Merge pull request #1644 from kube-hetzner/staging

Upgrade Networking, Security, and Automation Components

Author: mysticaltech

.gitignore

@@ -41,3 +41,4 @@ kustomization.yaml
 *kustomization_backup.yaml
 kube.tf
 .terraform.lock.hcl
+issue_fix.patch

agents.tf

@@ -45,17 +45,25 @@ module "agents" {
 locals {
   k3s-agent-config = { for k, v in local.agent_nodes : k => merge(
     {
-      node-name     = module.agents[k].name
-      server        = "https://${var.use_control_plane_lb ? hcloud_load_balancer_network.control_plane.*.ip[0] : module.control_planes[keys(module.control_planes)[0]].private_ipv4_address}:6443"
-      token         = local.k3s_token
-      kubelet-arg   = concat(local.kubelet_arg, var.k3s_global_kubelet_args, var.k3s_agent_kubelet_args, v.kubelet_args)
+      node-name = module.agents[k].name
+      server    = "https://${var.use_control_plane_lb ? hcloud_load_balancer_network.control_plane.*.ip[0] : module.control_planes[keys(module.control_planes)[0]].private_ipv4_address}:6443"
+      token     = local.k3s_token
+      kubelet-arg = concat(
+        local.kubelet_arg,
+        var.k3s_global_kubelet_args,
+        var.k3s_agent_kubelet_args,
+        v.kubelet_args
+      )
       flannel-iface = local.flannel_iface
       node-ip       = module.agents[k].private_ipv4_address
       node-label    = v.labels
       node-taint    = v.taints
     },
     var.agent_nodes_custom_config,
-    (v.selinux == true ? { selinux = true } : {})
+    # Force selinux=false if disable_selinux = true.
+    var.disable_selinux
+    ? { selinux = false }
+    : (v.selinux == true ? { selinux = true } : {})
   ) }
 }
 

control_planes.tf

@@ -60,7 +60,12 @@ resource "hcloud_load_balancer_network" "control_plane" {
   load_balancer_id        = hcloud_load_balancer.control_plane.*.id[0]
   subnet_id               = hcloud_network_subnet.control_plane.*.id[0]
   enable_public_interface = var.control_plane_lb_enable_public_interface
-  ip                      = cidrhost(hcloud_network_subnet.control_plane.*.ip_range[0], 1)
+
+  # To ensure backwards compatibility, we ignore changes to the IP address
+  # as before it was set manually.
+  lifecycle {
+    ignore_changes = [ip]
+  }
 }
 
 resource "hcloud_load_balancer_target" "control_plane" {
@@ -103,15 +108,19 @@ locals {
       advertise-address           = module.control_planes[k].private_ipv4_address
       node-label                  = v.labels
       node-taint                  = v.taints
-      selinux                     = true
+      selinux                     = var.disable_selinux ? false : (v.selinux == true ? true : false)
       cluster-cidr                = var.cluster_ipv4_cidr
       service-cidr                = var.service_ipv4_cidr
       cluster-dns                 = var.cluster_dns_ipv4
       write-kubeconfig-mode       = "0644" # needed for import into rancher
     },
     lookup(local.cni_k3s_settings, var.cni_plugin, {}),
     var.use_control_plane_lb ? {
-      tls-san = concat([hcloud_load_balancer.control_plane.*.ipv4[0], hcloud_load_balancer_network.control_plane.*.ip[0]], var.additional_tls_sans)
+      tls-san = concat([
+        hcloud_load_balancer.control_plane.*.ipv4[0],
+        hcloud_load_balancer_network.control_plane.*.ip[0],
+        var.kubeconfig_server_address != "" ? var.kubeconfig_server_address : null
+      ], var.additional_tls_sans)
       } : {
       tls-san = concat([
         module.control_planes[k].ipv4_address

docs/terraform.md

@@ -116,14 +116,14 @@
 | <a name="input_cilium_ipv4_native_routing_cidr"></a> [cilium\_ipv4\_native\_routing\_cidr](#input\_cilium\_ipv4\_native\_routing\_cidr) | Used when Cilium is configured in native routing mode. The CNI assumes that the underlying network stack will forward packets to this destination without the need to apply SNAT. Default: value of "cluster\_ipv4\_cidr" | `string` | `null` | no |
 | <a name="input_cilium_routing_mode"></a> [cilium\_routing\_mode](#input\_cilium\_routing\_mode) | Set native-routing mode ("native") or tunneling mode ("tunnel"). | `string` | `"tunnel"` | no |
 | <a name="input_cilium_values"></a> [cilium\_values](#input\_cilium\_values) | Additional helm values file to pass to Cilium as 'valuesContent' at the HelmChart. | `string` | `""` | no |
-| <a name="input_cilium_version"></a> [cilium\_version](#input\_cilium\_version) | Version of Cilium. See https://github.com/cilium/cilium/releases for the available versions. | `string` | `"1.15.1"` | no |
+| <a name="input_cilium_version"></a> [cilium\_version](#input\_cilium\_version) | Version of Cilium. See https://github.com/cilium/cilium/releases for the available versions. | `string` | `"1.17.0"` | no |
 | <a name="input_cluster_autoscaler_extra_args"></a> [cluster\_autoscaler\_extra\_args](#input\_cluster\_autoscaler\_extra\_args) | Extra arguments for the Cluster Autoscaler deployment. | `list(string)` | `[]` | no |
 | <a name="input_cluster_autoscaler_image"></a> [cluster\_autoscaler\_image](#input\_cluster\_autoscaler\_image) | Image of Kubernetes Cluster Autoscaler for Hetzner Cloud to be used. | `string` | `"registry.k8s.io/autoscaling/cluster-autoscaler"` | no |
 | <a name="input_cluster_autoscaler_log_level"></a> [cluster\_autoscaler\_log\_level](#input\_cluster\_autoscaler\_log\_level) | Verbosity level of the logs for cluster-autoscaler | `number` | `4` | no |
 | <a name="input_cluster_autoscaler_log_to_stderr"></a> [cluster\_autoscaler\_log\_to\_stderr](#input\_cluster\_autoscaler\_log\_to\_stderr) | Determines whether to log to stderr or not | `bool` | `true` | no |
 | <a name="input_cluster_autoscaler_server_creation_timeout"></a> [cluster\_autoscaler\_server\_creation\_timeout](#input\_cluster\_autoscaler\_server\_creation\_timeout) | Timeout (in minutes) until which a newly created server/node has to become available before giving up and destroying it. | `number` | `15` | no |
 | <a name="input_cluster_autoscaler_stderr_threshold"></a> [cluster\_autoscaler\_stderr\_threshold](#input\_cluster\_autoscaler\_stderr\_threshold) | Severity level above which logs are sent to stderr instead of stdout | `string` | `"INFO"` | no |
-| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of Kubernetes Cluster Autoscaler for Hetzner Cloud. Should be aligned with Kubernetes version. Available versions for the official image can be found at https://explore.ggcr.dev/?repo=registry.k8s.io%2Fautoscaling%2Fcluster-autoscaler. | `string` | `"v1.31.5"` | no |
+| <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of Kubernetes Cluster Autoscaler for Hetzner Cloud. Should be aligned with Kubernetes version. Available versions for the official image can be found at https://explore.ggcr.dev/?repo=registry.k8s.io%2Fautoscaling%2Fcluster-autoscaler. | `string` | `"v1.32.0"` | no |
 | <a name="input_cluster_dns_ipv4"></a> [cluster\_dns\_ipv4](#input\_cluster\_dns\_ipv4) | Internal Service IPv4 address of core-dns. | `string` | `"10.43.0.10"` | no |
 | <a name="input_cluster_ipv4_cidr"></a> [cluster\_ipv4\_cidr](#input\_cluster\_ipv4\_cidr) | Internal Pod CIDR, used for the controller and currently for calico/cilium. | `string` | `"10.42.0.0/16"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster. | `string` | `"k3s"` | no |

init.tf

@@ -258,17 +258,13 @@ resource "null_resource" "kustomization" {
 
   # Upload the csi-driver config (ignored if csi is disabled)
   provisioner "file" {
-    content = templatefile(
+    content = var.disable_hetzner_csi ? "" : templatefile(
       "${path.module}/templates/hcloud-csi.yaml.tpl",
       {
-        # local.csi_version is null when disable_hetzner_csi = true
-        # In that case, we set it to "*" so that the templatefile() can handle it,
-        # because tempaltefile() does not support null values. Moreover, coalesce() doesn't
-        # support empty strings either.
-        # The entire file is ignored by kustomization.yaml anyway if disable_hetzner_csi = true.
         version = coalesce(local.csi_version, "*")
         values  = indent(4, trimspace(local.hetzner_csi_values))
-    })
+      }
+    )
     destination = "/var/post_install/hcloud-csi.yaml"
   }
 

locals.tf

@@ -1055,5 +1055,12 @@ cloudinit_runcmd_common = <<EOT
 
 # Cleanup some logs
 - [truncate, '-s', '0', '/var/log/audit/audit.log']
+
+# Add logic to truly disable SELinux if disable_selinux = true.
+# We'll do it by appending to cloudinit_runcmd_common.
+%{if var.disable_selinux}
+- [sed, '-i', '-E', 's/^SELINUX=[a-z]+/SELINUX=disabled/', '/etc/selinux/config']
+- [setenforce, '0']
+%{endif}
 EOT
 }

modules/host/main.tf

@@ -236,3 +236,38 @@ WantedBy=multi-user.target
 
   depends_on = [hcloud_server.server]
 }
+
+# Resource to toggle transactional-update.timer based on automatically_upgrade_os setting
+resource "null_resource" "os_upgrade_toggle" {
+  triggers = {
+    os_upgrade_state = var.automatically_upgrade_os ? "enabled" : "disabled"
+    server_id        = hcloud_server.server.id
+  }
+
+  connection {
+    user           = "root"
+    private_key    = var.ssh_private_key
+    agent_identity = local.ssh_agent_identity
+    host           = hcloud_server.server.ipv4_address
+    port           = var.ssh_port
+  }
+
+  provisioner "remote-exec" {
+    inline = [
+      <<-EOT
+      if [ "${var.automatically_upgrade_os}" = "true" ]; then
+        echo "automatically_upgrade_os changed to true, enabling transactional-update.timer"
+        systemctl enable --now transactional-update.timer || true
+      else
+        echo "automatically_upgrade_os changed to false, disabling transactional-update.timer"
+        systemctl disable --now transactional-update.timer || true
+      fi
+      EOT
+    ]
+  }
+
+  depends_on = [
+    hcloud_server.server,
+    null_resource.registries
+  ]
+}

variables.tf

@@ -278,7 +278,7 @@ variable "cluster_autoscaler_image" {
 
 variable "cluster_autoscaler_version" {
   type        = string
-  default     = "v1.31.5"
+  default     = "v1.32.0"
   description = "Version of Kubernetes Cluster Autoscaler for Hetzner Cloud. Should be aligned with Kubernetes version. Available versions for the official image can be found at https://explore.ggcr.dev/?repo=registry.k8s.io%2Fautoscaling%2Fcluster-autoscaler."
 }
 
@@ -725,7 +725,7 @@ variable "cilium_values" {
 
 variable "cilium_version" {
   type        = string
-  default     = "1.15.1"
+  default     = "1.17.0"
   description = "Version of Cilium. See https://github.com/cilium/cilium/releases for the available versions."
 }