From b57e34b5bbfadde3c1aded7c59de69b2c9a9dd53 Mon Sep 17 00:00:00 2001 From: Max Pfeiffer Date: Fri, 19 Sep 2025 18:28:59 +0200 Subject: [PATCH 1/2] Configured Cilium load balancer and ArgoCD for HTTP access --- kubernetes/configuration.auto.tfvars.example | 7 +++ .../helm_charts/cilium-lb-config/Chart.yaml | 23 +++++++++ .../cilium-l2-announcement-policy.yaml | 8 +++ .../cilium-load-balancer-ip-pool.yaml | 8 +++ .../helm_charts/cilium-lb-config/values.yaml | 3 ++ kubernetes/helm_releases.tf | 51 ++++++++++++++++--- kubernetes/providers.tf | 4 +- kubernetes/variables.tf | 13 +++++ 8 files changed, 109 insertions(+), 8 deletions(-) create mode 100644 kubernetes/helm_charts/cilium-lb-config/Chart.yaml create mode 100644 kubernetes/helm_charts/cilium-lb-config/templates/cilium-l2-announcement-policy.yaml create mode 100644 kubernetes/helm_charts/cilium-lb-config/templates/cilium-load-balancer-ip-pool.yaml create mode 100644 kubernetes/helm_charts/cilium-lb-config/values.yaml diff --git a/kubernetes/configuration.auto.tfvars.example b/kubernetes/configuration.auto.tfvars.example index a621685..7fbc0ac 100644 --- a/kubernetes/configuration.auto.tfvars.example +++ b/kubernetes/configuration.auto.tfvars.example @@ -1,3 +1,10 @@ # Kubernetes kubernetes_config_path = "~/.kube/config" Kubernetes_config_context = "admin@yourclustername" + +# Cilium Load Balancer +cilium_load_balancer_ip_range_start = "192.168.10.95" +cilium_load_balancer_ip_range_stop = "192.168.10.99" + +# ArgoCD +argocd_domain = "argocd.local" diff --git a/kubernetes/helm_charts/cilium-lb-config/Chart.yaml b/kubernetes/helm_charts/cilium-lb-config/Chart.yaml new file mode 100644 index 0000000..c36e5a7 --- /dev/null +++ b/kubernetes/helm_charts/cilium-lb-config/Chart.yaml 
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: cilium-lb-config
+description: Helm chart for installing Cilium load balancer configuration
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: "1.0"
\ No newline at end of file
diff --git a/kubernetes/helm_charts/cilium-lb-config/templates/cilium-l2-announcement-policy.yaml b/kubernetes/helm_charts/cilium-lb-config/templates/cilium-l2-announcement-policy.yaml
new file mode 100644
index 0000000..90a7889
--- /dev/null
+++ b/kubernetes/helm_charts/cilium-lb-config/templates/cilium-l2-announcement-policy.yaml
@@ -0,0 +1,8 @@
+apiVersion: cilium.io/v2alpha1
+kind: CiliumL2AnnouncementPolicy
+metadata:
+ name: default
+ namespace: kube-system
+spec:
+ externalIPs: true
+ loadBalancerIPs: true
\ No newline at end of file
diff --git a/kubernetes/helm_charts/cilium-lb-config/templates/cilium-load-balancer-ip-pool.yaml b/kubernetes/helm_charts/cilium-lb-config/templates/cilium-load-balancer-ip-pool.yaml
new file mode 100644
index 0000000..04e63e6
--- /dev/null
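Review bot: `externalIPs: true` in the new CiliumL2AnnouncementPolicy makes the nodes answer ARP for any address a tenant writes into a Service's `spec.externalIPs`, and because the policy has neither a `serviceSelector` nor a `nodeSelector` it applies to every Service in every namespace — anyone who can create a Service can redirect LAN traffic for an arbitrary IP to the cluster (the externalIPs traffic-hijack class, cf. CVE-2020-8554). Nothing in this patch sets externalIPs on a Service, so `externalIPs: false` costs nothing here, and a `serviceSelector` with `matchLabels` scoped to the services you actually intend to expose should be added. `namespace: kube-system` also looks misplaced: as far as I know CiliumL2AnnouncementPolicy is cluster-scoped, so the field is at best ignored. Finally, this template uses `cilium.io/v2alpha1` while the IP pool template uses `cilium.io/v2`; confirm both are served by the installed Cilium version, and note that L2 announcements only work when `l2announcements.enabled=true` is set in the Cilium Helm values, which this patch does not show.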
+++ b/kubernetes/helm_charts/cilium-lb-config/templates/cilium-load-balancer-ip-pool.yaml
@@ -0,0 +1,8 @@
+apiVersion: cilium.io/v2
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: default-pool
+spec:
+ blocks:
+ - start: {{ .Values.ciliumLoadBalancerIpRange.start}}
+ stop: {{ .Values.ciliumLoadBalancerIpRange.stop }}
diff --git a/kubernetes/helm_charts/cilium-lb-config/values.yaml b/kubernetes/helm_charts/cilium-lb-config/values.yaml
new file mode 100644
index 0000000..0d68f9d
--- /dev/null
+++ b/kubernetes/helm_charts/cilium-lb-config/values.yaml
@@ -0,0 +1,3 @@
+ciliumLoadBalancerIpRange:
+ start: ""
+ stop: ""
\ No newline at end of file
diff --git a/kubernetes/helm_releases.tf b/kubernetes/helm_releases.tf
index 6d1aa37..8be2152 100644
--- a/kubernetes/helm_releases.tf
+++ b/kubernetes/helm_releases.tf
@@ -1,9 +1,48 @@
 resource "helm_release" "argocd" {
- name = "argo-cd"
- namespace = "argocd"
+ name = "argo-cd"
+ namespace = "argocd"
 create_namespace = true
- chart = "argo-cd"
- version = "8.3.1"
- repository = "https://argoproj.github.io/argo-helm"
- timeout = 120
+ chart = "argo-cd"
+ version = "8.3.1"
+ repository = "https://argoproj.github.io/argo-helm"
+ timeout = 120
+ set = [
+ {
+ name = "global.domain"
+ value = var.argocd_domain
+ },
+ {
+ name = "configs.params.server\\.insecure"
+ value = "true"
+ },
+ {
+ name = "server.ingress.enabled"
+ value = "true"
+ },
+ {
+ name = "server.ingress.ingressClassName"
+ value = "cilium"
+ },
+ {
+ name = "server.ingress.annotations.ingress\\.cilium\\.io/force-https"
+ value = "disabled"
+ },
+ ]
+}
+
+resource "helm_release" "cilium_lb_config" {
+ depends_on = [helm_release.argocd]
+ name = "cilium-lb-config"
+ chart = "${path.module}/helm_charts/cilium-lb-config"
+ timeout = 60
+ set = [
+ {
+ name = "ciliumLoadBalancerIpRange.start"
+ value = var.cilium_load_balancer_ip_range_start
+ },
+ {
+ name = "ciliumLoadBalancerIpRange.stop"
+ value = var.cilium_load_balancer_ip_range_stop
+ },
+ ]
 }
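Review bot: `start: {{ .Values.ciliumLoadBalancerIpRange.start}}` renders the value unquoted and the chart's default in values.yaml is `""`, so a missing override silently produces an empty `start:` that only fails when Cilium rejects the pool at apply time; use `required` and `quote` instead: `- start: {{ required "ciliumLoadBalancerIpRange.start must be set" .Values.ciliumLoadBalancerIpRange.start | quote }}`, and the same for `stop`. The pool also has no `serviceSelector`, so any LoadBalancer Service created in any namespace takes an address from this LAN-reachable range; if only the ingress is meant to get one, add a selector, otherwise add a comment stating that the pool is intentionally cluster-wide. The inconsistent spacing between `start}}` and `stop }}` is cosmetic but worth aligning while editing these lines.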
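Review bot: The ArgoCD release is exposed over plaintext HTTP: `configs.params.server\\.insecure = "true"` disables TLS on argocd-server and `ingress.cilium.io/force-https = "disabled"` stops the Cilium ingress from redirecting to HTTPS, while nothing in this hunk configures TLS on the ingress itself, so the admin login (the initial admin password) and session cookies/tokens cross the LAN unencrypted. `server.insecure=true` is the right setting only when TLS is terminated at the ingress; either enable the chart's ingress TLS (`server.ingress.tls` in argo-cd 8.3.1, with a certificate for `var.argocd_domain`) and drop the `force-https` override, or put a comment above the `set` list marking this as a lab-only configuration that must not be reachable from an untrusted network. Separately, `depends_on = [helm_release.argocd]` on `cilium_lb_config` installs the IP pool after the release whose ingress needs an address from it; this is probably harmless since Cilium assigns the IP once the pool appears, but the dependency reads inverted and deserves a comment or reversal if intentional.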
diff --git a/kubernetes/providers.tf b/kubernetes/providers.tf index 2d97573..bb3142e 100644 --- a/kubernetes/providers.tf +++ b/kubernetes/providers.tf @@ -1,10 +1,10 @@ terraform { - required_providers { + required_providers { helm = { source = "hashicorp/helm" version = "3.0.2" } - } + } } provider "helm" { diff --git a/kubernetes/variables.tf b/kubernetes/variables.tf index aebcf6b..34bd677 100644 --- a/kubernetes/variables.tf +++ b/kubernetes/variables.tf @@ -7,3 +7,16 @@ variable "Kubernetes_config_context" { type = string sensitive = true } + +variable "cilium_load_balancer_ip_range_start" { + type = string +} + +variable "cilium_load_balancer_ip_range_stop" { + type = string +} + +variable "argocd_domain" { + type = string +} + From cbddb85247310864ce207bbbb45f2813216d580e Mon Sep 17 00:00:00 2001 From: Max Pfeiffer Date: Fri, 19 Sep 2025 18:45:28 +0200 Subject: [PATCH 2/2] Updated docs --- README.md | 19 +++++++++++++++---- 1 file changed, 15 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 58cdd55..a44b7f0 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # proxmox-talos-opentofu -Proof of concept project using [OpenTofu](https://opentofu.org/) to install a Kubernetes cluster on a Proxmox VE -hypervisor using [Talos Linux](https://www.talos.dev/). +A turnkey Kubernetes cluster built with [Talos Linux](https://www.talos.dev/) running on a +[Proxmox VE hypervisor](https://www.proxmox.com/en/products/proxmox-virtual-environment/overview). +Provisioning is done with [OpenTofu](https://opentofu.org/). + +The Kubernetes cluster uses [Cilium](https://cilium.io/) as Container Network Interface (CNI). ## Requirements You need to have installed on your local machine: 
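Review bot: The three new variables in variables.tf carry only a `type`, so an empty string or a mistyped address is passed straight into the Cilium IP pool template and only fails inside the Helm release at apply time, which is hard to diagnose. A `validation` block using `cidrhost` rejects non-addresses at plan time, and a `description` can record the operational constraint that the range must lie in the nodes' L2 segment and outside any DHCP lease range (L2 announcement answers ARP for these addresses, so overlap causes IP conflicts on the LAN). The same pattern applies to `cilium_load_balancer_ip_range_stop`, and `argocd_domain` should at least get a description saying it must resolve (DNS or hosts entry) to an address inside that range.

```hcl
variable "cilium_load_balancer_ip_range_start" {
  description = "First address of the Cilium LoadBalancer IP pool. Must be in the nodes' L2 segment and outside any DHCP range."
  type        = string

  validation {
    condition     = can(cidrhost("${var.cilium_load_balancer_ip_range_start}/32", 0))
    error_message = "cilium_load_balancer_ip_range_start must be a valid IP address."
  }
}

# … unchanged: cilium_load_balancer_ip_range_stop and argocd_domain (apply the same pattern) …
```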
@@ -8,10 +11,13 @@ You need to have installed on your local machine: * [kubectl](https://kubernetes.io/docs/reference/kubectl/) (for testing and cluster interaction) ## Provisioning -The project is grouped in two modules: +The project is grouped in two sections: * proxmox: provisioning of virtual machines, operating systems and Kubernetes cluster * kubernetes: provisioning of Kubernetes cluster resources +You will have an [ArgoCD](https://argoproj.github.io/cd/) instance running in the cluster eventually. You can then +install your applications using the GitOps approach. + ### Proxmox VE So you want first to provision the Proxmox part: create a `configuration.auto.tfvars` file based on the example and edit it so it suits your needs: @@ -54,10 +60,15 @@ tofu init tofu plan tofu apply ``` +The [ArgoCD](https://argoproj.github.io/cd/) instance should be available under the `argocd_domain` you configured +in your `configuration.auto.tfvars` file i.e., http://argocd.local. ## Information Sources * [Talos Linux documentation](https://www.talos.dev/v1.8/) * [Talos Linux Image Factory](https://factory.talos.dev/) -* Terraform providers/modules +* Terraform providers: * [terraform-provider-proxmox](https://github.com/Telmate/terraform-provider-proxmox) * [terraform-provider-talos](https://github.com/siderolabs/terraform-provider-talos) + * [terraform-provider-helm](https://github.com/hashicorp/terraform-provider-helm) +* Helm charts: + * [ArgoCD](https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd) \ No newline at end of file