feat: Add use_nftables option, bump Kubernetes and addons (#40)

* feat: Add use_nftables option, bump Kubernetes and addons

- Add `use_nftables` variable (default true) controlling kube-proxy
  mode and wigglenet's firewall backend; defaults give nftables on
  both, false falls back to iptables on both. Gate wigglenet's
  xtables-lock mount behind iptables mode.
- Bump wigglenet to v0.6.1, Kubernetes default to v1.35.3, Hetzner
  CCM to v1.30.1, CSI driver to v2.20.0, sidecars updated to match.
- Install nftables userland on all distros so admins can inspect
  rules regardless of the active backend.
- Bump default server type from cpx31 to cpx32 across the module
  and all examples; bump tested Fedora image to fedora-43.
- Fix `vars.hetzner_token` typo in examples/{simple,cloud_init,private_network}.tf.
- README: drop stale ipvs/LoadBalancer hostname caveat, refresh
  example kubectl output to v1.35.3.

* change server sku

Author: tibordp

README.md

@@ -69,9 +69,9 @@ and check the access by viewing the created cluster nodes:
 ```cmd
 $ kubectl get nodes --kubeconfig=kubeconfig.conf
 NAME                  STATUS   ROLES           AGE   VERSION
-k8s-control-plane-0   Ready    control-plane   31m   v1.34.1
-k8s-worker-0          Ready    <none>          31m   v1.34.1
-k8s-worker-1          Ready    <none>          31m   v1.34.1
+k8s-control-plane-0   Ready    control-plane   31m   v1.35.3
+k8s-worker-0          Ready    <none>          31m   v1.35.3
+k8s-worker-1          Ready    <none>          31m   v1.35.3
 ```
 
 ## Supported base images
@@ -80,7 +80,7 @@ The module should work on most major RPM and DEB distros. It been tested on thes
 
 - Ubuntu 24.04 (`ubuntu-24.04`)
 - Debian 13 (`debian-13`)
-- Fedora 42 (`fedora-42`)
+- Fedora 43 (`fedora-43`)
 
 Others may work as well, but have not been tested.
 
@@ -192,15 +192,13 @@ See [example](./examples/private_network.tf) for more details.
 Read these notes carefully before using this module in production.
 
 - Control plane services that use host networking, such as etcd, kubelet and api-server bind on a public IP. This is not a problem per se since these components all use mTLS for communication, but appropriate Hetzner Firewall rules can be added (make sure to allow UDP port 24601 for Wireguard node-to-node tunnels)
-- Wigglenet is a custom network plugin with a smaller community than mainstream alternatives like Cilium or Calico. It has been used successfully for several years,
-  though primarily in smaller-scale deployments. NetworkPolicy support was added in v0.5.0 and is relatively new, so don't use it as your only line of defense.
+- Wigglenet is a custom network plugin with a smaller community than mainstream alternatives like Cilium or Calico. It has been used successfully for several years, though primarily in smaller-scale deployments.
 - kubelet serving certificates are self-signed. This can be an issue for metrics-server. See [here for details and workarounds](https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/#kubelet-serving-certs).
 - Some restrictions on day-2 operations. The following are supported seamlessly, but other changes will likely require the manual steps:
    - Node replacement (see notes above for control plane nodes)
    - Vertical scaling of node (changing the server type)
    - Horizontal scaling (changing node count).
    - Changing cluster addons settings (Wigglenet firewall settings, Hetzner API token for the Hetzner CCM and CSI).
-- As kube-proxy is configured to use IPVS mode, `load-balancer.hetzner.cloud/hostname: <hostname>` must be set on all `LoadBalancer` services, otherwise healthchecks will fail and the service will not be accessible from outsie the cluster (see [this issue](https://github.com/kubernetes/kubernetes/issues/79783) for more details)
 
 In addition some caveats for dual-stack clusters in general:
 

addons.tf

@@ -7,6 +7,7 @@ resource "null_resource" "install_addons" {
     wigglenet_manifest = templatefile("${path.module}/templates/wigglenet.yaml.tpl", {
       filter_pod_ingress_ipv6 = var.filter_pod_ingress_ipv6
       native_routing_ipv4     = var.use_hcloud_network
+      firewall_backend        = var.use_nftables ? "nftables" : "iptables"
     })
     ccm_manifest = templatefile("${path.module}/templates/hetzner_ccm.yaml.tpl", {
       use_hcloud_network = var.use_hcloud_network

control_plane.tf

@@ -65,6 +65,7 @@ resource "null_resource" "cluster_bootstrap" {
       service_cidr_ipv6      = var.service_cidr_ipv6
       primary_ip_family      = var.primary_ip_family
       kubernetes_version     = var.kubernetes_version
+      kube_proxy_mode        = var.use_nftables ? "nftables" : "iptables"
     })
     destination = "/root/cluster.yaml"
   }

examples/cloud_init.tf

@@ -12,7 +12,7 @@ terraform {
 variable "hetzner_token" {}
 
 provider "hcloud" {
-  token = vars.hetzner_token
+  token = var.hetzner_token
 }
 
 resource "hcloud_ssh_key" "key" {
@@ -25,9 +25,9 @@ module "cluster" {
 
   name           = "k8s"
   hcloud_ssh_key = hcloud_ssh_key.key.id
-  hcloud_token   = vars.hetzner_token
+  hcloud_token   = var.hetzner_token
   location       = "hel1"
-  server_type    = "cpx31"
+  server_type    = "cpx32"
 }
 
 // After control plane is set up, additional workers can be joined
@@ -37,7 +37,7 @@ resource "hcloud_server" "instance" {
   ssh_keys    = [hcloud_ssh_key.key.id]
   image       = "ubuntu-20.04"
   location    = "hel1"
-  server_type = "cpx31"
+  server_type = "cpx32"
 
   user_data = module.cluster.join_user_data
 }

examples/ha_dns_name.tf

@@ -37,7 +37,7 @@ module "cluster" {
   hcloud_ssh_key = hcloud_ssh_key.key.id
   hcloud_token   = var.hetzner_token
   location       = "nbg1"
-  server_type    = "cpx31"
+  server_type    = "cpx32"
   node_count     = 3
 
   control_plane_endpoint = "k8s.example.com"
@@ -53,7 +53,7 @@ module "workers" {
   hcloud_ssh_key = hcloud_ssh_key.key.id
   location       = "nbg1"
 
-  server_type = "cpx31"
+  server_type = "cpx32"
 }
 
 resource "aws_route53_record" "api_server_aaaa" {

examples/ha_load_balancer.tf

@@ -28,7 +28,7 @@ module "cluster" {
   hcloud_ssh_key = hcloud_ssh_key.key.id
   hcloud_token   = var.hetzner_token
   location       = "nbg1"
-  server_type    = "cpx31"
+  server_type    = "cpx32"
   node_count     = 3
 
   load_balancer_type = "lb11"
@@ -44,7 +44,7 @@ module "workers" {
   hcloud_ssh_key = hcloud_ssh_key.key.id
   location       = "nbg1"
 
-  server_type = "cpx31"
+  server_type = "cpx32"
 }
 
 output "load_balancer_ipv4" {

examples/private_network.tf

@@ -12,7 +12,7 @@ terraform {
 variable "hetzner_token" {}
 
 provider "hcloud" {
-  token = vars.hetzner_token
+  token = var.hetzner_token
 }
 
 resource "hcloud_ssh_key" "key" {
@@ -25,9 +25,9 @@ module "cluster" {
 
   name           = "k8s"
   hcloud_ssh_key = hcloud_ssh_key.key.id
-  hcloud_token   = vars.hetzner_token
+  hcloud_token   = var.hetzner_token
   location       = "hel1"
-  server_type    = "cpx31"
+  server_type    = "cpx32"
 
   # The default pod_cidr_ipv4 is 10.96.0.0/16. This can be customized,
   # but it should be within the range of the private network. Also, it should
@@ -49,7 +49,7 @@ module "workers" {
   hcloud_ssh_key = hcloud_ssh_key.key.id
   location       = "hel1"
 
-  server_type = "cpx31"
+  server_type = "cpx32"
 
   use_hcloud_network = true
   hcloud_network_id  = hcloud_network.my_net.id

examples/simple.tf

@@ -12,7 +12,7 @@ terraform {
 variable "hetzner_token" {}
 
 provider "hcloud" {
-  token = vars.hetzner_token
+  token = var.hetzner_token
 }
 
 resource "hcloud_ssh_key" "key" {
@@ -25,9 +25,9 @@ module "cluster" {
 
   name           = "k8s"
   hcloud_ssh_key = hcloud_ssh_key.key.id
-  hcloud_token   = vars.hetzner_token
+  hcloud_token   = var.hetzner_token
   location       = "hel1"
-  server_type    = "cpx31"
+  server_type    = "cpx32"
 }
 
 module "workers" {
@@ -40,7 +40,7 @@ module "workers" {
   hcloud_ssh_key = hcloud_ssh_key.key.id
   location       = "hel1"
 
-  server_type = "cpx31"
+  server_type = "cpx32"
 }
 
 output "simple_kubeconfig" {

modules/kubernetes-node/scripts/prepare-node.sh.tpl

@@ -20,7 +20,7 @@ install_prerequisites() {
     # Install prerequisites
     apt-get -qq update
     apt-get -qq -y upgrade
-    apt-get -qq -y install apt-transport-https ca-certificates curl gnupg lsb-release ipvsadm wireguard apparmor
+    apt-get -qq -y install apt-transport-https ca-certificates curl gnupg lsb-release ipvsadm nftables wireguard apparmor
     curl -fsSL "https://download.docker.com/linux/$os_id/gpg" | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
     curl -fsSL "https://pkgs.k8s.io/core:/stable:/v${kubernetes_minor_version}/deb/Release.key" | gpg --dearmor -o /etc/apt/keyrings/kubernetes-apt-keyring.gpg
     echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/$os_id $(lsb_release -cs) stable" \
@@ -55,15 +55,15 @@ EOF
 
     if [ "$os_id" == "fedora" ]; then
       addrepo https://download.docker.com/linux/fedora/docker-ce.repo
-      dnf -qy install containerd.io ipvsadm wireguard-tools iproute-tc
+      dnf -qy install containerd.io ipvsadm nftables wireguard-tools iproute-tc
     elif [ "$(. /etc/os-release && echo "$PLATFORM_ID")" = "platform:el9" ]; then
       # Wireguard is installed by default on EL9-like systems
       addrepo https://download.docker.com/linux/centos/docker-ce.repo
-      dnf -qy install containerd.io ipvsadm wireguard-tools iproute-tc
+      dnf -qy install containerd.io ipvsadm nftables wireguard-tools iproute-tc
     else
       addrepo https://download.docker.com/linux/centos/docker-ce.repo
       dnf -qy install elrepo-release epel-release
-      dnf -qy install containerd.io ipvsadm kmod-wireguard wireguard-tools iproute-tc
+      dnf -qy install containerd.io ipvsadm nftables kmod-wireguard wireguard-tools iproute-tc
     fi
   fi
 }

modules/worker-node/variables.tf

@@ -13,9 +13,9 @@ variable "hcloud_ssh_key" {
 }
 
 variable "server_type" {
-  description = "Server SKU (default: 'cpx31')"
+  description = "Server SKU (default: 'cpx32')"
   type        = string
-  default     = "cpx31"
+  default     = "cpx32"
 }
 
 variable "image" {
@@ -51,7 +51,7 @@ variable "labels" {
 variable "kubernetes_version" {
   description = "Kubernetes version"
   type        = string
-  default     = "1.34.1"
+  default     = "1.35.3"
 
   validation {
     condition     = can(regex("^1\\.([0-9]+)\\.([0-9]+)$", var.kubernetes_version))