Description
Project Name
hetzner-metal-kubernetes
Description
Automates deploying Kubernetes (single-server or HA) on Hetzner dedicated servers with Fedora CoreOS using Ansible. Includes network and security setup.
Link
https://github.com/cisnerosf/hetzner-metal-kubernetes
Type
Integration
Language
None
Further Comments
Automates deploying K3S (single-server or HA) on Hetzner dedicated servers with Fedora CoreOS using Ansible. Includes network and security setup:
- WireGuard native backend: Uses WireGuard as the backend for Flannel, which helps secure communication between nodes in a cluster.
- vSwitch Integration: Connects all nodes using Hetzner's vSwitch technology, establishing a virtual layer 2 network (VLAN) with IP range 10.100.100.0/25 (up to 100 nodes allowed due to vSwitch limits).
- Robot API Management: Includes a `utils.py` CLI tool for managing servers, firewall rules and vSwitches via the Robot WebService API.
- Firewall: When using a 10G uplink (strongly recommended), the Robot firewall is not available, therefore firewall rules are also configured at the host level using nftables.
- Audit: Includes basic audit rules for both K3S and Fedora CoreOS.
- RAID 1 (mirrored NVMe): Each machine should have 2 NVMe drives enabled.
- Cloudflare Full (strict) and AOP: `artifacts/butane-k3s-manifests.yml` contains manifests that configure Authenticated Origin Pulls (mTLS) with Full (strict) mode for Traefik on port 443.
- Fedora CoreOS: Designed for running containerized workloads securely and at scale, offering an immutable, minimal and automatically updating operating system that enhances reliability and security.
- Reboot Coordination: fleetlock reboot coordinator for the nodes in the cluster.
- Disk Encryption: Encrypts disks using LUKS with TPM2.