Merge pull request #1691 from utay/infer-cluster-dns-ipv4

Infer cluster_dns_ipv4 from service_ipv4_cidr

Author: mysticaltech

control_planes.tf

@@ -122,7 +122,7 @@ locals {
       selinux                     = var.disable_selinux ? false : (v.selinux == true ? true : false)
       cluster-cidr                = var.cluster_ipv4_cidr
       service-cidr                = var.service_ipv4_cidr
-      cluster-dns                 = var.cluster_dns_ipv4
+      cluster-dns                 = local.cluster_dns_ipv4
       write-kubeconfig-mode       = "0644" # needed for import into rancher
     },
     lookup(local.cni_k3s_settings, var.cni_plugin, {}),

docs/terraform.md

@@ -126,7 +126,7 @@
 | <a name="input_cluster_autoscaler_server_creation_timeout"></a> [cluster\_autoscaler\_server\_creation\_timeout](#input\_cluster\_autoscaler\_server\_creation\_timeout) | Timeout (in minutes) until which a newly created server/node has to become available before giving up and destroying it. | `number` | `15` | no |
 | <a name="input_cluster_autoscaler_stderr_threshold"></a> [cluster\_autoscaler\_stderr\_threshold](#input\_cluster\_autoscaler\_stderr\_threshold) | Severity level above which logs are sent to stderr instead of stdout | `string` | `"INFO"` | no |
 | <a name="input_cluster_autoscaler_version"></a> [cluster\_autoscaler\_version](#input\_cluster\_autoscaler\_version) | Version of Kubernetes Cluster Autoscaler for Hetzner Cloud. Should be aligned with Kubernetes version. Available versions for the official image can be found at https://explore.ggcr.dev/?repo=registry.k8s.io%2Fautoscaling%2Fcluster-autoscaler. | `string` | `"v1.32.0"` | no |
-| <a name="input_cluster_dns_ipv4"></a> [cluster\_dns\_ipv4](#input\_cluster\_dns\_ipv4) | Internal Service IPv4 address of core-dns. | `string` | `"10.43.0.10"` | no |
+| <a name="input_cluster_dns_ipv4"></a> [cluster\_dns\_ipv4](#input\_cluster\_dns\_ipv4) | Internal Service IPv4 address of core-dns. It is automatically inferred from `service_ipv4_cidr` if not explicitly set. | `string` | `null` | no |
 | <a name="input_cluster_ipv4_cidr"></a> [cluster\_ipv4\_cidr](#input\_cluster\_ipv4\_cidr) | Internal Pod CIDR, used for the controller and currently for calico/cilium. | `string` | `"10.42.0.0/16"` | no |
 | <a name="input_cluster_name"></a> [cluster\_name](#input\_cluster\_name) | Name of the cluster. | `string` | `"k3s"` | no |
 | <a name="input_cni_plugin"></a> [cni\_plugin](#input\_cni\_plugin) | CNI plugin for k3s. | `string` | `"flannel"` | no |

init.tf

@@ -73,7 +73,7 @@ resource "null_resource" "first_control_plane" {
           node-label                  = local.control_plane_nodes[keys(module.control_planes)[0]].labels
           cluster-cidr                = var.cluster_ipv4_cidr
           service-cidr                = var.service_ipv4_cidr
-          cluster-dns                 = var.cluster_dns_ipv4
+          cluster-dns                 = local.cluster_dns_ipv4
         },
         lookup(local.cni_k3s_settings, var.cni_plugin, {}),
         var.use_control_plane_lb ? {

kube.tf.example

@@ -136,7 +136,7 @@ module "kube-hetzner" {
 
       # Enable automatic backups via Hetzner (default: false)
       # backups = true
-      
+
       # To disable public ips (default: false)
       # WARNING: If both values are set to "true", your server will only be accessible via a private network. Make sure you have followed
       # the instructions regarding this type of setup in README.md: "Use only private IPs in your cluster".
@@ -156,7 +156,7 @@ module "kube-hetzner" {
 
       # Enable automatic backups via Hetzner (default: false)
       # backups = true
-      
+
       # To disable public ips (default: false)
       # WARNING: If both values are set to "true", your server will only be accessible via a private network. Make sure you have followed
       # the instructions regarding this type of setup in README.md: "Use only private IPs in your cluster".
@@ -176,7 +176,7 @@ module "kube-hetzner" {
 
       # Enable automatic backups via Hetzner (default: false)
       # backups = true
-      
+
       # To disable public ips (default: false)
       # WARNING: If both values are set to "true", your server will only be accessible via a private network. Make sure you have followed
       # the instructions regarding this type of setup in README.md: "Use only private IPs in your cluster".
@@ -582,7 +582,7 @@ module "kube-hetzner" {
   #   Even if patched to remove the "default" label, the local-path storage class will be reset as default on each reboot of
   #   the node where the controller runs.
   #   This is not a problem if you explicitly define which storageclass to use in your PVCs.
-  #   Workaround if you don't want two default storage classes: leave this to false and add the local-path-provisioner helm chart 
+  #   Workaround if you don't want two default storage classes: leave this to false and add the local-path-provisioner helm chart
   #   as an extra (https://github.com/kube-hetzner/terraform-hcloud-kube-hetzner#adding-extras).
   # enable_local_storage = false
 
@@ -633,7 +633,7 @@ module "kube-hetzner" {
   # Allows you to specify the k3s version. If defined, supersedes initial_k3s_channel.
   # See https://github.com/k3s-io/k3s/releases for the available versions.
   # install_k3s_version = "v1.30.2+k3s2"
-  
+
   # Allows you to specify either stable, latest, testing or supported minor versions.
   # see https://rancher.com/docs/k3s/latest/en/upgrades/basic/ and https://update.k3s.io/v1-release/channels
   # ⚠️ If you are going to use Rancher addons for instance, it's always a good idea to fix the kube version to one minor version below the latest stable,
@@ -681,8 +681,8 @@ module "kube-hetzner" {
   #   "trust anchor --store /root/ca.crt",
   # ]
 
-  # Structured authentication configuration. Multiple authentication providers support requires v1.30+ of 
-  # kubernetes.  
+  # Structured authentication configuration. Multiple authentication providers support requires v1.30+ of
+  # kubernetes.
   # https://kubernetes.io/docs/reference/access-authn-authz/authentication/#using-authentication-configuration
   #
   # authentication_config = <<-EOT
@@ -755,7 +755,7 @@ module "kube-hetzner" {
   # firewall_ssh_source = ["1.2.3.4/32"]
 
   # By default, SELinux is enabled in enforcing mode on all nodes. For container-specific SELinux issues,
-  # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of 
+  # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of
   # disabling SELinux globally. See the "Fix SELinux issues with udica" example in the README for details.
   # disable_selinux = false
 

locals.tf

@@ -227,6 +227,8 @@ locals {
   # The first two subnets are respectively the default subnet 10.0.0.0/16 use for potientially anything and 10.1.0.0/16 used for control plane nodes.
   # the rest of the subnets are for agent nodes in each nodepools.
   network_ipv4_subnets = [for index in range(256) : cidrsubnet(var.network_ipv4_cidr, 8, index)]
+  # By convention the DNS service (usually core-dns) is assigned the 10th IP address in the service CIDR block
+  cluster_dns_ipv4 = var.cluster_dns_ipv4 != null ? var.cluster_dns_ipv4 : cidrhost(var.service_ipv4_cidr, 10)
 
   # if we are in a single cluster config, we use the default klipper lb instead of Hetzner LB
   control_plane_count    = sum([for v in var.control_plane_nodepools : v.count])

variables.tf

@@ -117,7 +117,7 @@ variable "service_ipv4_cidr" {
 variable "cluster_dns_ipv4" {
   description = "Internal Service IPv4 address of core-dns."
   type        = string
-  default     = "10.43.0.10"
+  default     = null
 }
 
 variable "load_balancer_location" {