chore: Improve configuration and fix typos

tibordp · tibordp · commit 2cbc0d5996a8 · 2025-10-13T21:21:37.000+01:00
- Fix typo: adverise_addresses -&gt; advertise_addresses
- Add health check to load balancer (10s interval, 5s timeout)
- Upgrade KubeletConfiguration API to v1 (stable since K8s 1.28)
- Fix variable quoting in cluster-join.sh
- Update test script kubectl version to v1.34.1
- Fix typo in private_network example (pod_cidr_ipv6 -&gt; pod_cidr_ipv4)
- Fix ha_load_balancer example to use load_balancer_type
diff --git a/README.md b/README.md
@@ -124,7 +124,7 @@ If the node is already defunct, there are two cases to consider:
 
   It is important to remove failed members from etcd even if quorum is still present as new control plane nodes will not be able to join until etcd cluster is healthy.
 
-- etcd cluster no longer has quorum, e.g. a single control plane node is gone out of a 2-node cluster. In this case the etcd cluster will need to be rebuilt from snapshot, following the steps for [disaster recovery](https://etcd.io/docs/v3.4/op-guide/recovery/). Data loss may have occured.
+- etcd cluster no longer has quorum, e.g. a single control plane node is gone out of a 2-node cluster. In this case the etcd cluster will need to be rebuilt from snapshot, following the steps for [disaster recovery](https://etcd.io/docs/v3.6/op-guide/recovery/). Data loss may have occured.
 
 
 You may also need to manually remove the Node object, as the Hetzner Cloud Controller that is responsible for deleting defunct nodes may have been running on this very node (should not be an issue if `kubectl drain` was done first)
@@ -192,7 +192,8 @@ See [example](./examples/private_network.tf) for more details.
 Read these notes carefully before using this module in production.
 
 - Control plane services that use host networking, such as etcd, kubelet and api-server bind on a public IP. This is not a problem per se since these components all use mTLS for communication, but appropriate Hetzner Firewall rules can be added (make sure to allow UDP port 24601 for Wireguard node-to-node tunnels)
-- Wigglenet is an experimental network plugin that I wrote for my personal use and has definitely not been battle tested. `NetworkPolicy` is supported as of v0.5.0.
+- Wigglenet is a custom network plugin with a smaller community than mainstream alternatives like Cilium or Calico. It has been used successfully for several years,
+  though primarily in smaller-scale deployments. NetworkPolicy support was added in v0.5.0 and is relatively new, so don't use it as your only line of defense.
 - kubelet serving certificates are self-signed. This can be an issue for metrics-server. See [here for details and workarounds](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs).
 - Some restrictions on day-2 operations. The following are supported seamlessly, but other changes will likely require the manual steps:
    - Node replacement (see notes above for control plane nodes)
diff --git a/control_plane.tf b/control_plane.tf
@@ -5,7 +5,7 @@ locals {
 
   control_plane_endpoint = var.control_plane_endpoint != "" ? var.control_plane_endpoint : (local.use_load_balancer ? "[${hcloud_load_balancer.control_plane[0].ipv6}]" : "[${module.control_plane[0].ipv6_address}]")
 
-  adverise_addresses = var.primary_ip_family == "ipv6" ? module.control_plane.*.ipv6_address : module.control_plane.*.ipv4_address
+  advertise_addresses = var.primary_ip_family == "ipv6" ? module.control_plane.*.ipv6_address : module.control_plane.*.ipv4_address
 
   # If using IP as an apiserver endpoint, add also the IPv4 SAN to the TLS certificate
   apiserver_cert_sans = concat(var.control_plane_endpoint != "" ? [
@@ -59,7 +59,7 @@ resource "null_resource" "cluster_bootstrap" {
       apiserver_cert_sans    = local.apiserver_cert_sans
       certificate_key        = random_id.certificate_key.hex
       control_plane_endpoint = local.control_plane_endpoint
-      advertise_address      = local.adverise_addresses[0]
+      advertise_address      = local.advertise_addresses[0]
       pod_cidr_ipv4          = var.pod_cidr_ipv4
       service_cidr_ipv4      = var.service_cidr_ipv4
       service_cidr_ipv6      = var.service_cidr_ipv6
@@ -110,7 +110,7 @@ resource "null_resource" "control_plane_join" {
       ssh -i ${var.ssh_private_key_path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
         root@${local.kubeadm_host} \
         'echo $(kubeadm token create --print-join-command --ttl=60m) \
-        --apiserver-advertise-address ${local.adverise_addresses[count.index]} \
+        --apiserver-advertise-address ${local.advertise_addresses[count.index]} \
         --control-plane \
         --certificate-key ${random_id.certificate_key.hex}' | \
       ssh -i ${var.ssh_private_key_path} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
diff --git a/examples/ha_load_balancer.tf b/examples/ha_load_balancer.tf
@@ -31,7 +31,7 @@ module "cluster" {
   server_type    = "cpx31"
   node_count     = 3
 
-  control_plane_endpoint = "k8s.example.com"
+  load_balancer_type = "lb11"
 }
 
 module "workers" {
diff --git a/examples/private_network.tf b/examples/private_network.tf
@@ -29,7 +29,7 @@ module "cluster" {
   location       = "hel1"
   server_type    = "cpx31"
 
-  # The default pod_cidr_ipv6 is 10.96.0.0/16. This can be customized,
+  # The default pod_cidr_ipv4 is 10.96.0.0/16. This can be customized,
   # but it should be within the range of the private network. Also, it should
   # not overlap with the subnet specified below, as that subnet is used for nodes.
   # pod_cidr_ipv4 = "10.96.0.0/16"
diff --git a/loadbalancer.tf b/loadbalancer.tf
@@ -15,6 +15,14 @@ resource "hcloud_load_balancer_service" "control_plane" {
   listen_port      = 6443
   destination_port = 6443
   protocol         = "tcp"
+
+  health_check {
+    protocol = "tcp"
+    port     = 6443
+    interval = 10
+    timeout  = 5
+    retries  = 3
+  }
 }
 
 resource "hcloud_load_balancer_target" "control_plane_target" {
diff --git a/scripts/cluster-join.sh b/scripts/cluster-join.sh
@@ -15,6 +15,6 @@ else
   kubeadm init --config cluster.yaml --upload-certs
 fi
 
-mkdir -p $HOME/.kube
-cp -f /etc/kubernetes/admin.conf $HOME/.kube/config
-chown $(id -u):$(id -g) $HOME/.kube/config
+mkdir -p "$HOME/.kube"
+cp -f /etc/kubernetes/admin.conf "$HOME/.kube/config"
+chown "$(id -u):$(id -g)" "$HOME/.kube/config"
diff --git a/templates/kubeadm.yaml.tpl b/templates/kubeadm.yaml.tpl
@@ -1,5 +1,5 @@
 kind: KubeletConfiguration
-apiVersion: kubelet.config.k8s.io/v1beta1
+apiVersion: kubelet.config.k8s.io/v1
 cgroupDriver: systemd
 ---
 kind: InitConfiguration
diff --git a/test/test.sh b/test/test.sh
@@ -17,7 +17,7 @@ teardown_cluster() {
 
 case "$1" in
 kubectl)
-    curl -LO https://dl.k8s.io/release/v1.27.1/bin/linux/amd64/kubectl
+    curl -LO https://dl.k8s.io/release/v1.34.1/bin/linux/amd64/kubectl
     chmod +x kubectl
     ;;
 setup)

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ module "cluster" {`
`31`	`31`	`server_type = "cpx31"`
`32`	`32`	`node_count = 3`
`33`	`33`
`34`		`- control_plane_endpoint = "k8s.example.com"`
	`34`	`+ load_balancer_type = "lb11"`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`module "workers" {`