feat: allow to pass robot username & password

docs/Hybrid_cluster.md

@@ -0,0 +1,34 @@
+# Set up a private network and a vSwitch prior to that
+
+https://docs.hetzner.com/cloud/networks/connect-dedi-vswitch/
+
+Follow the instructions and make sure cloud nodes & robot nodes can ping each other
+
+# Cluster settings
+
+Encryption needs to be disabled. Cilium has been tested and works well. Other CNIs might work but haven't been tested thoroughly.
+
+```
+robot_user: "XXXX"
+robot_password: "YYYY"
+networking:
+  cni:
+    enabled: true
+    encryption: false
+    mode: cilium
+```
+
+# You can then add the node to the k3s
+
+1. Get the token one of the master nodes
+
+`cat /var/lib/rancher/k3s/server/token`
+
+2. Start the agent on the dedicated node (change MASTER_IP & TOKEN).
+
+```
+curl -sfL https://get.k3s.io | \
+      K3S_URL=https://MASTER_IP:6443 \
+      K3S_TOKEN=TOKEN \
+      sh -s - --node-label dedicated=true
+```

src/configuration/main.cr

@@ -38,6 +38,8 @@ class Configuration::Main
   getter protect_against_deletion : Bool = true
   getter create_load_balancer_for_the_kubernetes_api : Bool = false
   getter k3s_upgrade_concurrency : Int64 = 1
+  getter robot_user : String?
+  getter robot_password : String?
 
   def all_kubelet_args
     ["cloud-provider=external", "resolv-conf=/etc/k8s-resolv.conf"] + kubelet_args

src/configuration/manifests.cr

@@ -3,7 +3,7 @@ module Configuration
     include YAML::Serializable
     include YAML::Serializable::Unmapped
 
-    getter cloud_controller_manager_manifest_url : String = "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.23.0/ccm-networks.yaml"
+    getter cloud_controller_manager_manifest_url : String = "https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases/download/v1.24.0/ccm-networks.yaml"
     getter csi_driver_manifest_url : String = "https://raw.githubusercontent.com/hetznercloud/csi-driver/v2.13.0/deploy/kubernetes/hcloud-csi.yml"
     getter system_upgrade_controller_deployment_manifest_url : String = "https://github.com/rancher/system-upgrade-controller/releases/download/v0.15.2/system-upgrade-controller.yaml"
     getter system_upgrade_controller_crd_manifest_url : String = "https://github.com/rancher/system-upgrade-controller/releases/download/v0.15.2/crd.yaml"

src/kubernetes/software/hetzner/cloud_controller_manager.cr

@@ -1,5 +1,6 @@
 require "../../../util"
 require "../../util"
+require "yaml"
 
 class Kubernetes::Software::Hetzner::CloudControllerManager
   include Util
@@ -25,12 +26,50 @@ class Kubernetes::Software::Hetzner::CloudControllerManager
 
   private def manifest
     manifest_url = if settings.networking.private_network.enabled
-      settings.manifests.cloud_controller_manager_manifest_url
-    else
-      settings.manifests.cloud_controller_manager_manifest_url.gsub("-networks", "")
-    end
+                     settings.manifests.cloud_controller_manager_manifest_url
+                   else
+                     settings.manifests.cloud_controller_manager_manifest_url.gsub("-networks", "")
+                   end
 
     manifest = fetch_manifest(manifest_url)
     manifest.gsub(/--cluster-cidr=[^"]+/, "--cluster-cidr=#{settings.networking.cluster_cidr}")
+
+    documents = YAML.parse_all(manifest)
+
+    if settings.responds_to?(:robot_user) && settings.robot_user
+      documents.each do |doc|
+        next unless doc["kind"]?.try(&.as_s) == "Deployment"
+        next unless doc["metadata"]?.try(&.["name"]?.try(&.as_s)) == "hcloud-cloud-controller-manager"
+
+        containers_any = doc["spec"]?.try(&.["template"]?.try(&.["spec"]?.try(&.["containers"]?)))
+        next unless containers_any && (containers_array = containers_any.as_a?)
+
+        container_any = containers_array[0]?
+        next unless container_any && (container_hash = container_any.as_h?)
+
+        env_array = container_hash[YAML::Any.new("env")]?.try(&.as_a) || [] of YAML::Any
+
+        robot_enabled = YAML::Any.new({
+          YAML::Any.new("name")  => YAML::Any.new("ROBOT_ENABLED"),
+          YAML::Any.new("value") => YAML::Any.new("true"),
+        })
+
+        env_array << robot_enabled
+
+        if settings.networking.private_network.enabled
+          network_routes_enabled = YAML::Any.new({
+            YAML::Any.new("name")  => YAML::Any.new("HCLOUD_NETWORK_ROUTES_ENABLED"),
+            YAML::Any.new("value") => YAML::Any.new("false"),
+          })
+          env_array << network_routes_enabled
+        end
+
+        container_hash[YAML::Any.new("env")] = YAML::Any.new(env_array)
+
+        containers_array[0] = YAML::Any.new(container_hash)
+      end
+    end
+
+    documents.map(&.to_yaml).join("---\n")
   end
 end

src/kubernetes/software/hetzner/csi_driver.cr

@@ -13,13 +13,42 @@ class Kubernetes::Software::Hetzner::CSIDriver
 
   def install
     log_line "Installing Hetzner CSI Driver..."
-
-    apply_manifest_from_url(settings.manifests.csi_driver_manifest_url, "Failed to install Hetzner CSI Driver")
+    apply_manifest_from_yaml(manifest, "Failed to install Hetzner CSI Driver")
 
     log_line "Hetzner CSI Driver installed"
   end
 
   private def default_log_prefix
     "Hetzner CSI Driver"
   end
+
+  private def manifest
+    manifest = fetch_manifest(settings.manifests.csi_driver_manifest_url)
+
+    documents = YAML.parse_all(manifest)
+
+    documents.each do |doc|
+      next unless doc["kind"]?.try(&.as_s) == "DaemonSet"
+      next unless doc["metadata"]?.try(&.["name"]?.try(&.as_s)) == "hcloud-csi-node"
+
+      spec = doc["spec"]?
+      next unless spec_h = spec.try(&.as_h?)
+
+      template = spec_h["template"]?
+      next unless template_h = template.try(&.as_h?)
+
+      spec = template_h["spec"]?
+      next unless spec_h = spec.try(&.as_h?)
+
+      node_selector = spec_h["nodeSelector"]?.try(&.as_h?) || begin
+        new_selector = {} of YAML::Any => YAML::Any
+        spec_h[YAML::Any.new("nodeSelector")] = YAML::Any.new(new_selector)
+        new_selector
+      end
+
+      node_selector[YAML::Any.new("instance.hetzner.cloud/provided-by")] = YAML::Any.new("cloud")
+    end
+
+    documents.map(&.to_yaml).join("---\n")
+  end
 end

src/kubernetes/software/hetzner/secret.cr

@@ -17,15 +17,17 @@ class Kubernetes::Software::Hetzner::Secret
     log_line "Creating secret for Hetzner Cloud token..."
 
     network_name = if settings.networking.private_network.enabled
-      existing_network_name = settings.networking.private_network.existing_network_name
-      existing_network_name.empty? ? settings.cluster_name : existing_network_name
-    else
-      ""
-    end
+                     existing_network_name = settings.networking.private_network.existing_network_name
+                     existing_network_name.empty? ? settings.cluster_name : existing_network_name
+                   else
+                     ""
+                   end
 
     secret_manifest = Crinja.render(HETZNER_CLOUD_SECRET_MANIFEST, {
-      network: network_name,
-      token: settings.hetzner_token
+      network:        network_name,
+      token:          settings.hetzner_token,
+      robot_user:     settings.robot_user,
+      robot_password: settings.robot_password,
     })
 
     apply_manifest_from_yaml(secret_manifest, "Failed to create Hetzner Cloud secret")

templates/hetzner_cloud_secret_manifest.yaml

@@ -1,8 +1,10 @@
 apiVersion: "v1"
 kind: "Secret"
 metadata:
-  namespace: 'kube-system'
-  name: 'hcloud'
+  namespace: "kube-system"
+  name: "hcloud"
 stringData:
   network: "{{ network }}"
   token: "{{ token }}"
+  robot-user: "{{ robot_user }}"
+  robot-password: "{{ robot_password }}"