Feature: Disable public ips on autoscaled nodes

[xavierleune]

The pull request #1567 lacks implementation for autoscaled nodes.

⚠️ This pull request actually depends on hetznercloud/terraform-provider-hcloud#1115 to fetch private ip in data_source.server

[gemini-code-assist]

Hello @xavierleune, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

This pull request introduces the ability to disable public IPv4 and IPv6 addresses on autoscaled nodes within the Kubernetes cluster managed by this Terraform module. This feature enhances security and reduces costs by preventing the assignment of public IPs to nodes that only require internal network access. The changes involve adding new variables to control the disabling of public IPs, modifying the autoscaler agent configuration to reflect these settings, and updating the documentation to reflect the new feature.

Highlights

• New Feature: Introduces autoscaler_disable_ipv4 and autoscaler_disable_ipv6 variables to disable public IPs on autoscaled nodes.
• Configuration Changes: Modifies autoscaler-agents.tf to pass the disable IPv4/IPv6 flags to the cloud-init configuration.
• Cloud-init Template Update: Updates templates/autoscaler-cloudinit.yaml.tpl to configure the default route based on public IP availability.
• Documentation Update: Updates README.md and kube.tf.example to document the new autoscaler_disable_ipv4 and autoscaler_disable_ipv6 variables.

Changelog

Click here to see the changelog

• README.md
  • Added documentation for autoscaler_disable_ipv4 and autoscaler_disable_ipv6 variables, explaining how to disable public IPs on autoscaled nodes.
  • Updated line 1016 to include the new variables.
• autoscaler-agents.tf
  • Passed var.autoscaler_disable_ipv4 and var.autoscaler_disable_ipv6 to the local context for use in cloud-init configuration (line 44).
  • Added private_network_only parameter to data "cloudinit_config" "autoscaler_config" and data "cloudinit_config" "autoscaler_legacy_config" based on the IPv4/IPv6 disable flags (lines 122 and 157).
• kube.tf.example
  • Added example configuration for disabling public IPs on autoscaled nodes using autoscaler_disable_ipv4 and autoscaler_disable_ipv6 (lines 364-366).
• templates/autoscaler-cloudinit.yaml.tpl
  • Added conditional logic to configure the default route based on the private_network_only flag (lines 46-50).
• templates/autoscaler.yaml.tpl
  • Added conditional logic to set HCLOUD_PUBLIC_IPV4 and HCLOUD_PUBLIC_IPV6 environment variables to "false" if the corresponding disable flags are set (lines 197-204).
• variables.tf
  • Added autoscaler_disable_ipv4 variable with a description and default value of false (lines 362-366).
  • Added autoscaler_disable_ipv6 variable with a description and default value of false (lines 368-372).

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

No public IPs,
A private network's grace,
Security thrives now.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces the ability to disable public IPs on autoscaled nodes, which enhances security and reduces costs for users who don't require public IPs. The changes seem well-structured and cover the necessary files. However, there are a few points that need attention to ensure correctness and maintainability.

Summary of Findings

• Conditional Default Route Configuration: The logic for configuring the default route based on public IP availability in autoscaler-cloudinit.yaml.tpl relies on the private_network_only variable. It's crucial to ensure that this logic is robust and handles all possible scenarios correctly to avoid routing issues.
• Variable Description Consistency: The descriptions for autoscaler_disable_ipv4 and autoscaler_disable_ipv6 variables in variables.tf are identical. While functionally correct, consider rephrasing them slightly to emphasize the specific IPv version being disabled for clarity.
• HCloud Public IP Environment Variables: The templates/autoscaler.yaml.tpl file sets environment variables HCLOUD_PUBLIC_IPV4 and HCLOUD_PUBLIC_IPV6 to "false" based on the disable_ipv4 and disable_ipv6 variables. Ensure that these environment variables are correctly utilized by the cluster autoscaler to prevent the allocation of public IPs.

Merge Readiness

The pull request introduces a valuable feature for disabling public IPs on autoscaled nodes. However, before merging, it's essential to address the identified issues, particularly the conditional default route configuration and variable description consistency. I am unable to directly approve this pull request, and recommend that others review and approve this code before merging. Given the medium severity issues identified, I recommend that these be addressed before merging.

[gemini-code-assist]

Consider adding a comment explaining why these variables are being passed directly into the local block. This will help future maintainers understand the purpose of these variables and how they affect the autoscaler configuration.

      node_pools                                 = var.autoscaler_nodepools,
      # Pass disable_ipv4 and disable_ipv6 to configure network settings for autoscaled nodes
      disable_ipv4                               = var.autoscaler_disable_ipv4,
      disable_ipv6                               = var.autoscaler_disable_ipv6,

[gemini-code-assist]

This section configures the default route based on private_network_only. It's crucial to ensure that this logic is robust and handles all possible scenarios correctly. Consider adding comments to explain the IP addresses used (10.0.0.1 and 172.31.1.1) and their significance in the context of Hetzner Cloud networking. What happens if neither of these routes are valid?

# Configure default route based on public ip availability
%{if private_network_only~}
# 10.0.0.1 is the gateway for private networks
- [ip, route, add, default, via, '10.0.0.1', dev, 'eth0']
%{else~}
# 172.31.1.1 is the gateway for public networks
- [ip, route, add, default, via, '172.31.1.1', dev, 'eth0']
%{endif~}

[git-cachalot]

Great 👌

[loomsen]

Any chance we can see this merged soon?

Also, just for my understanding, why do we make private_network_only and the ipv4 routes set based on it dependent on ipv6? wouldn't it suffice to check if ipv4 is disabled and set the routes accordingly? ipv6 in the end has nothing to do with ipv4 routes, or am I mistaken somewhere?

[xavierleune]

@loomsen the pull request hetznercloud/terraform-provider-hcloud#1115 has been merged but now we should wait for the release of the version 1.51.0 hetznercloud/terraform-provider-hcloud#1119, feel free to reach on this pull request ^^

[mysticaltech]

Well done @xavierleune, as soon as hcloud 1.51.0 is shipped, going to merge this. Please if you can, add the minimum hcloud version in the code, you can grep for "hetznercloud/hcloud" to find the locations where to update the values.

[loomsen]

Well, that was quick, 1.51.0 got released :)

[apricote]

(Maintainer of the terraform provider)

We try to cut releases regularly without overwhelming users with too many small releases. If you reach out and say that you are actually blocked by it then this tips the scales, and we usually cut the release quickly.

[loomsen]

@mysticaltech can we go ahead and merge here? :) I could drop my local patch version then

[xavierleune]

@mysticaltech requirements are up to date !

[mysticaltech]

Thank you everyone, on it.