hetzner-k3s 0.5.6 → 0.5.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 59601611401c4cb51de78a2890261cd05a1c026479c3e33fcf351f0b3ffb93d1
-  data.tar.gz: 46c62ab747e5a43e61b271c8de150ef4a29ed496128725cf417d950cd351bc49
+  metadata.gz: 65fe7fa7e6bdeeb49175cfb92184ab320ef8ac40a3aa03f921f1e5fda1b172d7
+  data.tar.gz: 1448919374ef90f7614580251b28000c470b0ed7fba39724e8953f29f176c1bb
 SHA512:
-  metadata.gz: 5be97d9b3445445a81fd7f5f4387c2503a10acedb3000acb78473ce8a9d8793149a84a2354a24a6de9996a19eb9288c6989a9fa28d81bf5729b753b144c28d07
-  data.tar.gz: 41e54dc8f26485c5c4ed431301a844a727f31bc6672d9e829f3c95b23d687dcae19eb157017a56f72c3ec3d97303034575c5b353d8a82d17b8c8f56deff17366
+  metadata.gz: 15f783adb7408a1df5c3e9a114d9dcbc61830ead33acb7bc162ca935b6cdcfe26507e2c404d48c831cae600fe765adc31e686b511c4f675c561d6eb9acabafd2
+  data.tar.gz: df10039025e735d6a73c84fb60516d70bc0aa48220db1bab9d99dd30caad87339ba6be83e2d3f1029f40f95719a6fcde5784956c86ef20d524b67d504f93920a

data/.rubocop.yml

@@ -1,4 +1,4 @@
-Gemspec/DateAssignment: # new in 1.10
+Gemspec/DeprecatedAttributeAssignment: # new in 1.10
   Enabled: true
 Gemspec/RequireMFA: # new in 1.23
   Enabled: true
@@ -119,3 +119,17 @@ Metrics/ParameterLists:
 Style/FrozenStringLiteralComment:
   Exclude:
     - exe/hetzner-k3s
+Lint/RefinementImportMethods: # new in 1.27
+  Enabled: true
+Security/CompoundHash: # new in 1.28
+  Enabled: true
+Style/EnvHome: # new in 1.29
+  Enabled: true
+Style/FetchEnvVar: # new in 1.28
+  Enabled: true
+Style/NestedFileDirname: # new in 1.26
+  Enabled: true
+Style/ObjectThen: # new in 1.28
+  Enabled: true
+Style/RedundantInitialize: # new in 1.27
+  Enabled: true

data/.ruby-version

@@ -1 +1 @@
-3.1.0
+ruby-3.1.2

data/Dockerfile

@@ -1,4 +1,4 @@
-FROM ruby:3.1.0-alpine
+FROM ruby:3.1.2-alpine
 
 RUN apk update --no-cache \
   && apk add build-base git openssh-client curl bash

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    hetzner-k3s (0.5.6)
+    hetzner-k3s (0.5.7)
       bcrypt_pbkdf
       ed25519
       http
@@ -30,7 +30,7 @@ GEM
       http-cookie (~> 1.0)
       http-form_data (~> 2.2)
       http-parser (~> 1.2.0)
-    http-cookie (1.0.4)
+    http-cookie (1.0.5)
       domain_name (~> 0.5)
     http-form_data (2.3.0)
     http-parser (1.2.3)
@@ -39,7 +39,7 @@ GEM
     parallel (1.21.0)
     parser (3.1.0.0)
       ast (~> 2.4.1)
-    public_suffix (4.0.6)
+    public_suffix (4.0.7)
     rainbow (3.1.1)
     rake (12.3.3)
     regexp_parser (2.2.0)
@@ -74,7 +74,7 @@ GEM
     thor (1.2.1)
     unf (0.1.4)
       unf_ext
-    unf_ext (0.0.8)
+    unf_ext (0.0.8.2)
     unicode-display_width (2.1.0)
 
 PLATFORMS
@@ -87,4 +87,4 @@ DEPENDENCIES
   rubocop
 
 BUNDLED WITH
-   2.3.4
+   2.3.14

data/README.md

@@ -16,6 +16,8 @@ Using this tool, creating a highly available k3s cluster with 3 masters for the
 
 See roadmap [here](https://github.com/vitobotta/hetzner-k3s/projects/1) for the features planned or in progress.
 
+Also see this [wiki page](https://github.com/vitobotta/hetzner-k3s/wiki/Tutorial:---Setting-up-a-cluster) for a tutorial on how to set up a cluster with the most common setup to get you started.
+
 ## Requirements
 
 All that is needed to use this tool is
@@ -26,7 +28,7 @@ All that is needed to use this tool is
 
 ## Installation
 
-Once you have the Ruby runtime up and running (3.1.0 or newer), you just need to install the gem:
+Once you have the Ruby runtime up and running (3.1.2 or newer), you just need to install the gem:
 
 ```bash
 gem install hetzner-k3s
@@ -39,7 +41,12 @@ This will install the `hetzner-k3s` executable in your PATH.
 Alternatively, if you don't want to set up a Ruby runtime but have Docker installed, you can use a container. Run the following from inside the directory where you have the config file for the cluster (described in the next section):
 
 ```bash
-docker run --rm -it -v ${PWD}:/cluster -v ${HOME}/.ssh:/tmp/.ssh vitobotta/hetzner-k3s:v0.5.6 create-cluster --config-file /cluster/test.yaml
+docker run --rm -it \
+  -v ${PWD}:/cluster \
+  -v ${HOME}/.ssh:/tmp/.ssh \
+  vitobotta/hetzner-k3s:v0.5.9 \
+  create-cluster \
+  --config-file /cluster/test.yaml
 ```
 
 Replace `test.yaml` with the name of your config file.
@@ -58,6 +65,8 @@ public_ssh_key_path: "~/.ssh/id_rsa.pub"
 private_ssh_key_path: "~/.ssh/id_rsa"
 ssh_allowed_networks:
   - 0.0.0.0/0
+api_allowed_networks:
+  - 0.0.0.0/0
 verify_host_key: false
 location: nbg1
 schedule_workloads_on_masters: false
@@ -73,6 +82,11 @@ worker_node_pools:
   instance_count: 2
 additional_packages:
 - somepackage
+post_create_commands:
+- apt update
+- apt upgrade -y
+- apt autoremove -y
+- shutdown -r now
 enable_encryption: true
 # kube_api_server_args:
 # - arg1
@@ -92,6 +106,7 @@ enable_encryption: true
 # kube_proxy_args:
 # - arg1
 # - ...
+# existing_network: <specify if you want to use an existing network, otherwise one will be created for this cluster>
 
 ```
 
@@ -131,9 +146,11 @@ curl \
 	'https://api.hetzner.cloud/v1/images'
 ```
 
-Note that if you use a custom image, the creation of the servers may take longer than when using the default image.
+Notes:
 
-Also note: the option `verify_host_key` is by default set to `false` to disable host key verification. This is because sometimes when creating new servers, Hetzner may assign IP addresses that were previously used by other servers you owned in the past. Therefore the host key verification would fail. If you set this option to `true` and this happens, the tool won't be able to continue creating the cluster until you resolve the issue with one of the suggestions it will give you.
+- if you use a custom image, the creation of the servers may take longer than when using the default image
+- the option `verify_host_key` is by default set to `false` to disable host key verification. This is because sometimes when creating new servers, Hetzner may assign IP addresses that were previously used by other servers you owned in the past. Therefore the host key verification would fail. If you set this option to `true` and this happens, the tool won't be able to continue creating the cluster until you resolve the issue with one of the suggestions it will give you
+- the setting `api_allowed_networks` allows specifying which networks can access the Kubernetes API, but this only works with single master clusters currently. Multi-master HA clusters require a load balancer for the API, but load balancers are not yet covered by Hetzner's firewalls.
 
 Finally, to create the cluster run:
 
@@ -159,6 +176,8 @@ The `create-cluster` command can be run any number of times with the same config
 
 To add one or more nodes to a node pool, just change the instance count in the configuration file for that node pool and re-run the create command.
 
+**Important**: if you are increasing the size of a node pool created prior to v0.5.7, please see [this thread](https://github.com/vitobotta/hetzner-k3s/issues/80).
+
 ### Scaling down a node pool
 
 To make a node pool smaller:
@@ -194,7 +213,6 @@ Note that the API server will briefly be unavailable during the upgrade of the c
 
 To check the upgrade progress, run `watch kubectl get nodes -owide`. You will see the masters being upgraded one per time, followed by the worker nodes.
 
-
 ### What to do if the upgrade doesn't go smoothly
 
 If the upgrade gets stuck for some reason, or it doesn't upgrade all the nodes:
@@ -220,7 +238,8 @@ I have noticed that sometimes I need to re-run the upgrade command a couple of t
 You can also check the logs of the system upgrade controller's pod:
 
 ```bash
-kubectl -n system-upgrade logs -f $(kubectl -n system-upgrade get pod -l pod-template-hash -o jsonpath="{.items[0].metadata.name}")
+kubectl -n system-upgrade \
+  logs -f $(kubectl -n system-upgrade get pod -l pod-template-hash -o jsonpath="{.items[0].metadata.name}")
 ```
 
 A final note about upgrades is that if for some reason the upgrade gets stuck after upgrading the masters and before upgrading the worker nodes, just cleaning up the resources as described above might not be enough. In that case also try running the following to tell the upgrade job for the workers that the masters have already been upgraded, so the upgrade can continue for the workers:
@@ -229,6 +248,15 @@ A final note about upgrades is that if for some reason the upgrade gets stuck af
 kubectl label node <master1> <master2> <master2> plan.upgrade.cattle.io/k3s-server=upgraded
 ```
 
+## Upgrading the OS on nodes
+
+- consider adding a temporary node during the process if you don't have enough spare capacity in the cluster
+- drain one node
+- update etc
+- reboot
+- uncordon
+- proceed with the next node
+
 ## Deleting a cluster
 
 To delete a cluster, running
@@ -263,7 +291,7 @@ I set `load-balancer.hetzner.cloud/hostname` to a valid hostname that I configur
 
 The annotation `load-balancer.hetzner.cloud/use-private-ip: "true"` ensures that the communication between the load balancer and the nodes happens through the private network, so we don't have to open any ports on the nodes (other than the port 6443 for the Kubernetes API server).
 
-The other annotations should be self explanatory. You can find a list of the available annotations here.
+The other annotations should be self explanatory. You can find a list of the available annotations [here](https://pkg.go.dev/github.com/hetznercloud/hcloud-cloud-controller-manager/internal/annotation).
 
 ## Persistent volumes
 
@@ -279,6 +307,10 @@ I recommend that you create a separate Hetzner project for each cluster, because
 
 Please create a PR if you want to propose any changes, or open an issue if you are having trouble with the tool - I will do my best to help if I can.
 
+Contributors:
+
+- [TitanFighter](https://github.com/TitanFighter) for [this awesome tutorial](https://github.com/vitobotta/hetzner-k3s/wiki/Tutorial:---Setting-up-a-cluster)
+
 ## License
 
 The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).

data/bin/build.sh

@@ -2,13 +2,11 @@
 
 set -e
 
-
-
 IMAGE="vitobotta/hetzner-k3s"
 
-docker build -t ${IMAGE}:v0.5.6 \
+docker build -t ${IMAGE}:v0.5.9 \
   --platform=linux/amd64 \
-  --cache-from ${IMAGE}:v0.5.5 \
+  --cache-from ${IMAGE}:v0.5.8 \
   --build-arg BUILDKIT_INLINE_CACHE=1 .
 
-docker push vitobotta/hetzner-k3s:v0.5.6
+docker push vitobotta/hetzner-k3s:v0.5.9

data/hetzner-k3s.gemspec

@@ -12,7 +12,7 @@ Gem::Specification.new do |spec|
   spec.description   = 'A CLI to create a Kubernetes cluster in Hetzner Cloud very quickly using k3s.'
   spec.homepage      = 'https://github.com/vitobotta/hetzner-k3s'
   spec.license       = 'MIT'
-  spec.required_ruby_version = Gem::Requirement.new('>= 3.1.0')
+  spec.required_ruby_version = Gem::Requirement.new('>= 3.1.2')
 
   # spec.metadata["allowed_push_host"] = "TODO: Set to 'http://mygemserver.com'"
 

data/lib/hetzner/infra/firewall.rb

@@ -7,9 +7,10 @@ module Hetzner
       @cluster_name = cluster_name
     end
 
-    def create(high_availability:, networks:)
+    def create(high_availability:, ssh_networks:, api_networks:)
       @high_availability = high_availability
-      @networks = networks
+      @ssh_networks = ssh_networks
+      @api_networks = api_networks
       puts
 
       if (firewall = find_firewall)
@@ -47,7 +48,7 @@ module Hetzner
 
     private
 
-    attr_reader :hetzner_client, :cluster_name, :firewall, :high_availability, :networks
+    attr_reader :hetzner_client, :cluster_name, :firewall, :high_availability, :ssh_networks, :api_networks
 
     def create_firewall_config
       rules = [
@@ -56,7 +57,7 @@ module Hetzner
           direction: 'in',
           protocol: 'tcp',
           port: '22',
-          source_ips: networks,
+          source_ips: ssh_networks,
           destination_ips: []
         },
         {
@@ -98,10 +99,7 @@ module Hetzner
           direction: 'in',
           protocol: 'tcp',
           port: '6443',
-          source_ips: [
-            '0.0.0.0/0',
-            '::/0'
-          ],
+          source_ips: api_networks,
           destination_ips: []
         }
       end

data/lib/hetzner/infra/network.rb

@@ -2,9 +2,10 @@
 
 module Hetzner
   class Network
-    def initialize(hetzner_client:, cluster_name:)
+    def initialize(hetzner_client:, cluster_name:, existing_network:)
       @hetzner_client = hetzner_client
       @cluster_name = cluster_name
+      @existing_network = existing_network
     end
 
     def create(location:)
@@ -29,9 +30,13 @@ module Hetzner
 
     def delete
       if (network = find_network)
-        puts 'Deleting network...'
-        hetzner_client.delete('/networks', network['id'])
-        puts '...network deleted.'
+        if network["name"] == existing_network
+          puts "Network existed before cluster, skipping."
+        else
+          puts 'Deleting network...'
+          hetzner_client.delete('/networks', network['id'])
+          puts '...network deleted.'
+        end
       else
         puts 'Network no longer exists, skipping.'
       end
@@ -39,9 +44,18 @@ module Hetzner
       puts
     end
 
+    def find_network
+      network_name = existing_network || cluster_name
+      hetzner_client.get('/networks')['networks'].detect { |network| network['name'] == network_name }
+    end
+
+    def get
+      find_network
+    end
+
     private
 
-    attr_reader :hetzner_client, :cluster_name, :location
+    attr_reader :hetzner_client, :cluster_name, :location, :existing_network
 
     def network_config
       {
@@ -56,9 +70,5 @@ module Hetzner
         ]
       }
     end
-
-    def find_network
-      hetzner_client.get('/networks')['networks'].detect { |network| network['name'] == cluster_name }
-    end
   end
 end

data/lib/hetzner/infra/server.rb

@@ -7,13 +7,20 @@ module Hetzner
       @cluster_name = cluster_name
     end
 
-    def create(location:, instance_type:, instance_id:, firewall_id:, network_id:, ssh_key_id:, placement_group_id:, image:, additional_packages: [])
+    def create(location:, instance_type:, instance_id:, firewall_id:, network_id:, ssh_key_id:, placement_group_id:, image:, additional_packages: [], additional_post_create_commands: [])
+      @location = location
+      @instance_type = instance_type
+      @instance_id = instance_id
+      @firewall_id = firewall_id
+      @network_id = network_id
+      @ssh_key_id = ssh_key_id
+      @placement_group_id = placement_group_id
+      @image = image
       @additional_packages = additional_packages
+      @additional_post_create_commands = additional_post_create_commands
 
       puts
 
-      server_name = "#{cluster_name}-#{instance_type}-#{instance_id}"
-
       if (server = find_server(server_name))
         puts "Server #{server_name} already exists, skipping."
         puts
@@ -22,44 +29,16 @@ module Hetzner
 
       puts "Creating server #{server_name}..."
 
-      server_config = {
-        name: server_name,
-        location:,
-        image:,
-        firewalls: [
-          { firewall: firewall_id }
-        ],
-        networks: [
-          network_id
-        ],
-        server_type: instance_type,
-        ssh_keys: [
-          ssh_key_id
-        ],
-        user_data:,
-        labels: {
-          cluster: cluster_name,
-          role: (server_name =~ /master/ ? 'master' : 'worker')
-        },
-        placement_group: placement_group_id
-      }
-
-      response = hetzner_client.post('/servers', server_config)
-      response_body = response.body
-
-      server = JSON.parse(response_body)['server']
+      if (server = make_request)
+        puts "...server #{server_name} created."
+        puts
 
-      unless server
+        server
+      else
         puts "Error creating server #{server_name}. Response details below:"
         puts
         p response
-        return
       end
-
-      puts "...server #{server_name} created."
-      puts
-
-      server
     end
 
     def delete(server_name:)
@@ -74,30 +53,78 @@ module Hetzner
 
     private
 
-    attr_reader :hetzner_client, :cluster_name, :additional_packages
+    attr_reader :hetzner_client, :cluster_name, :location, :instance_type, :instance_id, :firewall_id, :network_id, :ssh_key_id, :placement_group_id, :image, :additional_packages, :additional_post_create_commands
 
     def find_server(server_name)
       hetzner_client.get('/servers?sort=created:desc')['servers'].detect { |network| network['name'] == server_name }
     end
 
     def user_data
-      packages = ['fail2ban', 'wireguard']
+      packages = %w[fail2ban wireguard]
       packages += additional_packages if additional_packages
       packages = "'#{packages.join("', '")}'"
 
+      post_create_commands = [
+        'crontab -l > /etc/cron_bkp',
+        'echo "@reboot echo true > /etc/ready" >> /etc/cron_bkp',
+        'crontab /etc/cron_bkp',
+        'sed -i \'s/[#]*PermitRootLogin yes/PermitRootLogin prohibit-password/g\' /etc/ssh/sshd_config',
+        'sed -i \'s/[#]*PasswordAuthentication yes/PasswordAuthentication no/g\' /etc/ssh/sshd_config',
+        'systemctl restart sshd',
+        'systemctl stop systemd-resolved',
+        'systemctl disable systemd-resolved',
+        'rm /etc/resolv.conf',
+        'echo \'nameserver 1.1.1.1\' > /etc/resolv.conf',
+        'echo \'nameserver 1.0.0.1\' >> /etc/resolv.conf'
+      ]
+
+      post_create_commands += additional_post_create_commands if additional_post_create_commands
+
+      post_create_commands += ['shutdown -r now'] if post_create_commands.grep(/shutdown|reboot/).grep_v(/@reboot/).empty?
+
+      post_create_commands = "  - #{post_create_commands.join("\n  - ")}"
+
       <<~YAML
         #cloud-config
         packages: [#{packages}]
         runcmd:
-          - sed -i 's/[#]*PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
-          - sed -i 's/[#]*PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
-          - systemctl restart sshd
-          - systemctl stop systemd-resolved
-          - systemctl disable systemd-resolved
-          - rm /etc/resolv.conf
-          - echo "nameserver 1.1.1.1" > /etc/resolv.conf
-          - echo "nameserver 1.0.0.1" >> /etc/resolv.conf
+        #{post_create_commands}
       YAML
     end
+
+    def server_name
+      @server_name ||= "#{cluster_name}-#{instance_type}-#{instance_id}"
+    end
+
+    def server_config
+      @server_config ||= {
+        name: server_name,
+        location:,
+        image:,
+        firewalls: [
+          { firewall: firewall_id }
+        ],
+        networks: [
+          network_id
+        ],
+        server_type: instance_type,
+        ssh_keys: [
+          ssh_key_id
+        ],
+        user_data:,
+        labels: {
+          cluster: cluster_name,
+          role: (server_name =~ /master/ ? 'master' : 'worker')
+        },
+        placement_group: placement_group_id
+      }
+    end
+
+    def make_request
+      response = hetzner_client.post('/servers', server_config)
+      response_body = response.body
+
+      JSON.parse(response_body)['server']
+    end
   end
 end