firewall for autoscale group

hetzner/instances-web.tf

@@ -16,7 +16,7 @@ module "web" {
   vm_security_group = [hcloud_firewall.web.id]
 
   vm_params = merge(var.kubernetes, {
-    lbv4   = local.lbv4
+    lbv4   = local.ipv4_vip
     labels = "node.kubernetes.io/role=web,node.kubernetes.io/disktype=ssd"
   })
 }

hetzner/modules/templates/worker.yaml.tpl

@@ -36,7 +36,7 @@ machine:
           slot: 0
 cluster:
   controlPlane:
-    endpoint: https://${ipv4_vip}:6443
+    endpoint: https://${lbv4}:6443
   clusterName: ${cluster_name}
   network:
     dnsDomain: ${domain}

hetzner/network-secgroup.tf

@@ -129,3 +129,38 @@ resource "hcloud_firewall" "worker" {
     source_ips = ["::/0"]
   }
 }
+
+resource "hcloud_firewall" "autoscale" {
+  name   = "worker-auto-scale"
+  labels = merge(var.tags, { type = "infra", label = "worker-auto-scale" })
+
+  # apply_to {
+  #   label_selector = "hcloud/node-group=worker-hel"
+  # }
+
+  rule {
+    direction  = "in"
+    protocol   = "icmp"
+    source_ips = [var.vpc_main_cidr, "::/0"]
+  }
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "any"
+    source_ips = [var.vpc_main_cidr]
+  }
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "any"
+    source_ips = [var.vpc_main_cidr]
+  }
+
+  # cilium health
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "4240"
+    source_ips = ["::/0"]
+  }
+}

hetzner/versions.tf

@@ -2,12 +2,8 @@ terraform {
   required_providers {
     hcloud = {
       source  = "hetznercloud/hcloud"
-      version = "~> 1.26.2"
+      version = "1.26.2"
     }
-    # talos = {
-    #   source  = "terraform.borancar.com/borancar/talos"
-    #   version = ">= 0.1"
-    # }
   }
-  required_version = ">= 0.15"
+  required_version = ">= 1.0"
 }