✨ Add hetzner baremetal cluster stack (#125)

* Add hetzner baremetal cluster stack

Signed-off-by: Roman Hros <[email protected]>

* Add etcd encryption via variable

Signed-off-by: Roman Hros <[email protected]>

* Add clusterLoadBalancerName and clusterLoadBalancerAlgorithm variables

Signed-off-by: Roman Hros <[email protected]>

* Add certSANs and OIDC config

Signed-off-by: Roman Hros <[email protected]>

* Update containerd

Signed-off-by: Roman Hros <[email protected]>

* Replace syself's hccm with Hetzner's one

Signed-off-by: Roman Hros <[email protected]>

* Update rook-ceph

Signed-off-by: Roman Hros <[email protected]>

* Bump k8s, containerd and cilium versions

Signed-off-by: Roman Hros <[email protected]>

* Add rook-ceph production ready default helm values

Signed-off-by: Roman Hros <[email protected]>

* Add quick start guide

Signed-off-by: Roman Hros <[email protected]>

* Update rook-ceph cluster-addon

Signed-off-by: Roman Hros <[email protected]>

---------

Signed-off-by: Roman Hros <[email protected]>

providers/hetzner/baremetal/1-30/cluster-addon-values.yaml

@@ -0,0 +1,12 @@
+values: |
+  metrics-server:
+    commonLabels:
+      domain: "{{ .Cluster.spec.controlPlaneEndpoint.host }}"
+      clusterAddonVersion: "v1"
+  {{- range .Cluster.spec.topology.variables }}
+  {{- if and (eq .name "rook_ceph_values") .value }}
+  rook-ceph:{{ .value | nindent 4 }}
+  {{- else if and (eq .name "rook_ceph_cluster_values") .value }}
+  rook-ceph-cluster:{{ .value | nindent 4 }}
+  {{- end }}
+  {{- end }}

providers/hetzner/baremetal/1-30/cluster-addon/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

providers/hetzner/baremetal/1-30/cluster-addon/Chart.lock

@@ -0,0 +1,18 @@
+dependencies:
+- name: metrics-server
+  repository: https://kubernetes-sigs.github.io/metrics-server/
+  version: 3.12.1
+- name: cilium
+  repository: https://helm.cilium.io/
+  version: 1.15.7
+- name: hcloud-cloud-controller-manager
+  repository: https://charts.hetzner.cloud
+  version: 1.20.0
+- name: rook-ceph
+  repository: https://charts.rook.io/release
+  version: v1.14.9
+- name: rook-ceph-cluster
+  repository: https://charts.rook.io/release
+  version: v1.14.9
+digest: sha256:225dd45233da2ae9fe8c52f1908167ffab3e7ca6df86996e21a5abe233756711
+generated: "2024-08-08T15:38:15.791040283+02:00"

providers/hetzner/baremetal/1-30/cluster-addon/Chart.yaml

@@ -0,0 +1,27 @@
+apiVersion: v2
+dependencies:
+- alias: metrics-server
+  name: metrics-server
+  repository: https://kubernetes-sigs.github.io/metrics-server/
+  version: 3.12.1
+- alias: cilium
+  name: cilium
+  repository: https://helm.cilium.io/
+  version: 1.15.7
+- alias: hcloud-cloud-controller-manager
+  name: hcloud-cloud-controller-manager
+  repository: https://charts.hetzner.cloud
+  version: 1.20.0
+- alias: rook-ceph
+  name: rook-ceph
+  repository: https://charts.rook.io/release
+  version: v1.14.9
+  condition: rook-ceph.enabled,rook-ceph-cluster.enabled
+- alias: rook-ceph-cluster
+  name: rook-ceph-cluster
+  repository: https://charts.rook.io/release
+  version: v1.14.9
+  condition: rook-ceph-cluster.enabled
+name: hetzner-baremetal-1-30-cluster-addon
+type: application
+version: v1

providers/hetzner/baremetal/1-30/cluster-addon/values.yaml

@@ -0,0 +1,73 @@
+metrics-server:
+  fullnameOverride: metrics-server
+
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+
+  service:
+    labels:
+      kubernetes.io/cluster-service: "true"
+      kubernetes.io/name: "Metrics-server"
+
+cilium:
+  rollOutCiliumPods: true
+  priorityClassName: "system-node-critical"
+
+  hubble:
+    metrics:
+      enabled:
+      - dns:query;ignoreAAAA
+      - drop
+      - tcp
+      - flow
+      - icmp
+      - http
+    relay:
+      enabled: true
+      rollOutPods: true
+    ui:
+      enabled: true
+      rollOutPods: true
+  ipam:
+    mode: "kubernetes"
+
+  kubeProxyReplacement: "partial"
+
+  operator:
+    rollOutPods: true
+    priorityClassName: "system-node-critical"
+
+hcloud-cloud-controller-manager:
+  robot:
+    enabled: true
+  env:
+    HCLOUD_TOKEN:
+      valueFrom:
+        secretKeyRef:
+          name: hetzner
+          key: hcloud
+    ROBOT_USER:
+      valueFrom:
+        secretKeyRef:
+          name: hetzner
+          key: robot-user
+    ROBOT_PASSWORD:
+      valueFrom:
+        secretKeyRef:
+          name: hetzner
+          key: robot-password
+
+rook-ceph:
+  enableDiscoveryDaemon: true
+rook-ceph-cluster:
+  operatorNamespace: kube-system
+  toolbox:
+    enabled: true
+  cephClusterSpec:
+    mgr:
+      modules:
+      - name: rook
+        enabled: true

providers/hetzner/baremetal/1-30/cluster-class/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

providers/hetzner/baremetal/1-30/cluster-class/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+description: |
+  This chart installs and configures:
+  * Hetzner Baremetal Cluster Class
+name: hetzner-baremetal-1-30-cluster-class
+type: application
+version: v1

providers/hetzner/baremetal/1-30/cluster-class/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "cluster-class.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "cluster-class.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "cluster-class.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "cluster-class.labels" -}}
+helm.sh/chart: {{ include "cluster-class.chart" . }}
+{{ include "cluster-class.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "cluster-class.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "cluster-class.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "cluster-class.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "cluster-class.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}