hetzner-k3s 0.5.8 → 0.5.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c0d855f62ab9e222986d220edcdde203f7eb363ab725c8aa4e1f1389f2b251e2
-  data.tar.gz: 19d6a1ff6769cbec2207539d615d6a873eaede07aec9b15a43e6ef9d79101731
+  metadata.gz: 65fe7fa7e6bdeeb49175cfb92184ab320ef8ac40a3aa03f921f1e5fda1b172d7
+  data.tar.gz: 1448919374ef90f7614580251b28000c470b0ed7fba39724e8953f29f176c1bb
 SHA512:
-  metadata.gz: d8fdc127e71f790e530d3abf97ca30d22b28d75eff687e436d1351336595ae7ba912c0c947c8b1738ab9d50447e577c4be753db3c20a2bfbcca195fcc6a0d193
-  data.tar.gz: 5cb4203c6270f0e82b66049fefd7244aaeb42e1dd89e257a0e1ba4b126db04ed8adf27b715b10874248f6661b6fed3126e562913ec2342f086bbff4c717c329b
+  metadata.gz: 15f783adb7408a1df5c3e9a114d9dcbc61830ead33acb7bc162ca935b6cdcfe26507e2c404d48c831cae600fe765adc31e686b511c4f675c561d6eb9acabafd2
+  data.tar.gz: df10039025e735d6a73c84fb60516d70bc0aa48220db1bab9d99dd30caad87339ba6be83e2d3f1029f40f95719a6fcde5784956c86ef20d524b67d504f93920a

data/.rubocop.yml

@@ -1,4 +1,4 @@
-Gemspec/DateAssignment: # new in 1.10
+Gemspec/DeprecatedAttributeAssignment: # new in 1.10
   Enabled: true
 Gemspec/RequireMFA: # new in 1.23
   Enabled: true

data/README.md

@@ -44,7 +44,7 @@ Alternatively, if you don't want to set up a Ruby runtime but have Docker instal
 docker run --rm -it \
   -v ${PWD}:/cluster \
   -v ${HOME}/.ssh:/tmp/.ssh \
-  vitobotta/hetzner-k3s:v0.5.8 \
+  vitobotta/hetzner-k3s:v0.5.9 \
   create-cluster \
   --config-file /cluster/test.yaml
 ```
@@ -65,6 +65,8 @@ public_ssh_key_path: "~/.ssh/id_rsa.pub"
 private_ssh_key_path: "~/.ssh/id_rsa"
 ssh_allowed_networks:
   - 0.0.0.0/0
+api_allowed_networks:
+  - 0.0.0.0/0
 verify_host_key: false
 location: nbg1
 schedule_workloads_on_masters: false
@@ -104,6 +106,7 @@ enable_encryption: true
 # kube_proxy_args:
 # - arg1
 # - ...
+# existing_network: <specify if you want to use an existing network, otherwise one will be created for this cluster>
 
 ```
 
@@ -143,9 +146,11 @@ curl \
 	'https://api.hetzner.cloud/v1/images'
 ```
 
-Note that if you use a custom image, the creation of the servers may take longer than when using the default image.
+Notes:
 
-Also note: the option `verify_host_key` is by default set to `false` to disable host key verification. This is because sometimes when creating new servers, Hetzner may assign IP addresses that were previously used by other servers you owned in the past. Therefore the host key verification would fail. If you set this option to `true` and this happens, the tool won't be able to continue creating the cluster until you resolve the issue with one of the suggestions it will give you.
+- if you use a custom image, the creation of the servers may take longer than when using the default image
+- the option `verify_host_key` is by default set to `false` to disable host key verification. This is because sometimes when creating new servers, Hetzner may assign IP addresses that were previously used by other servers you owned in the past. Therefore the host key verification would fail. If you set this option to `true` and this happens, the tool won't be able to continue creating the cluster until you resolve the issue with one of the suggestions it will give you
+- the setting `api_allowed_networks` allows specifying which networks can access the Kubernetes API, but this only works with single master clusters currently. Multi-master HA clusters require a load balancer for the API, but load balancers are not yet covered by Hetzner's firewalls.
 
 Finally, to create the cluster run:
 

data/bin/build.sh

@@ -4,9 +4,9 @@ set -e
 
 IMAGE="vitobotta/hetzner-k3s"
 
-docker build -t ${IMAGE}:v0.5.8 \
+docker build -t ${IMAGE}:v0.5.9 \
   --platform=linux/amd64 \
-  --cache-from ${IMAGE}:v0.5.7 \
+  --cache-from ${IMAGE}:v0.5.8 \
   --build-arg BUILDKIT_INLINE_CACHE=1 .
 
-docker push vitobotta/hetzner-k3s:v0.5.8
+docker push vitobotta/hetzner-k3s:v0.5.9

data/lib/hetzner/infra/firewall.rb

@@ -7,9 +7,10 @@ module Hetzner
       @cluster_name = cluster_name
     end
 
-    def create(high_availability:, networks:)
+    def create(high_availability:, ssh_networks:, api_networks:)
       @high_availability = high_availability
-      @networks = networks
+      @ssh_networks = ssh_networks
+      @api_networks = api_networks
       puts
 
       if (firewall = find_firewall)
@@ -47,7 +48,7 @@ module Hetzner
 
     private
 
-    attr_reader :hetzner_client, :cluster_name, :firewall, :high_availability, :networks
+    attr_reader :hetzner_client, :cluster_name, :firewall, :high_availability, :ssh_networks, :api_networks
 
     def create_firewall_config
       rules = [
@@ -56,7 +57,7 @@ module Hetzner
           direction: 'in',
           protocol: 'tcp',
           port: '22',
-          source_ips: networks,
+          source_ips: ssh_networks,
           destination_ips: []
         },
         {
@@ -98,10 +99,7 @@ module Hetzner
           direction: 'in',
           protocol: 'tcp',
           port: '6443',
-          source_ips: [
-            '0.0.0.0/0',
-            '::/0'
-          ],
+          source_ips: api_networks,
           destination_ips: []
         }
       end

data/lib/hetzner/infra/network.rb

@@ -2,9 +2,10 @@
 
 module Hetzner
   class Network
-    def initialize(hetzner_client:, cluster_name:)
+    def initialize(hetzner_client:, cluster_name:, existing_network:)
       @hetzner_client = hetzner_client
       @cluster_name = cluster_name
+      @existing_network = existing_network
     end
 
     def create(location:)
@@ -29,9 +30,13 @@ module Hetzner
 
     def delete
       if (network = find_network)
-        puts 'Deleting network...'
-        hetzner_client.delete('/networks', network['id'])
-        puts '...network deleted.'
+        if network["name"] == existing_network
+          puts "Network existed before cluster, skipping."
+        else
+          puts 'Deleting network...'
+          hetzner_client.delete('/networks', network['id'])
+          puts '...network deleted.'
+        end
       else
         puts 'Network no longer exists, skipping.'
       end
@@ -39,9 +44,18 @@ module Hetzner
       puts
     end
 
+    def find_network
+      network_name = existing_network || cluster_name
+      hetzner_client.get('/networks')['networks'].detect { |network| network['name'] == network_name }
+    end
+
+    def get
+      find_network
+    end
+
     private
 
-    attr_reader :hetzner_client, :cluster_name, :location
+    attr_reader :hetzner_client, :cluster_name, :location, :existing_network
 
     def network_config
       {
@@ -56,9 +70,5 @@ module Hetzner
         ]
       }
     end
-
-    def find_network
-      hetzner_client.get('/networks')['networks'].detect { |network| network['name'] == cluster_name }
-    end
   end
 end

data/lib/hetzner/k3s/cluster.rb

@@ -35,7 +35,8 @@ class Cluster
     @masters_location = configuration['location']
     @verify_host_key = configuration.fetch('verify_host_key', false)
     @servers = []
-    @networks = configuration['ssh_allowed_networks']
+    @ssh_networks = configuration['ssh_allowed_networks']
+    @api_networks = configuration['api_allowed_networks']
     @enable_encryption = configuration.fetch('enable_encryption', false)
     @kube_api_server_args = configuration.fetch('kube_api_server_args', [])
     @kube_scheduler_args = configuration.fetch('kube_scheduler_args', [])
@@ -82,10 +83,10 @@ class Cluster
               :masters_config, :worker_node_pools,
               :masters_location, :public_ssh_key_path,
               :hetzner_token, :new_k3s_version,
-              :config_file, :verify_host_key, :networks, :private_ssh_key_path,
+              :config_file, :verify_host_key, :ssh_networks, :private_ssh_key_path,
               :enable_encryption, :kube_api_server_args, :kube_scheduler_args,
               :kube_controller_manager_args, :kube_cloud_controller_manager_args,
-              :kubelet_args, :kube_proxy_args
+              :kubelet_args, :kube_proxy_args, :api_networks
 
   def find_worker_node_pools(configuration)
     configuration.fetch('worker_node_pools', [])
@@ -115,7 +116,7 @@ class Cluster
 
     Hetzner::Firewall.new(hetzner_client:, cluster_name:).delete(all_servers)
 
-    Hetzner::Network.new(hetzner_client:, cluster_name:).delete
+    Hetzner::Network.new(hetzner_client:, cluster_name:, existing_network:).delete
 
     Hetzner::SSHKey.new(hetzner_client:, cluster_name:).delete(public_ssh_key_path:)
 
@@ -195,7 +196,21 @@ class Cluster
   def master_script(master)
     server = master == first_master ? ' --cluster-init ' : " --server https://#{api_server_ip}:6443 "
     flannel_interface = find_flannel_interface(master)
-    flannel_wireguard = enable_encryption ? ' --flannel-backend=wireguard ' : ' '
+
+    available_k3s_releases = Hetzner::Configuration.available_releases
+    wireguard_native_min_version_index = available_k3s_releases.find_index('v1.23.6+k3s1')
+    selected_version_index = available_k3s_releases.find_index(k3s_version)
+
+    flannel_wireguard = if enable_encryption
+      if selected_version_index >= wireguard_native_min_version_index
+        ' --flannel-backend=wireguard-native '
+      else
+        ' --flannel-backend=wireguard '
+      end
+    else
+      ' '
+    end
+
     extra_args = "#{kube_api_server_args_list} #{kube_scheduler_args_list} #{kube_controller_manager_args_list} #{kube_cloud_controller_manager_args_list} #{kubelet_args_list} #{kube_proxy_args_list}"
     taint = schedule_workloads_on_masters? ? ' ' : ' --node-taint CriticalAddonsOnly=true:NoExecute '
 
@@ -293,7 +308,7 @@ class Cluster
           namespace: 'kube-system'
           name: 'hcloud'
         stringData:
-          network: "#{cluster_name}"
+          network: "#{existing_network || cluster_name}"
           token: "#{configuration.hetzner_token}"
       EOF
     BASH
@@ -313,7 +328,7 @@ class Cluster
     puts
     puts 'Deploying k3s System Upgrade Controller...'
 
-    cmd = 'kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.8.1/system-upgrade-controller.yaml'
+    cmd = 'kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.9.1/system-upgrade-controller.yaml'
 
     run cmd, kubeconfig_path: kubeconfig_path
 
@@ -340,7 +355,7 @@ class Cluster
 
     run cmd, kubeconfig_path: kubeconfig_path
 
-    cmd = 'kubectl apply -f https://raw.githubusercontent.com/hetznercloud/csi-driver/v1.6.0/deploy/kubernetes/hcloud-csi.yml'
+    cmd = 'kubectl apply -f https://raw.githubusercontent.com/hetznercloud/csi-driver/master/deploy/kubernetes/hcloud-csi.yml'
 
     run cmd, kubeconfig_path: kubeconfig_path
 
@@ -470,11 +485,11 @@ class Cluster
   end
 
   def firewall_id
-    @firewall_id ||= Hetzner::Firewall.new(hetzner_client:, cluster_name:).create(high_availability: (masters_count > 1), networks:)
+    @firewall_id ||= Hetzner::Firewall.new(hetzner_client:, cluster_name:).create(high_availability: (masters_count > 1), ssh_networks:, api_networks:)
   end
 
   def network_id
-    @network_id ||= Hetzner::Network.new(hetzner_client:, cluster_name:).create(location: masters_location)
+    @network_id ||= Hetzner::Network.new(hetzner_client:, cluster_name:, existing_network:).create(location: masters_location)
   end
 
   def ssh_key_id
@@ -642,4 +657,8 @@ class Cluster
   def hetzner_client
     configuration.hetzner_client
   end
+
+  def existing_network
+    configuration["existing_network"]
+  end
 end

data/lib/hetzner/k3s/configuration.rb

@@ -2,8 +2,8 @@
 
 module Hetzner
   class Configuration
-    GITHUB_DELIM_LINKS = ','.freeze
-    GITHUB_LINK_REGEX = /<([^>]+)>; rel=\"([^\"]+)\"/
+    GITHUB_DELIM_LINKS = ','
+    GITHUB_LINK_REGEX = /<([^>]+)>; rel="([^"]+)"/
 
     attr_reader :hetzner_client
 
@@ -52,7 +52,7 @@ module Hetzner
         releases = page_releases
         link_header = response.headers['link']
 
-        while !link_header.nil?
+        until link_header.nil?
           next_page_url = extract_next_github_page_url(link_header)
 
           break if next_page_url.nil?
@@ -67,10 +67,10 @@ module Hetzner
         releases.sort
       end
     rescue StandardError
-      if defined?errors
-        errors << 'Cannot fetch the releases with Hetzner API, please try again later'
+      if defined? errors
+        errors << 'Cannot fetch the releases with Github API, please try again later. This may be due to API rate limits.'
       else
-        puts 'Cannot fetch the releases with Hetzner API, please try again later'
+        puts 'Cannot fetch the releases with Github API, please try again later. This may be due to API rate limits.'
       end
     end
 
@@ -104,9 +104,10 @@ module Hetzner
     def self.extract_next_github_page_url(link_header)
       link_header.split(GITHUB_DELIM_LINKS).each do |link|
         GITHUB_LINK_REGEX.match(link.strip) do |match|
-          url_part, meta_part = match[1], match[2]
+          url_part = match[1]
+          meta_part = match[2]
           next if !url_part || !meta_part
-          return url_part if meta_part == "next"
+          return url_part if meta_part == 'next'
         end
       end
 
@@ -115,7 +116,7 @@ module Hetzner
 
     def self.assign_url_part(meta_part, url_part)
       case meta_part
-      when "next"
+      when 'next'
         url_part
       end
     end
@@ -124,6 +125,7 @@ module Hetzner
       validate_public_ssh_key
       validate_private_ssh_key
       validate_ssh_allowed_networks
+      validate_api_allowed_networks
       validate_masters_location
       validate_k3s_version
       validate_masters
@@ -137,6 +139,7 @@ module Hetzner
       validate_kube_cloud_controller_manager_args
       validate_kubelet_args
       validate_kube_proxy_args
+      validate_existing_network
     end
 
     def validate_upgrade
@@ -165,11 +168,11 @@ module Hetzner
       errors << 'Invalid Private SSH key path'
     end
 
-    def validate_ssh_allowed_networks
-      networks ||= configuration['ssh_allowed_networks']
+    def validate_networks(configuration_option, access_type)
+      networks ||= configuration[configuration_option]
 
       if networks.nil? || networks.empty?
-        errors << 'At least one network/IP range must be specified for SSH access'
+        errors << "At least one network/IP range must be specified for #{access_type} access"
         return
       end
 
@@ -181,7 +184,7 @@ module Hetzner
 
       unless invalid_networks.empty?
         invalid_networks.each do |network|
-          errors << "The network #{network} is an invalid range"
+          errors << "The #{access_type} network #{network} is an invalid range"
         end
       end
 
@@ -191,7 +194,7 @@ module Hetzner
 
       unless invalid_ranges.empty?
         invalid_ranges.each do |_network|
-          errors << 'Please use the CIDR notation for the networks to avoid ambiguity'
+          errors << 'Please use the CIDR notation for the #{access_type} networks to avoid ambiguity'
         end
       end
 
@@ -199,13 +202,30 @@ module Hetzner
 
       current_ip = URI.open('http://whatismyip.akamai.com').read
 
-      current_ip_networks = networks.detect do |network|
+      current_ip_network = networks.detect do |network|
         IPAddr.new(network).include?(current_ip)
       rescue StandardError
         false
       end
 
-      errors << "Your current IP #{current_ip} is not included into any of the networks you've specified, so we won't be able to SSH into the nodes" unless current_ip_networks
+      unless current_ip_network
+        case access_type
+        when "SSH"
+          errors << "Your current IP #{current_ip} is not included into any of the #{access_type} networks you've specified, so we won't be able to SSH into the nodes "
+        when "API"
+          errors << "Your current IP #{current_ip} is not included into any of the #{access_type} networks you've specified, so we won't be able to connect to the Kubernetes API"
+        end
+      end
+    end
+
+
+    def validate_ssh_allowed_networks
+      return
+      validate_networks('ssh_allowed_networks', 'SSH')
+    end
+
+    def validate_api_allowed_networks
+      validate_networks('api_allowed_networks', 'API')
     end
 
     def validate_masters_location
@@ -450,5 +470,15 @@ module Hetzner
       @errors << 'Cannot fetch server types with Hetzner API, please try again later'
       false
     end
+
+    def validate_existing_network
+      if configuration["existing_network"]
+        existing_network = Hetzner::Network.new(hetzner_client:, cluster_name: configuration["cluster_name"], existing_network: configuration["existing_network"]).get
+
+        unless existing_network
+          @errors << "You have specified that you want to use the existing network named '#{configuration["existing_network"]} but this network doesn't exist"
+        end
+      end
+    end
   end
 end

data/lib/hetzner/k3s/version.rb

@@ -2,6 +2,6 @@
 
 module Hetzner
   module K3s
-    VERSION = '0.5.8'
+    VERSION = '0.5.9'
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: hetzner-k3s
 version: !ruby/object:Gem::Version
-  version: 0.5.8
+  version: 0.5.9
 platform: ruby
 authors:
 - Vito Botta
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2022-08-11 00:00:00.000000000 Z
+date: 2022-08-12 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt_pbkdf