I would like to share my manifest for deploying the Unifi Controller to my homelab k8s cluster. The config is based on this thread on the Unifi community forum.
I wanted to deploy the Unifi Controller this way so that I can easily control config.gateway.json,
which persists the non-standard router configuration. Without config.gateway.json,
the BGP configuration is lost after a router restart, and I need the BGP config for MetalLB.
This manifest makes several assumptions:
- the TLS certificate is obtained via cert-manager
- MetalLB is installed on the cluster
- BGP is configured manually on USG-PRO-4 router
- Traefik is controlling the ingresses
# TLS certificate for the controller, issued by cert-manager and written to
# unifi-cert-secret; the Deployment mounts that Secret at /unifi/cert.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: unifi-cert
spec:
  # Secret that receives the issued key pair.
  secretName: unifi-cert-secret
  # Placeholder names; replace with the real apex domain and controller host.
  dnsNames:
    - xxx.com
    - unifi.xxx.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
    group: cert-manager.io
---
# Persistent storage that the Deployment mounts at /unifi.
# No storageClassName is given, so the cluster's default StorageClass is used;
# the name suggests an NFS-backed class — confirm it actually supports
# ReadWriteMany, otherwise the claim stays Pending.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nfs-unifi
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 8Gi
---
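# Single-instance Unifi controller. Its state lives on the shared nfs-unifi
# volume, so only one pod may run against that volume at any time.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: unifi-controller
spec:
  replicas: 1
  # Recreate instead of the default RollingUpdate: a rolling update starts the
  # replacement pod while the old one is still running on the same /unifi
  # data, which risks two controllers writing the same files at once.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      name: unifi-controller
  template:
    metadata:
      name: unifi-controller
      labels:
        name: unifi-controller
    spec:
      # Nothing in this pod talks to the Kubernetes API, so do not hand it a
      # service-account token (least privilege).
      automountServiceAccountToken: false
      volumes:
        - name: nfs-unifi
          persistentVolumeClaim:
            claimName: nfs-unifi
        # Key pair issued by cert-manager (see the Certificate resource).
        - name: unifi-cert
          secret:
            secretName: unifi-cert-secret
        # Router configuration overlay from the config-gateway ConfigMap.
        - name: config
          configMap:
            name: config-gateway
            items:
              - key: config.gateway.json
                path: config.gateway.json
      containers:
        - name: unifi-controller
          # Pinned to a tag. Pinning to a digest (image@sha256:<DIGEST>) would
          # additionally protect against the tag being re-pushed upstream.
          image: 'jacobalberty/unifi:v7.4.156'
          env:
            - name: TZ
              value: "Europe/Warsaw"
            - name: UNIFI_STDOUT
              value: "true"
          ports:
            # UDP ports; published on the LAN through lb-unifi-udp.
            - containerPort: 3478
              protocol: UDP
            - containerPort: 10001
              protocol: UDP
            # TCP ports; published through lb-unifi, 8443 also via Traefik.
            - containerPort: 8080
              protocol: TCP
            - containerPort: 8443
              protocol: TCP
            - containerPort: 8843
              protocol: TCP
            - containerPort: 8880
              protocol: TCP
            - containerPort: 6789
              protocol: TCP
          volumeMounts:
            - name: nfs-unifi
              mountPath: /unifi
            - name: unifi-cert
              mountPath: /unifi/cert
              readOnly: true
            # NOTE(review): a ConfigMap volume replaces the whole directory it
            # is mounted on, so anything the controller would otherwise keep
            # under sites/default is hidden behind this read-only mount. If
            # that matters, mount the single file via subPath instead.
            - name: config
              mountPath: /unifi/data/sites/default
              readOnly: true
---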
# LAN-facing TCP endpoint for the controller. It shares 192.168.1.82 with the
# UDP Service below through MetalLB's allow-shared-ip: both Services carry the
# same annotation value and the same selector, which MetalLB requires.
apiVersion: v1
kind: Service
metadata:
  name: lb-unifi
  annotations:
    metallb.universe.tf/allow-shared-ip: 'true'
spec:
  type: LoadBalancer
  # NOTE(review): spec.loadBalancerIP is deprecated since Kubernetes 1.24 in
  # favour of MetalLB's metallb.universe.tf/loadBalancerIPs annotation; it
  # still works on current releases — confirm for the cluster's versions.
  loadBalancerIP: 192.168.1.82
  selector:
    name: unifi-controller
  # Port names are quoted so they stay strings rather than integers.
  ports:
    - name: '8080'
      protocol: TCP
      port: 8080
      targetPort: 8080
    - name: '8443'
      protocol: TCP
      port: 8443
      targetPort: 8443
    - name: '8843'
      protocol: TCP
      port: 8843
      targetPort: 8843
    - name: '8880'
      protocol: TCP
      port: 8880
      targetPort: 8880
    - name: '6789'
      protocol: TCP
      port: 6789
      targetPort: 6789
---
# LAN-facing UDP endpoint, kept as a separate Service because a single
# LoadBalancer Service cannot mix protocols on older clusters; it shares the
# same address as lb-unifi via allow-shared-ip.
apiVersion: v1
kind: Service
metadata:
  name: lb-unifi-udp
  annotations:
    metallb.universe.tf/allow-shared-ip: 'true'
spec:
  type: LoadBalancer
  # Same address as lb-unifi; see the deprecation note on that Service.
  loadBalancerIP: 192.168.1.82
  selector:
    name: unifi-controller
  ports:
    - name: '3478'
      protocol: UDP
      port: 3478
      targetPort: 3478
    - name: '10001'
      protocol: UDP
      port: 10001
      targetPort: 10001
---
# Traefik route for the controller UI on the websecure entry point.
# NOTE(review): no `tls:` block is set, so edge TLS for unifi.xxx.com comes
# from the websecure entry point's default TLS configuration, not from
# unifi-cert-secret; add `tls:` / `secretName: unifi-cert-secret` if Traefik
# should present the cert-manager certificate itself.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: unifi-controller
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`unifi.xxx.com`)
      services:
        - name: lb-unifi
          port: 8443
          # The controller serves TLS itself on 8443, so Traefik re-encrypts
          # towards the backend. NOTE(review): Traefik verifies the backend
          # certificate unless a serversTransport relaxes that — confirm the
          # certificate the controller presents on 8443 passes verification.
          scheme: https
---
# config.gateway.json is mounted read-only into the controller's default site
# directory; per the write-up above it carries the router configuration that
# would otherwise be lost on a router restart.
apiVersion: v1
kind: ConfigMap
metadata:
  name: config-gateway
data:
  # Local AS 64501 peering with three neighbours in AS 64500 — presumably the
  # MetalLB speaker nodes mentioned above; router-id looks like the gateway's
  # LAN address. Confirm both against the actual network.
  config.gateway.json: |
    {
      "protocols": {
        "bgp": {
          "64501": {
            "neighbor": {
              "192.168.1.51": { "remote-as": "64500" },
              "192.168.1.52": { "remote-as": "64500" },
              "192.168.1.53": { "remote-as": "64500" }
            },
            "parameters": {
              "router-id": "192.168.1.1"
            }
          }
        }
      }
    }