Can disable lb

2025-10-29 17:42:47 +00:00 · 2021-08-18 21:31:15 +03:00
parent a4a7c84197
commit 8db35bd49e
6 changed files with 42 additions and 36 deletions
--- a/hetzner/instances-master.tf
+++ b/hetzner/instances-master.tf
@@ -19,11 +19,11 @@ resource "hcloud_server" "controlplane" {
    merge(var.kubernetes, {
      name           = "master-${count.index + 1}"
      type           = count.index == 0 ? "init" : "controlplane"
-      ipv4_vip       = cidrhost(hcloud_network_subnet.core.ip_range, 10)
+      ipv4_vip       = local.ipv4_vip
      ipv4_local     = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
-      lbv4_local     = hcloud_load_balancer_network.api.ip
-      lbv4           = hcloud_load_balancer.api.ipv4
-      lbv6           = hcloud_load_balancer.api.ipv6
+      lbv4_local     = local.lbv4_local
+      lbv4           = local.lbv4
+      lbv6           = local.lbv6
      hcloud_network = hcloud_network.main.id
      hcloud_token   = var.hcloud_token
    })
@@ -47,13 +47,13 @@ resource "hcloud_server_network" "controlplane" {
  server_id = hcloud_server.controlplane[0].id
  subnet_id = hcloud_network_subnet.core.id
  ip        = cidrhost(hcloud_network_subnet.core.ip_range, 11)
-  alias_ips = [cidrhost(hcloud_network_subnet.core.ip_range, 10)]
+  alias_ips = [local.ipv4_vip]
 }

 resource "hcloud_load_balancer_target" "api" {
-  count            = lookup(var.controlplane, "count", 0)
+  count            = local.lb_enable ? 1 : 0
  type             = "server"
-  load_balancer_id = hcloud_load_balancer.api.id
+  load_balancer_id = hcloud_load_balancer.api[0].id
  server_id        = hcloud_server.controlplane[count.index].id
 }

@@ -67,10 +67,11 @@ resource "hcloud_load_balancer_target" "api" {
 #     merge(var.kubernetes, {
 #       name           = "master-${count.index + 1}"
 #       type           = count.index == 0 ? "init" : "controlplane"
+#       ipv4_vip       = local.ipv4_vip
 #       ipv4_local     = cidrhost(hcloud_network_subnet.core.ip_range, 11 + count.index)
-#       lbv4_local     = hcloud_load_balancer_network.api.ip
-#       lbv4           = hcloud_load_balancer.api.ipv4
-#       lbv6           = hcloud_load_balancer.api.ipv6
+#       lbv4_local     = local.lbv4_local
+#       lbv4           = local.lbv4
+#       lbv6           = local.lbv6
 #       hcloud_network = hcloud_network.main.id
 #       hcloud_token   = var.hcloud_token
 #     })
--- a/hetzner/instances-web.tf
+++ b/hetzner/instances-web.tf
@@ -16,8 +16,7 @@ module "web" {
  vm_security_group = [hcloud_firewall.web.id]

  vm_params = merge(var.kubernetes, {
-    # lbv4   = hcloud_load_balancer_network.api.ip
-    lbv4   = cidrhost(hcloud_network_subnet.core.ip_range, 10)
-    labels = "node.kubernetes.io/role=web"
+    lbv4   = local.lbv4
+    labels = "node.kubernetes.io/role=web,node.kubernetes.io/disktype=ssd"
  })
 }
--- a/hetzner/instances-workers.tf
+++ b/hetzner/instances-workers.tf
@@ -16,8 +16,7 @@ module "worker" {
  vm_security_group = [hcloud_firewall.worker.id]

  vm_params = merge(var.kubernetes, {
-    # lbv4   = hcloud_load_balancer_network.api.ip
-    lbv4   = cidrhost(hcloud_network_subnet.core.ip_range, 10)
-    labels = "node.kubernetes.io/role=worker"
+    lbv4   = local.lbv4
+    labels = "node.kubernetes.io/role=worker,node.kubernetes.io/disktype=ssd"
  })
 }
--- a/hetzner/network-lb.tf
+++ b/hetzner/network-lb.tf
@@ -1,8 +1,20 @@

+locals {
+  lb_enable = lookup(var.controlplane, "type_lb", "") == "" ? false : true
+}
+
+locals {
+  ipv4_vip   = cidrhost(hcloud_network_subnet.core.ip_range, 10)
+  lbv4_local = cidrhost(hcloud_network_subnet.core.ip_range, 5)
+  lbv4       = local.lb_enable ? hcloud_load_balancer.api[0].ipv4 : cidrhost(hcloud_network_subnet.core.ip_range, 10)
+  lbv6       = local.lb_enable ? hcloud_load_balancer.api[0].ipv6 : cidrhost(hcloud_network_subnet.core.ip_range, 10)
+}
+
 resource "hcloud_load_balancer" "api" {
+  count              = local.lb_enable ? 1 : 0
  name               = "api"
  location           = var.regions[0]
-  load_balancer_type = "lb11"
+  load_balancer_type = lookup(var.controlplane, "type_lb", "lb11")
  labels             = merge(var.tags, { type = "infra" })

  provisioner "local-exec" {
@@ -11,13 +23,15 @@ resource "hcloud_load_balancer" "api" {
 }

 resource "hcloud_load_balancer_network" "api" {
-  load_balancer_id = hcloud_load_balancer.api.id
+  count            = local.lb_enable ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.api[0].id
  subnet_id        = hcloud_network_subnet.core.id
-  ip               = cidrhost(hcloud_network_subnet.core.ip_range, 5)
+  ip               = local.lbv4_local
 }

 resource "hcloud_load_balancer_service" "api" {
-  load_balancer_id = hcloud_load_balancer.api.id
+  count            = local.lb_enable ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.api[0].id
  protocol         = "tcp"
  listen_port      = 6443
  destination_port = 6443
--- a/hetzner/network-secgroup.tf
+++ b/hetzner/network-secgroup.tf
@@ -6,7 +6,7 @@ resource "hcloud_firewall" "controlplane" {
  rule {
    direction  = "in"
    protocol   = "icmp"
-    source_ips = ["0.0.0.0/0", "::/0"]
+    source_ips = [var.vpc_main_cidr, "::/0"]
  }
  rule {
    direction  = "in"
@@ -21,12 +21,6 @@ resource "hcloud_firewall" "controlplane" {
    source_ips = [var.vpc_main_cidr]
  }

-  # rule {
-  #   direction  = "in"
-  #   protocol   = "tcp"
-  #   port       = "22"
-  #   source_ips = var.whitelist_admins
-  # }
  rule {
    direction  = "in"
    protocol   = "tcp"
@@ -43,15 +37,13 @@ resource "hcloud_firewall" "controlplane" {
    direction  = "in"
    protocol   = "tcp"
    port       = "2380"
-    source_ips = ["0.0.0.0/0", "::/0"]
-    # source_ips = var.whitelist_admins
+    source_ips = ["0.0.0.0/0"]
  }
  rule {
    direction  = "in"
    protocol   = "tcp"
    port       = "6443"
-    source_ips = ["0.0.0.0/0", "::/0"]
-    # source_ips = var.whitelist_admins
+    source_ips = concat(var.whitelist_admins, [var.vpc_main_cidr, "${local.lbv4}/32"])
  }

  # cilium health
@@ -70,7 +62,7 @@ resource "hcloud_firewall" "web" {
  rule {
    direction  = "in"
    protocol   = "icmp"
-    source_ips = ["0.0.0.0/0", "::/0"]
+    source_ips = [var.vpc_main_cidr, "::/0"]
  }
  rule {
    direction  = "in"
@@ -114,7 +106,7 @@ resource "hcloud_firewall" "worker" {
  rule {
    direction  = "in"
    protocol   = "icmp"
-    source_ips = ["0.0.0.0/0", "::/0"]
+    source_ips = [var.vpc_main_cidr, "::/0"]
  }
  rule {
    direction  = "in"
--- a/hetzner/variables.tf
+++ b/hetzner/variables.tf
@@ -37,11 +37,12 @@ variable "vpc_vswitch_id" {
 }

 variable "controlplane" {
-  description = "Count of controlplanes"
+  description = "Property of controlplane"
  type        = map(any)
  default = {
-    count = 0,
-    type  = "cpx11"
+    count   = 0,
+    type    = "cpx11"
+    type_lb = ""
  }
 }