myoung34 · myoung34 · Feb 18, 2025 · Feb 18, 2025
diff --git a/k8s/prod/cilium/README.md b/k8s/prod/cilium/README.md
@@ -0,0 +1,103 @@
+unifi FRR config example:
+
+Unifi -> settings -> routing -> BGP
+* Name: anything
+* device: udm pro
+* upload following config
+
+
+```
+router bgp 65000
+ bgp router-id 192.168.1.1
+
+ ! Define neighbors with remote AS
+ neighbor 192.168.1.19 remote-as 65001
+ neighbor 192.168.1.19 default-originate
+ neighbor 192.168.1.21 remote-as 65001
+ neighbor 192.168.1.21 default-originate
+ neighbor 192.168.1.22 remote-as 65001
+ neighbor 192.168.1.22 default-originate
+ neighbor 192.168.1.23 remote-as 65001
+ neighbor 192.168.1.23 default-originate
+ neighbor 192.168.1.24 remote-as 65001
+ neighbor 192.168.1.24 default-originate
+ neighbor 192.168.1.25 remote-as 65001
+ neighbor 192.168.1.25 default-originate
+ neighbor 192.168.1.26 remote-as 65001
+ neighbor 192.168.1.26 default-originate
+ neighbor 192.168.1.27 remote-as 65001
+ neighbor 192.168.1.27 default-originate
+
+ ! BGP address family
+ address-family ipv4 unicast
+  redistribute connected
+  redistribute kernel
+
+  ! Apply soft-reconfiguration and route-map per neighbor
+  neighbor 192.168.1.19 soft-reconfiguration inbound
+  neighbor 192.168.1.19 route-map ALLOW-ALL in
+  neighbor 192.168.1.21 soft-reconfiguration inbound
+  neighbor 192.168.1.21 route-map ALLOW-ALL in
+  neighbor 192.168.1.22 soft-reconfiguration inbound
+  neighbor 192.168.1.22 route-map ALLOW-ALL in
+  neighbor 192.168.1.23 soft-reconfiguration inbound
+  neighbor 192.168.1.23 route-map ALLOW-ALL in
+  neighbor 192.168.1.24 soft-reconfiguration inbound
+  neighbor 192.168.1.24 route-map ALLOW-ALL in
+  neighbor 192.168.1.25 soft-reconfiguration inbound
+  neighbor 192.168.1.25 route-map ALLOW-ALL in
+  neighbor 192.168.1.26 soft-reconfiguration inbound
+  neighbor 192.168.1.26 route-map ALLOW-ALL in
+  neighbor 192.168.1.27 soft-reconfiguration inbound
+  neighbor 192.168.1.27 route-map ALLOW-ALL in
+ exit-address-family
+
+! Define route-map
+route-map ALLOW-ALL permit 10
+!
+
+line vty
+!
+```
+
+To debug:
+
+From unifi UDM pro via SSH:
+
+```
+root@DreamMachinePro:~# systemctl status frr
+...
+
+root@DreamMachinePro:~# journalctl -xe --no-pager
+..
+
+root@DreamMachinePro:~# vtysh -c 'show ip bgp'
+BGP table version is 10, local router ID is 192.168.1.1, vrf id 0
+Default local pref 100, local AS 65000
+Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
+               i internal, r RIB-failure, S Stale, R Removed
+Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
+Origin codes:  i - IGP, e - EGP, ? - incomplete
+RPKI validation codes: V valid, I invalid, N Not found
+
+   Network          Next Hop            Metric LocPrf Weight Path
+*> 192.168.0.0/24   0.0.0.0                  0         32768 ?
+*> 192.168.1.0/24   0.0.0.0                  0         32768 ?
+*> 192.168.2.0/24   0.0.0.0                  0         32768 ?
+*> 192.168.3.0/24   0.0.0.0                  0         32768 ?
+*> 192.168.4.0/24   0.0.0.0                  0         32768 ?
+*> 192.168.5.0/26   0.0.0.0                  0         32768 ?
+*> 192.168.6.0/24   0.0.0.0                  0         32768 ?
+*= 192.168.250.100/32
+                    192.168.1.26                           0 65001 i
+*=                  192.168.1.25                           0 65001 i
+*=                  192.168.1.24                           0 65001 i
+*=                  192.168.1.27                           0 65001 i
+*=                  192.168.1.21                           0 65001 i
+*=                  192.168.1.22                           0 65001 i
+*=                  192.168.1.23                           0 65001 i
+*>                  192.168.1.19                           0 65001 i
+*> 209.30.118.0/23  0.0.0.0                  0         32768 ?
+
+Displayed  9 routes and 16 total paths
+```
diff --git a/k8s/prod/cilium/bgp.yaml b/k8s/prod/cilium/bgp.yaml
@@ -0,0 +1,49 @@
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumLoadBalancerIPPool
+metadata:
+  name: "traefik"
+  labels:
+    pool: "traefik"
+spec:
+  blocks:
+    - cidr: 192.168.250.100/32
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPAdvertisement
+metadata:
+  name: services
+  labels:
+    advertise: bgp
+spec:
+  advertisements:
+    - advertisementType: Service
+      service:
+        addresses:
+          - LoadBalancerIP
+      selector:
+        matchLabels:
+          pool: "traefik"
+      #selector:
+      #  matchExpressions:
+      #    # To enable BGP advertisement for all LoadBalancer services, you can use the following expression
+      #    # See https://docs.cilium.io/en/latest/network/bgp-control-plane/bgp-control-plane-v2/#multipool-ipam to learn why
+      #    - { key: somekey, operator: NotIn, values: [ 'never-used-value' ] }
+---
+apiVersion: "cilium.io/v2alpha1"
+kind: CiliumBGPPeeringPolicy
+metadata:
+  name: 01-traefik-bgp-peering-policy
+spec:
+  nodeSelector:
+    matchExpressions:
+      # match all nodes
+      - { key: somekey, operator: NotIn, values: ["never-used-value"] }
+  virtualRouters: # []CiliumBGPVirtualRouter
+    - localASN: 65001
+      serviceSelector:
+        matchExpressions:
+          - { key: somekey, operator: NotIn, values: ["never-used-value"] }
+      exportPodCIDR: false
+      neighbors:
+        - peerAddress: "192.168.0.1/32"
+          peerASN: 65000
diff --git a/k8s/prod/cilium/kustomization.yaml b/k8s/prod/cilium/kustomization.yaml
@@ -2,6 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: kube-system
 
+resources:
+  - bgp.yaml
+
 helmCharts:
   - name: cilium
     releaseName: cilium

diff --git a/k8s/prod/traefik/kustomization.yaml b/k8s/prod/traefik/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
   - namespace.yaml
   - vault.yaml
   - middleware.yaml
+  - lb.yaml
 
 helmCharts:
 - name: traefik

diff --git a/k8s/prod/traefik/lb.yaml b/k8s/prod/traefik/lb.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: traefik-bgp
+  namespace: traefik
+  labels:
+    pool: traefik
+spec:
+  type: LoadBalancer
+  ports:
+  - name: http
+    port: 80
+    targetPort: web
+  - name: https
+    port: 443
+    targetPort: websecure
+  selector:
+    app.kubernetes.io/instance: traefik-traefik
+    app.kubernetes.io/name: traefik
diff --git a/terraform/unifi/port_forward.tf b/terraform/unifi/port_forward.tf
@@ -1,6 +1,6 @@
 resource "unifi_port_forward" "http" {
   dst_port               = "80"
-  fwd_ip                 = "192.168.1.21"
+  fwd_ip                 = "192.168.250.100"
   fwd_port               = "80"
   name                   = "marcyoung.us"
   port_forward_interface = "wan"
@@ -9,7 +9,7 @@ resource "unifi_port_forward" "http" {
 
 resource "unifi_port_forward" "https" {
   dst_port               = "443"
-  fwd_ip                 = "192.168.1.21"
+  fwd_ip                 = "192.168.250.100"
   fwd_port               = "443"
   name                   = "marcyoung.us ssl"
   port_forward_interface = "wan"