Try to fix kubespan

scaleway/Makefile

@@ -20,7 +20,7 @@ create-templates:
 	@echo 'apiDomain: api.cluster.local'                       >> _cfgs/tfstate.vars
 	@yq eval '.cluster.network.dnsDomain' _cfgs/controlplane.yaml | awk '{ print "domain: "$$1}'       >> _cfgs/tfstate.vars
 	@yq eval '.cluster.clusterName' _cfgs/controlplane.yaml       | awk '{ print "clusterName: "$$1}'  >> _cfgs/tfstate.vars
-	@yq eval '.cluster.id' _cfgs/controlplane.yaml                | awk '{ print "clusterId: "$$1}'    >> _cfgs/tfstate.vars
+	@yq eval '.cluster.id' _cfgs/controlplane.yaml                | awk '{ print "clusterID: "$$1}'    >> _cfgs/tfstate.vars
 	@yq eval '.cluster.secret' _cfgs/controlplane.yaml            | awk '{ print "clusterSecret: "$$1}'>> _cfgs/tfstate.vars
 	@yq eval '.machine.token'  _cfgs/controlplane.yaml            | awk '{ print "tokenMachine: "$$1}' >> _cfgs/tfstate.vars
 	@yq eval '.machine.ca.crt' _cfgs/controlplane.yaml            | awk '{ print "caMachine: "$$1}'    >> _cfgs/tfstate.vars

scaleway/README.md

@@ -9,7 +9,7 @@ Local utilities
 
 ## Kubernetes addons
 
-* [cilium](https://github.com/cilium/cilium) 1.10.0
+* [cilium](https://github.com/cilium/cilium) 1.11.1
 * [kubelet-serving-cert-approver](https://github.com/alex1989hu/kubelet-serving-cert-approver)
 * [metrics-server](https://github.com/kubernetes-sigs/metrics-server) 0.5.0
 * [rancher.io/local-path](https://github.com/rancher/local-path-provisioner) 0.0.19
@@ -32,6 +32,13 @@ controlplane = {
     count = 1,
     type  = "DEV1-S"
 }
+
+instances = {
+  web_count            = 1,
+  web_instance_type    = "DEV1-S",
+  worker_count         = 1,
+  worker_instance_type = "DEV1-S",
+}
 ```
 
 And deploy the kubernetes master nodes

scaleway/instances-web.tf

@@ -8,6 +8,7 @@ resource "scaleway_instance_server" "web" {
   type              = lookup(var.instances, "web_instance_type", "DEV1-M")
   enable_ipv6       = true
   enable_dynamic_ip = true
+  security_group_id = scaleway_instance_security_group.web.id
   tags              = concat(var.tags, ["web"])
 
   private_network {

scaleway/network-secgroup.tf

@@ -5,7 +5,7 @@ resource "scaleway_instance_security_group" "controlplane" {
   outbound_default_policy = "accept"
 
   dynamic "inbound_rule" {
-    for_each = ["50000", "50001", "6443", "2379", "2380"]
+    for_each = ["50000", "6443", "2379", "2380"]
 
     content {
       action   = "accept"
@@ -15,7 +15,7 @@ resource "scaleway_instance_security_group" "controlplane" {
   }
 
   dynamic "inbound_rule" {
-    for_each = ["50000", "50001", "6443"]
+    for_each = ["50000", "6443"]
 
     content {
       action   = "accept"
@@ -25,8 +25,33 @@ resource "scaleway_instance_security_group" "controlplane" {
     }
   }
 
+  inbound_rule {
+    action   = "accept"
+    protocol = "ANY"
+    ip_range = local.main_subnet
+  }
+
+  # KubeSpan
+  inbound_rule {
+    action   = "accept"
+    protocol = "UDP"
+    port     = 51820
+  }
+  inbound_rule {
+    action   = "accept"
+    protocol = "UDP"
+    port     = 51820
+    ip_range = "::/0"
+  }
+}
+
+resource "scaleway_instance_security_group" "web" {
+  name                    = "web"
+  inbound_default_policy  = "drop"
+  outbound_default_policy = "accept"
+
   dynamic "inbound_rule" {
-    for_each = ["10250"]
+    for_each = ["80", "443"]
 
     content {
       action   = "accept"
@@ -37,65 +62,45 @@ resource "scaleway_instance_security_group" "controlplane" {
 
   inbound_rule {
     action   = "accept"
-    protocol = "UDP"
+    protocol = "ANY"
+    ip_range = local.main_subnet
   }
 
+  # KubeSpan
   inbound_rule {
     action   = "accept"
-    protocol = "ICMP"
+    protocol = "UDP"
+    port     = 51820
+  }
+  inbound_rule {
+    action   = "accept"
+    protocol = "UDP"
+    port     = 51820
+    ip_range = "::/0"
   }
 }
 
-# resource "scaleway_instance_security_group" "web" {
+resource "scaleway_instance_security_group" "worker" {
-#   name                    = "web"
+  name                    = "worker"
-#   inbound_default_policy  = "drop"
+  inbound_default_policy  = "drop"
-#   outbound_default_policy = "accept"
+  outbound_default_policy = "accept"
 
-#   dynamic "inbound_rule" {
+  inbound_rule {
-#     for_each = ["80", "443"]
+    action   = "accept"
+    protocol = "ANY"
+    ip_range = local.main_subnet
+  }
 
-#     content {
+  # KubeSpan
-#       action   = "accept"
+  inbound_rule {
-#       protocol = "TCP"
+    action   = "accept"
-#       port     = inbound_rule.value
+    protocol = "UDP"
-#     }
+    port     = 51820
-#   }
+  }
-
+  inbound_rule {
-#   dynamic "inbound_rule" {
+    action   = "accept"
-#     for_each = ["4240"]
+    protocol = "UDP"
-
+    port     = 51820
-#     content {
+    ip_range = "::/0"
-#       action   = "accept"
+  }
-#       protocol = "TCP"
+}
-#       port     = inbound_rule.value
-#       ip_range = "::/0"
-#     }
-#   }
-
-#   inbound_rule {
-#     action   = "accept"
-#     protocol = "ICMP"
-#   }
-# }
-
-# resource "scaleway_instance_security_group" "worker" {
-#   name                    = "worker"
-#   inbound_default_policy  = "drop"
-#   outbound_default_policy = "accept"
-
-#   dynamic "inbound_rule" {
-#     for_each = ["4240"]
-
-#     content {
-#       action   = "accept"
-#       protocol = "TCP"
-#       port     = inbound_rule.value
-#       ip_range = "::/0"
-#     }
-#   }
-
-#   inbound_rule {
-#     action   = "accept"
-#     protocol = "ICMP"
-#   }
-# }

scaleway/templates/controlplane.yaml.tpl

@@ -59,6 +59,9 @@ cluster:
     endpoint: https://${ipv4_vip}:6443
   discovery:
     enabled: true
+    registries:
+      service:
+        disabled: true
   network:
     dnsDomain: ${domain}
     podSubnets: ${format("%#v",split(",",podSubnets))}

scaleway/templates/web.yaml.tpl

@@ -53,6 +53,9 @@ cluster:
   clusterName: ${clusterName}
   discovery:
     enabled: true
+    registries:
+      service:
+        disabled: true
   network:
     dnsDomain: ${domain}
     serviceSubnets: ${format("%#v",split(",",serviceSubnets))}