sans-self.org / infrastructure
this repo has no description
fork atom

Clean up infrastructure and harden deployments

Strip kube.tf from 1170 lines of tutorial boilerplate to ~115 lines
of active config. Pin kube-hetzner module to v2.18.5. Disable
Traefik HPA (pointless on single node). Consolidate duplicate
tarpit code into shared/, move ClusterIssuer out of pds/ into
shared/, remove unnecessary init containers, add security contexts
to knot container. Consistent tarpit path lists across ingresses.

sans-self.org ae4ec43e f76645cc

+314 -1109
+6 -1
CHANGELOG.md
··· 6 6 7 7 ## [Unreleased] 8 8 9 + ### Security 10 + - Harden knot SSH config and extend tarpit to knot HTTP routes (#19) 11 + - Add tarpit for vulnerability scanners hitting known exploit paths (#18) 12 + 9 13 ### Added 10 14 - Add daily S3 backup cronjob for Tangled knot data (#9) 11 15 - Add Tangled knot with Spindle CI/CD to k3s cluster (#1) 12 16 13 17 ### Fixed 14 - - Update PDS to v0.4.208 for OAuth metadata support (#13) 18 + - Fix PDS SQLite locking errors causing daily outages (#15) 15 19 - Update PDS to v0.4.208 for OAuth metadata support (#13) 16 20 17 21 ### Changed 22 + - Add health check that detects SQLite locking failures (#16) 18 23 - Move node SSH to port 2222 and expose knot Git SSH on port 22 (#14) 19 24 - Update knot hostname from git.sans-self.org to knot.sans-self.org (#12) 20 25 - Deploy Tangled knot to k3s cluster (#11)
+14
k8s/knot/configmap.yaml
··· 12 12 KNOT_REPO_SCAN_PATH: /home/git/repositories 13 13 KNOT_SERVER_DB_PATH: /home/git/data/knotserver.db 14 14 APPVIEW_ENDPOINT: https://tangled.org 15 + --- 16 + apiVersion: v1 17 + kind: ConfigMap 18 + metadata: 19 + name: sshd-hardening 20 + namespace: knot 21 + data: 22 + hardening.conf: | 23 + MaxAuthTries 1 24 + LoginGraceTime 10 25 + MaxStartups 3:50:10 26 + PermitRootLogin no 27 + KbdInteractiveAuthentication no 28 + AllowUsers git
+16 -10
k8s/knot/deployment.yaml
··· 16 16 app: knot 17 17 spec: 18 18 terminationGracePeriodSeconds: 30 19 - initContainers: 20 - - name: fix-permissions 21 - image: busybox:1.37 22 - command: ["sh", "-c", "mkdir -p /home/git/repositories /home/git/data && chown -R 1000:1000 /home/git"] 23 - volumeMounts: 24 - - name: data 25 - mountPath: /home/git 26 - securityContext: 27 - runAsUser: 0 28 - runAsNonRoot: false 29 19 containers: 30 20 - name: knot 31 21 image: tngl/knot:v1.10.0-alpha ··· 42 32 volumeMounts: 43 33 - name: data 44 34 mountPath: /home/git 35 + - name: sshd-hardening 36 + mountPath: /etc/ssh/sshd_config.d/hardening.conf 37 + subPath: hardening.conf 38 + readOnly: true 45 39 livenessProbe: 46 40 httpGet: 47 41 path: / ··· 54 48 port: 5555 55 49 initialDelaySeconds: 5 56 50 periodSeconds: 10 51 + securityContext: 52 + allowPrivilegeEscalation: false 53 + capabilities: 54 + drop: 55 + - ALL 56 + add: 57 + - NET_BIND_SERVICE 58 + - SETUID 59 + - SETGID 57 60 resources: 58 61 requests: 59 62 cpu: 100m ··· 65 68 - name: data 66 69 persistentVolumeClaim: 67 70 claimName: knot-data 71 + - name: sshd-hardening 72 + configMap: 73 + name: sshd-hardening
+8
k8s/knot/ingress.yaml
··· 19 19 tls: 20 20 secretName: knot-sans-self-org-tls 21 21 routes: 22 + # Tarpit for vulnerability scanners 23 + - match: Host(`knot.sans-self.org`) && (PathPrefix(`/wp-admin`) || PathPrefix(`/wp-login`) || PathPrefix(`/wp-content`) || PathPrefix(`/wp-includes`) || PathPrefix(`/wordpress`) || PathPrefix(`/.env`) || PathPrefix(`/.git`) || PathPrefix(`/phpmyadmin`) || PathPrefix(`/pma`) || PathPrefix(`/myadmin`) || PathPrefix(`/admin`) || PathPrefix(`/administrator`) || PathPrefix(`/cgi-bin`) || PathPrefix(`/actuator`) || PathPrefix(`/solr`) || PathPrefix(`/console`) || PathPrefix(`/vendor`) || PathPrefix(`/config`) || PathPrefix(`/backup`) || PathPrefix(`/debug`) || PathPrefix(`/server-status`) || PathPrefix(`/xmlrpc.php`)) 24 + kind: Rule 25 + priority: 200 26 + services: 27 + - name: tarpit 28 + port: 8080 29 + # Everything else 22 30 - match: Host(`knot.sans-self.org`) 23 31 kind: Rule 24 32 middlewares:
+1
k8s/knot/kustomization.yaml
··· 12 12 - network-policy.yaml 13 13 - ssh-ingress.yaml 14 14 - backup-cronjob.yaml 15 + - tarpit-deployment.yaml
+19
k8s/knot/network-policy.yaml
··· 32 32 ports: 33 33 - port: 5555 34 34 - port: 5444 35 + --- 36 + apiVersion: networking.k8s.io/v1 37 + kind: NetworkPolicy 38 + metadata: 39 + name: tarpit-ingress 40 + namespace: knot 41 + spec: 42 + podSelector: 43 + matchLabels: 44 + app: tarpit 45 + policyTypes: 46 + - Ingress 47 + ingress: 48 + - from: 49 + - namespaceSelector: 50 + matchLabels: 51 + kubernetes.io/metadata.name: traefik 52 + ports: 53 + - port: 8080
+62
k8s/knot/tarpit-deployment.yaml
··· 1 + apiVersion: apps/v1 2 + kind: Deployment 3 + metadata: 4 + name: tarpit 5 + namespace: knot 6 + spec: 7 + replicas: 1 8 + selector: 9 + matchLabels: 10 + app: tarpit 11 + template: 12 + metadata: 13 + labels: 14 + app: tarpit 15 + spec: 16 + securityContext: 17 + runAsUser: 65534 18 + runAsGroup: 65534 19 + runAsNonRoot: true 20 + containers: 21 + - name: tarpit 22 + image: python:3.13-alpine 23 + command: ["python3", "/scripts/tarpit.py"] 24 + ports: 25 + - containerPort: 8080 26 + volumeMounts: 27 + - name: script 28 + mountPath: /scripts 29 + readOnly: true 30 + securityContext: 31 + allowPrivilegeEscalation: false 32 + readOnlyRootFilesystem: true 33 + capabilities: 34 + drop: 35 + - ALL 36 + resources: 37 + requests: 38 + cpu: 5m 39 + memory: 16Mi 40 + limits: 41 + cpu: 50m 42 + memory: 32Mi 43 + livenessProbe: 44 + tcpSocket: 45 + port: 8080 46 + periodSeconds: 60 47 + volumes: 48 + - name: script 49 + configMap: 50 + name: tarpit-script 51 + --- 52 + apiVersion: v1 53 + kind: Service 54 + metadata: 55 + name: tarpit 56 + namespace: knot 57 + spec: 58 + selector: 59 + app: tarpit 60 + ports: 61 + - port: 8080 62 + targetPort: 8080
+9
k8s/kustomization.yaml
··· 2 2 kind: Kustomization 3 3 4 4 resources: 5 + - shared/cluster-issuer.yaml 5 6 - pds 6 7 - knot 7 8 ··· 17 18 namespace: knot 18 19 files: 19 20 - backup.sh=shared/backup.sh 21 + - name: tarpit-script 22 + namespace: pds 23 + files: 24 + - tarpit.py=shared/tarpit.py 25 + - name: tarpit-script 26 + namespace: knot 27 + files: 28 + - tarpit.py=shared/tarpit.py 20 29 21 30 secretGenerator: 22 31 - name: pds-s3-credentials
-15
k8s/pds/cert.yaml
··· 1 - apiVersion: cert-manager.io/v1 2 - kind: ClusterIssuer 3 - metadata: 4 - name: letsencrypt-prod 5 - spec: 6 - acme: 7 - server: https://acme-v02.api.letsencrypt.org/directory 8 - email: noivm@proton.me 9 - privateKeySecretRef: 10 - name: letsencrypt-prod 11 - solvers: 12 - - http01: 13 - ingress: 14 - ingressClassName: traefik 15 - --- 16 1 apiVersion: cert-manager.io/v1 17 2 kind: Certificate 18 3 metadata:
+24 -10
k8s/pds/deployment.yaml
··· 21 21 runAsUser: 1000 22 22 runAsGroup: 1000 23 23 runAsNonRoot: true 24 - initContainers: 25 - - name: fix-permissions 26 - image: busybox:1.37 27 - command: ["sh", "-c", "chown -R 1000:1000 /pds"] 28 - volumeMounts: 29 - - name: data 30 - mountPath: /pds 31 - securityContext: 32 - runAsUser: 0 33 - runAsNonRoot: false 34 24 containers: 35 25 - name: pds 36 26 image: ghcr.io/bluesky-social/pds:0.4.208 ··· 48 38 preStop: 49 39 exec: 50 40 command: ["sh", "-c", "sleep 5"] 41 + startupProbe: 42 + httpGet: 43 + path: /xrpc/_health 44 + port: 3000 45 + failureThreshold: 30 46 + periodSeconds: 2 47 + livenessProbe: 48 + exec: 49 + command: 50 + - sh 51 + - -c 52 + - "wget -q -O /dev/null -T 5 'http://localhost:3000/xrpc/com.atproto.repo.describeRepo?repo=did:plc:wydyrngmxbcsqdvhmd7whmye'" 53 + periodSeconds: 30 54 + timeoutSeconds: 10 55 + failureThreshold: 3 56 + readinessProbe: 57 + exec: 58 + command: 59 + - sh 60 + - -c 61 + - "wget -q -O /dev/null -T 5 'http://localhost:3000/xrpc/com.atproto.repo.describeRepo?repo=did:plc:wydyrngmxbcsqdvhmd7whmye'" 62 + periodSeconds: 10 63 + timeoutSeconds: 10 64 + failureThreshold: 2 51 65 securityContext: 52 66 allowPrivilegeEscalation: false 53 67 capabilities:
+7
k8s/pds/ingress.yaml
··· 29 29 tls: 30 30 secretName: sans-self-org-tls 31 31 routes: 32 + # Tarpit for vulnerability scanners 33 + - match: Host(`sans-self.org`) && (PathPrefix(`/wp-admin`) || PathPrefix(`/wp-login`) || PathPrefix(`/wp-content`) || PathPrefix(`/wp-includes`) || PathPrefix(`/wordpress`) || PathPrefix(`/.env`) || PathPrefix(`/.git`) || PathPrefix(`/phpmyadmin`) || PathPrefix(`/pma`) || PathPrefix(`/myadmin`) || PathPrefix(`/admin`) || PathPrefix(`/administrator`) || PathPrefix(`/cgi-bin`) || PathPrefix(`/actuator`) || PathPrefix(`/solr`) || PathPrefix(`/console`) || PathPrefix(`/vendor`) || PathPrefix(`/config`) || PathPrefix(`/backup`) || PathPrefix(`/debug`) || PathPrefix(`/server-status`) || PathPrefix(`/xmlrpc.php`)) 34 + kind: Rule 35 + priority: 200 36 + services: 37 + - name: tarpit 38 + port: 8080 32 39 # Admin and account creation — blocked externally 33 40 - match: Host(`sans-self.org`) && (PathPrefix(`/xrpc/com.atproto.admin`) || PathPrefix(`/xrpc/com.atproto.server.createAccount`)) 34 41 kind: Rule
+1
k8s/pds/kustomization.yaml
··· 11 11 - cert.yaml 12 12 - backup-cronjob.yaml 13 13 - network-policy.yaml 14 + - tarpit-deployment.yaml 14 15 15 16 generatorOptions: 16 17 disableNameSuffixHash: true
+19
k8s/pds/network-policy.yaml
··· 22 22 - podSelector: {} 23 23 ports: 24 24 - port: 3000 25 + --- 26 + apiVersion: networking.k8s.io/v1 27 + kind: NetworkPolicy 28 + metadata: 29 + name: tarpit-ingress 30 + namespace: pds 31 + spec: 32 + podSelector: 33 + matchLabels: 34 + app: tarpit 35 + policyTypes: 36 + - Ingress 37 + ingress: 38 + - from: 39 + - namespaceSelector: 40 + matchLabels: 41 + kubernetes.io/metadata.name: traefik 42 + ports: 43 + - port: 8080
+62
k8s/pds/tarpit-deployment.yaml
··· 1 + apiVersion: apps/v1 2 + kind: Deployment 3 + metadata: 4 + name: tarpit 5 + namespace: pds 6 + spec: 7 + replicas: 1 8 + selector: 9 + matchLabels: 10 + app: tarpit 11 + template: 12 + metadata: 13 + labels: 14 + app: tarpit 15 + spec: 16 + securityContext: 17 + runAsUser: 65534 18 + runAsGroup: 65534 19 + runAsNonRoot: true 20 + containers: 21 + - name: tarpit 22 + image: python:3.13-alpine 23 + command: ["python3", "/scripts/tarpit.py"] 24 + ports: 25 + - containerPort: 8080 26 + volumeMounts: 27 + - name: script 28 + mountPath: /scripts 29 + readOnly: true 30 + securityContext: 31 + allowPrivilegeEscalation: false 32 + readOnlyRootFilesystem: true 33 + capabilities: 34 + drop: 35 + - ALL 36 + resources: 37 + requests: 38 + cpu: 5m 39 + memory: 16Mi 40 + limits: 41 + cpu: 50m 42 + memory: 32Mi 43 + livenessProbe: 44 + tcpSocket: 45 + port: 8080 46 + periodSeconds: 60 47 + volumes: 48 + - name: script 49 + configMap: 50 + name: tarpit-script 51 + --- 52 + apiVersion: v1 53 + kind: Service 54 + metadata: 55 + name: tarpit 56 + namespace: pds 57 + spec: 58 + selector: 59 + app: tarpit 60 + ports: 61 + - port: 8080 62 + targetPort: 8080
+14
k8s/shared/cluster-issuer.yaml
··· 1 + apiVersion: cert-manager.io/v1 2 + kind: ClusterIssuer 3 + metadata: 4 + name: letsencrypt-prod 5 + spec: 6 + acme: 7 + server: https://acme-v02.api.letsencrypt.org/directory 8 + email: noivm@proton.me 9 + privateKeySecretRef: 10 + name: letsencrypt-prod 11 + solvers: 12 + - http01: 13 + ingress: 14 + ingressClassName: traefik
+22
k8s/shared/tarpit.py
··· 1 + from http.server import ThreadingHTTPServer, BaseHTTPRequestHandler 2 + import sys 3 + import time 4 + 5 + DELAY_SECONDS = 30 6 + 7 + 8 + class TarpitHandler(BaseHTTPRequestHandler): 9 + def _tarpit(self): 10 + time.sleep(DELAY_SECONDS) 11 + self.send_response(404) 12 + self.send_header("Content-Length", "0") 13 + self.send_header("Connection", "close") 14 + self.end_headers() 15 + 16 + do_GET = do_POST = do_HEAD = do_PUT = do_DELETE = do_OPTIONS = _tarpit 17 + 18 + def log_message(self, format, *args): 19 + print(f"tarpit: {self.client_address[0]} {args[0] if args else ''}", flush=True) 20 + 21 + 22 + ThreadingHTTPServer(("", 8080), TarpitHandler).serve_forever()
+30 -1073
kube.tf
··· 1 1 locals { 2 - # You have the choice of setting your Hetzner API token here or define the TF_VAR_hcloud_token env 3 - # within your shell, such as: export TF_VAR_hcloud_token=xxxxxxxxxxx 4 - # If you choose to define it in the shell, this can be left as is. 5 - 6 - # Your Hetzner token can be found in your Project > Security > API Token (Read & Write is required). 7 2 hcloud_token = "xxxxxxxxxxx" 8 3 } 9 4 ··· 13 8 } 14 9 hcloud_token = var.hcloud_token != "" ? var.hcloud_token : local.hcloud_token 15 10 16 - # Then fill or edit the below values. Only the first values starting with a * are obligatory; the rest can remain with their default values, or you 17 - # could adapt them to your needs. 11 + source = "kube-hetzner/kube-hetzner/hcloud" 12 + version = "2.18.5" 18 13 19 - # * source can be specified in multiple ways: 20 - # 1. For normal use, (the official version published on the Terraform Registry), use 21 - source = "kube-hetzner/kube-hetzner/hcloud" 22 - # When using the terraform registry as source, you can optionally specify a version number. 23 - # See https://registry.terraform.io/modules/kube-hetzner/kube-hetzner/hcloud for the available versions 24 - # version = "2.15.3" 25 - # 2. For local dev, path to the git repo 26 - # source = "../../kube-hetzner/" 27 - # 3. If you want to use the latest master branch (see https://developer.hashicorp.com/terraform/language/modules/sources#github), use 28 - # source = "github.com/kube-hetzner/terraform-hcloud-kube-hetzner" 29 - 30 - # Note that some values, notably "location" and "public_key" have no effect after initializing the cluster. 31 - # This is to keep Terraform from re-provisioning all nodes at once, which would lose data. If you want to update 32 - # those, you should instead change the value here and manually re-provision each node. Grep for "lifecycle". 33 - 34 - # Node management SSH on non-standard port; port 22 is used by Tangled knot 35 - ssh_port = 22222 36 - 37 - # * Your ssh public key 38 - ssh_public_key = file("./keypair/id_ed25519_homelab.pub") 39 - # * Your private key must be "ssh_private_key = null" when you want to use ssh-agent for a Yubikey-like device authentication or an SSH key-pair with a passphrase. 40 - # For more details on SSH see https://github.com/kube-hetzner/kube-hetzner/blob/master/docs/ssh.md 14 + # SSH — port 22 is used by Tangled knot, node management on 22222 15 + ssh_port = 22222 16 + ssh_public_key = file("./keypair/id_ed25519_homelab.pub") 41 17 ssh_private_key = file("./keypair/id_ed25519_homelab") 42 - # You can add additional SSH public Keys to grant other team members root access to your cluster nodes. 43 - # ssh_additional_public_keys = [] 44 18 45 - # You can also add additional SSH public Keys which are saved in the hetzner cloud by a label. 46 - # See https://docs.hetzner.cloud/#label-selector 47 - # ssh_hcloud_key_label = "role=admin" 48 - 49 - # If you use SSH agent and have issues with SSH connecting to your nodes, you can increase the number of auth tries (default is 2) 50 - # ssh_max_auth_tries = 10 51 - 52 - # If you want to use an ssh key that is already registered within hetzner cloud, you can pass its id. 53 - # If no id is passed, a new ssh key will be registered within hetzner cloud. 54 - # It is important that exactly this key is passed via `ssh_public_key` & `ssh_private_key` variables. 55 - # hcloud_ssh_key_id = "" 56 - 57 - # These can be customized, or left with the default values 58 - # * For Hetzner locations see https://docs.hetzner.com/general/others/data-centers-and-connection/ 59 - network_region = "eu-central" # change to `us-east` if location is ash 60 - 61 - # If you want to create the private network before calling this module, 62 - # you can do so and pass its id here. For example if you want to use a proxy 63 - # which only listens on your private network. Advanced use case. 64 - # 65 - # NOTE1: make sure to adapt network_ipv4_cidr, cluster_ipv4_cidr, and service_ipv4_cidr accordingly. 66 - # If your network is created with 10.0.0.0/8, and you use subnet 10.128.0.0/9 for your 67 - # non-k3s business, then adapting `network_ipv4_cidr = "10.0.0.0/9"` should be all you need. 68 - # 69 - # NOTE2: square brackets! This must be a list of length 1. 70 - # 71 - # existing_network_id = [hcloud_network.your_network.id] 72 - 73 - # If you must change the network CIDR you can do so below, but it is highly advised against. 74 - # network_ipv4_cidr = "10.0.0.0/8" 75 - 76 - # Using the default configuration you can only create a maximum of 42 agent-nodepools. 77 - # This is due to the creation of a subnet for each nodepool with CIDRs being in the shape of 10.[nodepool-index].0.0/16 which collides with k3s' cluster and service IP ranges (defaults below). 78 - # Furthermore the maximum number of nodepools (controlplane and agent) is 50, due to a hard limit of 50 subnets per network, see https://docs.hetzner.com/cloud/networks/faq/. 79 - # So to be able to create a maximum of 50 nodepools in total, the values below have to be changed to something outside that range, e.g. `10.200.0.0/16` and `10.201.0.0/16` for cluster and service respectively. 80 - 81 - # If you must change the cluster CIDR you can do so below, but it is highly advised against. 82 - # Never change this value after you already initialized a cluster. Complete cluster redeploy needed! 83 - # The cluster CIDR must be a part of the network CIDR! 84 - # cluster_ipv4_cidr = "10.42.0.0/16" 85 - 86 - # If you must change the service CIDR you can do so below, but it is highly advised against. 87 - # Never change this value after you already initialized a cluster. Complete cluster redeploy needed! 88 - # The service CIDR must be a part of the network CIDR! 89 - # service_ipv4_cidr = "10.43.0.0/16" 19 + network_region = "eu-central" 90 20 91 - # If you must change the service IPv4 address of core-dns you can do so below, but it is highly advised against. 92 - # Never change this value after you already initialized a cluster. Complete cluster redeploy needed! 93 - # The service IPv4 address must be part of the service CIDR! 94 - # cluster_dns_ipv4 = "10.43.0.10" 95 - 96 - # For the control planes, at least three nodes are the minimum for HA. Otherwise, you need to turn off the automatic upgrades (see README). 97 - # **It must always be an ODD number, never even!** Search the internet for "split-brain problem with etcd" or see https://rancher.com/docs/k3s/latest/en/installation/ha-embedded/ 98 - # For instance, one is ok (non-HA), two is not ok, and three is ok (becomes HA). It does not matter if they are in the same nodepool or not! So they can be in different locations and of various types. 99 - 100 - # Of course, you can choose any number of nodepools you want, with the location you want. The only constraint on the location is that you need to stay in the same network region, Europe, or the US. 101 - # For the server type, the minimum instance supported is cx23. If you want to use arm64 use cax11; see https://www.hetzner.com/cloud. 102 - 103 - # IMPORTANT: Before you create your cluster, you can do anything you want with the nodepools, but you need at least one of each, control plane and agent. 104 - # Once the cluster is up and running, you can change nodepool count and even set it to 0 (in the case of the first control-plane nodepool, the minimum is 1). 105 - # You can also rename it (if the count is 0), but do not remove a nodepool from the list. 106 - 107 - # You can safely add or remove nodepools at the end of each list. That is due to how subnets and IPs get allocated (FILO). 108 - # The maximum number of nodepools you can create combined for both lists is 50 (see above). 109 - # Also, before decreasing the count of any nodepools to 0, it's essential to drain and cordon the nodes in question. Otherwise, it will leave your cluster in a bad state. 110 - 111 - # Before initializing the cluster, you can change all parameters and add or remove any nodepools. You need at least one nodepool of each kind, control plane, and agent. 112 - # ⚠️ The nodepool names are entirely arbitrary, but all lowercase, no special characters or underscore (dashes are allowed), and they must be unique. 113 - 114 - # If you want to have a single node cluster, have one control plane nodepools with a count of 1, and one agent nodepool with a count of 0. 115 - 116 - # Please note that changing labels and taints after the first run will have no effect. If needed, you can do that through Kubernetes directly. 117 - 118 - # Multi-architecture clusters are OK for most use cases, as container underlying images tend to be multi-architecture too. 119 - 120 - # * Example below: 121 - 21 + # Single control-plane node (no HA — acceptable for this workload) 122 22 control_plane_nodepools = [ 123 23 { 124 24 name = "control-plane", ··· 132 32 133 33 agent_nodepools = [] 134 34 135 - # Add additional configuration options for control planes here. 136 - # E.g to enable monitoring for etcd, proxy etc: 137 - # control_planes_custom_config = { 138 - # etcd-expose-metrics = true, 139 - # kube-controller-manager-arg = "bind-address=0.0.0.0", 140 - # kube-proxy-arg ="metrics-bind-address=0.0.0.0", 141 - # kube-scheduler-arg = "bind-address=0.0.0.0", 142 - # } 35 + allow_scheduling_on_control_plane = true 143 36 144 - # Add additional configuration options for agent nodes and autoscaler nodes here. 145 - # E.g to enable monitoring for proxy: 146 - # agent_nodes_custom_config = { 147 - # kube-proxy-arg ="metrics-bind-address=0.0.0.0", 148 - # } 149 - 150 - # You can enable encrypted wireguard for the CNI by setting this to "true". Default is "false". 151 - # FYI, Hetzner says "Traffic between cloud servers inside a Network is private and isolated, but not automatically encrypted." 152 - # Source: https://docs.hetzner.com/cloud/networks/faq/#is-traffic-inside-hetzner-cloud-networks-encrypted 153 - # It works with all CNIs that we support. 154 - # Just note, that if Cilium with cilium_values, the responsibility of enabling of disabling Wireguard falls on you. 155 - # enable_wireguard = true 156 - 157 - # * LB location and type, the latter will depend on how much load you want it to handle, see https://www.hetzner.com/cloud/load-balancer 37 + # Load balancer 158 38 load_balancer_type = "lb11" 159 39 load_balancer_location = "nbg1" 160 40 161 - # Disable IPv6 for the load balancer, the default is false. 162 - # load_balancer_disable_ipv6 = true 163 - 164 - # Disables the public network of the load balancer. (default: false). 165 - # load_balancer_disable_public_network = true 166 - 167 - # Specifies the algorithm type of the load balancer. (default: round_robin). 168 - # load_balancer_algorithm_type = "least_connections" 169 - 170 - # Specifies the interval at which a health check is performed. Minimum is 3s (default: 15s). 171 - # load_balancer_health_check_interval = "5s" 172 - 173 - # Specifies the timeout of a single health check. Must not be greater than the health check interval. Minimum is 1s (default: 10s). 174 - # load_balancer_health_check_timeout = "3s" 175 - 176 - # Specifies the number of times a health check is retried before a target is marked as unhealthy. (default: 3) 177 - # load_balancer_health_check_retries = 3 178 - 179 - 180 - # Setup a NAT router, and automatically disable public ips on all control plane and agent nodes. 181 - # To use this, you must also set use_control_plane_lb = true, otherwise kubectl can never 182 - # reach the cluster. The NAT router will also function as bastion. This makes securing the cluster 183 - # easier, as all public traffic passes through a single strongly secured node. It does 184 - # however also introduce a single point of failure, so if you need high-availability on your 185 - # egress, you should consider other configurations. 186 - # 187 - # Hetzner removed the DHCP Router option from private networks on 2025-08-11, so the module 188 - # now ensures each node attached to the private network persists a default route via the 189 - # virtual gateway. No manual `ip route add` is required after reboots or DHCP renewals. 190 - # 191 - # 192 - # nat_router = { 193 - # server_type = "cax21" 194 - # location = "nbg1" 195 - # enable_sudo = false # optional, default to false. Set to true to add nat-router user to the sudo'ers. Note that ssh as root is disabled. 196 - # labels = {} # optionally add labels. 197 - # } 198 - 199 - 200 - ### The following values are entirely optional (and can be removed from this if unused) 201 - 202 - # You can refine a base domain name to be use in this form of nodename.base_domain for setting the reverse dns inside Hetzner 203 - # base_domain = "mycluster.example.com" 204 - 205 - # Cluster Autoscaler 206 - # Providing at least one map for the array enables the cluster autoscaler feature, default is disabled. 207 - # ⚠️ Based on how the autoscaler works with this project, you can only choose either x86 instances or ARM server types for ALL autoscaler nodepools. 208 - # If you are curious, it's ok to have a multi-architecture cluster, as most underlying container images are multi-architecture too. 209 - # 210 - # ⚠️ Setting labels and taints will only work on cluster-autoscaler images versions released after > 20 October 2023. Or images built from master after that date. 211 - # 212 - # * Example below: 213 - # autoscaler_nodepools = [ 214 - # { 215 - # name = "autoscaled-small" 216 - # server_type = "cx33" 217 - # location = "nbg1" 218 - # # Add the arg --enforce-node-group-min-size=true in the cluster_autoscaler_extra_args option below if you want min_nodes to be effective 219 - # min_nodes = 0 220 - # max_nodes = 5 221 - # labels = { 222 - # "node.kubernetes.io/role": "peak-workloads" 223 - # } 224 - # taints = [ 225 - # { 226 - # key= "node.kubernetes.io/role" 227 - # value= "peak-workloads" 228 - # effect= "NoExecute" 229 - # } 230 - # ] 231 - # # kubelet_args = ["kube-reserved=cpu=250m,memory=1500Mi,ephemeral-storage=1Gi", "system-reserved=cpu=250m,memory=300Mi"] 232 - # } 233 - # ] 234 - # 235 - # To disable public ips on your autoscaled nodes, uncomment the following lines: 236 - # autoscaler_disable_ipv4 = true 237 - # autoscaler_disable_ipv6 = true 238 - 239 - # ⚠️ Deprecated, will be removed after a new Cluster Autoscaler version has been released which support the new way of setting labels and taints. See above. 240 - # Add extra labels on nodes started by the Cluster Autoscaler 241 - # This argument is not used if autoscaler_nodepools is not set, because the Cluster Autoscaler is installed only if autoscaler_nodepools is set 242 - # autoscaler_labels = [ 243 - # "node.kubernetes.io/role=peak-workloads" 244 - # ] 245 - 246 - # Add extra taints on nodes started by the Cluster Autoscaler 247 - # This argument is not used if autoscaler_nodepools is not set, because the Cluster Autoscaler is installed only if autoscaler_nodepools is set 248 - # autoscaler_taints = [ 249 - # "node.kubernetes.io/role=specific-workloads:NoExecute" 250 - # ] 251 - 252 - # Configuration of the Cluster Autoscaler binary 253 - # 254 - # These arguments and variables are not used if autoscaler_nodepools is not set, because the Cluster Autoscaler is installed only if autoscaler_nodepools is set. 255 - # 256 - # Image and version of Kubernetes Cluster Autoscaler for Hetzner Cloud: 257 - # - cluster_autoscaler_image: Image of Kubernetes Cluster Autoscaler for Hetzner Cloud to be used. 258 - # The default is the official image from the Kubernetes project: registry.k8s.io/autoscaling/cluster-autoscaler 259 - # - cluster_autoscaler_version: Version of Kubernetes Cluster Autoscaler for Hetzner Cloud. Should be aligned with Kubernetes version. 260 - # Available versions for the official image can be found at https://explore.ggcr.dev/?repo=registry.k8s.io%2Fautoscaling%2Fcluster-autoscaler 261 - # 262 - # Logging related arguments are managed using separate variables: 263 - # - cluster_autoscaler_log_level: Controls the verbosity of logs (--v), the value is from 0 to 5, default is 4, for max debug info set it to 5. 264 - # - cluster_autoscaler_log_to_stderr: Determines whether to log to stderr (--logtostderr). 265 - # - cluster_autoscaler_stderr_threshold: Sets the threshold for logs that go to stderr (--stderrthreshold). 266 - # 267 - # Server/node creation timeout variable: 268 - # - cluster_autoscaler_server_creation_timeout: Sets the timeout (in minutes) until which a newly created server/node has to become available before giving up and destroying it (defaults to 15, unit is minutes) 269 - # 270 - # Example: 271 - # 272 - # cluster_autoscaler_image = "registry.k8s.io/autoscaling/cluster-autoscaler" 273 - # cluster_autoscaler_version = "v1.30.3" 274 - # cluster_autoscaler_log_level = 4 275 - # cluster_autoscaler_log_to_stderr = true 276 - # cluster_autoscaler_stderr_threshold = "INFO" 277 - # cluster_autoscaler_server_creation_timeout = 15 278 - 279 - # Additional Cluster Autoscaler binary configuration 280 - # 281 - # cluster_autoscaler_extra_args can be used for additional arguments. The default is an empty array. 282 - # 283 - # Please note that following arguments are managed by terraform-hcloud-kube-hetzner or the variables above and should not be set manually: 284 - # - --v=${var.cluster_autoscaler_log_level} 285 - # - --logtostderr=${var.cluster_autoscaler_log_to_stderr} 286 - # - --stderrthreshold=${var.cluster_autoscaler_stderr_threshold} 287 - # - --cloud-provider=hetzner 288 - # - --nodes ... 289 - # 290 - # See the Cluster Autoscaler FAQ for the full list of arguments: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/FAQ.md#what-are-the-parameters-to-ca 291 - # 292 - # Example: 293 - # 294 - # cluster_autoscaler_extra_args = [ 295 - # "--ignore-daemonsets-utilization=true", 296 - # "--enforce-node-group-min-size=true", 297 - # ] 298 - 299 - # Enable delete protection on compatible resources to prevent accidental deletion from the Hetzner Cloud Console. 300 - # This does not protect deletion from Terraform itself. 301 - # enable_delete_protection = { 302 - # floating_ip = true 303 - # load_balancer = true 304 - # volume = true 305 - # } 306 - 307 - # Enable etcd snapshot backups to S3 storage. 308 - # Just provide a map with the needed settings (according to your S3 storage provider) and backups to S3 will 309 - # be enabled (with the default settings for etcd snapshots). 310 - # Cloudflare's R2 offers 10GB, 10 million reads and 1 million writes per month for free. 311 - # For proper context, have a look at https://docs.k3s.io/datastore/backup-restore. 312 - # You also can use additional parameters from https://docs.k3s.io/cli/etcd-snapshot, such as `etc-s3-folder` 313 - # etcd_s3_backup = { 314 - # etcd-s3-endpoint = "xxxx.r2.cloudflarestorage.com" 315 - # etcd-s3-access-key = "<access-key>" 316 - # etcd-s3-secret-key = "<secret-key>" 317 - # etcd-s3-bucket = "k3s-etcd-snapshots" 318 - # etcd-s3-region = "<your-s3-bucket-region|usually required for aws>" 319 - # } 320 - 321 - # To enable Hetzner Storage Box support, you can enable csi-driver-smb, default is "false". 322 - # enable_csi_driver_smb = true 323 - # If you want to specify the version for csi-driver-smb, set it below - otherwise it'll use the latest version available. 324 - # See https://github.com/kubernetes-csi/csi-driver-smb/releases for the available versions. 325 - # csi_driver_smb_version = "v1.16.0" 326 - 327 - # To enable iscid without setting enable_longhorn = true, set enable_iscsid = true. You will need this if 328 - # you install your own version of longhorn outside of this module. 329 - # Default is false. If enable_longhorn=true, this variable is ignored and iscsid is enabled anyway. 330 - # enable_iscsid = true 331 - 332 - # To use local storage on the nodes, you can enable Longhorn, default is "false". 333 - # See a full recap on how to configure agent nodepools for longhorn here https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/discussions/373#discussioncomment-3983159 334 - # Also see Longhorn best practices here https://gist.github.com/ifeulner/d311b2868f6c00e649f33a72166c2e5b 335 - enable_longhorn = false 336 - 337 - # By default, longhorn is pulled from https://charts.longhorn.io. 338 - # If you need a version of longhorn which assures compatibility with rancher you can set this variable to https://charts.rancher.io. 339 - # longhorn_repository = "https://charts.rancher.io" 340 - 341 - # The namespace for longhorn deployment, default is "longhorn-system". 342 - # longhorn_namespace = "longhorn-system" 343 - 344 - # The file system type for Longhorn, if enabled (ext4 is the default, otherwise you can choose xfs). 345 - # longhorn_fstype = "xfs" 346 - 347 - # how many replica volumes should longhorn create (default is 3). 348 - # longhorn_replica_count = 1 349 - 350 - # When you enable Longhorn, you can go with the default settings and just modify the above two variables OR you can add a longhorn_values variable 351 - # with all needed helm values, see towards the end of the file in the advanced section. You can also use longhorn_merge_values. 352 - # If that file is present, the system will use it during the deploy, if not it will use the default values with the two variable above that can be customized. 353 - # After the cluster is deployed, you can always use HelmChartConfig definition to tweak the configuration. 354 - 355 - # Also, you can choose to use a Hetzner volume with Longhorn. By default, it will use the nodes own storage space, but if you add an attribute of 356 - # longhorn_volume_size (⚠️ not a variable, just a possible agent nodepool attribute) with a value between 10 and 10240 GB to your agent nodepool definition, it will create and use the volume in question. 357 - # See the agent nodepool section for an example of how to do that. 358 - 359 - # To disable Hetzner CSI storage, you can set the following to "true", default is "false". 360 - # disable_hetzner_csi = true 361 - 362 - # If you want to use a specific Hetzner CCM and CSI version, set them below; otherwise, leave them as-is for the latest versions. 363 - # See https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases for the available versions. 364 - # hetzner_ccm_version = "" 365 - 366 - # By default, new installations use Helm to install Hetzner CCM. You can use the legacy deployment method (using `kubectl apply`) by setting `hetzner_ccm_use_helm = false`. 367 - hetzner_ccm_use_helm = true 368 - 369 - # See https://github.com/hetznercloud/csi-driver/releases for the available versions. 370 - # hetzner_csi_version = "" 371 - 372 - # If you want to specify the Kured version, set it below - otherwise it'll use the latest version available. 373 - # See https://github.com/kubereboot/kured/releases for the available versions. 374 - # kured_version = "" 375 - 376 - # Default is "traefik". 377 - # If you want to enable the Nginx (https://kubernetes.github.io/ingress-nginx/) or HAProxy ingress controller instead of Traefik, you can set this to "nginx" or "haproxy". 378 - # By the default we load optimal Traefik, Nginx or HAProxy ingress controller config for Hetzner, however you may need to tweak it to your needs, so to do, 379 - # we allow you to add a traefik_values, nginx_values or haproxy_values, see towards the end of this file in the advanced section. 380 - # You can also use *_merge_values to overlay defaults (or the *_values file if set). 381 - # After the cluster is deployed, you can always use HelmChartConfig definition to tweak the configuration. 382 - # If you want to disable both controllers set this to "none" 383 - # ingress_controller = "nginx" 384 - # Namespace in which to deploy the ingress controllers. Defaults to the ingress_controller variable, eg (haproxy, nginx, traefik) 385 - # ingress_target_namespace = "" 386 - 387 - # You can change the number of replicas for selected ingress controller here. The default 0 means autoselecting based on number of agent nodes (1 node = 1 replica, 2 nodes = 2 replicas, 3+ nodes = 3 replicas) 41 + # Ingress — Traefik, single replica (single node, HPA is pointless) 388 42 ingress_replica_count = 1 43 + traefik_autoscaling = false 389 44 390 - # Use the klipperLB (similar to metalLB), instead of the default Hetzner one, that has an advantage of dropping the cost of the setup. 391 - # Automatically "true" in the case of single node cluster (as it does not make sense to use the Hetzner LB in that situation). 392 - # It can work with any ingress controller that you choose to deploy. 393 - # Please note that because the klipperLB points to all nodes, we automatically allow scheduling on the control plane when it is active. 394 - # enable_klipper_metal_lb = "true" 45 + # Pinned to avoid schema breakage with newer chart versions 46 + traefik_version = "34.3.0" 395 47 396 - # If you want to configure additional arguments for traefik, enter them here as a list and in the form of traefik CLI arguments; see https://doc.traefik.io/traefik/reference/static-configuration/cli/ 397 - # They are the options that go into the additionalArguments section of the Traefik helm values file. 398 - # We already add "providers.kubernetesingress.ingressendpoint.publishedservice" by default so that Traefik works automatically with services such as External-DNS and ArgoCD. 399 - # Example: 400 - # traefik_additional_options = ["--log.level=DEBUG", "--tracing=true"] 401 - 402 - # By default traefik image tag is an empty string which uses latest image tag. 403 - # The default is "". 404 - # traefik_image_tag = "v3.0.0-beta5" 405 - 406 - # By default traefik is configured to redirect http traffic to https, you can set this to "false" to disable the redirection. 407 - # The default is true. 408 - # traefik_redirect_to_https = false 409 - 410 - # Enable or disable Horizontal Pod Autoscaler for traefik. 411 - # The default is true. 412 - # traefik_autoscaling = false 413 - 414 - # Enable or disable pod disruption budget for traefik. Values are maxUnavailable: 33% and minAvailable: 1. 415 - # The default is true. 416 - # traefik_pod_disruption_budget = false 417 - 418 - # Enable kubernetes gateway api (https://doc.traefik.io/traefik/providers/kubernetes-gateway/) provider support. 419 - # The default is false. 420 - # traefik_provider_kubernetes_gateway_enabled = true 421 - 422 - # Enable or disable default resource requests and limits for traefik. Values requested are 100m & 50Mi and limits 300m & 150Mi. 423 - # The default is true. 424 - # traefik_resource_limits = false 425 - 426 - # If you want to configure additional ports for traefik, enter them here as a list of objects with name, port, and exposedPort properties. 427 - # Example: 428 - # traefik_additional_ports = [{name = "example", port = 1234, exposedPort = 1234}] 429 - 430 - # Tangled knot SSH access (git clone git@knot.sans-self.org:handle/repo) 48 + # Tangled knot Git SSH passthrough (git clone git@knot.sans-self.org:handle/repo) 431 49 traefik_additional_ports = [{ name = "knot-ssh", port = 22, exposedPort = 22 }] 432 50 433 - # If you want to configure additional trusted IPs for traefik, enter them here as a list of IPs (strings). 434 - # Example for Cloudflare: 435 - # traefik_additional_trusted_ips = [ 436 - # "173.245.48.0/20", 437 - # "103.21.244.0/22", 438 - # "103.22.200.0/22", 439 - # "103.31.4.0/22", 440 - # "141.101.64.0/18", 441 - # "108.162.192.0/18", 442 - # "190.93.240.0/20", 443 - # "188.114.96.0/20", 444 - # "197.234.240.0/22", 445 - # "198.41.128.0/17", 446 - # "162.158.0.0/15", 447 - # "104.16.0.0/13", 448 - # "104.24.0.0/14", 449 - # "172.64.0.0/13", 450 - # "131.0.72.0/22", 451 - # "2400:cb00::/32", 452 - # "2606:4700::/32", 453 - # "2803:f800::/32", 454 - # "2405:b500::/32", 455 - # "2405:8100::/32", 456 - # "2a06:98c0::/29", 457 - # "2c0f:f248::/32" 458 - # ] 51 + # Storage — Hetzner CSI only, no Longhorn 52 + enable_longhorn = false 53 + hetzner_ccm_use_helm = true 459 54 460 - # If you want to disable the metric server set this to "false". Default is "true". 461 - # enable_metrics_server = false 462 - 463 - # If you want to enable the k3s built-in local-storage controller set this to "true". Default is "false". 464 - # Warning: When enabled together with the Hetzner CSI, there will be two default storage classes: "local-path" and "hcloud-volumes"! 465 - # Even if patched to remove the "default" label, the local-path storage class will be reset as default on each reboot of 466 - # the node where the controller runs. 467 - # This is not a problem if you explicitly define which storageclass to use in your PVCs. 468 - # Workaround if you don't want two default storage classes: leave this to false and add the local-path-provisioner helm chart 469 - # as an extra (https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner#adding-extras). 470 - # enable_local_storage = false 471 - 472 - allow_scheduling_on_control_plane = true 473 - 474 - # If you use both the Terraform-managed ingress LB AND CCM-managed LoadBalancer services, agents get registered to both. 475 - # Enable this to exclude agents from CCM LBs (adds node.kubernetes.io/exclude-from-external-load-balancers=true label). 476 - # WARNING: If allow_scheduling_on_control_plane=false, this leaves NO eligible targets for CCM LoadBalancer services. 477 - # exclude_agents_from_external_load_balancers = true 478 - 479 - # If you want to disable the automatic upgrade of k3s, you can set below to "false". 480 - # Ideally, keep it on, to always have the latest Kubernetes version, but lock the initial_k3s_channel to a kube major version, 481 - # of your choice, like v1.25 or v1.26. That way you get the best of both worlds without the breaking changes risk. 482 - # For production use, always use an HA setup with at least 3 control-plane nodes and 2 agents, and keep this on for maximum security. 483 - 55 + # Kubernetes version & upgrades 56 + initial_k3s_channel = "v1.31" 484 57 automatically_upgrade_k3s = true 485 - 486 - # By default nodes are drained before k3s upgrade, which will delete and transfer all pods to other nodes. 487 - # Set this to false to cordon nodes instead, which just prevents scheduling new pods on the node during upgrade 488 - # and keeps all pods running. This may be useful if you have pods which are known to be slow to start e.g. 489 - # because they have to mount volumes with many files which require to get the right security context applied. 490 - system_upgrade_use_drain = true 491 - 492 - # During k3s via system-upgrade-manager pods are evicted by default. 493 - # On small clusters this can lead to hanging upgrades and indefinitely unschedulable nodes, 494 - # in that case, set this to false to immediately delete pods before upgrading. 495 - # NOTE: Turning this flag off might lead to downtimes of services (which may be acceptable for your use case) 496 - # NOTE: This flag takes effect only when system_upgrade_use_drain is set to true. 497 - # system_upgrade_enable_eviction = false 498 - 499 - automatically_upgrade_os = true 500 - 501 - # If you need more control over kured and the reboot behaviour, you can pass additional options to kured. 502 - # For example limiting reboots to certain timeframes. For all options see: https://kured.dev/docs/configuration/ 503 - # By default, the kured lock does not expire and is only released once a node successfully reboots. You can add the option 504 - # "lock-ttl" : "30m", if you have a single node which sometimes gets stuck. Note however, that in that case, kured continuous 505 - # draining the next node because the lock was released. You may end up with all nodes drained and your cluster completely down. 506 - # The default options are: `--reboot-command=/usr/bin/systemctl reboot --pre-reboot-node-labels=kured=rebooting --post-reboot-node-labels=kured=done --period=5m` 507 - # Defaults can be overridden by using the same key. 508 - # kured_options = { 509 - # "reboot-days": "su", 510 - # "start-time": "3am", 511 - # "end-time": "8am", 512 - # "time-zone": "Local", 513 - # "lock-ttl" : "30m", 514 - # } 58 + automatically_upgrade_os = true 59 + system_upgrade_use_drain = true 515 60 516 - # Allows you to specify the k3s version. If defined, supersedes initial_k3s_channel. 517 - # See https://github.com/k3s-io/k3s/releases for the available versions. 518 - # install_k3s_version = "v1.30.2+k3s2" 61 + # Networking 62 + dns_servers = [ 63 + "1.1.1.1", 64 + "8.8.8.8", 65 + "2606:4700:4700::1111", 66 + ] 519 67 520 - # Allows you to specify either stable, latest, testing or supported minor versions. 521 - # see https://rancher.com/docs/k3s/latest/en/upgrades/basic/ and https://update.k3s.io/v1-release/channels 522 - # ⚠️ If you are going to use Rancher addons for instance, it's always a good idea to fix the kube version to one minor version below the latest stable, 523 - # e.g. v1.29 instead of the stable v1.30. 524 - # The default is "v1.30". 525 - initial_k3s_channel = "v1.31" 68 + use_control_plane_lb = false 526 69 527 - # Allows to specify the version of the System Upgrade Controller for automated upgrades of k3s 528 - # See https://github.com/rancher/system-upgrade-controller/releases for the available versions. 529 - # sys_upgrade_controller_version = "v0.14.2" 530 - 531 - # The cluster name, by default "k3s" 532 - # cluster_name = "" 533 - 534 - # Whether to use the cluster name in the node name, in the form of {cluster_name}-{nodepool_name}, the default is "true". 535 - # use_cluster_name_in_node_name = false 536 - 537 - # Extra k3s registries. This is useful if you have private registries and you want to pull images without additional secrets. 538 - # Or if you want to proxy registries for various reasons like rate-limiting. 539 - # It will create the registries.yaml file, more info here https://docs.k3s.io/installation/private-registry. 540 - # Note that you do not need to get this right from the first time, you can update it when you want during the life of your cluster. 541 - # The default is blank. 542 - /* k3s_registries = <<-EOT 543 - mirrors: 544 - hub.my_registry.com: 545 - endpoint: 546 - - "hub.my_registry.com" 547 - configs: 548 - hub.my_registry.com: 549 - auth: 550 - username: username 551 - password: password 552 - EOT */ 553 - 554 - # Additional environment variables for the host OS on which k3s runs. See for example https://docs.k3s.io/advanced#configuring-an-http-proxy . 555 - # additional_k3s_environment = { 556 - # "CONTAINERD_HTTP_PROXY" : "http://your.proxy:port", 557 - # "CONTAINERD_HTTPS_PROXY" : "http://your.proxy:port", 558 - # "NO_PROXY" : "127.0.0.0/8,10.0.0.0/8,", 559 - # } 560 - 561 - # Additional commands to execute on the host OS before the k3s install, for example fetching and installing certs. 562 - # preinstall_exec = [ 563 - # "curl https://somewhere.over.the.rainbow/ca.crt > /root/ca.crt", 564 - # "trust anchor --store /root/ca.crt", 565 - # ] 566 - 567 - # Structured authentication configuration. Multiple authentication providers support requires v1.30+ of 568 - # kubernetes. 569 - # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration 570 - # 571 - # authentication_config = <<-EOT 572 - # apiVersion: apiserver.config.k8s.io/v1beta1 573 - # kind: AuthenticationConfiguration 574 - # jwt: 575 - # - issuer: 576 - # url: "https://token.actions.githubusercontent.com" 577 - # audiences: 578 - # - "https://github.com/octo-org" 579 - # claimMappings: 580 - # username: 581 - # claim: sub 582 - # prefix: "gh:" 583 - # groups: 584 - # claim: repository_owner 585 - # prefix: "gh:" 586 - # claimValidationRules: 587 - # - claim: repository 588 - # requiredValue: "octo-org/octo-repo" 589 - # - claim: "repository_visibility" 590 - # requiredValue: "public" 591 - # - claim: "ref" 592 - # requiredValue: "refs/heads/main" 593 - # - claim: "ref_type" 594 - # requiredValue: "branch" 595 - # - issuer: 596 - # url: "https://your.oidc.issuer" 597 - # audiences: 598 - # - "oidc_client_id" 599 - # claimMappings: 600 - # username: 601 - # claim: oidc_username_claim 602 - # prefix: "oidc:" 603 - # groups: 604 - # claim: oidc_groups_claim 605 - # prefix: "oidc:" 606 - # EOT 607 - 608 - # Set to true if util-linux breaks on the OS (temporary regression fixed in util-linux v2.41.1). 609 - # k3s_prefer_bundled_bin = true 610 - 611 - # Additional flags to pass to the k3s server command (the control plane). 612 - # k3s_exec_server_args = "--kube-apiserver-arg enable-admission-plugins=PodTolerationRestriction,PodNodeSelector" 613 - 614 - # Additional flags to pass to the k3s agent command (every agents nodes, including autoscaler nodepools). 615 - # k3s_exec_agent_args = "--kubelet-arg kube-reserved=cpu=100m,memory=200Mi,ephemeral-storage=1Gi" 616 - 617 - # The vars below here passes it to the k3s config.yaml. This way it persist across reboots 618 - # Make sure you set "feature-gates=NodeSwap=true" if want to use swap_size 619 - # Note: CloudDualStackNodeIPs was removed in K8s 1.32 (always enabled now) 620 - # see https://github.com/k3s-io/k3s/issues/8811#issuecomment-1856974516 621 - # k3s_global_kubelet_args = ["kube-reserved=cpu=100m,ephemeral-storage=1Gi", "system-reserved=cpu=memory=200Mi", "image-gc-high-threshold=50", "image-gc-low-threshold=40"] 622 - # k3s_control_plane_kubelet_args = [] 623 - # k3s_agent_kubelet_args = [] 624 - # k3s_autoscaler_kubelet_args = [] 625 - 626 - # https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/ 627 - # k3s_kubelet_config = <<-EOT 628 - # apiVersion: kubelet.config.k8s.io/v1beta1 629 - # kind: KubeletConfiguration 630 - # imageGCLowThresholdPercent: 40 631 - # imageGCHighThresholdPercent: 50 632 - # imageMaximumGCAge: 24h 633 - # EOT 634 - 635 - # If you want to allow all outbound traffic you can set this to "false". Default is "true". 636 - # restrict_outbound_traffic = false 637 - 638 - # Allow access to the Kube API from the specified networks. The default is ["0.0.0.0/0", "::/0"]. 639 - # Allowed values: null (disable Kube API rule entirely) or a list of allowed networks with CIDR notation. 640 - # For maximum security, it's best to disable it completely by setting it to null. However, in that case, to get access to the kube api, 641 - # you would have to connect to any control plane node via SSH, as you can run kubectl from within these. 642 - # Please be advised that this setting has no effect on the load balancer when the use_control_plane_lb variable is set to true. This is 643 - # because firewall rules cannot be applied to load balancers yet. 70 + # Firewall — API and SSH restricted to known IPs 644 71 firewall_kube_api_source = ["5.132.126.116/32", "89.146.51.229/32"] 72 + firewall_ssh_source = ["5.132.126.116/32", "89.146.51.229/32"] 645 73 646 - # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"] 647 - # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation. 648 - # Ideally you would set your IP there. And if it changes after cluster deploy, you can always update this variable and apply again. 649 - firewall_ssh_source = ["5.132.126.116/32", "89.146.51.229/32"] 650 - 651 - # By default, SELinux is enabled in enforcing mode on all nodes. For container-specific SELinux issues, 652 - # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of 653 - # disabling SELinux globally. See the "Fix SELinux issues with udica" example in the README for details. 654 - # disable_selinux = false 655 - 656 - # Adding extra firewall rules, like opening a port 657 - # More info on the format here https://registry.terraform.io/providers/hetznercloud/hcloud/latest/docs/resources/firewall 658 74 extra_firewall_rules = [ 659 75 { 660 76 description = "Node management SSH" ··· 674 90 } 675 91 ] 676 92 677 - # If you want to configure a different CNI for k3s, use this flag 678 - # possible values: flannel (Default), calico, and cilium 679 - # As for Cilium, we allow infinite configurations via helm values, please check the CNI section of the readme over at https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/#cni. 680 - # Also, see the cilium_values at towards the end of this file, in the advanced section (or use cilium_merge_values). 681 - # ⚠️ Depending on your setup, sometimes you need your control-planes to have more than 682 - # 2GB of RAM if you are going to use Cilium, otherwise the pods will not start. 683 - # cni_plugin = "cilium" 684 - 685 - # You can choose the version of Cilium that you want. By default we keep the version up to date and configure Cilium with compatible settings according to the version. 686 - # See https://github.com/cilium/cilium/releases for the available versions. 687 - # cilium_version = "v1.14.0" 688 - 689 - # Set native-routing mode ("native") or tunneling mode ("tunnel"). Default: tunnel 690 - # cilium_routing_mode = "native" 691 - 692 - # Used when Cilium is configured in native routing mode. The CNI assumes that the underlying network stack will forward packets to this destination without the need to apply SNAT. Default: value of "cluster_ipv4_cidr" 693 - # cilium_ipv4_native_routing_cidr = "10.0.0.0/8" 694 - 695 - # Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. Default: false 696 - # cilium_egress_gateway_enabled = true 697 - 698 - # Enables Hubble Observability to collect and visualize network traffic. Default: false 699 - # cilium_hubble_enabled = true 700 - 701 - # Configures the list of Hubble metrics to collect. 702 - # cilium_hubble_metrics_enabled = [ 703 - # "policy:sourceContext=app|workload-name|pod|reserved-identity;destinationContext=app|workload-name|pod|dns|reserved-identity;labelsContext=source_namespace,destination_namespace" 704 - # ] 705 - 706 - # You can choose the version of Calico that you want. By default, the latest is used. 707 - # More info on available versions can be found at https://github.com/projectcalico/calico/releases 708 - # Please note that if you are getting 403s from Github, it's also useful to set the version manually. However there is rarely a need for that! 709 - # calico_version = "v3.27.2" 710 - 711 - # If you want to disable the k3s kube-proxy, use this flag. The default is "false". 712 - # Ensure that your CNI is capable of handling all the functionalities typically covered by kube-proxy. 713 - # disable_kube_proxy = true 714 - 715 - # If you want to disable the k3s default network policy controller, use this flag! 716 - # Both Calico and Cilium cni_plugin values override this value to true automatically, the default is "false". 717 - # disable_network_policy = true 718 - 719 - # If you want to disable the automatic use of placement group "spread". See https://docs.hetzner.com/cloud/placement-groups/overview/ 720 - # We advise to not touch that setting, unless you have a specific purpose. 721 - # The default is "false", meaning it's enabled by default. 722 - # placement_group_disable = true 723 - 724 - # By default, we allow ICMP ping in to the nodes, to check for liveness for instance. If you do not want to allow that, you can. Just set this flag to true (false by default). 725 - # block_icmp_ping_in = true 726 - 727 - # You can enable cert-manager (installed by Helm behind the scenes) with the following flag, the default is "true". 728 - # enable_cert_manager = false 729 - 730 - # IP Addresses to use for the DNS Servers, the defaults are the ones provided by Hetzner https://docs.hetzner.com/dns-console/dns/general/recursive-name-servers/. 731 - # The number of different DNS servers is limited to 3 by Kubernetes itself. 732 - # It's always a good idea to have at least 1 IPv4 and 1 IPv6 DNS server for robustness. 733 - dns_servers = [ 734 - "1.1.1.1", 735 - "8.8.8.8", 736 - "2606:4700:4700::1111", 737 - ] 738 - 739 - # When this is enabled, rather than the first node, all external traffic will be routed via a control-plane loadbalancer, allowing for high availability. 740 - # The default is false. 741 - use_control_plane_lb = false 742 - 743 - # When the above use_control_plane_lb is enabled, you can change the lb type for it, the default is "lb11". 744 - # control_plane_lb_type = "lb21" 745 - 746 - # When the above use_control_plane_lb is enabled, you can change to disable the public interface for control plane load balancer, the default is true. 747 - # control_plane_lb_enable_public_interface = false 748 - 749 - # Let's say you are not using the control plane LB solution above, and still want to have one hostname point to all your control-plane nodes. 750 - # You could create multiple A records of to let's say cp.cluster.my.org pointing to all of your control-plane nodes ips. 751 - # In which case, you need to define that hostname in the k3s TLS-SANs config to allow connection through it. It can be hostnames or IP addresses. 752 - # additional_tls_sans = ["cp.cluster.my.org"] 753 - 754 - # If you create a hostname with multiple A records pointing to all of your 755 - # control-plane nodes ips, you may want to use that hostname in the generated 756 - # kubeconfig. 757 - # kubeconfig_server_address = "cp.cluster.my.org" 758 - 759 - # lb_hostname Configuration: 760 - # 761 - # Purpose: 762 - # The lb_hostname setting optimizes communication between services within the Kubernetes cluster 763 - # when they use domain names instead of direct service names. By associating a domain name directly 764 - # with the Hetzner Load Balancer, this setting can help reduce potential communication delays. 765 - # 766 - # Scenario: 767 - # If Service B communicates with Service A using a domain (e.g., `a.mycluster.domain.com`) that points 768 - # to an external Load Balancer, there can be a slowdown in communication. 769 - # 770 - # Guidance: 771 - # - If your internal services use domain names pointing to an external LB, set lb_hostname to a domain 772 - # like `mycluster.domain.com`. 773 - # - Create an A record pointing `mycluster.domain.com` to your LB's IP. 774 - # - Create a CNAME record for `a.mycluster.domain.com` (or xyz.com) pointing to `mycluster.domain.com`. 775 - # 776 - # Technical Note: 777 - # This setting sets the `load-balancer.hetzner.cloud/hostname` in the Hetzner LB definition, suitable for 778 - # HAProxy, Nginx and Traefik ingress controllers. 779 - # 780 - # Recommendation: 781 - # This setting is optional. If services communicate using direct service names, you can leave this unset. 782 - # For inter-namespace communication, use `.service_name` as per Kubernetes norms. 783 - # 784 - # Example: 785 - # lb_hostname = "mycluster.domain.com" 786 - 787 - # You can enable Rancher (installed by Helm behind the scenes) with the following flag, the default is "false". 788 - # ⚠️ Rancher often doesn't support the latest Kubernetes version. You will need to set initial_k3s_channel to a supported version. 789 - # When Rancher is enabled, it automatically installs cert-manager too, and it uses rancher's own self-signed certificates. 790 - # See for options https://ranchermanager.docs.rancher.com/getting-started/installation-and-upgrade/install-upgrade-on-a-kubernetes-cluster#3-choose-your-ssl-configuration 791 - # The easiest thing is to leave everything as is (using the default rancher self-signed certificate) and put Cloudflare in front of it. 792 - # As for the number of replicas, by default it is set to the number of control plane nodes. 793 - # You can customized all of the above by adding a rancher_values variable see at the end of this file in the advanced section (or use rancher_merge_values). 794 - # After the cluster is deployed, you can always use HelmChartConfig definition to tweak the configuration. 795 - # IMPORTANT: Rancher's install is quite memory intensive, you will require at least 4GB if RAM, meaning cx23 server type (for your control plane). 796 - # ALSO, in order for Rancher to successfully deploy, you have to set the "rancher_hostname". 797 - # enable_rancher = true 798 - 799 - # If using Rancher you can set the Rancher hostname, it must be unique hostname even if you do not use it. 800 - # If not pointing the DNS, you can just port-forward locally via kubectl to get access to the dashboard. 801 - # If you already set the lb_hostname above and are using a Hetzner LB, you do not need to set this one, as it will be used by default. 802 - # But if you set this one explicitly, it will have preference over the lb_hostname in rancher settings. 803 - # rancher_hostname = "rancher.xyz.dev" 804 - 805 - # When Rancher is deployed, by default is uses the "latest" channel. But this can be customized. 806 - # The allowed values are "stable" or "latest". 807 - # rancher_install_channel = "stable" 808 - 809 - # Finally, you can specify a bootstrap-password for your rancher instance. Minimum 48 characters long! 810 - # If you leave empty, one will be generated for you. 811 - # (Can be used by another rancher2 provider to continue setup of rancher outside this module.) 812 - # rancher_bootstrap_password = "" 813 - 814 - # Separate from the above Rancher config (only use one or the other). You can import this cluster directly on an 815 - # an already active Rancher install. By clicking "import cluster" choosing "generic", giving it a name and pasting 816 - # the cluster registration url below. However, you can also ignore that and apply the url via kubectl as instructed 817 - # by Rancher in the wizard, and that would register your cluster too. 818 - # More information about the registration can be found here https://rancher.com/docs/rancher/v2.6/en/cluster-provisioning/registered-clusters/ 819 - # rancher_registration_manifest_url = "https://rancher.xyz.dev/v3/import/xxxxxxxxxxxxxxxxxxYYYYYYYYYYYYYYYYYYYzzzzzzzzzzzzzzzzzzzzz.yaml" 820 - 821 - # Extra commands to be executed after the `kubectl apply -k` (useful for post-install actions, e.g. wait for CRD, apply additional manifests, etc.). 822 - # extra_kustomize_deployment_commands="" 823 - 824 - # Extra values that will be passed to the `extra-manifests/kustomization.yaml.tpl` if its present. 825 - # extra_kustomize_parameters={} 826 - 827 - # See working examples for extra manifests or a HelmChart in examples/kustomization_user_deploy/README.md 828 - 829 - # It is best practice to turn this off, but for backwards compatibility it is set to "true" by default. 830 - # See https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/issues/349 831 - # When "false". The kubeconfig file can instead be created by executing: "terraform output --raw kubeconfig > cluster_kubeconfig.yaml" 832 - # Always be careful to not commit this file! 833 93 create_kubeconfig = false 834 - 835 - # Don't create the kustomize backup. This can be helpful for automation. 836 - # create_kustomization = false 837 - 838 - # Export the values.yaml files used for the deployment of traefik, longhorn, cert-manager, etc. 839 - # This can be helpful to use them for later deployments like with ArgoCD. 840 - # The default is false. 841 - # export_values = true 842 - 843 - # MicroOS snapshot IDs to be used. Per default empty, the most recent image created using createkh will be used. 844 - # We recommend the default, but if you want to use specific IDs you can. 845 - # You can fetch the ids with the hcloud cli by running the "hcloud image list --selector 'microos-snapshot=yes'" command. 846 - # microos_x86_snapshot_id = "1234567" 847 - # microos_arm_snapshot_id = "1234567" 848 - 849 - ### ADVANCED - Custom helm values for packages above (search _values if you want to located where those are mentioned upper in this file) 850 - # ⚠️ Inside the _values variable below are examples, up to you to find out the best helm values possible, we do not provide support for customized helm values. 851 - # Please understand that the indentation is very important, inside the EOTs, as those are proper yaml helm values. 852 - # We advise you to use the default values, and only change them if you know what you are doing! 853 - 854 - # You can inline the values here in heredoc-style (as the examples below with the <<EOT to EOT). Please note that the current indentation inside the EOT is important. 855 - # Or you can create a thepackage-values.yaml file with the content and use it here with the following syntax: 856 - # thepackage_values = file("thepackage-values.yaml") 857 - # _values fully replaces the chart values used by the module. _merge_values keeps the defaults (or *_values if set) and overlays your YAML on top. 858 - 859 - # Cilium, all Cilium helm values can be found at https://github.com/cilium/cilium/blob/master/install/kubernetes/cilium/values.yaml 860 - # Be careful when maintaining your own cilium_values, as the choice of available settings depends on the Cilium version used. See also the cilium_version setting to fix a specific version. 861 - # If you want to merge extra values into defaults (or cilium_values), use cilium_merge_values. 862 - # The following is an example, please note that the current indentation inside the EOT is important. 863 - /* cilium_values = <<EOT 864 - 865 - ipam: 866 - mode: kubernetes 867 - k8s: 868 - requireIPv4PodCIDR: true 869 - kubeProxyReplacement: true 870 - routingMode: native 871 - ipv4NativeRoutingCIDR: "10.0.0.0/8" 872 - endpointRoutes: 873 - enabled: true 874 - loadBalancer: 875 - acceleration: native 876 - bpf: 877 - masquerade: true 878 - encryption: 879 - enabled: true 880 - type: wireguard 881 - MTU: 1450 882 - EOT */ 883 - 884 - /* cilium_merge_values = <<EOT 885 - encryption: 886 - enabled: true 887 - type: wireguard 888 - EOT */ 889 - 890 - # If you want to use a specific cert-manager helm chart version, set it below; otherwise, leave them as-is for the latest versions. 891 - # cert_manager_version = "" 892 - 893 - # Cert manager, all cert-manager helm values can be found at https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml 894 - # If you want to merge extra values into defaults (or cert_manager_values), use cert_manager_merge_values. 895 - # The following is an example, please note that the current indentation inside the EOT is important. 896 - # For cert-manager versions < v1.15.0, you need to set installCRDs: true instead of crds.enabled and crds.keep. 897 - /* cert_manager_values = <<EOT 898 - crds: 899 - enabled: true 900 - keep: true 901 - replicaCount: 3 902 - webhook: 903 - replicaCount: 3 904 - cainjector: 905 - replicaCount: 3 906 - EOT */ 907 - 908 - /* cert_manager_merge_values = <<EOT 909 - webhook: 910 - replicaCount: 2 911 - EOT */ 912 - 913 - # Hetzner Cloud Controller Manager, all Hetzner Cloud Controller Manager helm values can be found at https://github.com/hetznercloud/hcloud-cloud-controller-manager/blob/main/chart/values.yaml 914 - # We advise you to not touch this and to let the defaults that are already set under the hood. 915 - # If you want to merge extra values into defaults (or hetzner_ccm_values), use hetzner_ccm_merge_values. 916 - # For advanced use cases like adding Hetzner Robot servers, see: https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/blob/master/docs/add-robot-server.md 917 - # The following is an example, please note that the current indentation inside the EOT is important. 918 - /* hetzner_ccm_values = <<EOT 919 - networking: 920 - enabled: true 921 - args: 922 - cloud-provider: hcloud 923 - allow-untagged-cloud: "" 924 - route-reconciliation-period: 30s 925 - webhook-secure-port: "0" 926 - env: 927 - HCLOUD_LOAD_BALANCERS_LOCATION: 928 - value: "nbg1" 929 - HCLOUD_LOAD_BALANCERS_USE_PRIVATE_IP: 930 - value: "true" 931 - HCLOUD_LOAD_BALANCERS_ENABLED: 932 - value: "true" 933 - HCLOUD_LOAD_BALANCERS_DISABLE_PRIVATE_INGRESS: 934 - value: "true" 935 - EOT */ 936 - 937 - /* hetzner_ccm_merge_values = <<EOT 938 - env: 939 - HCLOUD_LOAD_BALANCERS_LOCATION: 940 - value: "nbg1" 941 - EOT */ 942 - 943 - # csi-driver-smb, all csi-driver-smb helm values can be found at https://github.com/kubernetes-csi/csi-driver-smb/blob/master/charts/latest/csi-driver-smb/values.yaml 944 - # The following is an example, please note that the current indentation inside the EOT is important. 945 - /* csi_driver_smb_values = <<EOT 946 - controller: 947 - name: csi-smb-controller 948 - replicas: 1 949 - runOnMaster: false 950 - runOnControlPlane: false 951 - resources: 952 - csiProvisioner: 953 - limits: 954 - memory: 300Mi 955 - requests: 956 - cpu: 10m 957 - memory: 20Mi 958 - livenessProbe: 959 - limits: 960 - memory: 100Mi 961 - requests: 962 - cpu: 10m 963 - memory: 20Mi 964 - smb: 965 - limits: 966 - memory: 200Mi 967 - requests: 968 - cpu: 10m 969 - memory: 20Mi 970 - EOT */ 971 - 972 - # Longhorn, all Longhorn helm values can be found at https://github.com/longhorn/longhorn/blob/master/chart/values.yaml 973 - # If you want to merge extra values into defaults (or longhorn_values), use longhorn_merge_values. 974 - # The following is an example, please note that the current indentation inside the EOT is important. 975 - /* longhorn_values = <<EOT 976 - defaultSettings: 977 - defaultDataPath: /var/longhorn 978 - persistence: 979 - defaultFsType: ext4 980 - defaultClassReplicaCount: 3 981 - defaultClass: true 982 - EOT */ 983 - 984 - /* longhorn_merge_values = <<EOT 985 - defaultSettings: 986 - defaultReplicaCount: 2 987 - EOT */ 988 - 989 - # Pinned to avoid schema breakage with newer chart versions (globalArguments, redirections removed) 990 - traefik_version = "34.3.0" 991 - 992 - # Traefik, all Traefik helm values can be found at https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml 993 - # If you want to merge extra values into defaults (or traefik_values), use traefik_merge_values. 994 - # The following is an example, please note that the current indentation inside the EOT is important. 995 - /* traefik_values = <<EOT 996 - deployment: 997 - replicas: 1 998 - globalArguments: [] 999 - service: 1000 - enabled: true 1001 - type: LoadBalancer 1002 - annotations: 1003 - "load-balancer.hetzner.cloud/name": "k3s" 1004 - "load-balancer.hetzner.cloud/use-private-ip": "true" 1005 - "load-balancer.hetzner.cloud/disable-private-ingress": "true" 1006 - "load-balancer.hetzner.cloud/location": "nbg1" 1007 - "load-balancer.hetzner.cloud/type": "lb11" 1008 - "load-balancer.hetzner.cloud/uses-proxyprotocol": "true" 1009 - 1010 - ports: 1011 - web: 1012 - redirections: 1013 - entryPoint: 1014 - to: websecure 1015 - scheme: https 1016 - permanent: true 1017 - 1018 - proxyProtocol: 1019 - trustedIPs: 1020 - - 127.0.0.1/32 1021 - - 10.0.0.0/8 1022 - forwardedHeaders: 1023 - trustedIPs: 1024 - - 127.0.0.1/32 1025 - - 10.0.0.0/8 1026 - websecure: 1027 - proxyProtocol: 1028 - trustedIPs: 1029 - - 127.0.0.1/32 1030 - - 10.0.0.0/8 1031 - forwardedHeaders: 1032 - trustedIPs: 1033 - - 127.0.0.1/32 1034 - - 10.0.0.0/8 1035 - EOT */ 1036 - 1037 - /* traefik_merge_values = <<EOT 1038 - service: 1039 - annotations: 1040 - "load-balancer.hetzner.cloud/location": "fsn1" 1041 - EOT */ 1042 - 1043 - # If you want to use a specific Nginx helm chart version, set it below; otherwise, leave them as-is for the latest versions. 1044 - # See https://github.com/kubernetes/ingress-nginx?tab=readme-ov-file#supported-versions-table for the available versions. 1045 - # nginx_version = "" 1046 - 1047 - # Nginx, all Nginx helm values can be found at https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml 1048 - # You can also have a look at https://kubernetes.github.io/ingress-nginx/, to understand how it works, and all the options at your disposal. 1049 - # If you want to merge extra values into defaults (or nginx_values), use nginx_merge_values. 1050 - # The following is an example, please note that the current indentation inside the EOT is important. 1051 - /* nginx_values = <<EOT 1052 - controller: 1053 - watchIngressWithoutClass: "true" 1054 - kind: "DaemonSet" 1055 - config: 1056 - "use-forwarded-headers": "true" 1057 - "compute-full-forwarded-for": "true" 1058 - "use-proxy-protocol": "true" 1059 - service: 1060 - annotations: 1061 - "load-balancer.hetzner.cloud/name": "k3s" 1062 - "load-balancer.hetzner.cloud/use-private-ip": "true" 1063 - "load-balancer.hetzner.cloud/disable-private-ingress": "true" 1064 - "load-balancer.hetzner.cloud/location": "nbg1" 1065 - "load-balancer.hetzner.cloud/type": "lb11" 1066 - "load-balancer.hetzner.cloud/uses-proxyprotocol": "true" 1067 - EOT */ 1068 - 1069 - /* nginx_merge_values = <<EOT 1070 - controller: 1071 - kind: "Deployment" 1072 - EOT */ 1073 - 1074 - # If you want to use a specific HAProxy helm chart version, set it below; otherwise, leave them as-is for the latest versions. 1075 - # haproxy_version = "" 1076 - 1077 - # If you want to configure additional proxy protocol trusted IPs for haproxy, enter them here as a list of IPs (strings). 1078 - # Example for Cloudflare: 1079 - # haproxy_additional_proxy_protocol_ips = [ 1080 - # "173.245.48.0/20", 1081 - # "103.21.244.0/22", 1082 - # "103.22.200.0/22", 1083 - # "103.31.4.0/22", 1084 - # "141.101.64.0/18", 1085 - # "108.162.192.0/18", 1086 - # "190.93.240.0/20", 1087 - # "188.114.96.0/20", 1088 - # "197.234.240.0/22", 1089 - # "198.41.128.0/17", 1090 - # "162.158.0.0/15", 1091 - # "104.16.0.0/13", 1092 - # "104.24.0.0/14", 1093 - # "172.64.0.0/13", 1094 - # "131.0.72.0/22", 1095 - # "2400:cb00::/32", 1096 - # "2606:4700::/32", 1097 - # "2803:f800::/32", 1098 - # "2405:b500::/32", 1099 - # "2405:8100::/32", 1100 - # "2a06:98c0::/29", 1101 - # "2c0f:f248::/32" 1102 - # ] 1103 - 1104 - # Configure CPU and memory requests for each HAProxy pod 1105 - # haproxy_requests_cpu = "250m" 1106 - # haproxy_requests_memory = "400Mi" 1107 - 1108 - # Override values given to the HAProxy helm chart. 1109 - # All HAProxy helm values can be found at https://github.com/haproxytech/helm-charts/blob/main/kubernetes-ingress/values.yaml 1110 - # Default values can be found at https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner/blob/master/locals.tf 1111 - # If you want to merge extra values into defaults (or haproxy_values), use haproxy_merge_values. 1112 - /* haproxy_values = <<EOT 1113 - EOT */ 1114 - 1115 - /* haproxy_merge_values = <<EOT 1116 - controller: 1117 - replicaCount: 2 1118 - EOT */ 1119 - 1120 - # Rancher, all Rancher helm values can be found at https://rancher.com/docs/rancher/v2.5/en/installation/install-rancher-on-k8s/chart-options/ 1121 - # If you want to merge extra values into defaults (or rancher_values), use rancher_merge_values. 1122 - # The following is an example, please note that the current indentation inside the EOT is important. 1123 - /* rancher_values = <<EOT 1124 - ingress: 1125 - tls: 1126 - source: "rancher" 1127 - hostname: "rancher.example.com" 1128 - replicas: 1 1129 - bootstrapPassword: "supermario" 1130 - EOT */ 1131 - 1132 - /* rancher_merge_values = <<EOT 1133 - replicas: 3 1134 - EOT */ 1135 - 1136 94 } 1137 95 1138 96 provider "hcloud" { ··· 1166 124 sensitive = true 1167 125 default = "" 1168 126 } 1169 -