From d66573456c14c54dfa30d68c715d1aa4d3a2c5fe Mon Sep 17 00:00:00 2001
From: Arthur
Date: Thu, 26 Dec 2024 00:01:48 +0000
Subject: [PATCH] feat(HomeAssistant): Dual NAD VLANs
---
 .../homeassistant/base/statefulset.yaml | 10 ++-
 .../overlays/okd/egress-firewall.yaml | 9 ++
 .../network/networkAttachmentDefinition.yaml | 18 ++++
 .../nodeNetworkConfigurationPolicy.yaml | 88 +++++++++++++++++++
 4 files changed, 123 insertions(+), 2 deletions(-)
diff --git a/kubernetes/homeassistant/base/statefulset.yaml b/kubernetes/homeassistant/base/statefulset.yaml
index e790be06..80d2e9b7 100644
--- a/kubernetes/homeassistant/base/statefulset.yaml
+++ b/kubernetes/homeassistant/base/statefulset.yaml
@@ -25,11 +25,17 @@ spec:
 enable.version-checker.io/homeassistant: "true"
 k8s.v1.cni.cncf.io/networks: |
 [{
+ "name": "br1-vlan3",
+ "namespace": "default",
+ "mac": "10:01:01:00:30:02",
+ "ips": ["10.101.3.2/24"],
+ "default-route": ["10.101.3.1"]
+ },
+ {
 "name": "br1",
 "namespace": "default",
 "mac": "10:00:00:00:01:35",
- "ips": ["10.0.0.135/24"],
- "default-route": ["10.0.0.1"]
+ "ips": ["10.0.0.135/24"]
 }]
 spec:
 securityContext:
diff --git a/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml b/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml
index 98ee8bbc..11ff766e 100644
--- a/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml
+++ b/kubernetes/homeassistant/overlays/okd/egress-firewall.yaml
@@ -12,6 +12,15 @@ spec:
 nodeSelector:
 matchLabels:
 node-role.kubernetes.io/control-plane: ""
+ - type: Allow
+ to:
+ dnsName: mobile-apps.home-assistant.io
+ - type: Deny
+ to:
+ cidrSelector: 151.101.1.195/32
+ - type: Deny
+ to:
+ cidrSelector: 151.101.65.195/32
 - type: Allow
 to:
 dnsName: truenas.arthurvardevanyan.com
diff --git a/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml b/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml
index aa00bdd5..806b187f 100644
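Review bot: The pod is now dual-homed — `br1-vlan3` carries the only default route (`10.101.3.1`) while `br1` keeps its static `10.0.0.135/24` with no route — so isolation between the VLAN 3 segment and 10.0.0.0/24 now rests on this pod never forwarding between its two interfaces, and nothing in the hunk records that this is intentional. The annotation value is JSON and cannot hold a comment, so I would put a YAML comment above `k8s.v1.cni.cncf.io/networks:`: `# Dual-homed on purpose: default route goes via the VLAN 3 gateway; br1 stays reachable only as a connected /24`. The `securityContext` that starts at the end of the hunk (where forwarding-relevant settings would live) continues outside it. Minor: `10:01:01:00:30:02`, like the existing `10:00:00:00:01:35`, has the locally-administered bit clear, so it falls in assigned-OUI space; a hand-picked MAC is conventionally written with that bit set (e.g. a `x2`/`x6`/`xA`/`xE` second hex digit) to avoid colliding with real hardware on the same segment.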
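Review bot: The two `Deny` entries for `151.101.1.195/32` and `151.101.65.195/32` sit after the `Allow` for `dnsName: mobile-apps.home-assistant.io`, and EgressFirewall applies the first rule that matches, so if that name ever resolves to either address the `Allow` wins and the denies never fire; if it does not, nothing in the hunk says what those addresses are or why they are blocked. I would state the intent above each deny, `# Deny: <what this address is / why it is blocked — placeholder>`, or move the denies above the `Allow` if they are meant as exceptions to it. Separately, the statefulset hunk in this commit moves the pod's default route onto the `br1-vlan3` secondary attachment; EgressFirewall governs pod traffic on the cluster default network, so if I read that correctly, egress leaving through the localnet interface is not subject to these rules at all, which is worth confirming before relying on them.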
--- a/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml
+++ b/kubernetes/nmstate/overlays/okd/network/networkAttachmentDefinition.yaml
@@ -15,3 +15,21 @@ spec:
 "topology":"localnet",
 "netAttachDefName": "default/br1"
 }'
+---
+apiVersion: "k8s.cni.cncf.io/v1"
+kind: NetworkAttachmentDefinition
+metadata:
+ name: br1-vlan3
+ namespace: default
+ annotations:
+ k8s.v1.cni.cncf.io/resourceName: bridge.network.kubevirt.io/br1-vlan3
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+ argocd.argoproj.io/sync-wave: "4"
+spec:
+ config: '{
+ "cniVersion": "0.3.1",
+ "name": "br1.2",
+ "type": "ovn-k8s-cni-overlay",
+ "topology":"localnet",
+ "netAttachDefName": "default/br1-vlan3"
+ }'
diff --git a/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml b/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml
index 4881750f..9b51a309 100644
--- a/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml
+++ b/kubernetes/nmstate/overlays/okd/network/nodeNetworkConfigurationPolicy.yaml
@@ -18,6 +18,7 @@ spec:
 dhcp: true
 enabled: true
 bridge:
+ allow-extra-patch-ports: true
 options:
 stp:
 enabled: false
@@ -50,6 +51,7 @@ spec:
 dhcp: true
 enabled: true
 bridge:
+ allow-extra-patch-ports: true
 options:
 stp:
 enabled: false
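Review bot: The new NAD's inner `"name": "br1.2"` does not match the `localnet: br1.3` entry in the `bridge-mappings` that the nodeNetworkConfigurationPolicy hunk (`@@ -103,3 +105,89 @@`) in this commit adds; for `ovn-k8s-cni-overlay` with `"topology":"localnet"` the config name is the physical-network name looked up in the bridge mapping, so as written the attachment would not be wired to `br1.3` (the existing `br1` pair in context keeps the two names identical). I would change the line to `"name": "br1.3",` and, because the value is load-bearing, add a YAML comment above `config:`: `# "name" must equal the ovn bridge-mappings localnet entry in nodeNetworkConfigurationPolicy.yaml`. The VLAN tag is not expressed here (no `vlanID`), which is only correct because tagging happens on the nodes' `enp*.2` subinterfaces; stating that in the same comment would stop someone adding a tag in both places.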
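Review bot: `allow-extra-patch-ports: true` is added to both existing bridges (this hunk and `@@ -50,6 +51,7 @@`) with nothing explaining why; as I understand the nmstate option, it keeps nmstate from removing patch ports on the bridge that are absent from desired state — i.e. the ones OVN creates for the localnet mapping — which would otherwise be torn down on re-apply. A one-line comment above the key would spare the next reader that lookup: `# keep the patch ports OVN adds for bridge-mappings; nmstate would otherwise remove them on re-apply`. The enclosing `interfaces` entries begin and end outside these hunks.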
@@ -103,3 +105,89 @@ spec:
 dhcp: false
 enabled: false
 mtu: 9000
+---
+apiVersion: nmstate.io/v1
+kind: NodeNetworkConfigurationPolicy
+metadata:
+ name: vlan3-enp5s0
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ nodeSelector:
+ nic: enp5s0
+ desiredState:
+ interfaces:
+ - name: enp5s0.2
+ description: VLAN using enp5s0
+ type: vlan
+ state: up
+ ipv4:
+ dhcp: false
+ enabled: false
+ vlan:
+ base-iface: enp5s0
+ id: 3
+ mtu: 9000
+ - name: br1.3
+ description: OVS bridge with enp5s0.2 as a port
+ type: ovs-bridge
+ state: up
+ ipv4:
+ dhcp: true
+ enabled: true
+ bridge:
+ allow-extra-patch-ports: true
+ options:
+ stp:
+ enabled: false
+ port:
+ - name: enp5s0.2
+ mtu: 9000
+ ovn:
+ bridge-mappings:
+ - localnet: br1.3
+ bridge: br1.3
+ state: present
+---
+apiVersion: nmstate.io/v1
+kind: NodeNetworkConfigurationPolicy
+metadata:
+ name: vlan3-enp7s0
+ annotations:
+ argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+spec:
+ nodeSelector:
+ nic: enp7s0
+ desiredState:
+ interfaces:
+ - name: enp7s0.2
+ description: VLAN using enp7s0
+ type: vlan
+ state: up
+ ipv4:
+ dhcp: false
+ enabled: false
+ vlan:
+ base-iface: enp7s0
+ id: 3
+ mtu: 9000
+ - name: br1.3
+ description: OVS bridge with enp7s0.2 as a port
+ type: ovs-bridge
+ state: up
+ ipv4:
+ dhcp: true
+ enabled: true
+ bridge:
+ allow-extra-patch-ports: true
+ options:
+ stp:
+ enabled: false
+ port:
+ - name: enp7s0.2
+ mtu: 9000
+ ovn:
+ bridge-mappings:
+ - localnet: br1.3
+ bridge: br1.3
+ state: present
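Review bot: Both new `br1.3` bridges carry `ipv4: dhcp: true` / `enabled: true`, so every selected node acquires an address — and, if the VLAN 3 DHCP server hands out a gateway or resolvers, potentially a second default route and DNS on the node — on the very segment the pod is being moved onto, even though localnet pod traffic needs no IP on the bridge at all. If node reachability on VLAN 3 is not intended, replacing the block with `enabled: false` (as already done on the `enp*.2` subinterfaces) keeps the nodes off that segment; if an address is wanted, `auto-gateway: false` and `auto-dns: false` under `ipv4` stop the lease from changing node routing. Also, the subinterfaces are named `enp5s0.2` / `enp7s0.2` while `vlan.id` is `3` and the bridge is `br1.3`; naming them `enp5s0.3` / `enp7s0.3` (and updating the `port` and `description` references) would stop the `.2` suffix from reading as VLAN 2.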