Merge remote-tracking branch 'upstream/main' into feature/csi-configuration

mlinares1998 · mlinares1998 · commit 8f7895da7c14 · 2025-07-20T14:41:01.000+02:00
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 <div align="center">
 
-  <img src="https://avatars.githubusercontent.com/u/182015181" alt="logo" width="200" height="auto" />
+  <img src="https://avatars.githubusercontent.com/u/182015181" alt="logo" width="225" height="auto" />
   <h1>Hcloud Kubernetes</h1>
 
   <p>
@@ -43,7 +43,7 @@
 
 <!-- About the Project -->
 ## :star2: About the Project
-Hcloud Kubernetes is a Terraform module for deploying a fully declarative, managed Kubernetes cluster on Hetzner Cloud. It utilizes Talos, a secure, immutable, and minimal operating system specifically designed for Kubernetes, featuring a streamlined architecture with just 12 binaries and managed entirely through an API.
+Hcloud Kubernetes is a Terraform module for deploying a fully declarative, managed Kubernetes cluster on Hetzner Cloud. It utilizes Talos, a secure, immutable, and minimal operating system specifically designed for Kubernetes, featuring a streamlined architecture with only a handful of binaries and shared libraries. Just enough to run containerd and a small set of system services.
 
 This project is committed to production-grade configuration and lifecycle management, ensuring all components are set up for high availability. It includes a curated selection of widely used and officially recognized Kubernetes components. If you encounter any issues, suboptimal settings, or missing elements, please file an [issue](https://github.com/hcloud-k8s/terraform-hcloud-kubernetes/issues) to help us improve this project.
 
@@ -126,7 +126,7 @@ Talos Linux is a secure, minimal, and immutable OS for Kubernetes, removing SSH
 
 **Firewall Protection:** This module uses [Hetzner Cloud Firewalls](https://docs.hetzner.com/cloud/firewalls/) to manage external access to nodes. For internal pod-to-pod communication, support for Kubernetes Network Policies is provided through [Cilium CNI](https://docs.cilium.io/en/stable/network/kubernetes/policy/).
 
-**Encryption in Transit:** In this module, all pod network traffic is encrypted by default using [WireGuard via Cilium CNI](https://cilium.io/use-cases/transparent-encryption/). It includes automatic key rotation and efficient in-kernel encryption, covering all traffic types.
+**Encryption in Transit:** In this module, all pod network traffic is encrypted by default using [WireGuard (Default) or IPSec via Cilium CNI](https://cilium.io/use-cases/transparent-encryption/). It includes automatic key rotation and efficient in-kernel encryption, covering all traffic types.
 
 **Encryption at Rest:** In this module, the [STATE](https://www.talos.dev/latest/learn-more/architecture/#file-system-partitions) and [EPHEMERAL](https://www.talos.dev/latest/learn-more/architecture/#file-system-partitions) partitions are encrypted by default with [Talos Disk Encryption](https://www.talos.dev/latest/talos-guides/configuration/disk-encryption/) using LUKS2. Each node is secured with individual encryption keys derived from its unique `nodeID`.
 
@@ -429,6 +429,46 @@ kubectl delete storageclass hcloud-volumes
 storageclass.storage.k8s.io "hcloud-volumes" deleted
 ```
 
+<!-- Cilium Advanced Configuration -->
+<details>
+<summary><b>Cilium Advanced Configuration</b></summary>
+
+#### Cilium Transparent Encryption
+
+This module enables [Cilium Transparent Encryption](https://cilium.io/use-cases/transparent-encryption/) feature by default.  
+
+All pod network traffic is encrypted using WireGuard (Default) or  protocols, includes automatic key rotation and efficient in-kernel encryption, covering all traffic types.
+
+:bulb: Although WireGuard is the default option, Hetzner Cloud VMs supports AES-NI instruction set, making IPSec encryption more CPU-efficient compared to WireGuard. Consider enabling IPSec for CPU savings through hardware acceleration.
+
+IPSec mode supports RFC4106 AES-GCM encryption with 128, 192 and 256 bits key sizes.
+
+
+**:warning: IPSec encryption has the following limitations:**
+
+- No transparent encryption when chaining Cilium with other CNI plugins
+- Host Policies not supported with IPSec
+- Incompatible with BPF Host Routing (automatically disabled on switch)
+- IPv6-only clusters not supported
+- Maximum 65,535 nodes per cluster/clustermesh
+- Single CPU core limitation per IPSec tunnel may affect high-throughput scenarios
+
+*Source: [Cilium Documentation](https://docs.cilium.io/en/stable/security/network/encryption-ipsec/#limitations)*
+
+Example `kubernetes.tf` configuration:
+
+```hcl
+cilium_encryption_enabled = true                # Default true
+cilium_encryption_type    = "wireguard"         # wireguard (Default) | ipsec
+cilium_ipsec_algorithm    = "rfc4106(gcm(aes))" # IPSec AES key algorithm (Default rfc4106(gcm(aes)))
+cilium_ipsec_key_size     = 256                 # IPSec AES key size (Default 256)
+cilium_ipsec_key_id       = 1                   # IPSec key ID (Default 1)
+```
+
+##### IPSec Key Rotation
+
+Keys automatically rotate when `cilium_ipsec_key_id` is incremented (1-15 range, resets to 1 after 15).
+
 </details>
 
 <!-- Egress Gateway -->
@@ -800,11 +840,12 @@ The [Talos Terraform Provider](https://registry.terraform.io/providers/siderolab
 ### :white_check_mark: Version Compatibility Matrix
 | Hcloud K8s |  K8s  | Talos | Talos CCM | Hcloud CCM | Hcloud CSI | Long-horn | Cilium | Ingress NGINX | Cert Mgr. | Auto-scaler |
 | :--------: | :---: | :---: | :-------: | :--------: | :--------: | :-------: | :----: | :-----------: | :-------: | :---------: |
-|  (**2**)   | 1.32  |  1.9  |    1.9    |    1.23    |    2.12    |   1.8.1   |  1.17  |     4.12      |   1.17    |    9.45     |
+|  **(3)**   | 1.33  | 1.10  |   1.10    |    1.26    |    2.14    |   1.8.2   | (1.18) |     4.13      |   1.18    |    9.47     |
+|   **2**    | 1.32  |  1.9  |    1.9    |    1.23    |    2.12    |   1.8.1   |  1.17  |     4.12      |   1.17    |    9.45     |
 |   **1**    | 1.31  |  1.8  |    1.8    |    1.21    |    2.10    |    1.8    |  1.17  |     4.12      |   1.15    |    9.38     |
 |   **0**    | 1.30  |  1.7  |    1.6    |    1.20    |    2.9     |   1.7.1   |  1.16  |    4.10.1     |   1.14    |    9.37     |
 
-In this module, upgrades are conducted with care and conservatism. You will consistently receive the most tested and compatible releases of all components, avoiding the latest untested or incompatible releases that could disrupt your cluster.
+In this module, upgrades are conducted with care. You will consistently receive the most tested and compatible releases of all components, avoiding the latest untested or incompatible releases that could disrupt your cluster.
 
 > [!WARNING]
 > Do not change any software versions in this project on your own. Each component is tailored to ensure compatibility with new Kubernetes releases. This project specifies versions that are supported and have been thoroughly tested to work together.
@@ -823,12 +864,10 @@ In this module, upgrades are conducted with care and conservatism. You will cons
 
 <!-- Roadmap -->
 ## :compass: Roadmap
-* [ ] **Upgrade to Talos 1.9 and Kubernetes 1.32**<br>
+* [ ] **Upgrade to Talos 1.10 and Kubernetes 1.33**<br>
       Once all components have compatible versions, the upgrade can be performed.
-* [x] **Upgrade to Talos 1.8 and Kubernetes 1.31**<br>
+* [x] **Upgrade to Talos 1.9 and Kubernetes 1.32**<br>
       Once all components have compatible versions, the upgrade can be performed.
-* [ ] **Integrate native IPv6 for pod traffic**<br>
-      Completion requires Hetzner's addition of IPv6 support to cloud networks, expected at the beginning of 2025 as announced at Hetzner Summit 2024.
 
 <!-- Contributing -->
 ## :wave: Contributing
diff --git a/autoscaler.tf b/autoscaler.tf
@@ -28,10 +28,6 @@ data "helm_template" "cluster_autoscaler" {
   kube_version = var.kubernetes_version
 
   set = [
-    {
-      name  = "image.tag"
-      value = "v1.31.1"
-    },
     {
       name  = "cloudProvider"
       value = "hetzner"
diff --git a/cilium.tf b/cilium.tf
@@ -1,3 +1,48 @@
+locals {
+  # Cilium IPSec Configuration
+  cilium_ipsec_enabled = var.cilium_encryption_enabled && var.cilium_encryption_type == "ipsec"
+
+  # Key configuration when IPSec is enabled
+  cilium_ipsec_key_config = local.cilium_ipsec_enabled ? {
+    next_id = var.cilium_ipsec_key_id % 15 + 1
+    format  = "${var.cilium_ipsec_key_id}+ ${var.cilium_ipsec_algorithm} ${random_bytes.cilium_ipsec_key[0].hex} 128"
+  } : null
+
+  # Kubernetes Secret manifest
+  cilium_ipsec_keys_manifest = local.cilium_ipsec_enabled ? {
+    apiVersion = "v1"
+    kind       = "Secret"
+    type       = "Opaque"
+
+    metadata = {
+      name      = "cilium-ipsec-keys"
+      namespace = "kube-system"
+
+      annotations = {
+        "cilium.io/key-id"        = tostring(var.cilium_ipsec_key_id)
+        "cilium.io/key-algorithm" = var.cilium_ipsec_algorithm
+        "cilium.io/key-size"      = tostring(var.cilium_ipsec_key_size)
+      }
+    }
+
+    data = {
+      keys = base64encode(local.cilium_ipsec_key_config.format)
+    }
+  } : null
+}
+
+# Generate random key when IPSec is enabled
+resource "random_bytes" "cilium_ipsec_key" {
+  count  = local.cilium_ipsec_enabled ? 1 : 0
+  length = ((var.cilium_ipsec_key_size / 8) + 4) # AES Key + 4 bytes salt
+
+  # Keepers to force regeneration when key_id changes
+  keepers = {
+    key_id = var.cilium_ipsec_key_id
+  }
+}
+
+
 data "helm_template" "cilium" {
   name      = "cilium"
   namespace = "kube-system"
@@ -40,11 +85,10 @@ data "helm_template" "cilium" {
       name  = "bpf.masquerade"
       value = true
     },
-    # Netkit requires kernel >= 6.8
-    # {
-    #   name  = "bpf.datapathMode"
-    #   value = "netkit"
-    # },
+    {
+      name  = "bpf.datapathMode"
+      value = "netkit"
+    },
     {
       name  = "loadBalancer.acceleration"
       value = "native"
@@ -53,7 +97,15 @@ data "helm_template" "cilium" {
       name  = "installNoConntrackIptablesRules"
       value = true
     },
-
+    # IPSec
+    {
+      name  = "bpf.hostLegacyRouting"
+      value = local.cilium_ipsec_enabled
+    },
+    {
+      name  = "dnsProxy.enableTransparentMode"
+      value = true
+    },
     {
       name  = "egressGateway.enabled"
       value = var.cilium_egress_gateway_enabled
@@ -93,7 +145,7 @@ data "helm_template" "cilium" {
     yamlencode({
       encryption = {
         enabled = var.cilium_encryption_enabled
-        type    = "wireguard"
+        type    = var.cilium_encryption_type
       }
       hubble = {
         enabled = var.cilium_hubble_enabled
@@ -125,6 +177,10 @@ data "helm_template" "cilium" {
 locals {
   cilium_manifest = var.cilium_enabled ? {
     name     = "cilium"
-    contents = data.helm_template.cilium.manifest
+    contents = <<-EOF
+      ${yamlencode(local.cilium_ipsec_keys_manifest)}
+      ---
+      ${data.helm_template.cilium.manifest}
+    EOF
   } : null
 }
diff --git a/image.tf b/image.tf
@@ -36,6 +36,7 @@ locals {
 
   talos_image_extensions = distinct(
     concat(
+      ["siderolabs/qemu-guest-agent"],
       var.talos_image_extensions,
       var.longhorn_enabled ? local.talos_image_extentions_longhorn : []
     )
diff --git a/outputs.tf b/outputs.tf
@@ -68,3 +68,20 @@ output "worker_public_ipv6_list" {
   description = "Public IPv6 addresses of all worker nodes"
   value       = local.worker_public_ipv6_list
 }
+
+output "cilium_encryption_info" {
+  description = "Information about Cilium traffic encryption"
+  value = {
+    encryption_enabled = var.cilium_encryption_enabled
+    encryption_type    = var.cilium_encryption_type
+
+    ipsec = local.cilium_ipsec_enabled ? {
+      current_key_id = var.cilium_ipsec_key_id
+      next_key_id    = local.cilium_ipsec_key_config["next_id"]
+      algorithm      = var.cilium_ipsec_algorithm
+      key_size_bits  = var.cilium_ipsec_key_size
+      secret_name    = local.cilium_ipsec_keys_manifest.metadata["name"]
+      namespace      = local.cilium_ipsec_keys_manifest.metadata["namespace"]
+    } : {}
+  }
+}
diff --git a/packer/image_amd64.pkr.hcl b/packer/image_amd64.pkr.hcl
@@ -52,6 +52,10 @@ build {
       <<-EOT
         set -euo pipefail
 
+        # Discard the entire /dev/sda to free up space and make the snapshot smaller
+        echo 'Zeroing disk first before writing Talos image'
+        blkdiscard /dev/sda 2>/dev/null
+
         echo 'Download Talos ${var.talos_version} image (${var.talos_schematic_id})'
 
         wget \
diff --git a/packer/image_arm64.pkr.hcl b/packer/image_arm64.pkr.hcl
@@ -52,6 +52,10 @@ build {
       <<-EOT
         set -euo pipefail
 
+        # Discard the entire /dev/sda to free up space and make the snapshot smaller
+        echo 'Zeroing disk first before writing Talos image'
+        blkdiscard /dev/sda 2>/dev/null
+
         echo 'Download Talos ${var.talos_version} image (${var.talos_schematic_id})'
 
         wget \
diff --git a/variables.tf b/variables.tf
@@ -421,7 +421,7 @@ variable "cluster_autoscaler_helm_chart" {
 
 variable "cluster_autoscaler_helm_version" {
   type        = string
-  default     = "9.45.1"
+  default     = "9.46.6"
   description = "Version of the Cluster Autoscaler Helm chart to deploy."
 }
 
@@ -527,7 +527,7 @@ variable "packer_arm64_builder" {
 # Talos
 variable "talos_version" {
   type        = string
-  default     = "v1.8.4"
+  default     = "v1.9.6"
   description = "Specifies the version of Talos to be used in generated machine configurations."
 }
 
@@ -808,7 +808,7 @@ variable "talos_backup_schedule" {
 # Kubernetes
 variable "kubernetes_version" {
   type        = string
-  default     = "v1.31.4"
+  default     = "v1.32.4"
   description = "Specifies the Kubernetes version to deploy."
 }
 
@@ -1080,6 +1080,45 @@ variable "cilium_encryption_enabled" {
   description = "Enables transparent network encryption using Cilium within the Kubernetes cluster. When enabled, this feature provides added security for network traffic."
 }
 
+variable "cilium_encryption_type" {
+  type        = string
+  default     = "wireguard"
+  description = "Type of encryption to use for Cilium network encryption. Options: 'wireguard' or 'ipsec'."
+
+  validation {
+    condition     = contains(["wireguard", "ipsec"], var.cilium_encryption_type)
+    error_message = "Encryption type must be either 'wireguard' or 'ipsec'."
+  }
+}
+
+variable "cilium_ipsec_algorithm" {
+  type        = string
+  default     = "rfc4106(gcm(aes))"
+  description = "Cilium IPSec key algorithm."
+}
+
+variable "cilium_ipsec_key_size" {
+  type        = number
+  default     = 256
+  description = "AES key size in bits for IPSec encryption (128, 192, or 256). Only used when cilium_encryption_type is 'ipsec'."
+
+  validation {
+    condition     = contains([128, 192, 256], var.cilium_ipsec_key_size)
+    error_message = "IPSec key size must be 128, 192 or 256 bits."
+  }
+}
+
+variable "cilium_ipsec_key_id" {
+  type        = number
+  default     = 1
+  description = "IPSec key ID (1-15, increment manually for rotation). Only used when cilium_encryption_type is 'ipsec'."
+
+  validation {
+    condition     = var.cilium_ipsec_key_id >= 1 && var.cilium_ipsec_key_id <= 15 && floor(var.cilium_ipsec_key_id) == var.cilium_ipsec_key_id
+    error_message = "The IPSec key_id must be between 1 and 15."
+  }
+}
+
 variable "cilium_egress_gateway_enabled" {
   type        = bool
   default     = false

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,7 @@ locals {`
`36`	`36`
`37`	`37`	`talos_image_extensions = distinct(`
`38`	`38`	`concat(`
	`39`	`+ ["siderolabs/qemu-guest-agent"],`
`39`	`40`	`var.talos_image_extensions,`
`40`	`41`	`var.longhorn_enabled ? local.talos_image_extentions_longhorn : []`
`41`	`42`	`)`