feat(k8s/magiclove/cilium): replace l2 announcements with bgp

Author: uhthomas

k8s/magiclove/cilium/BUILD.bazel

@@ -4,7 +4,9 @@ cue_library(
     name = "cue_cilium_library",
     srcs = [
         "certificate_list.cue",
-        "cilium_l2_announcement_policy_list.cue",
+        "cilium_bgp_advertisement_list.cue",
+        "cilium_bgp_cluster_config_list.cue",
+        "cilium_bgp_peer_config_list.cue",
         "cilium_load_balancer_ip_pool_list.cue",
         "cluster_role_binding_list.cue",
         "cluster_role_list.cue",

k8s/magiclove/cilium/README.md

@@ -41,3 +41,24 @@ the target version.
 ❯ cue import -l "strings.ToLower(kind)" --list -R cilium-1.14.0.yaml cilium-1.16.1.yaml
 ❯ diff -urN cilium-1.14.0.cue cilium-1.16.1.cue > out.diff
 ```
+
+## BGP
+
+```frr
+router bgp 65000
+  bgp router-id 172.16.0.1
+  no bgp ebgp-requires-policy
+
+  neighbor magiclove peer-group
+  neighbor magiclove remote-as 65100
+
+  neighbor 172.16.0.110 peer-group magiclove
+  neighbor 172.16.0.120 peer-group magiclove
+  neighbor 172.16.0.130 peer-group magiclove
+
+  address-family ipv4 unicast
+    neighbor magiclove next-hop-self
+    neighbor magiclove soft-reconfiguration inbound
+  exit-address-family
+exit
+```

k8s/magiclove/cilium/cilium_bgp_advertisement_list.cue

@@ -0,0 +1,28 @@
+package cilium
+
+import ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+
+#CiliumBGPAdvertisementList: ciliumv2.#CiliumBGPAdvertisementList & {
+	apiVersion: "cilium.io/v2"
+	kind:       "CiliumBGPAdvertisementList"
+	items: [...{
+		apiVersion: "cilium.io/v2"
+		kind:       "CiliumBGPAdvertisement"
+	}]
+}
+
+#CiliumBGPAdvertisementList: items: [{
+	metadata: {
+		name: "default"
+		labels: advertise: "bgp"
+	}
+	spec: advertisements: [{
+		advertisementType: ciliumv2.#BGPServiceAdvert
+		service: addresses: [ciliumv2.#BGPLoadBalancerIPAddr]
+		selector: matchExpressions: [{
+			key:      "somekey"
+			operator: "NotIn"
+			values: ["never-used-value"]
+		}]
+	}]
+}]

k8s/magiclove/cilium/cilium_bgp_cluster_config_list.cue

@@ -0,0 +1,29 @@
+package cilium
+
+import ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+
+#CiliumBGPClusterConfigList: ciliumv2.#CiliumBGPClusterConfigList & {
+	apiVersion: "cilium.io/v2"
+	kind:       "CiliumBGPClusterConfigList"
+	items: [...{
+		apiVersion: "cilium.io/v2"
+		kind:       "CiliumBGPClusterConfig"
+	}]
+}
+
+#CiliumBGPClusterConfigList: items: [{
+	metadata: name: "default"
+	spec: {
+		nodeSelector: matchLabels: "kubernetes.io/hostname": "dice"
+		bgpInstances: [{
+			name:     "cilium"
+			localASN: 65100
+			peers: [{
+				name:        "unifi"
+				peerASN:     65000
+				peerAddress: "172.16.0.1"
+				peerConfigRef: name: "default"
+			}]
+		}]
+	}
+}]

k8s/magiclove/cilium/cilium_bgp_peer_config_list.cue

@@ -0,0 +1,21 @@
+package cilium
+
+import ciliumv2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+
+#CiliumBGPPeerConfigList: ciliumv2.#CiliumBGPPeerConfigList & {
+	apiVersion: "cilium.io/v2"
+	kind:       "CiliumBGPPeerConfigList"
+	items: [...{
+		apiVersion: "cilium.io/v2"
+		kind:       "CiliumBGPPeerConfig"
+	}]
+}
+
+#CiliumBGPPeerConfigList: items: [{
+	metadata: name: "default"
+	spec: families: [{
+		afi:  "ipv4"
+		safi: "unicast"
+		advertisements: matchLabels: advertise: "bgp"
+	}]
+}]

k8s/magiclove/cilium/cilium_l2_announcement_policy_list.cue

@@ -252,7 +252,16 @@ import "k8s.io/api/core/v1"
 		"l2-announcements-lease-duration": "30s"
 		"l2-announcements-renew-deadline": "10s"
 		"l2-announcements-retry-period":   "1s"
-		"k8s-client-qps":                  "50"
-		"k8s-client-burst":                "150"
+
+		// https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane/
+		"enable-bgp-control-plane":               "true"
+		"bgp-secrets-namespace":                  #Namespace
+		"enable-bgp-control-plane-status-report": "true"
+		"bgp-router-id-allocation-mode":          "default"
+		"bgp-router-id-allocation-ip-pool":       ""
+		"enable-bgp-legacy-origin-attribute":     "false"
+
+		"k8s-client-qps":   "50"
+		"k8s-client-burst": "150"
 	}
 }]

k8s/magiclove/cilium/config_map_list.cue

@@ -25,7 +25,9 @@ import (
 
 _items: [
 	#CertificateList.items,
-	#CiliumL2AnnouncementPolicyList.items,
+	#CiliumBGPAdvertisementList.items,
+	#CiliumBGPClusterConfigList.items,
+	#CiliumBGPPeerConfigList.items,
 	#CiliumLoadBalancerIPPoolList.items,
 	#ClusterRoleBindingList.items,
 	#ClusterRoleList.items,

k8s/magiclove/cilium/list.cue

@@ -17,13 +17,26 @@ import rbacv1 "k8s.io/api/rbac/v1"
 		labels: "app.kubernetes.io/part-of": "cilium"
 	}
 	roleRef: {
-		apiGroup: "rbac.authorization.k8s.io"
+		apiGroup: rbacv1.#GroupName
 		kind:     "Role"
 		name:     "cilium-config-agent"
 	}
 	subjects: [{
-		kind:      "ServiceAccount"
-		name:      "cilium"
-		namespace: #Namespace
+		kind: rbacv1.#ServiceAccountKind
+		name: "cilium"
+	}]
+}, {
+	metadata: {
+		name: "cilium-bgp-control-plane-secrets"
+		labels: "app.kubernetes.io/part-of": "cilium"
+	}
+	roleRef: {
+		apiGroup: rbacv1.#GroupName
+		kind:     "Role"
+		name:     "cilium-bgp-control-plane-secrets"
+	}
+	subjects: [{
+		kind: rbacv1.#ServiceAccountKind
+		name: "cilium"
 	}]
 }]

k8s/magiclove/cilium/role_binding_list.cue

@@ -21,4 +21,14 @@ import rbacv1 "k8s.io/api/rbac/v1"
 		resources: ["configmaps"]
 		verbs: ["get", "list", "watch"]
 	}]
+}, {
+	metadata: {
+		name: "cilium-bgp-control-plane-secrets"
+		labels: "app.kubernetes.io/part-of": "cilium"
+	}
+	rules: [{
+		apiGroups: [""]
+		resources: ["secrets"]
+		verbs: ["get", "list", "watch"]
+	}]
 }]