
Make it possible to set advertise-address to the internal IP

Open rbjorklin opened this issue 2 years ago • 21 comments

/kind feature

Describe the solution you'd like: I'm setting up my cluster with both private and public networks. Ideally I don't want it to default to expose every single service to the internet. It would be great to be able to configure advertise-address some way. This would allow for easy firewall configuration to only allow traffic on port 22 from the internet.

Anything else you would like to add: If this is already possible it would be great to have it documented somewhere.

Environment:

  • cluster-api-provider-hetzner version:
  • Kubernetes version: (use kubectl version)
  • OS (e.g. from /etc/os-release):

rbjorklin avatar Feb 26 '23 07:02 rbjorklin

I found a decent workaround temporarily.

When you have private networks enabled, we know that the first thing attached to it will be the API load balancer. This internal address will be 10.0.0.2.

Then we can set

  controlPlaneEndpoint:
    host: "10.0.0.2"
    port: 443

on the HetznerCluster CRD.

If you want to be able to connect externally, you would need to add an A record of the public load balancer address to a domain name. Add this to the KubeadmControlPlane CRD.

  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        certSANs:
          - kubernetes.example.com

You would need to make sure the CAPI services can also access the cluster via the private address.

The downside of this is that I have to connect my cluster management node to the private network, which causes conflicts when I have more than one cluster.

BlakeB415 avatar Feb 28 '23 23:02 BlakeB415
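The workaround above touches two resources. As an added example (not code from the cluster-api-provider-hetzner project or from the comment author), here are both fragments placed in complete manifests. Everything beyond the two fields quoted in the comment is an assumption for illustration: the cluster name `my-cluster`, the namespace `default`, the Kubernetes version, the `HCloudMachineTemplate` name, and the public DNS name `kubernetes.example.com`; the private load balancer address 10.0.0.2 is the one the comment states.

```yaml
# Added example, not the project's own manifests. Placeholder values are marked.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: HetznerCluster
metadata:
  name: my-cluster            # placeholder
  namespace: default          # placeholder
spec:
  # Point the cluster at the load balancer's private address so that
  # in-cluster and CAPI traffic never leaves the private network.
  # (The private-network / load-balancer settings themselves are omitted here.)
  controlPlaneEndpoint:
    host: "10.0.0.2"
    port: 443
---
apiVersion: controlplane.cluster.x-k8s.io/v1beta1
kind: KubeadmControlPlane
metadata:
  name: my-cluster-control-plane   # placeholder
  namespace: default               # placeholder
spec:
  replicas: 3
  version: v1.28.0                 # placeholder; use your cluster's version
  machineTemplate:
    infrastructureRef:
      apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
      kind: HCloudMachineTemplate
      name: my-cluster-control-plane   # placeholder
  kubeadmConfigSpec:
    clusterConfiguration:
      apiServer:
        # kubeadm already puts the controlPlaneEndpoint host (10.0.0.2) into the
        # serving certificate; the public DNS name must be added explicitly,
        # otherwise clients connecting through the public load balancer get a
        # hostname-mismatch TLS error.
        certSANs:
          - kubernetes.example.com   # assumed public name; A record -> public LB IP
```

The kubeconfig that CAPI generates for this cluster will have `server: https://10.0.0.2:443`, so for access from outside the private network you copy it and change the server to `https://kubernetes.example.com:443`; that only verifies cleanly because the name is in `certSANs`. After the control plane is up, `openssl s_client -connect kubernetes.example.com:443 </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName` shows whether the served certificate actually carries both the private IP and the DNS name.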

I haven't worked out all the kinks yet but I've put together a little example repo to create a NAT gateway which side-steps this problem quite nicely.

rbjorklin avatar Mar 03 '23 06:03 rbjorklin

I haven't found out yet how you can create a cluster with inter-cluster communication via private network and external access via a DNS name that is set as controlPlaneEndpoint. With other CAPI providers (e.g. OpenStack) this is possible. Do I really need a NAT gateway and disable public IP addresses for the hcloud machines?

simonostendorf avatar Jun 27 '23 14:06 simonostendorf

When https://github.com/canonical/cloud-init/issues/4263 is resolved, IMHO it should be somehow possible to set localAPIEndpoint.advertiseAddress via cloud-init jinja templating.

chess-knight avatar Jun 19 '24 12:06 chess-knight

@rbjorklin is this issue a duplicate of https://github.com/syself/cluster-api-provider-hetzner/issues/762 ?

guettli avatar Aug 15 '24 14:08 guettli

> @rbjorklin is this issue a duplicate of #762 ?

@guettli I don't think that setting advertise-address (which is the initial feature request) has something to do with a pre-created cloud network. For me these are two different aspects. But I think that setting advertise-address is not a specific problem of CAPH; this should be discussed on CAPI level.

simonostendorf avatar Aug 15 '24 15:08 simonostendorf

@simonostendorf thank you for your answer. Do you know if there is an issue or PR for that on CAPI level?

I guess we can't do here much at the moment. Is it ok to close the issue?

guettli avatar Aug 16 '24 08:08 guettli

I wouldn't mind closing this. For my own use-case I would much prefer running a cluster on public-only IPv6 addresses and protecting my cluster through strict firewall rules.

rbjorklin avatar Aug 20 '24 23:08 rbjorklin