Fixes for Hetzner terraform and Hetzner Cloud (#8702)

* - add ability to specify the network_zone in hetzner terraform
- Export the network id from hetzner terraform the the generated inventory.ini

* - Add with_networks variable to allow different deployments of hcloud controller manager

- Add network id to hcloud controller secret (added via the inventory)

- Don't include extra_args if it's not set

contrib/terraform/hetzner/README.md

@@ -97,6 +97,7 @@ terraform destroy --var-file default.tfvars ../../contrib/terraform/hetzner
 * `prefix`: Prefix to add to all resources, if set to "" don't set any prefix
 * `ssh_public_keys`: List of public SSH keys to install on all machines
 * `zone`: The zone where to run the cluster
+* `network_zone`: the network zone where the cluster is running
 * `machines`: Machines to provision. Key of this object will be used as the name of the machine
   * `node_type`: The role of this node *(master|worker)*
   * `size`: Size of the VM

contrib/terraform/hetzner/default.tfvars

@@ -1,6 +1,6 @@
 prefix = "default"
 zone   = "hel1"
-
+network_zone = "eu-central"
 inventory_file = "inventory.ini"
 
 ssh_public_keys = [

contrib/terraform/hetzner/main.tf

@@ -10,6 +10,7 @@ module "kubernetes" {
   machines = var.machines
 
   ssh_public_keys = var.ssh_public_keys
+  network_zone = var.network_zone
 
   ssh_whitelist        = var.ssh_whitelist
   api_server_whitelist = var.api_server_whitelist
@@ -34,9 +35,9 @@ data "template_file" "inventory" {
       keys(module.kubernetes.worker_ip_addresses),
       values(module.kubernetes.worker_ip_addresses).*.public_ip,
     values(module.kubernetes.worker_ip_addresses).*.private_ip))
-
     list_master = join("\n", keys(module.kubernetes.master_ip_addresses))
     list_worker = join("\n", keys(module.kubernetes.worker_ip_addresses))
+    network_id = module.kubernetes.network_id
   }
 }
 

contrib/terraform/hetzner/modules/kubernetes-cluster/main.tf

@@ -6,7 +6,7 @@ resource "hcloud_network" "kubernetes" {
 resource "hcloud_network_subnet" "kubernetes" {
   type         = "cloud"
   network_id   = hcloud_network.kubernetes.id
-  network_zone = "eu-central"
+  network_zone = var.network_zone
   ip_range     = var.private_subnet_cidr
 }
 

contrib/terraform/hetzner/modules/kubernetes-cluster/output.tf

@@ -21,3 +21,7 @@ output "worker_ip_addresses" {
 output "cluster_private_network_cidr" {
   value = var.private_subnet_cidr
 }
+
+output "network_id" {
+  value = hcloud_network.kubernetes.id
+}

contrib/terraform/hetzner/modules/kubernetes-cluster/variables.tf

@@ -39,3 +39,6 @@ variable "private_network_cidr" {
 variable "private_subnet_cidr" {
   default = "10.0.10.0/24"
 }
+variable "network_zone" {
+  default = "eu-central"
+}

contrib/terraform/hetzner/templates/inventory.tpl

@@ -14,3 +14,6 @@ ${list_worker}
 [k8s-cluster:children]
 kube-master
 kube-node
+
+[k8s-cluster:vars]
+network_id=${network_id}

contrib/terraform/hetzner/variables.tf

@@ -1,6 +1,10 @@
 variable "zone" {
   description = "The zone where to run the cluster"
 }
+variable "network_zone" {
+  description = "The network zone where the cluster is running"
+  default = "eu-central"
+}
 
 variable "prefix" {
   description = "Prefix for resource names"

inventory/sample/group_vars/all/hcloud.yml

@@ -2,7 +2,7 @@
 # external_hcloud_cloud:
 #   hcloud_api_token: ""
 #   token_secret_name: hcloud
-#
+#   with_networks: false # Use the hcloud controller-manager with networks support https://github.com/hetznercloud/hcloud-cloud-controller-manager#networks-support
 #   service_account_name: cloud-controller-manager
 #
 #   controller_image_tag: "latest"

roles/kubernetes-apps/external_cloud_controller/hcloud/tasks/main.yml

@@ -9,8 +9,8 @@
     - {name: external-hcloud-cloud-secret, file: external-hcloud-cloud-secret.yml}
     - {name: external-hcloud-cloud-service-account, file: external-hcloud-cloud-service-account.yml}
     - {name: external-hcloud-cloud-role-bindings, file: external-hcloud-cloud-role-bindings.yml}
-    - {name: external-hcloud-cloud-controller-manager-ds, file: external-hcloud-cloud-controller-manager-ds.yml}
-    - {name: external-hcloud-cloud-controller-manager-ds-with-networks, file: external-hcloud-cloud-controller-manager-ds-with-networks.yml}
+    - {name: "{{ 'external-hcloud-cloud-controller-manager-ds-with-networks' if external_hcloud_cloud.with_networks  else 'external-hcloud-cloud-controller-manager-ds' }}", file: "{{ 'external-hcloud-cloud-controller-manager-ds-with-networks.yml' if external_hcloud_cloud.with_networks  else  'external-hcloud-cloud-controller-manager-ds.yml' }}"}
+
   register: external_hcloud_manifests
   when: inventory_hostname == groups['kube_control_plane'][0]
   tags: external-hcloud

roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-controller-manager-ds-with-networks.yml.j2

@@ -1,6 +1,6 @@
 ---
 apiVersion: apps/v1
-kind: DeamonSet
+kind: DaemonSet
 metadata:
   name: hcloud-cloud-controller-manager
   namespace: kube-system
@@ -44,10 +44,13 @@ spec:
             - "--allow-untagged-cloud"
             - "--allocate-node-cidrs=true"
             - "--cluster-cidr=10.244.0.0/16"
+{% if external_hcloud_cloud.controller_extra_args is defined %}
+
           args:
 {% for key, value in external_hcloud_cloud.controller_extra_args.items() %}
             - "{{ '--' + key + '=' + value }}"
 {% endfor %}
+{% endif %}
           resources:
             requests:
               cpu: 100m
@@ -60,10 +63,10 @@ spec:
             - name: HCLOUD_TOKEN
               valueFrom:
                 secretKeyRef:
-                  name: hcloud
+                  name: {{ external_hcloud_cloud.token_secret_name }}
                   key: token
             - name: HCLOUD_NETWORK
               valueFrom:
                 secretKeyRef:
                   name: {{ external_hcloud_cloud.token_secret_name }}
-                  key: {{ external_hcloud_cloud.token_secret_key }}
+                  key: network

roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-controller-manager-ds.yml.j2

@@ -1,6 +1,6 @@
 ---
 apiVersion: apps/v1
-kind: DeamonSet
+kind: DaemonSet
 metadata:
   name: hcloud-cloud-controller-manager
   namespace: kube-system
@@ -41,10 +41,12 @@ spec:
             - "--cloud-provider=hcloud"
             - "--leader-elect=false"
             - "--allow-untagged-cloud"
+{% if external_hcloud_cloud.controller_extra_args is defined %}
           args:
 {% for key, value in external_hcloud_cloud.controller_extra_args.items() %}
             - "{{ '--' + key + '=' + value }}"
 {% endfor %}
+{% endif %}
           resources:
             requests:
               cpu: 100m
@@ -58,4 +60,4 @@ spec:
               valueFrom:
                 secretKeyRef:
                   name: {{ external_hcloud_cloud.token_secret_name }}
-                  key: {{ external_hcloud_cloud.token_secret_key }}
+                  key: token

roles/kubernetes-apps/external_cloud_controller/hcloud/templates/external-hcloud-cloud-secret.yml.j2

@@ -5,4 +5,7 @@ metadata:
   name: "{{ external_hcloud_cloud.token_secret_name }}"
   namespace: kube-system
 data:
-  token: "{{ external_hcloud_cloud.hcloud_api_token | base64 }}"
+  token: "{{ external_hcloud_cloud.hcloud_api_token | b64encode }}"
+{% if external_hcloud_cloud.with_networks  %}
+  network: "{{ network_id|b64encode }}"
+{% endif %}