Networking

2025-10-29 17:42:47 +00:00 · 2021-08-18 13:57:55 +03:00
parent bde1b7769d
commit 3385750a01
6 changed files with 76 additions and 63 deletions
--- a/hetzner/instances-master.tf
+++ b/hetzner/instances-master.tf
@@ -15,20 +15,18 @@ resource "hcloud_server" "controlplane" {
    ip         = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
  }

-  # user_data = templatefile("${path.module}/templates/controlplane.yaml",
-  #   merge(var.kubernetes, {
-  #     name           = "master-${count.index + 1}"
-  #     type           = count.index == 0 ? "init" : "controlplane"
-  #     ipv4_local     = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
-  #     # ipv4           = hcloud_server.controlplane[count.index].ipv4_address
-  #     # ipv6           = hcloud_server.controlplane[count.index].ipv6_address
-  #     lbv4_local     = hcloud_load_balancer_network.api.ip
-  #     lbv4           = hcloud_load_balancer.api.ipv4
-  #     lbv6           = hcloud_load_balancer.api.ipv6
-  #     hcloud_network = hcloud_network.main.id
-  #     hcloud_token   = var.hcloud_token
-  #   })
-  # )
+  user_data = templatefile("${path.module}/templates/controlplane.yaml",
+    merge(var.kubernetes, {
+      name           = "master-${count.index + 1}"
+      type           = count.index == 0 ? "init" : "controlplane"
+      ipv4_local     = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
+      lbv4_local     = hcloud_load_balancer_network.api.ip
+      lbv4           = hcloud_load_balancer.api.ipv4
+      lbv6           = hcloud_load_balancer.api.ipv6
+      hcloud_network = hcloud_network.main.id
+      hcloud_token   = var.hcloud_token
+    })
+  )

  lifecycle {
    ignore_changes = [
@@ -47,32 +45,34 @@ resource "hcloud_load_balancer_target" "api" {
  server_id        = hcloud_server.controlplane[count.index].id
 }

-resource "local_file" "controlplane" {
-  count = lookup(var.controlplane, "count", 0)
-  content = templatefile("${path.module}/templates/controlplane.yaml",
-    merge(var.kubernetes, {
-      name           = "master-${count.index + 1}"
-      type           = count.index == 0 ? "init" : "controlplane"
-      ipv4_local     = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
-      ipv4           = hcloud_server.controlplane[count.index].ipv4_address
-      ipv6           = hcloud_server.controlplane[count.index].ipv6_address
-      lbv4_local     = hcloud_load_balancer_network.api.ip
-      lbv4           = hcloud_load_balancer.api.ipv4
-      lbv6           = hcloud_load_balancer.api.ipv6
-      hcloud_network = hcloud_network.main.id
-      hcloud_token   = var.hcloud_token
-    })
-  )
-  filename        = "_cfgs/controlplane-${count.index + 1}.yaml"
-  file_permission = "0640"
+#
+# Secure push talos config to the node
+#

-  depends_on = [hcloud_server.controlplane]
-}
+# resource "local_file" "controlplane" {
+#   count = lookup(var.controlplane, "count", 0)
+#   content = templatefile("${path.module}/templates/controlplane.yaml",
+#     merge(var.kubernetes, {
+#       name           = "master-${count.index + 1}"
+#       type           = count.index == 0 ? "init" : "controlplane"
+#       ipv4_local     = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
+#       lbv4_local     = hcloud_load_balancer_network.api.ip
+#       lbv4           = hcloud_load_balancer.api.ipv4
+#       lbv6           = hcloud_load_balancer.api.ipv6
+#       hcloud_network = hcloud_network.main.id
+#       hcloud_token   = var.hcloud_token
+#     })
+#   )
+#   filename        = "_cfgs/controlplane-${count.index + 1}.yaml"
+#   file_permission = "0640"

-resource "null_resource" "controlplane" {
-  count = lookup(var.controlplane, "count", 0)
-  provisioner "local-exec" {
-    command = "sleep 60 && talosctl apply-config --insecure --nodes ${hcloud_server.controlplane[count.index].ipv4_address} --file _cfgs/controlplane-${count.index + 1}.yaml"
-  }
-  depends_on = [hcloud_load_balancer_target.api, local_file.controlplane]
-}
+#   depends_on = [hcloud_server.controlplane]
+# }
+
+# resource "null_resource" "controlplane" {
+#   count = lookup(var.controlplane, "count", 0)
+#   provisioner "local-exec" {
+#     command = "sleep 60 && talosctl apply-config --insecure --nodes ${hcloud_server.controlplane[count.index].ipv4_address} --file _cfgs/controlplane-${count.index + 1}.yaml"
+#   }
+#   depends_on = [hcloud_load_balancer_target.api, local_file.controlplane]
+# }
--- a/hetzner/modules/templates/worker.yaml.tpl
+++ b/hetzner/modules/templates/worker.yaml.tpl
@@ -13,24 +13,17 @@ machine:
  network:
    hostname: "${name}"
    interfaces:
-      - interface: eth0
-        dhcp: true
      - interface: eth1
        dhcp: true
      - interface: dummy0
-        cidr: "169.254.2.53/32"
-      - interface: dummy0
-        cidr: "fd00::169:254:2:53/128"
+        addresses:
+          - 169.254.2.53/32
+          - fd00::169:254:2:53/128
  sysctls:
    net.core.somaxconn: 65535
    net.core.netdev_max_backlog: 4096
  install:
-    disk: /dev/sda
-    extraKernelArgs:
-      - elevator=noop
-    image: ghcr.io/talos-systems/installer:v0.10.3
-    bootloader: true
-    wipe: true
+    wipe: false
  systemDiskEncryption:
    ephemeral:
      provider: luks2
--- a/hetzner/modules/worker/main.tf
+++ b/hetzner/modules/worker/main.tf
@@ -32,12 +32,12 @@ resource "hcloud_server" "worker" {
  }

  # IPv6 hack
-  provisioner "local-exec" {
-    command = "echo '${templatefile("${path.module}/../templates/worker-patch.json.tpl", { ipv6_address = self.ipv6_address })}' > _cfgs/${var.vm_name}${count.index + 1}.patch"
-  }
-  provisioner "local-exec" {
-    command = "sleep 120 && talosctl --talosconfig _cfgs/talosconfig patch --nodes ${cidrhost(var.subnet, var.vm_ip_start + count.index)} machineconfig --patch-file _cfgs/${var.vm_name}${count.index + 1}.patch"
-  }
+  # provisioner "local-exec" {
+  #   command = "echo '${templatefile("${path.module}/../templates/worker-patch.json.tpl", { ipv6_address = self.ipv6_address })}' > _cfgs/${var.vm_name}${count.index + 1}.patch"
+  # }
+  # provisioner "local-exec" {
+  #   command = "sleep 120 && talosctl --talosconfig _cfgs/talosconfig patch --nodes ${cidrhost(var.subnet, var.vm_ip_start + count.index)} machineconfig --patch-file _cfgs/${var.vm_name}${count.index + 1}.patch"
+  # }
 }

 # resource "local_file" "worker" {
--- a/hetzner/network-secgroup.tf
+++ b/hetzner/network-secgroup.tf
@@ -82,13 +82,13 @@ resource "hcloud_firewall" "web" {
    direction  = "in"
    protocol   = "tcp"
    port       = "80"
-    source_ips = var.whitelist_admins
+    source_ips = var.whitelist_web
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "443"
-    source_ips = var.whitelist_admins
+    source_ips = var.whitelist_web
  }
 }

--- a/hetzner/templates/controlplane.yaml.tpl
+++ b/hetzner/templates/controlplane.yaml.tpl
@@ -15,8 +15,6 @@ machine:
  network:
    hostname: "${name}"
    interfaces:
-      - interface: eth0
-        dhcp: true
      - interface: eth1
        dhcp: true
      - interface: dummy0
--- a/hetzner/variables.tf
+++ b/hetzner/variables.tf
@@ -79,7 +79,29 @@ variable "tags" {
 }

 variable "whitelist_admins" {
-  default = ["0.0.0.0/0", "::/0"]
+  description = "Whitelist for administrators"
+  default     = ["0.0.0.0/0", "::/0"]
+}
+
+variable "whitelist_web" {
+  description = "Whitelist for web (default Cloudflare network)"
+  default = [
+    "173.245.48.0/20",
+    "103.21.244.0/22",
+    "103.22.200.0/22",
+    "103.31.4.0/22",
+    "141.101.64.0/18",
+    "108.162.192.0/18",
+    "190.93.240.0/20",
+    "188.114.96.0/20",
+    "197.234.240.0/22",
+    "198.41.128.0/17",
+    "162.158.0.0/15",
+    "172.64.0.0/13",
+    "131.0.72.0/22",
+    "104.16.0.0/13",
+    "104.24.0.0/14",
+  ]
 }

 # variable "robot_servers" {