hetzner-k3s 0.5.8 → 0.6.0.pre2

data/lib/hetzner/k3s/cli.rb

@@ -1,7 +1,8 @@
 # frozen_string_literal: true
 
 require 'thor'
-require 'http'
+require 'openssl'
+require 'httparty'
 require 'sshkey'
 require 'ipaddr'
 require 'open-uri'
@@ -27,14 +28,14 @@ module Hetzner
       option :config_file, required: true
       def create_cluster
         configuration.validate action: :create
-        Cluster.new(configuration:).create
+        Cluster.new(configuration: configuration).create
       end
 
       desc 'delete-cluster', 'Delete an existing k3s cluster in Hetzner Cloud'
       option :config_file, required: true
       def delete_cluster
         configuration.validate action: :delete
-        Cluster.new(configuration:).delete
+        Cluster.new(configuration: configuration).delete
       end
 
       desc 'upgrade-cluster', 'Upgrade an existing k3s cluster in Hetzner Cloud to a new version'
@@ -43,7 +44,7 @@ module Hetzner
       option :force, default: 'false'
       def upgrade_cluster
         configuration.validate action: :upgrade
-        Cluster.new(configuration:).upgrade(new_k3s_version: options[:new_k3s_version], config_file: options[:config_file])
+        Cluster.new(configuration: configuration).upgrade(new_k3s_version: options[:new_k3s_version], config_file: options[:config_file])
       end
 
       desc 'releases', 'List available k3s releases'
@@ -59,7 +60,7 @@ module Hetzner
 
       def configuration
         @configuration ||= begin
-          config = ::Hetzner::Configuration.new(options:)
+          config = ::Hetzner::Configuration.new(options: options)
           @hetzner_token = config.hetzner_token
           config
         end

data/lib/hetzner/k3s/cluster.rb

@@ -4,7 +4,7 @@ require 'net/ssh'
 require 'securerandom'
 require 'base64'
 require 'timeout'
-require 'subprocess'
+require 'fileutils'
 
 require_relative '../infra/client'
 require_relative '../infra/firewall'
@@ -35,7 +35,8 @@ class Cluster
     @masters_location = configuration['location']
     @verify_host_key = configuration.fetch('verify_host_key', false)
     @servers = []
-    @networks = configuration['ssh_allowed_networks']
+    @ssh_networks = configuration['ssh_allowed_networks']
+    @api_networks = configuration['api_allowed_networks']
     @enable_encryption = configuration.fetch('enable_encryption', false)
     @kube_api_server_args = configuration.fetch('kube_api_server_args', [])
     @kube_scheduler_args = configuration.fetch('kube_scheduler_args', [])
@@ -82,17 +83,17 @@ class Cluster
               :masters_config, :worker_node_pools,
               :masters_location, :public_ssh_key_path,
               :hetzner_token, :new_k3s_version,
-              :config_file, :verify_host_key, :networks, :private_ssh_key_path,
+              :config_file, :verify_host_key, :ssh_networks, :private_ssh_key_path,
               :enable_encryption, :kube_api_server_args, :kube_scheduler_args,
               :kube_controller_manager_args, :kube_cloud_controller_manager_args,
-              :kubelet_args, :kube_proxy_args
+              :kubelet_args, :kube_proxy_args, :api_networks
 
   def find_worker_node_pools(configuration)
     configuration.fetch('worker_node_pools', [])
   end
 
   def latest_k3s_version
-    response = HTTP.get('https://api.github.com/repos/k3s-io/k3s/tags').body
+    response = HTTParty.get('https://api.github.com/repos/k3s-io/k3s/tags').body
     JSON.parse(response).first['name']
   end
 
@@ -102,22 +103,22 @@ class Cluster
   end
 
   def delete_placement_groups
-    Hetzner::PlacementGroup.new(hetzner_client:, cluster_name:).delete
+    Hetzner::PlacementGroup.new(hetzner_client: hetzner_client, cluster_name: cluster_name).delete
 
     worker_node_pools.each do |pool|
       pool_name = pool['name']
-      Hetzner::PlacementGroup.new(hetzner_client:, cluster_name:, pool_name:).delete
+      Hetzner::PlacementGroup.new(hetzner_client: hetzner_client, cluster_name: cluster_name, pool_name: pool_name).delete
     end
   end
 
   def delete_resources
-    Hetzner::LoadBalancer.new(hetzner_client:, cluster_name:).delete(high_availability: (masters.size > 1))
+    Hetzner::LoadBalancer.new(hetzner_client: hetzner_client, cluster_name: cluster_name).delete(high_availability: (masters.size > 1))
 
-    Hetzner::Firewall.new(hetzner_client:, cluster_name:).delete(all_servers)
+    Hetzner::Firewall.new(hetzner_client: hetzner_client, cluster_name: cluster_name).delete(all_servers)
 
-    Hetzner::Network.new(hetzner_client:, cluster_name:).delete
+    Hetzner::Network.new(hetzner_client: hetzner_client, cluster_name: cluster_name, existing_network: existing_network).delete
 
-    Hetzner::SSHKey.new(hetzner_client:, cluster_name:).delete(public_ssh_key_path:)
+    Hetzner::SSHKey.new(hetzner_client: hetzner_client, cluster_name: cluster_name).delete(public_ssh_key_path: public_ssh_key_path)
 
     delete_placement_groups
     delete_servers
@@ -195,7 +196,21 @@ class Cluster
   def master_script(master)
     server = master == first_master ? ' --cluster-init ' : " --server https://#{api_server_ip}:6443 "
     flannel_interface = find_flannel_interface(master)
-    flannel_wireguard = enable_encryption ? ' --flannel-backend=wireguard ' : ' '
+
+    available_k3s_releases = Hetzner::Configuration.available_releases
+    wireguard_native_min_version_index = available_k3s_releases.find_index('v1.23.6+k3s1')
+    selected_version_index = available_k3s_releases.find_index(k3s_version)
+
+    flannel_wireguard = if enable_encryption
+                          if selected_version_index >= wireguard_native_min_version_index
+                            ' --flannel-backend=wireguard-native '
+                          else
+                            ' --flannel-backend=wireguard '
+                          end
+                        else
+                          ' '
+                        end
+
     extra_args = "#{kube_api_server_args_list} #{kube_scheduler_args_list} #{kube_controller_manager_args_list} #{kube_cloud_controller_manager_args_list} #{kubelet_args_list} #{kube_proxy_args_list}"
     taint = schedule_workloads_on_masters? ? ' ' : ' --node-taint CriticalAddonsOnly=true:NoExecute '
 
@@ -293,7 +308,7 @@ class Cluster
           namespace: 'kube-system'
           name: 'hcloud'
         stringData:
-          network: "#{cluster_name}"
+          network: "#{existing_network || cluster_name}"
           token: "#{configuration.hetzner_token}"
       EOF
     BASH
@@ -313,7 +328,7 @@ class Cluster
     puts
     puts 'Deploying k3s System Upgrade Controller...'
 
-    cmd = 'kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.8.1/system-upgrade-controller.yaml'
+    cmd = 'kubectl apply -f https://github.com/rancher/system-upgrade-controller/releases/download/v0.9.1/system-upgrade-controller.yaml'
 
     run cmd, kubeconfig_path: kubeconfig_path
 
@@ -340,7 +355,7 @@ class Cluster
 
     run cmd, kubeconfig_path: kubeconfig_path
 
-    cmd = 'kubectl apply -f https://raw.githubusercontent.com/hetznercloud/csi-driver/v1.6.0/deploy/kubernetes/hcloud-csi.yml'
+    cmd = 'kubectl apply -f https://raw.githubusercontent.com/hetznercloud/csi-driver/master/deploy/kubernetes/hcloud-csi.yml'
 
     run cmd, kubeconfig_path: kubeconfig_path
 
@@ -408,7 +423,7 @@ class Cluster
 
     masters.each do |master|
       master_private_ip = master['private_net'][0]['ip']
-      sans << " --tls-san=#{master_private_ip} "
+      sans += " --tls-san=#{master_private_ip} "
     end
 
     sans
@@ -458,7 +473,7 @@ class Cluster
 
   def placement_group_id(pool_name = nil)
     @placement_groups ||= {}
-    @placement_groups[pool_name || '__masters__'] ||= Hetzner::PlacementGroup.new(hetzner_client:, cluster_name:, pool_name:).create
+    @placement_groups[pool_name || '__masters__'] ||= Hetzner::PlacementGroup.new(hetzner_client: hetzner_client, cluster_name: cluster_name, pool_name: pool_name).create
   end
 
   def master_instance_type
@@ -470,15 +485,15 @@ class Cluster
   end
 
   def firewall_id
-    @firewall_id ||= Hetzner::Firewall.new(hetzner_client:, cluster_name:).create(high_availability: (masters_count > 1), networks:)
+    @firewall_id ||= Hetzner::Firewall.new(hetzner_client: hetzner_client, cluster_name: cluster_name).create(high_availability: (masters_count > 1), ssh_networks: ssh_networks, api_networks: api_networks)
   end
 
   def network_id
-    @network_id ||= Hetzner::Network.new(hetzner_client:, cluster_name:).create(location: masters_location)
+    @network_id ||= Hetzner::Network.new(hetzner_client: hetzner_client, cluster_name: cluster_name, existing_network: existing_network).create(location: masters_location)
   end
 
   def ssh_key_id
-    @ssh_key_id ||= Hetzner::SSHKey.new(hetzner_client:, cluster_name:).create(public_ssh_key_path:)
+    @ssh_key_id ||= Hetzner::SSHKey.new(hetzner_client: hetzner_client, cluster_name: cluster_name).create(public_ssh_key_path: public_ssh_key_path)
   end
 
   def master_definitions_for_create
@@ -489,13 +504,13 @@ class Cluster
         instance_type: master_instance_type,
         instance_id: "master#{i + 1}",
         location: masters_location,
-        placement_group_id:,
-        firewall_id:,
-        network_id:,
-        ssh_key_id:,
-        image:,
-        additional_packages:,
-        additional_post_create_commands:
+        placement_group_id: placement_group_id,
+        firewall_id: firewall_id,
+        network_id: network_id,
+        ssh_key_id: ssh_key_id,
+        image: image,
+        additional_packages: additional_packages,
+        additional_post_create_commands: additional_post_create_commands
       }
     end
 
@@ -529,12 +544,12 @@ class Cluster
         instance_id: "pool-#{worker_node_pool_name}-worker#{i + 1}",
         placement_group_id: placement_group_id(worker_node_pool_name),
         location: worker_location,
-        firewall_id:,
-        network_id:,
-        ssh_key_id:,
-        image:,
-        additional_packages:,
-        additional_post_create_commands:
+        firewall_id: firewall_id,
+        network_id: network_id,
+        ssh_key_id: ssh_key_id,
+        image: image,
+        additional_packages: additional_packages,
+        additional_post_create_commands: additional_post_create_commands
       }
     end
 
@@ -542,7 +557,7 @@ class Cluster
   end
 
   def create_load_balancer
-    Hetzner::LoadBalancer.new(hetzner_client:, cluster_name:).create(location: masters_location, network_id:)
+    Hetzner::LoadBalancer.new(hetzner_client: hetzner_client, cluster_name: cluster_name).create(location: masters_location, network_id: network_id)
   end
 
   def server_configs
@@ -562,7 +577,7 @@ class Cluster
 
     threads = server_configs.map do |server_config|
       Thread.new do
-        servers << Hetzner::Server.new(hetzner_client:, cluster_name:).create(**server_config)
+        servers << Hetzner::Server.new(hetzner_client: hetzner_client, cluster_name: cluster_name).create(**server_config)
       end
     end
 
@@ -584,7 +599,7 @@ class Cluster
   def delete_servers
     threads = all_servers.map do |server|
       Thread.new do
-        Hetzner::Server.new(hetzner_client:, cluster_name:).delete(server_name: server['name'])
+        Hetzner::Server.new(hetzner_client: hetzner_client, cluster_name: cluster_name).delete(server_name: server['name'])
       end
     end
 
@@ -642,4 +657,8 @@ class Cluster
   def hetzner_client
     configuration.hetzner_client
   end
+
+  def existing_network
+    configuration['existing_network']
+  end
 end

data/lib/hetzner/k3s/configuration.rb

@@ -2,8 +2,8 @@
 
 module Hetzner
   class Configuration
-    GITHUB_DELIM_LINKS = ','.freeze
-    GITHUB_LINK_REGEX = /<([^>]+)>; rel=\"([^\"]+)\"/
+    GITHUB_DELIM_LINKS = ','
+    GITHUB_LINK_REGEX = /<([^>]+)>; rel="([^"]+)"/
 
     attr_reader :hetzner_client
 
@@ -52,7 +52,7 @@ module Hetzner
         releases = page_releases
         link_header = response.headers['link']
 
-        while !link_header.nil?
+        until link_header.nil?
           next_page_url = extract_next_github_page_url(link_header)
 
           break if next_page_url.nil?
@@ -67,10 +67,10 @@ module Hetzner
         releases.sort
       end
     rescue StandardError
-      if defined?errors
-        errors << 'Cannot fetch the releases with Hetzner API, please try again later'
+      if defined? errors
+        errors << 'Cannot fetch the releases with Github API, please try again later. This may be due to API rate limits.'
       else
-        puts 'Cannot fetch the releases with Hetzner API, please try again later'
+        puts 'Cannot fetch the releases with Github API, please try again later. This may be due to API rate limits.'
       end
     end
 
@@ -92,21 +92,20 @@ module Hetzner
       configuration
     end
 
-    private
-
-    attr_reader :configuration, :errors, :options
+    private_class_method
 
     def self.fetch_releases(url)
-      response = HTTP.get(url)
+      response = HTTParty.get(url)
       [response, JSON.parse(response.body).map { |hash| hash['name'] }]
     end
 
     def self.extract_next_github_page_url(link_header)
       link_header.split(GITHUB_DELIM_LINKS).each do |link|
         GITHUB_LINK_REGEX.match(link.strip) do |match|
-          url_part, meta_part = match[1], match[2]
+          url_part = match[1]
+          meta_part = match[2]
           next if !url_part || !meta_part
-          return url_part if meta_part == "next"
+          return url_part if meta_part == 'next'
         end
       end
 
@@ -115,17 +114,22 @@ module Hetzner
 
     def self.assign_url_part(meta_part, url_part)
       case meta_part
-      when "next"
+      when 'next'
         url_part
       end
     end
 
+    private
+
+    attr_reader :configuration, :errors, :options
+
     def validate_create
       validate_public_ssh_key
       validate_private_ssh_key
       validate_ssh_allowed_networks
+      validate_api_allowed_networks
       validate_masters_location
-      validate_k3s_version
+      # validate_k3s_version
       validate_masters
       validate_worker_node_pools
       validate_verify_host_key
@@ -137,11 +141,12 @@ module Hetzner
       validate_kube_cloud_controller_manager_args
       validate_kubelet_args
       validate_kube_proxy_args
+      validate_existing_network
     end
 
     def validate_upgrade
       validate_kubeconfig_path_must_exist
-      validate_new_k3s_version
+      # validate_new_k3s_version
     end
 
     def validate_public_ssh_key
@@ -165,11 +170,11 @@ module Hetzner
       errors << 'Invalid Private SSH key path'
     end
 
-    def validate_ssh_allowed_networks
-      networks ||= configuration['ssh_allowed_networks']
+    def validate_networks(configuration_option, access_type)
+      networks ||= configuration[configuration_option]
 
       if networks.nil? || networks.empty?
-        errors << 'At least one network/IP range must be specified for SSH access'
+        errors << "At least one network/IP range must be specified for #{access_type} access"
         return
       end
 
@@ -181,7 +186,7 @@ module Hetzner
 
       unless invalid_networks.empty?
         invalid_networks.each do |network|
-          errors << "The network #{network} is an invalid range"
+          errors << "The #{access_type} network #{network} is an invalid range"
         end
       end
 
@@ -191,7 +196,7 @@ module Hetzner
 
       unless invalid_ranges.empty?
         invalid_ranges.each do |_network|
-          errors << 'Please use the CIDR notation for the networks to avoid ambiguity'
+          errors << 'Please use the CIDR notation for the #{access_type} networks to avoid ambiguity'
         end
       end
 
@@ -199,13 +204,30 @@ module Hetzner
 
       current_ip = URI.open('http://whatismyip.akamai.com').read
 
-      current_ip_networks = networks.detect do |network|
+      current_ip_network = networks.detect do |network|
         IPAddr.new(network).include?(current_ip)
       rescue StandardError
         false
       end
 
-      errors << "Your current IP #{current_ip} is not included into any of the networks you've specified, so we won't be able to SSH into the nodes" unless current_ip_networks
+      unless current_ip_network
+        case access_type
+        when "SSH"
+          errors << "Your current IP #{current_ip} is not included into any of the #{access_type} networks you've specified, so we won't be able to SSH into the nodes "
+        when "API"
+          errors << "Your current IP #{current_ip} is not included into any of the #{access_type} networks you've specified, so we won't be able to connect to the Kubernetes API"
+        end
+      end
+    end
+
+
+    def validate_ssh_allowed_networks
+      return
+      validate_networks('ssh_allowed_networks', 'SSH')
+    end
+
+    def validate_api_allowed_networks
+      validate_networks('api_allowed_networks', 'API')
     end
 
     def validate_masters_location
@@ -379,7 +401,7 @@ module Hetzner
 
       begin
         token = hetzner_token
-        @hetzner_client = Hetzner::Client.new(token:)
+        @hetzner_client = Hetzner::Client.new(token: token)
         response = hetzner_client.get('/locations')
         error_code = response.dig('error', 'code')
         @valid = error_code != 'unauthorized'
@@ -450,5 +472,15 @@ module Hetzner
       @errors << 'Cannot fetch server types with Hetzner API, please try again later'
       false
     end
+
+    def validate_existing_network
+      return unless configuration['existing_network']
+
+      existing_network = Hetzner::Network.new(hetzner_client: hetzner_client, cluster_name: configuration['cluster_name'], existing_network: configuration['existing_network']).get
+
+      return if existing_network
+
+      @errors << "You have specified that you want to use the existing network named '#{configuration['existing_network']} but this network doesn't exist"
+    end
   end
 end

data/lib/hetzner/k3s/version.rb

@@ -2,6 +2,6 @@
 
 module Hetzner
   module K3s
-    VERSION = '0.5.8'
+    VERSION = '0.6.0.pre2'
   end
 end

data/lib/hetzner/utils.rb

@@ -1,5 +1,10 @@
 # frozen_string_literal: true
 
+Net::SSH::Transport::Algorithms::ALGORITHMS.values.each { |algs| algs.reject! { |a| a =~ /^ecd(sa|h)-sha2/ } }
+Net::SSH::KnownHosts::SUPPORTED_TYPE.reject! { |t| t =~ /^ecd(sa|h)-sha2/ }
+
+require 'childprocess'
+
 module Utils
   CMD_FILE_PATH = '/tmp/cli.cmd'
 
@@ -19,8 +24,6 @@ module Utils
   end
 
   def run(command, kubeconfig_path:)
-    env = ENV.to_hash.merge({ 'KUBECONFIG' => kubeconfig_path })
-
     write_file CMD_FILE_PATH, <<-CONTENT
     set -euo pipefail
     #{command}
@@ -29,20 +32,19 @@ module Utils
     FileUtils.chmod('+x', CMD_FILE_PATH)
 
     begin
-      process = nil
+      process = ChildProcess.build('bash', '-c', CMD_FILE_PATH)
+      process.io.inherit!
+      process.environment['KUBECONFIG'] = kubeconfig_path
+      process.environment['HCLOUD_TOKEN'] = ENV.fetch('HCLOUD_TOKEN', '')
 
       at_exit do
-        process&.send_signal('SIGTERM')
+        process.stop
       rescue Errno::ESRCH, Interrupt
         # ignore
       end
 
-      Subprocess.check_call(['bash', '-c', CMD_FILE_PATH], env:) do |p|
-        process = p
-      end
-    rescue Subprocess::NonZeroExit
-      puts 'Command failed: non-zero exit code'
-      exit 1
+      process.start
+      process.wait
     rescue Interrupt
       puts 'Command interrupted'
       exit 1
@@ -86,6 +88,13 @@ module Utils
       end
     end
     output.chop
+  # rescue StandardError => e
+  #   p [e.class, e.message]
+  #   retries += 1
+  #   retry unless retries > 15 || e.message =~ /Bad file descriptor/
+  rescue Timeout::Error, IOError, Errno::EBADF
+    retries += 1
+    retry unless retries > 15
   rescue Net::SSH::Disconnect => e
     retries += 1
     retry unless retries > 15 || e.message =~ /Too many authentication failures/