Initial Cilium Stack Implementation

Signed-off-by: Blake R <[email protected]>

README.md

@@ -17,3 +17,4 @@ See [the instructions](https://github.com/cnoe-io/idpbuilder?tab=readme-ov-file#
 - **[Localstack](./localstack-integration)**. Use [LocalStack](https://github.com/localstack/localstack) to test out cloud integrations.
 - **[Terraform Integrations](./terraform-integrations)**. Integrating Terraform with Reference Implementation.
 - **[Dapr Integration](./dapr-integrations)**. Integrating the Dapr APIs for Building Secure and Reliable Microservices .
+- **[Cilium Integration](./cilium-integration)**. Integrates Cilium, Tetragon and Hubble for networking.

cilium-integration/README.md

@@ -0,0 +1,17 @@
+# Cilium Integration
+
+`idpBuilder` is extensible to launch custom Crossplane patterns using package extensions. This stack contains the code for integrating Cilium with IDPBuilder.
+
+```bash
+idpbuilder create --package https://github.com/cnoe-io/stacks//cilium-integration
+```
+
+## What is installed?
+
+1. Cilium
+2. Hubble UI
+3. Tetragon
+
+Navigating to https://hubble.cnoe.localtest.me:8443/ will bring you to the Hubble UI where you can visualize the network traffic in the cluster.
+
+You can also run `kubectl logs -lapp.kubernetes.io/name=tetragon -n kube-system` to see processes running inside of the pods running from Tetragon. 

cilium-integration/cilium.yaml

@@ -0,0 +1,51 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cilium
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://helm.cilium.io/'
+    targetRevision: 1.16.1
+    helm:
+      releaseName: cilium
+      values: |
+        image:
+          pullPolicy: IfNotPresent
+        operator:
+          replicas: 1
+        ipam:
+          mode: kubernetes
+        hubble:
+          relay:
+            enabled: true
+          ui:
+            enabled: true
+    chart: cilium
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+  - kind: Secret
+    name: cilium-ca
+    jsonPointers:
+      - /data
+  - kind: Secret
+    name: hubble-relay-client-certs
+    jsonPointers:
+      - /data
+  - kind: Secret
+    name: hubble-server-certs
+    jsonPointers:
+      - /data

cilium-integration/hubble-ui-ingress/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/backend-protocol: HTTP
+  name: hubble-ui-ingress
+  namespace: kube-system
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: hubble.cnoe.localtest.me
+    http:
+      paths:
+      - backend:
+          service:
+            name: hubble-ui
+            port:
+              number: 80
+        path: /
+        pathType: Prefix

cilium-integration/hubble-ui.yaml

@@ -0,0 +1,26 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: hubble-ui
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: cnoe://hubble-ui-ingress
+    targetRevision: HEAD
+    path: "."
+    directory:
+      recurse: true
+  destination:
+    server: "https://kubernetes.default.svc"
+    namespace: kube-system
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true
+    automated: {}
+

cilium-integration/tetragon.yaml

@@ -0,0 +1,32 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tetragon
+  namespace: argocd
+  labels:
+    env: dev
+  finalizers:
+    - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  source:
+    repoURL: 'https://helm.cilium.io/'
+    targetRevision: 1.2.0
+    helm:
+      releaseName: tetragon
+      values: |
+        tetragon:
+          exportFilename: /dev/stdout
+          exportAllowList: |-
+            {"event_set":["PROCESS_EXEC", "PROCESS_EXIT", "PROCESS_UPROBE"]}
+    chart: tetragon
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: false
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true