Use kops-controller on hetzner, even with gossip

This is a more secure configuration.
2023-06-11 07:15:31 -04:00 · 2023-06-11 07:15:31 -04:00 · abd274b3f9
parent 75b6da4641
commit abd274b3f9
3 changed files with 50 additions and 27 deletions
--- a/pkg/apis/kops/model/features.go
+++ b/pkg/apis/kops/model/features.go
@ -52,11 +52,14 @@ func UseChallengeCallback(cloudProvider kops.CloudProviderID) bool {

 // UseKopsControllerForNodeConfig checks if nodeup should use kops-controller to get nodeup.Config.
 func UseKopsControllerForNodeConfig(cluster *kops.Cluster) bool {
+	if cluster.UsesLegacyGossip() {
 		switch cluster.Spec.GetCloudProvider() {
 		case kops.CloudProviderGCE:
 			// We can use cloud-discovery here.
+		case kops.CloudProviderHetzner:
+			// We don't have a cloud-discovery mechanism implemented in nodeup for hetzner,
+			// but we assume that we're using a load balancer with a fixed IP address
 		default:
-		if cluster.UsesLegacyGossip() {
 			return false
 		}
 	}
--- a/pkg/model/hetznermodel/loadbalancer.go
+++ b/pkg/model/hetznermodel/loadbalancer.go
@ -60,7 +60,7 @@ func (b *LoadBalancerModelBuilder) Build(c *fi.CloudupModelBuilderContext) error
 		},
 	}

-	if b.Cluster.UsesNoneDNS() {
+	if b.Cluster.UsesNoneDNS() || b.UseKopsControllerForNodeBootstrap() {
 		loadbalancer.Services = append(loadbalancer.Services, &hetznertasks.LoadBalancerService{
 			Protocol:        string(hcloud.LoadBalancerServiceProtocolTCP),
 			ListenerPort:    fi.PtrTo(wellknownports.KopsControllerPort),
--- a/upup/pkg/fi/cloudup/apply_cluster.go
+++ b/upup/pkg/fi/cloudup/apply_cluster.go
@ -1419,7 +1419,7 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 	}

 	// Set API server address to an IP from the cluster network CIDR
-	if cluster.UsesNoneDNS() {
+	var controlPlaneIPs []string
 	switch cluster.Spec.GetCloudProvider() {
 	case kops.CloudProviderAWS, kops.CloudProviderHetzner, kops.CloudProviderOpenstack:
 		// Use a private IP address that belongs to the cluster network CIDR (some additional addresses may be FQDNs or public IPs)
@ -1430,7 +1430,7 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 					return nil, nil, fmt.Errorf("failed to parse network CIDR %q: %w", networkCIDR, err)
 				}
 				if cidr.Contains(net.ParseIP(additionalIP)) {
-						bootConfig.APIServerIPs = append(bootConfig.APIServerIPs, additionalIP)
+					controlPlaneIPs = append(controlPlaneIPs, additionalIP)
 				}
 			}
 		}
@ -1438,25 +1438,45 @@ func (n *nodeUpConfigBuilder) BuildConfig(ig *kops.InstanceGroup, apiserverAddit
 	case kops.CloudProviderDO, kops.CloudProviderScaleway:
 		// Use any IP address that is found (including public ones)
 		for _, additionalIP := range apiserverAdditionalIPs {
-				bootConfig.APIServerIPs = append(bootConfig.APIServerIPs, additionalIP)
+			controlPlaneIPs = append(controlPlaneIPs, additionalIP)
 		}

 	case kops.CloudProviderGCE:
 		// Use any IP address that is found (including public ones)
 		for _, additionalIP := range apiserverAdditionalIPs {
-				bootConfig.APIServerIPs = append(bootConfig.APIServerIPs, additionalIP)
+			controlPlaneIPs = append(controlPlaneIPs, additionalIP)
 		}
+	}
+
+	if cluster.UsesNoneDNS() {
+		switch cluster.Spec.GetCloudProvider() {
+		case kops.CloudProviderAWS, kops.CloudProviderHetzner, kops.CloudProviderOpenstack:
+			bootConfig.APIServerIPs = controlPlaneIPs
+
+		case kops.CloudProviderDO, kops.CloudProviderScaleway:
+			bootConfig.APIServerIPs = controlPlaneIPs
+
+		case kops.CloudProviderGCE:
+			bootConfig.APIServerIPs = controlPlaneIPs
+
 		default:
 			return nil, nil, fmt.Errorf("'none' DNS topology is not supported for cloud %q", cluster.Spec.GetCloudProvider())
 		}
+	} else {
+		// If we do have a fixed IP, we use it (on some clouds, initially)
+		switch cluster.Spec.GetCloudProvider() {
+		case kops.CloudProviderHetzner:
+			bootConfig.APIServerIPs = controlPlaneIPs
+		}
 	}

 	useConfigServer := apiModel.UseKopsControllerForNodeConfig(cluster) && !ig.HasAPIServer()
 	if useConfigServer {
 		hosts := []string{"kops-controller.internal." + cluster.ObjectMeta.Name}
-		if cluster.UsesNoneDNS() && len(bootConfig.APIServerIPs) > 0 {
+		if len(bootConfig.APIServerIPs) > 0 {
 			hosts = bootConfig.APIServerIPs
 		}
+
 		configServer := &nodeup.ConfigServerOptions{
 			CACertificates: config.CAs[fi.CertificateIDCA],
 		}