bug: stuck

test: try doing the lb separately
feat: got it all working
2026-01-01 17:10:55 -05:00 · 2026-01-01 15:59:48 -05:00 · 2026-01-01 15:07:44 -05:00 · 2025-12-31 17:23:04 -05:00 · 2025-12-31 16:19:17 -05:00 · 2025-12-31 14:12:34 -05:00
15 changed files with 433 additions and 34 deletions
--- a/README.md
+++ b/README.md
@@ -1,3 +1,9 @@
 # hetzner-cluster
 Create a private Kubernetes cluster on Hetzner Cloud.
 ## Resources
 <https://community.hetzner.com/tutorials/kubernetes-on-hetzner-with-crio-flannel-and-hetzner-balancer>
 <https://community.hetzner.com/tutorials/how-to-set-up-nat-for-cloud-networks>
--- a/Taskfile.yml
+++ b/Taskfile.yml
@@ -6,6 +6,7 @@ tasks:
  tf:destroy: ansible-playbook playbooks/destroy.yml {{.CLI_ARGS}}
  configure-nat: ansible-playbook playbooks/configure_nat.yml {{.CLI_ARGS}}
  configure-servers: ansible-playbook playbooks/configure_servers.yml {{.CLI_ARGS}}
  deploy: ansible-playbook playbooks/install_k8s.yml {{.CLI_ARGS}}
  enter:
    cmd: ssh -i {{.KEY}} -p 22 root@{{.IP}}
--- a/inventory.cfg
+++ b/inventory.cfg
@@ -4,3 +4,4 @@ nat
 [servers]
 node-a
 node-b
 control
--- a/playbooks/destroy.yml
+++ b/playbooks/destroy.yml
@@ -4,7 +4,7 @@
  vars_files:
    - ../vault.yml
  tasks:
-    - name: Destroy
+    - name: Destroy Terraform.
      community.general.terraform:
        project_path: '../terraform'
        state: "absent"
--- a/playbooks/install_k8s.yml
+++ b/playbooks/install_k8s.yml
@@ -0,0 +1,237 @@
 # - name: Configure compute for the cluster.
 #   hosts: servers
 #   gather_facts: false
 #   vars:
 #     kubernetes_version: v1.30
 #   tasks:
 #     - name: Download Kubernetes key.
 #       ansible.builtin.apt_key:
 #         url: https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/Release.key
 #         state: present
 #     - name: Download Kubernetes repository.
 #       ansible.builtin.apt_repository:
 #         repo: "deb https://pkgs.k8s.io/core:/stable:/{{ kubernetes_version }}/deb/ /"
 #         state: present
 #     - name: Download CRI-O key.
 #       ansible.builtin.apt_key:
 #         url: https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/Release.key
 #         state: present
 #     - name: Download CRI-O repository.
 #       ansible.builtin.apt_repository:
 #         repo: "deb https://pkgs.k8s.io/addons:/cri-o:/prerelease:/main/deb/ /"
 #         state: present
 #     - name: Download Helm key.
 #       ansible.builtin.apt_key:
 #         url: https://packages.buildkite.com/helm-linux/helm-debian/gpgkey
 #         state: present
 #     - name: Download Helm repository.
 #       ansible.builtin.apt_repository:
 #         repo: "deb https://packages.buildkite.com/helm-linux/helm-debian/any/ any main"
 #         state: present
 #     - name: Install packages.
 #       ansible.builtin.apt:
 #         state: present
 #         update_cache: true
 #         name: [cri-o, kubelet, kubeadm, kubectl, python3-pip, helm, git]
 #     - name: Install Kubernetes Python packages.
 #       ansible.builtin.pip:
 #         name: [kubernetes, pyyaml]
 #         state: present
 #         break_system_packages: true
 #     - name: Enable `br_netfilter` module.
 #       community.general.modprobe:
 #         name: br_netfilter
 #         state: present
 #       notify: Reboot the nodes.
 #     - name: Configure `sysctl` permanently.
 #       ansible.posix.sysctl:
 #         name: '{{ item }}'
 #         value: '1'
 #         state: present
 #         reload: true
 #       loop:
 #         - net.bridge.bridge-nf-call-iptables
 #         - net.ipv4.ip_forward
 #   handlers:
 #     - name: Reboot the nodes.
 #       ansible.builtin.reboot:
 # - name: Spawn new cluster on control node.
 #   hosts: control
 #   gather_facts: false
 #   vars:
 #     config_template: ../templates/InitConfiguration.yml.jinja2
 #     config:
 #       bootstrap_token: "{{ secrets.bootstrap_token }}"
 #       node_ip: 10.0.2.11
 #       node_name: control
 #   vars_files:
 #     - ../vault.yml
 #   tasks:
 #     - name: Test for cluster.
 #       kubernetes.core.k8s_cluster_info:
 #       register: api_status
 #       ignore_errors: true
 #     - name: Copy configuration over.
 #       ansible.builtin.template:
 #         src: "{{ config_template }}"
 #         dest: InitConfiguration.yml
 #         mode: preserve
 #       when: "api_status.failed"
 #     - name: Initialize cluster.
 #       ansible.builtin.command:
 #         kubeadm init --config InitConfiguration.yml
 #       changed_when: true
 #       when: "api_status.failed"
 #     - name: Apply the Kubernetes config to the shell.
 #       ansible.builtin.lineinfile:
 #         path: /etc/environment
 #         line: 'KUBECONFIG=/etc/kubernetes/admin.conf'
 #       when: "api_status.failed"
 # - name: Join worker nodes to cluster.
 #   hosts: [node-a, node-b]
 #   vars:
 #     join_template: ../templates/JoinConfiguration.yml.jinja2
 #     join_control_ip: 10.0.2.11
 #     join_bootstrap_token: "{{ secrets.bootstrap_token }}"
 #   vars_files:
 #     - ../vault.yml
 #   tasks:
 #     - name: Copy join configuration over.
 #       vars:
 #         join_worker_ip: "{{ ansible_default_ipv4.address }}"
 #         join_worker_name: "{{ ansible_hostname }}"
 #       ansible.builtin.template:
 #         src: "{{ join_template }}"
 #         dest: JoinConfiguration.yml
 #         mode: preserve
 #     - name: Join the nodes.
 #       ansible.builtin.command:
 #         kubeadm join --config JoinConfiguration.yml
 #       changed_when: true
 # - name: Install Helm Diff.
 #   gather_facts: false
 #   hosts: control
 #   tasks:
 #     - name: Install it.
 #       kubernetes.core.helm_plugin:
 #         plugin_path: https://github.com/databus23/helm-diff
 #         state: present
 - name: Install CNI.
  gather_facts: false
  hosts: control
  tasks:
    - name: Assign nodes as workers.
      kubernetes.core.k8s:
        state: patched
        kind: Node
        name: "{{ item }}"
        definition:
          metadata:
            labels:
              node-role.kubernetes.io/worker: worker
      loop: [node-a, node-b]
    - name: Create Flannel namespace.
      kubernetes.core.k8s:
        state: present
        kind: Namespace
        name: kube-flannel
    - name: Add privilege to the namespace.
      kubernetes.core.k8s:
        state: patched
        kind: Namespace
        name: kube-flannel
        definition:
          metadata:
            labels:
              pod-security.kubernetes.io/enforce: privileged
    - name: Add Flannel repository.
      kubernetes.core.helm_repository:
        name: flannel
        url: https://flannel-io.github.io/flannel/
        state: present
    - name: Install Flannel.
      kubernetes.core.helm:
        name: flannel
        chart_ref: flannel/flannel
        namespace: kube-flannel
        values:
          podCidr: 10.244.0.0/16
        state: present
    - name: Patch CoreDNS deployment.
      kubernetes.core.k8s_json_patch:
        name: coredns
        namespace: kube-system
        kind: Deployment
        patch:
          - op: add
            path: /spec/template/spec/tolerations/-
            value:
              key: node.cloudprovider.kubernetes.io/uninitialized
              value: "true"
              effect: NoSchedule
 - name: Install `nginx` Controller.
  gather_facts: false
  hosts: control
  vars_files:
    - ../vault.yml
    - ../secrets/tf_outputs.yml
  tasks:
    - name: Remove schedule taint to nodes.
      kubernetes.core.k8s_taint:
        state: absent
        name: "{{ item }}"
        taints:
          - key: node.cloudprovider.kubernetes.io/uninitialized
            value: true
            effect: NoSchedule
      loop: [node-a, node-b]
    - name: Add `ingress-nginx` repository.
      kubernetes.core.helm_repository:
        name: ingress-nginx
        url: https://kubernetes.github.io/ingress-nginx
        state: present
    - name: Copy over values file.
      vars:
        values_template: ../templates/IngressValues.yml.jinja2
        load_balancer_name: "{{ variables.load_balancer_name }}"
        network_zone: "{{ variables.network_zone }}"
        certificate_name: "test"
      ansible.builtin.template:
        src: "{{ values_template }}"
        dest: IngressValues.yml
        mode: preserve
    - name: Install it.
      kubernetes.core.helm:
        name: ingress-nginx-controller
        chart_ref: ingress-nginx/ingress-nginx
        namespace: kube-system
        state: present
        update_repo_cache: true
        values_files: [IngressValues.yml]
--- a/templates/HCCMValues.yml.jinja2
+++ b/templates/HCCMValues.yml.jinja2
@@ -0,0 +1,3 @@
 networking:
  enabled: "true"
  clusterCIDR: "10.244.0.0/16"
--- a/templates/IngressValues.yml.jinja2
+++ b/templates/IngressValues.yml.jinja2
@@ -0,0 +1,17 @@
 controller:
  dnsPolicy: ClusterFirstWithHostNet
  hostNetwork: true
  kind: DaemonSet
  service:
    annotations:
      load-balancer.hetzner.cloud/name: {{ load_balancer_name }}
      load-balancer.hetzner.cloud/type: "lb11"
      load-balancer.hetzner.cloud/ipv6-disabled: "true"
      load-balancer.hetzner.cloud/use-private-ip: "true"
      load-balancer.hetzner.cloud/protocol: "https"
      load-balancer.hetzner.cloud/network-zone: {{ network_zone }}
      load-balancer.hetzner.cloud/http-certificates: {{ certificate_name }}
      load-balancer.hetzner.cloud/http-redirect-http: "true"
    enableHttp: false
    targetPorts:
      https: http
--- a/templates/InitConfiguration.yml.jinja2
+++ b/templates/InitConfiguration.yml.jinja2
@@ -0,0 +1,42 @@
 apiVersion: kubeadm.k8s.io/v1beta3
 bootstrapTokens:
  - groups:
      - system:bootstrappers:kubeadm:default-node-token
    token: {{ config.bootstrap_token }}
    ttl: 24h0m0s
    usages:
      - signing
      - authentication
 kind: InitConfiguration
 localAPIEndpoint:
  advertiseAddress: {{ config.node_ip }}
  bindPort: 6443
 nodeRegistration:
  criSocket: unix:///var/run/crio/crio.sock
  imagePullPolicy: IfNotPresent
  kubeletExtraArgs:
    cloud-provider: external
    node-ip: {{ config.node_ip }}
  name: {{ config.node_name }}
  taints: null
 ---
 apiServer:
  timeoutForControlPlane: 4m0s
  certSANs:
    - {{ config.node_ip }}
 apiVersion: kubeadm.k8s.io/v1beta3
 certificatesDir: /etc/kubernetes/pki
 clusterName: kubernetes
 controllerManager: {}
 dns: {}
 etcd:
  local:
    dataDir: /var/lib/etcd
 imageRepository: registry.k8s.io
 kind: ClusterConfiguration
 kubernetesVersion: 1.30.0
 networking:
  dnsDomain: cluster.local
  serviceSubnet: 10.96.0.0/12
  podSubnet: 10.244.0.0/16
 scheduler: {}
--- a/templates/JoinConfiguration.yml.jinja2
+++ b/templates/JoinConfiguration.yml.jinja2
@@ -0,0 +1,18 @@
 apiVersion: kubeadm.k8s.io/v1beta3
 caCertPath: /etc/kubernetes/pki/ca.crt
 discovery:
  bootstrapToken:
    apiServerEndpoint: {{ join_control_ip }}:6443
    token: {{ join_bootstrap_token }}
    unsafeSkipCAVerification: true
  timeout: 5m0s
  tlsBootstrapToken: {{ join_bootstrap_token }}
 kind: JoinConfiguration
 nodeRegistration:
  criSocket: unix:///var/run/crio/crio.sock
  imagePullPolicy: IfNotPresent
  kubeletExtraArgs:
    cloud-provider: external
    node-ip: {{ join_worker_ip }}
  name: {{ join_worker_name }}
  taints: null
--- a/terraform/compute.tf
+++ b/terraform/compute.tf
@@ -51,3 +51,18 @@ resource "hcloud_server" "server" {
  depends_on = [hcloud_network_subnet.subnet]
 }
 resource "hcloud_load_balancer" "lb" {
  name               = "lb-hetzner"
  load_balancer_type = "lb11"
  network_zone       = "eu-central"
 }
 resource "hcloud_load_balancer_target" "load_balancer_target" {
  for_each = hcloud_server.server
  type             = "server"
  load_balancer_id = hcloud_load_balancer.lb.id
  use_private_ip   = true
  server_id        = each.value.id
 }
--- a/terraform/network.tf
+++ b/terraform/network.tf
@@ -19,3 +19,10 @@ resource "hcloud_network_route" "gateway" {
  destination = "0.0.0.0/0"
  gateway     = local.nat-private-ip
 }
 // Attach the load blaancer to the private network.
 resource "hcloud_load_balancer_network" "attachment" {
  load_balancer_id = hcloud_load_balancer.lb.id
  subnet_id        = hcloud_network_subnet.subnet.id
  ip               = local.lb-private-ip
 }
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@@ -1,3 +1,7 @@
 output "nat_public_ip" {
  value = hcloud_server.nat.ipv4_address
 }
 output "private_network_id" {
  value = hcloud_network.net.id
 }
--- a/terraform/routing.tf
+++ b/terraform/routing.tf
@@ -0,0 +1,32 @@
 data "hcloud_zone" "zone" {
  name = local.domain
 }
 // Attach the load balancer to the domain.
 resource "hcloud_zone_rrset" "records" {
  for_each = toset(["@", "*"])
  zone     = data.hcloud_zone.zone.name
  name     = each.value
  type     = "A"
  ttl      = 60
  records  = [{ value = hcloud_load_balancer.lb.ipv4 }]
  change_protection = false
 }
 // A managed certificate for the domain, to be used by the load balancer.
 resource "hcloud_managed_certificate" "main" {
  name         = local.certificate_name
  domain_names = ["*.${local.domain}", "${local.domain}"]
 }
 resource "hcloud_load_balancer_service" "load_balancer_service" {
  load_balancer_id = hcloud_load_balancer.lb.id
  protocol         = "https"
  http {
    sticky_sessions = true
    certificates    = [hcloud_managed_certificate.main.id]
    redirect_http   = true
  }
 }
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@@ -3,10 +3,16 @@ locals {
  subnet-cidr = "10.0.2.0/24"
  nat-private-ip = "10.0.2.8"
  lb-private-ip  = "10.0.2.128"
  servers = {
    control = "10.0.2.11"
    node-a  = "10.0.2.9"
    node-b  = "10.0.2.10"
  }
  domain = "maximhutz.com"
  certificate_name = "Main Certificate"
 }
 variable "public_key_file" {
--- a/vault.yml
+++ b/vault.yml
@@ -1,30 +1,40 @@
 $ANSIBLE_VAULT;1.1;AES256
-39353161316464393931613836373735326631623763363337313366303631326661356239346261
+62656134326239313562396138346634316530303635353562616163323836666132616565366336
-3939383335343235643439393434353266376662336136640a616231346663633738336265393437
+3035353733653832316165356663303264396439393232390a666465306363356335383734616438
-61386631343036353765643139373764353437323562376263316562346430613837663833383638
+37313833663535356163616666343933303363383462353064633538333433373431663161626230
-3866353634633564310a343435393662626239666564363631666165326364313730653031393466
+3962303165346162360a626536313165643466343965633431343833653163656266396535656232
-63316539346466663535306232633835306664353262376366623630653730386565333262326430
+35653139613737336431323733616533363531616131613965663534343938396661336331376633
-65656435386530623463643436626236393065376639636161316161313236376565353761653835
+62306130323131626435303262326261376630616433613363363536663638306261643734363661
-65313039313339323933343765303561643631346236396638306131613936666165353661613731
+66366631393034653536343163313862623733316465376533313030393761363033376536643861
-31333162613364333230396638363663613435613637313536623330336463613363623034613565
+63313735343033656332333838343532343236623435303135383033306131313930316137613634
-38326332343537323364373930623435313231666264646562383930633731306130323938393838
+37386339313530353534343162613733333935333136656134623862323861653739353636366363
-35646261646635303030373265396139336363656463633230646332643832336239323137633337
+38656565643437663330353366636331316337626438323162393838346534393063386338326336
-62343438616266623630336235663563666432383732393963396436613934653931633036346332
+64373030336466376432386334653737313461626264396431613330393938316230623235663962
-66376433376265363539313435383965316564653232333737333137383065363362346562346463
+62323431626261386238363163646662336134373534376632653431396532626438613830396164
-65343033353163316430656132663261626562323762303165633666613233353132376531303532
+34663434656131336265353336633930666230323131633130373833396230313634646134353464
-66376131396633366435336165326432356535663232643631316464613065316139623363356537
+30373537623939316565393966376439336465623330353037303536306632646361643437306139
-66326634656330303537376633633463616663633761643561306665326364333464333163386635
+36393232623236613737336263396138376336396335316465663661613635636232383435666230
-37376362643065656265386232373066313562396139636131626330303364353636613139383565
+65333361656337653135363239346264613530626231636635303466326331323832383337626534
-63393733303638393335303765343366353063633433666363323631303334396537323430366361
+64306630306531393461356535336136323833643735353232343336623830656563616663353933
-65313131383339383265323436356630623265313436653565346133383335303862613234663539
+34656562626238343030383833326333323463306634616333303531633832326532316664383837
-65366434623639346261373361393065386466623061613165326436313935376137363236333663
+65343463323837376630323663323961636631376535313538646462626130653431306563323137
-36653933623836316163663531373139303334333162393637613633303261653934623830313337
+35616335333265306366376532353861643935663764326334313035323432343361306639643633
-63363931393639373533393236646361313938643062356436626266373339316437323930383464
+62643932303161326634656463633166643062363262303665633261303730353438633834326432
-61306132303463623162646264613439386137396464613930353439646135313036356138323039
+63386439653266333561336432653737316538333330613662356535363162633635663039646430
-37366430386661333862666364313563663239383435613161613436313831633863356465623437
+31363866396265613639333266636532373438366430663632633061663736366366623061313765
-62343639336638346663363036313965623833616632653065313031393137656562663563613637
+37313932613339643731616263656636303439633637623935333136353866303361396230393632
-62396130396238333232323632656334333030373265613230306332643166353135656335346535
+37316566303932336361653335353632353161353864616361326665393065363736363430666464
-38316265383866306333356263643233333861663036316164313932306134396133356332336461
+62656333393632313664653837393335353662363965313238633131313631373534313336613831
-32323833323430653830396430393731343961393638656534663963333632646364303063356432
+33313762316330653835616637323134656536626661343833373336363430633836663831643563
-33623436646539373864386535383832333461313936613363346433666636623561373837383537
+39303364656638306661616537623538663230326639643533306538353435626336383435633836
-6237
+35656633313436623733666464346337343664393236336535616135333032363034666333316233
 65363537633630356662353034613935366330643361393631353561643062376239343363646462
 38633335356234396334313265393235636337663365646533343234323634646166623038343266
 32646432653731383366616333633862643531303633613136386331383365376633343935666563
 33363035356365626263646132353631653336383939646538393336393463626632663661663962
 63656238353463356665633964316135646264333262633862643234313035386230666661643733
 65396534636365356130356463393634646136373362343334636138633531383135333637323635
 35366131353261643661373366653838373238343732633430653862613134386565303765326166
 32386465336231666564653361653235646231623065643738613939353439323430656236613633
 63333034303863633036613662313238383430373365353637323062363363303461333766373164
 393133613238363662663335626561393630
Author	SHA1	Message	Date
Max	44d59737c7	bug: stuck	2026-01-01 17:10:55 -05:00
Max	b04298adfb	test: try doing the lb separately	2026-01-01 15:59:48 -05:00
Max	4768c94b24	feat: got it all working	2026-01-01 15:07:44 -05:00
Max	380ddb8920	feat: up to final step	2025-12-31 17:23:04 -05:00
Max	9a323672bc	feat: up to hetzner cloud controller creation	2025-12-31 16:19:17 -05:00
Max	9066a8e600	fix: remove aws provider	2025-12-31 14:12:34 -05:00
Max	31118df33a	fix: forgot to remove lb attachment	2025-12-31 14:05:05 -05:00
Max	d4ae65180b	feat: removed lb, added managed cert	2025-12-31 14:03:47 -05:00
Max	f39b29288e	feat: attach lb to network	2025-12-31 12:13:02 -05:00
Max	a916da7d45	feat: new load balancer, with dns via route 53	2025-12-31 12:10:52 -05:00
Max	b8938983dc	feat: add control plane to inventory	2025-12-31 11:10:17 -05:00
Max	42642ae933	feat: add control plane node	2025-12-31 11:07:40 -05:00