Randoooom · Randoooom · Sep 8, 2025 · Aug 23, 2025 · Aug 23, 2025 · Aug 23, 2025
diff --git a/.gitsecret/paths/mapping.cfg b/.gitsecret/paths/mapping.cfg
@@ -1,20 +1,22 @@
-bootstrap/.tfvars:c59bda3fb513eba7e5e6120e02e87b80029f25cc98c93221eb2d99543020082b
+bootstrap/.tfvars:83081bb1ce10cc4de7a203841c123e60708e327f17802e4a8fd187613d4882f4
 bootstrap/.env:3793cde571fad0241a4f0db335639628e23b819f9d25faf375f56d9ccaa833b4
 bootstrap/network/.tfvars:d73c94a2a910dd569d65520c92b5cc326b02b3109fbe6db2b0276fe258856037
 bootstrap/nodes/.tfvars:d73c94a2a910dd569d65520c92b5cc326b02b3109fbe6db2b0276fe258856037
 bootstrap/talos/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 bootstrap/kubernetes-base/.tfvars:a977002750bf7f9c9c54170318d0339b9613bd5c6319771d10d4fa151d59f360
 bootstrap/bastion/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 bootstrap/kubernetes-full/.tfvars:bf3d0052abdb32d1bf817bcebbc42f16aba73be4a492b27d074f8f4a0034a6ea
-bootstrap/zitadel/.tfvars:7e5659619a1f5291374f810e341e2e431726b2d45e25342544cef59aaec9977f
 bootstrap/storage/.tfvars:9be541e805ac5327d4388aebc55b66ddf0d252826b64c91061ccfc8818b806ab
 bootstrap/mail/.tfvars:78f36831ee591ccaa2ee5e36384e10c55af37b7b7d45e45de5780d783daf6c8e
 bootstrap/forgejo/.tfvars:5a3644e635316695848ff645db21b142c46f5814a69f2fd88b22a85a06b7d43d
 bootstrap/cni/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
 bootstrap/databases/.tfvars:d7427cfaefe5e1533c7f5d359ce59a9388acbcc3a43eee8f57369d57d53664a6
-bootstrap/monitoring/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
+bootstrap/monitoring/.tfvars:1fba86f67d89bf0be7a91b1340ba667fbb2a91ece56ea039ad399dc3e71a01b8
 gitops/templates/forgejo-runner/secrets/forgejo-runner-token.yaml:33ebd61a116468ade762bd6f40ccf39203df8b6b79ff99a3a5c6038ce1e2e846
-gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml:40d5622a64e25442669d3557132cd10311af08d7cfbe41eb91388499e57a92fd
-gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml:aded3b3c42e18a6059d14dbb57004cd4d45bc94231646d243c1f765a63b2b955
+gitops/templates/feedback-fusion/secrets/feedback-fusion-config.yaml:d8ae48d8e6d9e48e58544540a9de4aca1596479247008952b5cae629ebb820e7
+gitops/templates/feedback-fusion/secrets/feedback-fusion-dashboard-config.yaml:5b916b41311fae423da3aa2b70ab0a803388c95a441f306e42464c54ca9037e4
 gitops/templates/event/secrets/surrealdb-credentials.yaml:bb264af1a0b593d4d0a1e8a1b1501e5c0e5cbf9bffb5442de82aeb0ce55c0227
 gitops/templates/dawarich/secrets/config.yaml:5e732977afa1674c91997ef43596053e9b67a101548d1a8c634bfbecd1d289bb
+bootstrap/csi/.tfvars:e7507fc2b6a8b10f81389918e7d6f8fa65262273d5b06a8410c85a0f963ba4f6
+bootstrap/entra/.tfvars:8936d30a5b7021c5e33b1d20279006928f36c2215163fc64e2ba90f80e891e43
+bootstrap/gateway/.tfvars:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
diff --git a/bootstrap/.env.secret b/bootstrap/.env.secret
diff --git a/bootstrap/.tfvars.secret b/bootstrap/.tfvars.secret
diff --git a/bootstrap/bastion/.tfvars.secret b/bootstrap/bastion/.tfvars.secret
diff --git a/bootstrap/cni/.tfvars.secret b/bootstrap/cni/.tfvars.secret
diff --git a/bootstrap/cni/ingress.tf b/bootstrap/cni/ingress.tf
diff --git a/bootstrap/cni/main.tf b/bootstrap/cni/main.tf
@@ -21,9 +21,14 @@ resource "helm_release" "cilium" {
   values = [yamlencode({
     ipam = {
       mode = "kubernetes"
+
+      operator = {
+        clusterPoolIPv4PodCIDRList = [var.pod_subnet_block]
+      }
     }
 
-    kubeProxyReplacement = true
+    kubeProxyReplacement                = true
+    kubeProxyReplacementHealthzBindAddr = "0.0.0.0:10256"
 
     securityContext = {
       capabilities = {
@@ -51,8 +56,6 @@ resource "helm_release" "cilium" {
       enabled = true
     }
 
-    kubeProxyReplacementHealthzBindAddr = "0.0.0.0:10256"
-
     encryption = {
       enabled        = true
       nodeEncryption = true
@@ -95,15 +98,6 @@ resource "helm_release" "cilium" {
 
       ui = {
         enabled = true
-
-        ingress = {
-          className = "internal"
-          enabled   = true
-          hosts     = ["hubble.internal.${var.cluster_domain}"]
-          annotations = {
-            "external-dns.alpha.kubernetes.io/cloudflare-proxied" = "false"
-          }
-        }
       }
 
       metrics = {
@@ -121,118 +115,55 @@ resource "helm_release" "cilium" {
         }
       }
     }
-
-    gatewayAPI = {
-      enabled    = true
-      enableAlpn = true
-      hostNetwork = {
-        enabled = true
-      }
-    }
   })]
 }
 
-resource "kubectl_manifest" "cilium_gateway" {
-  yaml_body = yamlencode({
-    apiVersion = "gateway.networking.k8s.io/v1"
-    kind       = "Gateway"
-    metadata = {
-      name = "cilium"
-      annotations = {
-        "cert-manager.io/cluster-issuer"          = "letsencrypt"
-        "external-dns.alpha.kubernetes.io/target" = local.loadbalancer_ip
-      }
-    }
-    spec = {
-      gatewayClassName = "cilium"
-      listeners = [
-        {
-          name     = "http"
-          protocol = "HTTP"
-          port     = var.services.http.node_port
-        },
-        {
-          name     = "https"
-          protocol = "HTTPS"
-          port     = var.services.https.node_port
-          hostname = "*.${var.cluster_domain}"
-
-          allowedRoutes = {
-            namespaces = {
-              from = "All"
-            }
-          }
-
-          tls = {
-            certificateRefs = [
-              {
-                name  = "gateway-cluster-tls"
-                kind  = "Secret"
-                group = ""
-              }
-            ]
-          }
-        },
-        {
-          name     = "https-public"
-          protocol = "HTTPS"
-          port     = var.services.https.node_port
-          hostname = "*.${var.public_domain}"
-
-          allowedRoutes = {
-            namespaces = {
-              from = "All"
-            }
-          }
-
-          tls = {
-            certificateRefs = [
-              {
-                name  = "gateway-public-tls"
-                kind  = "Secret"
-                group = ""
-              }
-            ]
-          }
-        }
-      ]
-    }
-  })
-}
-
-resource "kubectl_manifest" "gateway_https_redirect" {
-  depends_on = [kubectl_manifest.cilium_gateway]
+resource "kubectl_manifest" "hubble_route" {
+  depends_on = [helm_release.cilium]
 
   yaml_body = yamlencode({
     apiVersion = "gateway.networking.k8s.io/v1"
     kind       = "HTTPRoute"
     metadata = {
-      name = "https-redirect"
+      name      = "hubble"
+      namespace = kubernetes_namespace.cilium.metadata[0].name
     }
     spec = {
       parentRefs = [
         {
-          name        = "cilium"
-          sectionName = "http"
+          name        = "private"
+          sectionName = "https"
+          namespace   = "default"
         }
       ]
-      hostnames = [
-        "*.${var.cluster_domain}",
-        "*.${var.public_domain}"
-      ]
+      hostnames = ["hubble.internal.${var.cluster_domain}"]
       rules = [
         {
-          filters = [
+          matches = [
             {
-              type = "RequestRedirect"
-              requestRedirect = {
-                scheme     = "https"
-                statusCode = 301
+              path = {
+                type  = "PathPrefix"
+                value = "/"
               }
             }
           ]
+          backendRefs = [
+            {
+              name = "hubble-ui"
+              port = 80
+            }
+          ]
         }
       ]
     }
   })
 }
+
+module "hubble-oidc" {
+  source = "${var.module_path}/envoy-oidc-security-policy"
+
+  cluster_name = var.cluster_name
+  route        = "hubble"
+  hostname     = "hubble.internal.${var.cluster_domain}"
+  namespace    = kubernetes_namespace.cilium.metadata[0].name
+}
diff --git a/bootstrap/cni/nlb.tf b/bootstrap/cni/nlb.tf
@@ -1,5 +1,6 @@
+
 locals {
-  loadbalancer_ip = [for ip in oci_network_load_balancer_network_load_balancer.this.ip_addresses : ip.ip_address if ip.is_public][0]
+  public_loadbalancer_ip = [for ip in oci_network_load_balancer_network_load_balancer.this.ip_addresses : ip.ip_address if ip.is_public][0]
 }
 
 resource "oci_network_load_balancer_network_load_balancer" "this" {
@@ -13,7 +14,7 @@ resource "oci_network_load_balancer_network_load_balancer" "this" {
 
 
 resource "oci_network_load_balancer_backend_set" "services" {
-  for_each = var.services
+  for_each = var.public_services
 
   name                     = "${replace(each.key, "_", "-")}-bs" # Eindeutiger Name pro Service, z.B. "http-bs"
   network_load_balancer_id = oci_network_load_balancer_network_load_balancer.this.id
@@ -30,7 +31,7 @@ resource "oci_network_load_balancer_backend_set" "services" {
 
 # Erstellt für jeden Service einen eigenen Listener
 resource "oci_network_load_balancer_listener" "services" {
-  for_each = var.services
+  for_each = var.public_services
 
   network_load_balancer_id = oci_network_load_balancer_network_load_balancer.this.id
   name                     = replace(each.key, "_", "-")
@@ -43,8 +44,8 @@ resource "oci_network_load_balancer_listener" "services" {
 
 resource "oci_network_load_balancer_backend" "nodes" {
   for_each = {
-    for pair in setproduct(keys(var.services), var.worker) : "${pair[0]}-${pair[1].id}" => {
-      service     = var.services[pair[0]]
+    for pair in setproduct(keys(var.public_services), var.worker) : "${pair[0]}-${pair[1].id}" => {
+      service     = var.public_services[pair[0]]
       service_key = pair[0]
       worker      = pair[1]
     }

diff --git a/bootstrap/cni/outputs.tf b/bootstrap/cni/outputs.tf
@@ -1,30 +1,4 @@
-output "loadbalancer_ip" {
+output "public_loadbalancer_ip" {
   sensitive = true
-  value     = local.loadbalancer_ip
+  value     = local.public_loadbalancer_ip
 }
-
-output "ca_volume" {
-  value = {
-    name = "certificates"
-    configMap = {
-      name     = "cluster-authority"
-      optional = false
-      items = [
-        {
-          key  = "root-certs.pem"
-          path = "root-certs.pem"
-        }
-      ]
-    }
-  }
-}
-
-output "ca_volume_mount" {
-  value = {
-    name      = "certificates"
-    readOnly  = true
-    mountPath = "/etc/ssl/certs/root-certs.pem"
-    subPath   = "root-certs.pem"
-  }
-}
-
diff --git a/bootstrap/cni/security.tf b/bootstrap/cni/security.tf
@@ -5,7 +5,7 @@ resource "oci_core_network_security_group" "nlb" {
 }
 
 resource "oci_core_network_security_group_security_rule" "service_ingress" {
-  for_each = var.services
+  for_each = var.public_services
 
   network_security_group_id = oci_core_network_security_group.nlb.id
   direction                 = "INGRESS"

diff --git a/bootstrap/cni/terragrunt.hcl b/bootstrap/cni/terragrunt.hcl
@@ -10,6 +10,10 @@ include "kubernetes" {
   path = find_in_parent_folders("kubernetes.hcl")
 }
 
+include "entra" {
+  path = find_in_parent_folders("entra.hcl")
+}
+
 dependency "talos" {
   config_path = "${get_terragrunt_dir()}/../talos"
 }
@@ -26,6 +30,7 @@ inputs = {
   kubeconfig    = dependency.talos.outputs.kubeconfig
 
   public_subnet = dependency.network.outputs.public_subnet
+  private_subnet = dependency.network.outputs.subnet
   vcn_id        = dependency.network.outputs.vcn_id
 
   worker       = dependency.nodes.outputs.worker

diff --git a/bootstrap/cni/variables.tf b/bootstrap/cni/variables.tf
@@ -2,18 +2,12 @@ variable "public_subnet" {
   type = string
 }
 
-variable "cluster_domain" {
+variable "private_subnet" {
   type = string
 }
 
-variable "cloudflare_api_token" {
-  type      = string
-  sensitive = true
-}
-
-variable "acme_email" {
-  type      = string
-  sensitive = true
+variable "cluster_domain" {
+  type = string
 }
 
 variable "worker" {
@@ -56,3 +50,7 @@ variable "remote_wireguard_cidr" {
 variable "public_domain" {
   type = string
 }
+
+variable "pod_subnet_block" {
+  type = string
+}
diff --git a/bootstrap/csi/.tfvars.secret b/bootstrap/csi/.tfvars.secret