From 75f6c62d0327c1ca04cd9c3d67e81be7257d7379 Mon Sep 17 00:00:00 2001 From: Dreaded_X Date: Tue, 2 Dec 2025 02:21:16 +0100 Subject: [PATCH] feat: Let flux manage cilium after bootstrap --- bootstrap.sh | 5 +++- clusters/testing/kustomization.yaml | 1 + controllers/artifacts.yaml | 5 ++++ controllers/cilium/base/helm-release.yaml | 30 +++++++++++++++++++ controllers/cilium/base/helm-repository.yaml | 8 +++++ controllers/cilium/base/kustomization.yaml | 15 ++++++++++ controllers/cilium/base/name-reference.yaml | 6 ++++ controllers/cilium/base/namespace.yaml | 4 +++ .../cilium/base/values.yaml | 5 ---- controllers/cilium/cilium.yaml | 15 ++++++++++ .../cilium/production/kustomization.yaml | 4 +++ controllers/cilium/staging/kustomization.yaml | 10 +++++++ controllers/cilium/staging/values.yaml | 2 ++ 13 files changed, 104 insertions(+), 6 deletions(-) create mode 100644 controllers/cilium/base/helm-release.yaml create mode 100644 controllers/cilium/base/helm-repository.yaml create mode 100644 controllers/cilium/base/kustomization.yaml create mode 100644 controllers/cilium/base/name-reference.yaml create mode 100644 controllers/cilium/base/namespace.yaml rename cilium.yaml => controllers/cilium/base/values.yaml (90%) create mode 100644 controllers/cilium/cilium.yaml create mode 100644 controllers/cilium/production/kustomization.yaml create mode 100644 controllers/cilium/staging/kustomization.yaml create mode 100644 controllers/cilium/staging/values.yaml diff --git a/bootstrap.sh b/bootstrap.sh index de911ea..1f20a75 100755 --- a/bootstrap.sh +++ b/bootstrap.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +root=$(git rev-parse --show-toplevel) tools=(talosctl cilium-cli yq helm) cilium_version=1.18.4 
@@ -101,6 +102,7 @@ elif [ ! $count -eq 0 ]; then echo " [Success]" fi +cluster_env=$(kubectl get configmaps -n flux-system cluster-variables -o jsonpath={.data.cluster_env}) if ! helm status -n kube-system cilium &> /dev/null; then echo "Installing cilium..." helm repo add cilium https://helm.cilium.io/ > /dev/null @@ -110,7 +112,8 @@ if ! helm status -n kube-system cilium &> /dev/null; then cilium/cilium \ --version ${cilium_version} \ --namespace kube-system \ - --values cilium.yaml + --values ${root}/controllers/cilium/base/values.yaml \ + --values ${root}/controllers/cilium/${cluster_env}/values.yaml fi cilium-cli status --wait diff --git a/clusters/testing/kustomization.yaml b/clusters/testing/kustomization.yaml index d7a665b..75f7ecc 100644 --- a/clusters/testing/kustomization.yaml +++ b/clusters/testing/kustomization.yaml @@ -3,6 +3,7 @@ kind: Kustomization resources: - flux-system/ - ../../controllers/artifacts.yaml + - ../../controllers/cilium/cilium.yaml - ../../controllers/cert-manager/cert-manager.yaml - ../../configs/artifacts.yaml - ../../configs/letsencrypt/letsencrypt.yaml diff --git a/controllers/artifacts.yaml b/controllers/artifacts.yaml index 2bf3885..269eaec 100644 --- a/controllers/artifacts.yaml +++ b/controllers/artifacts.yaml @@ -9,6 +9,11 @@ spec: kind: GitRepository name: flux-system artifacts: + - name: cilium + originRevision: "@foundation" + copy: + - from: "@foundation/controllers/cilium/**" + to: "@artifact/" - name: cert-manager originRevision: "@foundation" copy: diff --git a/controllers/cilium/base/helm-release.yaml b/controllers/cilium/base/helm-release.yaml new file mode 100644 index 0000000..d5ad67c --- /dev/null +++ b/controllers/cilium/base/helm-release.yaml 
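Review bot: `cluster_env` is read from the `cluster-variables` ConfigMap and later spliced into a file path without any check. With kubectl's default settings a missing key prints an empty string with exit status 0, so `set -e` does not catch it and the problem only surfaces as a confusing helm error. I would validate it right after the lookup, e.g. `case "$cluster_env" in staging|production) ;; *) echo "unexpected cluster_env: '$cluster_env'" >&2; exit 1 ;; esac`, which also keeps a tampered ConfigMap value from steering `--values` to a file outside `controllers/cilium/`. The lookup is only needed on the install path, so it could move inside the `if ! helm status` block, which continues outside this hunk. Quoting the template (`-o jsonpath='{.data.cluster_env}'`) would also be tidier.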
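Review bot: The second `--values` path is not guaranteed to exist: this commit adds `controllers/cilium/staging/values.yaml` but no `values.yaml` under `production/`, so on a production cluster the install would fail on a missing file (unless that file already exists outside this patch). Either add an empty `production/values.yaml` or pass the overlay only when the file is present, mirroring the `optional: true` that the HelmRelease uses for `values-overlay`. Both expansions are also unquoted and would word-split if the checkout path contains spaces; `--values "${root}/controllers/cilium/${cluster_env}/values.yaml"` avoids that. The surrounding `helm` command starts outside the hunk.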
@@ -0,0 +1,30 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: cilium
+ namespace: cilium
+spec:
+ interval: 12h
+ targetNamespace: kube-system
+ install:
+ strategy:
+ name: RetryOnFailure
+ retryInterval: 2m
+ upgrade:
+ strategy:
+ name: RetryOnFailure
+ retryInterval: 3m
+ chart:
+ spec:
+ chart: cilium
+ version: "1.x"
+ sourceRef:
+ kind: HelmRepository
+ name: cilium
+ interval: 24h
+ valuesFrom:
+ - kind: ConfigMap
+ name: values-base
+ - kind: ConfigMap
+ name: values-overlay
+ optional: true
diff --git a/controllers/cilium/base/helm-repository.yaml b/controllers/cilium/base/helm-repository.yaml
new file mode 100644
index 0000000..1a07703
--- /dev/null
+++ b/controllers/cilium/base/helm-repository.yaml
@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: cilium
+ namespace: cilium
+spec:
+ interval: 24h
+ url: https://helm.cilium.io
diff --git a/controllers/cilium/base/kustomization.yaml b/controllers/cilium/base/kustomization.yaml
new file mode 100644
index 0000000..6bf0ebd
--- /dev/null
+++ b/controllers/cilium/base/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - helm-repository.yaml
+ - helm-release.yaml
+
+configurations:
+ - name-reference.yaml
+
+configMapGenerator:
+ - name: values-base
+ namespace: cilium
+ files:
+ - values.yaml
diff --git a/controllers/cilium/base/name-reference.yaml b/controllers/cilium/base/name-reference.yaml
new file mode 100644
index 0000000..a80be15
--- /dev/null
+++ b/controllers/cilium/base/name-reference.yaml
@@ -0,0 +1,6 @@
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/controllers/cilium/base/namespace.yaml b/controllers/cilium/base/namespace.yaml
new file mode 100644
index 0000000..e4a1aca
--- /dev/null
+++ b/controllers/cilium/base/namespace.yaml
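Review bot: As far as I can tell this HelmRelease will not take over the release that bootstrap.sh installs: with `targetNamespace` set, Flux defaults the release name to `kube-system-cilium` and keeps release state in the HelmRelease's own namespace (`cilium`), while bootstrap creates a release named `cilium` stored in `kube-system`. Adding `releaseName: cilium` and `storageNamespace: kube-system` under `spec` should let Flux adopt the existing release instead of attempting a second install over the same resources. Separately, `version: "1.x"` lets the CNI move to any new 1.x chart unattended while bootstrap pins `cilium_version=1.18.4`; a narrower range such as `version: "1.18.x"` keeps minor upgrades of the network layer a reviewed change.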
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cilium diff --git a/cilium.yaml b/controllers/cilium/base/values.yaml similarity index 90% rename from cilium.yaml rename to controllers/cilium/base/values.yaml index 8543a11..35ae1cc 100644 --- a/cilium.yaml +++ b/controllers/cilium/base/values.yaml @@ -29,8 +29,3 @@ gatewayAPI: enabled: true enableAlpn: true enableAppProtocol: true -operator: - replicas: 1 -hubble: - relay: - enabled: true diff --git a/controllers/cilium/cilium.yaml b/controllers/cilium/cilium.yaml new file mode 100644 index 0000000..f527099 --- /dev/null +++ b/controllers/cilium/cilium.yaml @@ -0,0 +1,15 @@ +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: cilium + namespace: flux-system +spec: + interval: 1h + retryInterval: 2m + timeout: 5m + sourceRef: + kind: ExternalArtifact + name: cilium + path: ./${cluster_env} + prune: true + wait: true diff --git a/controllers/cilium/production/kustomization.yaml b/controllers/cilium/production/kustomization.yaml new file mode 100644 index 0000000..27bb5cb --- /dev/null +++ b/controllers/cilium/production/kustomization.yaml @@ -0,0 +1,4 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../base diff --git a/controllers/cilium/staging/kustomization.yaml b/controllers/cilium/staging/kustomization.yaml new file mode 100644 index 0000000..1aa23a6 --- /dev/null +++ b/controllers/cilium/staging/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ../base + +configMapGenerator: + - name: values-overlay + namespace: cilium + files: + - values.yaml diff --git a/controllers/cilium/staging/values.yaml b/controllers/cilium/staging/values.yaml new file mode 100644 index 0000000..e9e298a --- /dev/null +++ b/controllers/cilium/staging/values.yaml @@ -0,0 +1,2 @@ +operator: + replicas: 1
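Review bot: `prune: true` on the Flux Kustomization in `controllers/cilium/cilium.yaml` puts the CNI under garbage collection, so dropping this object from a cluster's resource list, or a later change to what `path` resolves to, can make Flux delete the HelmRelease and the `cilium` namespace and with them cluster networking. Consider `prune: false` here, or annotating the HelmRelease with `kustomize.toolkit.fluxcd.io/prune: disabled`. The `path: ./${cluster_env}` value presumably relies on post-build substitution from the parent Kustomization, which is not visible in this patch; a comment such as `# cluster_env is substituted from the cluster-variables ConfigMap` above it would make that dependency explicit.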