diff --git a/hetzner/deployments/cilium.yaml b/hetzner/deployments/cilium.yaml index 2d2e8e4..642b54a 100644 --- a/hetzner/deployments/cilium.yaml +++ b/hetzner/deployments/cilium.yaml @@ -1,6 +1,6 @@ --- -k8sServiceHost: "172.16.0.5" +k8sServiceHost: "172.16.0.10" k8sServicePort: "6443" agent: diff --git a/hetzner/deployments/cilium_result.yaml b/hetzner/deployments/cilium_result.yaml index 06192e4..c20dbe9 100644 --- a/hetzner/deployments/cilium_result.yaml +++ b/hetzner/deployments/cilium_result.yaml @@ -540,7 +540,7 @@ spec: name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST - value: "172.16.0.5" + value: "172.16.0.10" - name: KUBERNETES_SERVICE_PORT value: "6443" image: "quay.io/cilium/cilium:v1.10.3@sha256:8419531c5d3677158802882bdfe2297915c43f2ebe3649551aaac22de9f6d565" @@ -627,7 +627,7 @@ spec: name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST - value: "172.16.0.5" + value: "172.16.0.10" - name: KUBERNETES_SERVICE_PORT value: "6443" image: "quay.io/cilium/cilium:v1.10.3@sha256:8419531c5d3677158802882bdfe2297915c43f2ebe3649551aaac22de9f6d565" @@ -783,7 +783,7 @@ spec: name: cilium-config optional: true - name: KUBERNETES_SERVICE_HOST - value: "172.16.0.5" + value: "172.16.0.10" - name: KUBERNETES_SERVICE_PORT value: "6443" image: "quay.io/cilium/operator-generic:v1.10.3@sha256:337ebf27eae4fbad51cc4baf9110b3ec6753320dd33075bc136e2a1865be5eb5" diff --git a/hetzner/instances-master.tf b/hetzner/instances-master.tf index cbeba34..78736b0 100644 --- a/hetzner/instances-master.tf +++ b/hetzner/instances-master.tf @@ -19,6 +19,7 @@ resource "hcloud_server" "controlplane" { merge(var.kubernetes, { name = "master-${count.index + 1}" type = count.index == 0 ? "init" : "controlplane" + ipv4_vip = cidrhost(hcloud_network_subnet.core.ip_range, 10) ipv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index) lbv4_local = hcloud_load_balancer_network.api.ip lbv4 = hcloud_load_balancer.api.ipv4 @@ -38,6 +39,17 @@ resource "hcloud_server" "controlplane" { } } +# +# Local floating ip +# +resource "hcloud_server_network" "controlplane" { + count = lookup(var.controlplane, "count", 0) > 0 ? 1 : 0 + server_id = hcloud_server.controlplane[0].id + subnet_id = hcloud_network_subnet.core.id + ip = cidrhost(hcloud_network_subnet.core.ip_range, 11) + alias_ips = [cidrhost(hcloud_network_subnet.core.ip_range, 10)] +} + resource "hcloud_load_balancer_target" "api" { count = lookup(var.controlplane, "count", 0) type = "server" diff --git a/hetzner/instances-web.tf b/hetzner/instances-web.tf index 80bc9ae..6b413fd 100644 --- a/hetzner/instances-web.tf +++ b/hetzner/instances-web.tf @@ -16,6 +16,7 @@ module "web" { vm_security_group = [hcloud_firewall.web.id] vm_params = merge(var.kubernetes, { - lbv4 = hcloud_load_balancer_network.api.ip + lbv4 = hcloud_load_balancer_network.api.ip + labels = "node.kubernetes.io/role=web" }) } diff --git a/hetzner/instances-workers.tf b/hetzner/instances-workers.tf index d5ef1c2..6fbd56a 100644 --- a/hetzner/instances-workers.tf +++ b/hetzner/instances-workers.tf @@ -16,6 +16,7 @@ module "worker" { vm_security_group = [hcloud_firewall.worker.id] vm_params = merge(var.kubernetes, { - lbv4 = hcloud_load_balancer_network.api.ip + lbv4 = hcloud_load_balancer_network.api.ip + labels = "node.kubernetes.io/role=worker" }) } diff --git a/hetzner/modules/templates/worker.yaml.tpl b/hetzner/modules/templates/worker.yaml.tpl index 7cbf3dd..372590f 100644 --- a/hetzner/modules/templates/worker.yaml.tpl +++ b/hetzner/modules/templates/worker.yaml.tpl @@ -10,6 +10,7 @@ machine: node-ip: "${ipv4}" cloud-provider: external rotate-server-certificates: true + node-labels: "${labels}" network: hostname: "${name}" interfaces: diff --git a/hetzner/network-lb.tf b/hetzner/network-lb.tf index 8c43f5f..ec9c2c5 100644 --- a/hetzner/network-lb.tf +++ b/hetzner/network-lb.tf @@ -32,18 +32,43 @@ resource "hcloud_load_balancer_service" "api" { } } -resource "hcloud_load_balancer_service" "talos" { - load_balancer_id = hcloud_load_balancer.api.id - protocol = "tcp" - listen_port = 50000 - destination_port = 50000 - proxyprotocol = false +# resource "hcloud_load_balancer_service" "talos" { +# load_balancer_id = hcloud_load_balancer.api.id +# protocol = "tcp" +# listen_port = 50000 +# destination_port = 50000 +# proxyprotocol = false - health_check { - protocol = "tcp" - port = 50000 - interval = 30 - timeout = 5 - retries = 3 - } -} +# health_check { +# protocol = "tcp" +# port = 50000 +# interval = 30 +# timeout = 5 +# retries = 3 +# } +# } + +# resource "hcloud_load_balancer_service" "https" { +# load_balancer_id = hcloud_load_balancer.api.id +# protocol = "tcp" +# listen_port = 443 +# destination_port = 443 +# proxyprotocol = false + +# health_check { +# protocol = "http" +# port = 80 +# interval = 30 +# timeout = 5 +# retries = 3 +# http { +# path = "/healthz" +# } +# } +# } + +# resource "hcloud_load_balancer_target" "https" { +# type = "label_selector" +# load_balancer_id = hcloud_load_balancer.api.id +# label_selector = "label=web" +# } diff --git a/hetzner/network-secgroup.tf b/hetzner/network-secgroup.tf index 06d6655..5517c12 100644 --- a/hetzner/network-secgroup.tf +++ b/hetzner/network-secgroup.tf @@ -31,8 +31,7 @@ resource "hcloud_firewall" "controlplane" { direction = "in" protocol = "tcp" port = "50000" - source_ips = ["0.0.0.0/0", "::/0"] - # source_ips = var.whitelist_admins + source_ips = concat(var.whitelist_admins, [var.vpc_main_cidr]) } rule { direction = "in" @@ -54,6 +53,14 @@ resource "hcloud_firewall" "controlplane" { source_ips = ["0.0.0.0/0", "::/0"] # source_ips = var.whitelist_admins } + + # cilium health + rule { + direction = "in" + protocol = "tcp" + port = "4240" + source_ips = ["::/0"] + } } resource "hcloud_firewall" "web" { @@ -90,6 +97,14 @@ resource "hcloud_firewall" "web" { port = "443" source_ips = var.whitelist_web } + + # cilium health + rule { + direction = "in" + protocol = "tcp" + port = "4240" + source_ips = ["::/0"] + } } resource "hcloud_firewall" "worker" { @@ -113,4 +128,12 @@ resource "hcloud_firewall" "worker" { port = "any" source_ips = [var.vpc_main_cidr] } + + # cilium health + rule { + direction = "in" + protocol = "tcp" + port = "4240" + source_ips = ["::/0"] + } } diff --git a/hetzner/templates/controlplane.yaml.tpl b/hetzner/templates/controlplane.yaml.tpl index 6b1fa4c..336ecf4 100644 --- a/hetzner/templates/controlplane.yaml.tpl +++ b/hetzner/templates/controlplane.yaml.tpl @@ -8,6 +8,7 @@ machine: - "${lbv6}" - "${lbv4_local}" - "${ipv4_local}" + - "${ipv4_vip}" kubelet: extraArgs: node-ip: "${ipv4_local}" @@ -17,16 +18,14 @@ machine: interfaces: - interface: eth1 dhcp: true + addresses: + - ${ipv4_vip} - interface: dummy0 addresses: - 169.254.2.53/32 - fd00::169:254:2:53/128 install: - disk: /dev/sda - bootloader: true wipe: false - extraKernelArgs: - - elevator=noop sysctls: net.core.somaxconn: 65535 net.core.netdev_max_backlog: 4096 @@ -38,7 +37,7 @@ machine: slot: 0 cluster: controlPlane: - endpoint: https://${lbv4}:6443 + endpoint: https://${ipv4_vip}:6443 network: dnsDomain: ${domain} podSubnets: ${format("[%s]",podSubnets)} @@ -56,6 +55,7 @@ cluster: - "${lbv6}" - "${lbv4_local}" - "${ipv4_local}" + - "${ipv4_vip}" extraArgs: feature-gates: IPv6DualStack=true controllerManager: