terraform-hcloud-kube-hetzner
Setup bastion host
Currently this does not work, as we have no way to get the rescue system in place so we can install MicroOS.
Beautiful code right there; I am sure @phaer will be inspired by it. There must be a way to make this work, like setting up with the public interface, then just taking it down, all via userdata or remote-exec (unless I am not seeing things clearly).
@PurpleBooth As shared in the following comment, we can do private agents more simply, with bare Kubernetes, without having an additional bastion host. See my comment here https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/issues/241#issuecomment-1203991195.
The simpler, the better! But definitely, I would love to hear your arguments if you don't agree.
@PurpleBooth While merging the latest changes, I noticed that you were probably assuming that rebootmgr takes care of all reboots, including dealing with kured. This is not the case; in order to disable kured, you have to add REBOOT_METHOD=none to the transactional_update.conf file, located somewhere in /etc, see our cloud-init template file.
More on this here https://en.opensuse.org/Kubic:Update_and_Reboot#Reboot_Strategy_Options and https://github.com/openSUSE/transactional-update/blob/master/etc/transactional-update.conf.
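As an added example (not code from the kube-hetzner project or its cloud-init template), a small POSIX shell helper that pins REBOOT_METHOD in a transactional-update.conf idempotently, handling the key being absent, already set, or shipped commented out; the path argument, the demo file contents and the single-occurrence assumption are my own constructions:

```shell
# Added example: set REBOOT_METHOD in a transactional-update.conf without
# duplicating the key. Assumptions: the key occurs at most once (possibly
# commented out) and the method value contains no sed metacharacters.
# On a MicroOS node the real file is /etc/transactional-update.conf;
# the path is a parameter so this can be exercised on a constructed copy.

set_reboot_method() {
  # $1 = path to transactional-update.conf, $2 = desired method (e.g. none)
  conf="$1"
  method="$2"
  tmp="${conf}.tmp.$$"
  if grep -Eq '^[[:space:]]*#?[[:space:]]*REBOOT_METHOD=' "$conf"; then
    # Key present, active or commented: rewrite that line in place.
    sed -E "s/^[[:space:]]*#?[[:space:]]*REBOOT_METHOD=.*/REBOOT_METHOD=${method}/" \
      "$conf" > "$tmp" && mv "$tmp" "$conf"
  else
    # Key absent: append it.
    printf 'REBOOT_METHOD=%s\n' "$method" >> "$conf"
  fi
}

get_reboot_method() {
  # Prints the active (uncommented) value, or "unset" if there is none,
  # which is what a post-provisioning check on a node would look at.
  v=$(grep -E '^[[:space:]]*REBOOT_METHOD=' "$1" | tail -n 1 | cut -d= -f2-)
  if [ -n "$v" ]; then
    printf '%s\n' "$v"
  else
    printf 'unset\n'
  fi
}

# Demo on a constructed copy (not the live /etc file).
demo_conf=$(mktemp)
printf '# constructed sample\n# REBOOT_METHOD=auto\n' > "$demo_conf"
set_reboot_method "$demo_conf" none
get_reboot_method "$demo_conf"   # prints: none
rm -f "$demo_conf"
```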
Now I understand better what this is, thanks to your topology description. It also made me realize that node upgrades, k3s upgrades, and container fetching would disappear, which is not really ideal. Or am I mistaken?
Ah, they do have a gateway that the private subnet can route traffic to in all likelihood. So the nodes would not be cut out from OUT traffic (but needs to be tested, of course).
@PurpleBooth Interesting article https://docs.hetzner.com/cloud/servers/getting-started/connecting-via-private-ip/
I believe the next step here is to use snapshots made with "normal" nodes. So yes, the bastion setup will take longer, but that's a small initial price to pay for the added sec.
Just stumbled on this, seems interesting, but probably not needed (at least for now) https://github.com/inlets/inlets-pro
@PurpleBooth I will close this PR for now, because it has stalled and the base is significantly outdated. But the branch will remain, so it can be picked up again later without issue.