BGP WIP

 * Set CIDR for bgp pool to the dhcp range from the unifi network
 * new unifi network 192.168.250.0/24 with dhcp 100-254
 * set start/end of pool to 192.168.250.100-192.168.250-254
 * set router peer to 192.168.250.1
 * fix traefik nodeselector
 * remove port forwarding from unifi

k8s/prod/cilium/bgp.yaml

@@ -0,0 +1,70 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "example-pool"
+  labels:
+    pool: "blue"
+spec:
+  blocks:
+    #- cidr: 192.168.250.0/24 # Alternative notation with CIDR
+    #- cidr: 172.16.91.0/24 # Alternative notation with CIDR
+    - start: 192.168.250.100 # Start of the IP range
+      stop: 192.168.250.254 # End of the IP range
+
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPAdvertisement
+metadata:
+  name: services
+  labels:
+    advertise: bgp # This label is used in the next step
+spec:
+  advertisements:
+    #- advertisementType: PodCIDR # This is optional and can be omitted if you don't want to advertise the Pod network
+    - advertisementType: Service
+      service:
+        addresses:
+          - ClusterIP
+          - LoadBalancerIP
+      selector:
+        matchLabels:
+          pool: "blue"
+      #selector:
+      #  matchExpressions:
+      #    # To enable BGP advertisement for all LoadBalancer services, you can use the following expression
+      #    # See https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v2/#multipool-ipam to learn why
+      #    - { key: somekey, operator: NotIn, values: [ 'never-used-value' ] }
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeerConfig
+metadata:
+    name: tor-rack-1
+spec:
+    gracefulRestart:
+        enabled: true
+        restartTimeSeconds: 15
+    families:
+        - afi: ipv4
+          safi: unicast
+          advertisements:
+              matchLabels:
+                  advertise: "bgp"
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPClusterConfig
+metadata:
+  name: tor-rack-1
+spec:
+  #nodeSelector:
+  #  matchLabels:
+  #    topology.kubernetes.io/region: berlin
+  #    topology.kubernetes.io/zone: rack-1
+  bgpInstances:
+    - name: "cloudfleet"
+      localASN: 65001 # The ASN number you want to use for your cluster
+      peers:
+        - name: unifi
+          peerASN: 65000 # Router's ASN number
+          peerAddress: "192.168.250.1" # Router's IP address
+          peerConfigRef:
+            name: tor-rack-1 # Reference to the peer configuration. We created this in the previous step

k8s/prod/traefik/lb.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-bgp
+  namespace: traefik
+  labels:
+    pool: blue
+spec:
+  type: LoadBalancer
+  ports:
+  - name: http
+    port: 80
+    targetPort: web
+  - name: https
+    port: 443
+    targetPort: websecure
+  selector:
+    app.kubernetes.io/instance: traefik-traefik
+    app.kubernetes.io/name: traefik

terraform/unifi/vlan_k8s_bgp.tf

@@ -0,0 +1,28 @@
+resource "unifi_network" "k8s_bgp" {
+  dhcp_dns                   = local.nextdns_servers
+  dhcp_enabled               = true
+  dhcp_relay_enabled         = false
+  dhcp_start                 = "192.168.250.100"
+  dhcp_stop                  = "192.168.250.254"
+  #dhcp_v6_dns                = []
+  #dhcp_v6_dns_auto           = true
+  #dhcp_v6_enabled            = false
+  #dhcp_v6_lease              = 86400
+  #dhcp_v6_start              = "::2"
+  #dhcp_v6_stop               = "::7d1"
+  dhcpd_boot_enabled         = false
+  igmp_snooping              = false
+  #ipv6_pd_start              = "::2"
+  #ipv6_pd_stop               = "::7d1"
+  #ipv6_ra_enable             = true
+  #ipv6_ra_preferred_lifetime = 14400
+  #ipv6_ra_valid_lifetime     = 0
+  #ipv6_ra_priority           = "high"
+  multicast_dns              = false
+  name                       = "K8S BGP"
+  purpose                    = "corporate"
+  site                       = "default"
+  subnet                     = "192.168.250.0/24"
+  vlan_id                    = 99
+  wan_dns                    = []
+}