/backendtlspolicy.yaml
- gateway/gateway.yaml
- gateway/issuer.yaml
- gateway/referencegrant.yaml
- web/deployment.yaml - web/deployment.yaml
- web/ingress.yaml
- web/service.yaml - web/service.yaml
- web/web-backend-tls.yaml - web/web-backend-tls.yaml

11
apps/kustomize/web/base/web/ingress.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
acme.cert-manager.io/http01-ingress-class: nginx
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
name: web
labels:
app: web
spec:
ingressClassName: nginx

10
apps/kustomize/web/envs/stage/gateway/backendtlspolicy.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: gateway.networking.k8s.io/v1
kind: BackendTLSPolicy
metadata:
name: web-gw
spec:
validation:
hostname: stage.d-b.ca
subjectAltNames:
- type: Hostname
hostname: stage.d-b.ca

26
apps/kustomize/web/envs/stage/gateway/gateway.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: web-gw
spec:
addresses:
- value: 2600:70ff:b815:802:88eb:2ce8:86c9:564c
listeners:
- name: http
hostname: stage.d-b.ca
port: 80
protocol: HTTP
allowedRoutes:
namespaces:
from: Same
- name: https
hostname: stage.d-b.ca
port: 443
protocol: HTTPS
allowedRoutes:
namespaces:
from: Same
tls:
mode: Terminate
certificateRefs:
- name: web-tls

7
apps/kustomize/web/envs/stage/gateway/issuer.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: web-gw-issuer
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory

13
apps/kustomize/web/envs/stage/gateway/routes/http-v4.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-http-v4
spec:
hostnames:
- stage.d-b.ca
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: v4-gw
namespace: gateway-prod
sectionName: dbca-web-stage-http

7
apps/kustomize/web/envs/stage/gateway/routes/http.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-http
spec:
hostnames:
- stage.d-b.ca

13
apps/kustomize/web/envs/stage/gateway/routes/https-v4.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-https-v4
spec:
hostnames:
- stage.d-b.ca
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: v4-gw
namespace: gateway-prod
sectionName: dbca-web-stage-https

7
apps/kustomize/web/envs/stage/gateway/routes/https.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web-https
spec:
hostnames:
- stage.d-b.ca

9
apps/kustomize/web/envs/stage/kustomization.yaml
View File

@@ -3,8 +3,15 @@ kind: Kustomization
resources: resources:
- ../../base - ../../base
- namespace.yaml
patches: patches:
- path: web/ingress.yaml - path: gateway/routes/http.yaml
- path: gateway/routes/http-v4.yaml
- path: gateway/routes/https.yaml
- path: gateway/routes/https-v4.yaml
- path: gateway/backendtlspolicy.yaml
- path: gateway/gateway.yaml
- path: gateway/issuer.yaml
- path: web/web-backend-tls.yaml - path: web/web-backend-tls.yaml
- path: web/web-image.yaml - path: web/web-image.yaml

6
apps/kustomize/web/envs/stage/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: dbca-web-stage
labels:
brds.ca/localca: enabled

30
apps/kustomize/web/envs/stage/web/ingress.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/auth-url: |-
http://ak-outpost-forward-auth-proxy-default.iam.svc.k8s.ho.brds.ca:9000/outpost.goauthentik.io/auth/nginx
nginx.ingress.kubernetes.io/auth-signin: |-
https://stage.d-b.ca/outpost.goauthentik.io/start?rd=$scheme://$http_host$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-entitlements,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
name: web
spec:
rules:
- host: stage.d-b.ca
http:
paths:
- backend:
service:
name: web
port:
name: https
path: /
pathType: Prefix
tls:
- hosts:
- stage.d-b.ca
secretName: web-tls