add gateway and certmanager

2026-05-05 12:53:27 -05:00
parent d8efb8557f
commit b26aff21fb
10 changed files with 126 additions and 80 deletions
--- a/clusters/k3s-dgx/infrastructure/cert-manager.yaml
+++ b/clusters/k3s-dgx/infrastructure/cert-manager.yaml
@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager 
+spec:
+  interval: 10m
+  url: https://charts.jetstack.io
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.17.0
+      sourceRef:
+        kind: HelmRepository
+        name: cert-manager
+  interval: 10m
+  namespace: cert-manager
+  values:
+    installCRDs: true
+    global:
+      rbac:
+        create: true
+      leaderElection:
+        namespace: cert-manager
+    crds:
+      enabled: true
+    enableCertificateOwnerRef: true
+    config:
+      apiVersion: "controller.config.cert-manager.io/v1alpha1"
+      kind: "ControllerConfiguration"
+      enableGatewayAPI: true
+    prometheus:
+      enabled: false
--- a/clusters/k3s-dgx/infrastructure/envoy-gateway-class.yaml
+++ b/clusters/k3s-dgx/infrastructure/envoy-gateway-class.yaml
@@ -0,0 +1,6 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller  
--- a/clusters/k3s-dgx/infrastructure/envoy-gateway-system.yaml
+++ b/clusters/k3s-dgx/infrastructure/envoy-gateway-system.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: envoy-gateway-system
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+  name: gateway-helm
+  namespace: envoy-gateway-system
+spec:
+  interval: 1h
+  url: oci://docker.io/envoyproxy/gateway-helm
+  layerSelector:
+    mediaType: "application/vnd.cncf.helm.chart.content.v1.tar+gzip"
+    operation: copy
+  ref:
+    tag: v1.7.2
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: envoy-gateway
+  namespace: envoy-gateway-system
+spec:
+  interval: 5m
+  releaseName: eg
+  chartRef:
+    kind: OCIRepository
+    name: gateway-helm
+  upgrade:
+    strategy:
+      name: RetryOnFailure
+      retryInterval: 5m
--- a/clusters/k3s-dgx/infrastructure/kustomization.yaml
+++ b/clusters/k3s-dgx/infrastructure/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cert-manager.yaml
+  - envoy-gateway.yaml
+  - envoy-gateway-class.yaml
--- a/clusters/k3s-dgx/kserve/gateway.yaml
+++ b/clusters/k3s-dgx/kserve/gateway.yaml
@@ -0,0 +1,33 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: envoy
+spec:
+  controllerName: gateway.envoyproxy.io/gatewayclass-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: kserve-ingress-gateway
+  namespace: kserve
+spec:
+  gatewayClassName: envoy
+  listeners:
+    - name: http
+      protocol: HTTP
+      port: 80
+      allowedRoutes:
+        namespaces:
+          from: All
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - kind: Secret
+            name: kserve-ingress-gateway-tls
+            namespace: kserve
+      allowedRoutes:
+        namespaces:
+          from: All
--- a/clusters/k3s-dgx/kserve/istio-gateway.yaml
+++ b/clusters/k3s-dgx/kserve/istio-gateway.yaml
@@ -1,35 +0,0 @@
-apiVersion: networking.istio.io/v1beta1
-kind: Gateway
-metadata:
-  name: kserve-gateway
-  namespace: kserve
-spec:
-  selector:
-    istio: ingressgateway
-  servers:
-    - port:
-        number: 80
-        name: http
-        protocol: HTTP
-      hosts:
-        - "*"
---
-apiVersion: networking.istio.io/v1beta1
-kind: VirtualService
-metadata:
-  name: kserve-vs
-  namespace: kserve
-spec:
-  hosts:
-    - "*"
-  gateways:
-    - kserve-gateway
-  http:
-    - match:
-        - uri:
-            prefix: /v1/models/
-      route:
-        - destination:
-            host: kserve-default
-            port:
-              number: 80
--- a/clusters/k3s-dgx/kserve/kserve-controller.yaml
+++ b/clusters/k3s-dgx/kserve/kserve-controller.yaml
@@ -1,40 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
-  name: kserve
-  namespace: kserve
-spec:
-  interval: 10m
-  url: https://kserve.github.io/kserve
---
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: kserve
-  namespace: kserve
-spec:
-  interval: 10m
-  chart:
-    spec:
-      chart: kserve
-      version: "v0.12.0"
-      sourceRef:
-        kind: HelmRepository
-        name: kserve
-        namespace: kserve
-  values:
-    controller:
-      resources:
-        requests:
-          cpu: 500m
-          memory: 512Mi
-        limits:
-          cpu: 2
-          memory: 2Gi
-    config:
-      ingress:
-        className: istio
-    knative:
-      enabled: true
-    istio:
-      enabled: true
--- a/clusters/k3s-dgx/kserve/kserve-namespace.yaml
+++ b/clusters/k3s-dgx/kserve/kserve-namespace.yaml
@@ -2,6 +2,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
  name: kserve
-  labels:
-    istio-injection: enabled
-    serving.kserve.io/serving-runtime: "true"
--- a/clusters/k3s-dgx/kserve/kustomization.yaml
+++ b/clusters/k3s-dgx/kserve/kustomization.yaml
@@ -3,5 +3,4 @@ kind: Kustomization
 namespace: kserve
 resources:
  - kserve-namespace.yaml
-  - kserve-controller.yaml
-  - istio-gateway.yaml
+  - kserve-resources.yaml
--- a/clusters/k3s-dgx/kustomization.yaml
+++ b/clusters/k3s-dgx/kustomization.yaml
@@ -3,5 +3,6 @@ kind: Kustomization
 resources:
  - flux-system
  - gpu-support
+  - infrastructure
  # - kserve
  # - apps