| additional_k3s_environment |
Additional environment variables for the k3s binary. See for example https://docs.k3s.io/advanced#configuring-an-http-proxy . |
map(any) |
{} |
no |
| additional_tls_sans |
Additional TLS SANs to allow connection to control-plane through it. |
list(string) |
[] |
no |
| address_for_connectivity_test |
The address to test for external connectivity before proceeding with the installation. Defaults to Google's public DNS. |
string |
"8.8.8.8" |
no |
| agent_nodepools |
Agent nodepools. Each entry describes one pool of agent nodes (server type, location, labels, taints, optional per-node overrides); the number of nodes comes from each pool's `count` or `nodes` map, not from this variable as a whole. |
list(object({ name = string server_type = string location = string backups = optional(bool) floating_ip = optional(bool) floating_ip_rdns = optional(string, null) labels = list(string) taints = list(string) longhorn_volume_size = optional(number) longhorn_mount_path = optional(string, "/var/longhorn") swap_size = optional(string, "") zram_size = optional(string, "") kubelet_args = optional(list(string), ["kube-reserved=cpu=50m,memory=300Mi,ephemeral-storage=1Gi", "system-reserved=cpu=250m,memory=300Mi"]) selinux = optional(bool, true) placement_group_compat_idx = optional(number, 0) placement_group = optional(string, null) subnet_ip_range = optional(string, null) count = optional(number, null) disable_ipv4 = optional(bool, false) disable_ipv6 = optional(bool, false) network_id = optional(number, 0) nodes = optional(map(object({ server_type = optional(string) location = optional(string) backups = optional(bool) floating_ip = optional(bool) floating_ip_rdns = optional(string, null) labels = optional(list(string)) taints = optional(list(string)) longhorn_volume_size = optional(number) longhorn_mount_path = optional(string, null) swap_size = optional(string, "") zram_size = optional(string, "") kubelet_args = optional(list(string), ["kube-reserved=cpu=50m,memory=300Mi,ephemeral-storage=1Gi", "system-reserved=cpu=250m,memory=300Mi"]) selinux = optional(bool, true) placement_group_compat_idx = optional(number, 0) placement_group = optional(string, null) append_index_to_node_name = optional(bool, true) }))) })) |
[] |
no |
| agent_nodes_custom_config |
Additional configuration for agent nodes and autoscaler nodes that will be added to k3s's config.yaml, e.g. to allow kube-proxy monitoring. |
any |
{} |
no |
| allow_scheduling_on_control_plane |
Whether to allow non-control-plane workloads to run on the control-plane nodes. |
bool |
false |
no |
| authentication_config |
Structured authentication configuration. This can be used to define external authentication providers. |
string |
"" |
no |
| automatically_upgrade_k3s |
Whether to automatically upgrade k3s based on the selected channel. |
bool |
true |
no |
| automatically_upgrade_os |
Whether to enable or disable automatic OS updates. Defaults to true. Should be disabled for single-node clusters, since the reboot required by an update takes the only node offline. |
bool |
true |
no |
| autoscaler_disable_ipv4 |
Disable IPv4 on nodes created by the Cluster Autoscaler. |
bool |
false |
no |
| autoscaler_disable_ipv6 |
Disable IPv6 on nodes created by the Cluster Autoscaler. |
bool |
false |
no |
| autoscaler_labels |
Labels for nodes created by the Cluster Autoscaler. |
list(string) |
[] |
no |
| autoscaler_nodepools |
Cluster autoscaler nodepools. |
list(object({ name = string server_type = string location = string min_nodes = number max_nodes = number labels = optional(map(string), {}) kubelet_args = optional(list(string), ["kube-reserved=cpu=50m,memory=300Mi,ephemeral-storage=1Gi", "system-reserved=cpu=250m,memory=300Mi"]) taints = optional(list(object({ key = string value = string effect = string })), []) swap_size = optional(string, "") zram_size = optional(string, "") })) |
[] |
no |
| autoscaler_taints |
Taints for nodes created by the Cluster Autoscaler. |
list(string) |
[] |
no |
| base_domain |
Base domain of the cluster, used for reverse dns. |
string |
"" |
no |
| block_icmp_ping_in |
Block entering ICMP ping. |
bool |
false |
no |
| calico_values |
Just a stub for a future helm implementation. Now it can be used to replace the calico kustomize patch of the calico manifest. |
string |
"" |
no |
| calico_version |
Version of Calico. See https://github.com/projectcalico/calico/releases for the available versions. |
string |
null |
no |
| cert_manager_helmchart_bootstrap |
Whether the HelmChart cert_manager shall be run on control-plane nodes. |
bool |
false |
no |
| cert_manager_merge_values |
Additional Helm values to merge with defaults (or cert_manager_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| cert_manager_values |
Additional helm values file to pass to Cert-Manager as 'valuesContent' at the HelmChart. Defaults are set in locals.tf. For cert-manager versions prior to v1.15.0, you need to set 'installCRDs: true'. |
string |
"" |
no |
| cert_manager_version |
Version of cert_manager. |
string |
"*" |
no |
| cilium_egress_gateway_enabled |
Enables egress gateway to redirect and SNAT the traffic that leaves the cluster. |
bool |
false |
no |
| cilium_hubble_enabled |
Enables Hubble Observability to collect and visualize network traffic. |
bool |
false |
no |
| cilium_hubble_metrics_enabled |
Configures the list of Hubble metrics to collect |
list(string) |
[] |
no |
| cilium_ipv4_native_routing_cidr |
Used when Cilium is configured in native routing mode. The CNI assumes that the underlying network stack will forward packets to this destination without the need to apply SNAT. Default: value of "cluster_ipv4_cidr" |
string |
null |
no |
| cilium_loadbalancer_acceleration_mode |
Set Cilium loadbalancer.acceleration-mode. Supported values are "disabled", "native" and "best-effort". |
string |
"best-effort" |
no |
| cilium_merge_values |
Additional Helm values to merge with defaults (or cilium_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| cilium_routing_mode |
Set native-routing mode ("native") or tunneling mode ("tunnel"). |
string |
"tunnel" |
no |
| cilium_values |
Additional helm values file to pass to Cilium as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| cilium_version |
Version of Cilium. See https://github.com/cilium/cilium/releases for the available versions. |
string |
"1.17.0" |
no |
| cluster_autoscaler_extra_args |
Extra arguments for the Cluster Autoscaler deployment. |
list(string) |
[] |
no |
| cluster_autoscaler_image |
Image of Kubernetes Cluster Autoscaler for Hetzner Cloud to be used. |
string |
"registry.k8s.io/autoscaling/cluster-autoscaler" |
no |
| cluster_autoscaler_log_level |
Verbosity level of the logs for cluster-autoscaler |
number |
4 |
no |
| cluster_autoscaler_log_to_stderr |
Determines whether to log to stderr or not |
bool |
true |
no |
| cluster_autoscaler_replicas |
Number of replicas for the cluster autoscaler deployment. Multiple replicas use leader election for HA. |
number |
1 |
no |
| cluster_autoscaler_resource_limits |
Should cluster autoscaler enable default resource requests and limits. Default values are requests: 100m & 300Mi and limits: 100m & 300Mi. |
bool |
true |
no |
| cluster_autoscaler_resource_values |
Requests and limits for Cluster Autoscaler. |
object({ requests = object({ cpu = string memory = string }) limits = object({ cpu = string memory = string }) }) |
{ "limits": { "cpu": "100m", "memory": "300Mi" }, "requests": { "cpu": "100m", "memory": "300Mi" } } |
no |
| cluster_autoscaler_server_creation_timeout |
Timeout (in minutes) until which a newly created server/node has to become available before giving up and destroying it. |
number |
15 |
no |
| cluster_autoscaler_stderr_threshold |
Severity level above which logs are sent to stderr instead of stdout |
string |
"INFO" |
no |
| cluster_autoscaler_version |
Version of Kubernetes Cluster Autoscaler for Hetzner Cloud. Should be aligned with Kubernetes version. Available versions for the official image can be found at https://explore.ggcr.dev/?repo=registry.k8s.io%2Fautoscaling%2Fcluster-autoscaler. |
string |
"v1.33.3" |
no |
| cluster_dns_ipv4 |
Internal Service IPv4 address of core-dns. |
string |
null |
no |
| cluster_ipv4_cidr |
Internal Pod CIDR, used for the controller and currently for calico/cilium. |
string |
"10.42.0.0/16" |
no |
| cluster_name |
Name of the cluster. |
string |
"k3s" |
no |
| cni_plugin |
CNI plugin for k3s. |
string |
"flannel" |
no |
| control_plane_endpoint |
Optional external control plane endpoint URL (e.g. https://myapi.domain.com:6443). Used as the k3s 'server' value for agents and secondary control planes. |
string |
null |
no |
| control_plane_lb_enable_public_interface |
Enable or disable public interface for the control plane load balancer. Defaults to true. When disabled with nat_router enabled, the NAT router automatically forwards port 6443 to the private control plane LB. |
bool |
true |
no |
| control_plane_lb_type |
The type of load balancer to use for the control plane load balancer. Defaults to lb11, which is the cheapest one. |
string |
"lb11" |
no |
| control_plane_nodepools |
Control plane nodepools. Each entry describes one pool of control-plane nodes; the number of nodes is the sum of each pool's `count`. |
list(object({ name = string server_type = string location = string backups = optional(bool) labels = list(string) taints = list(string) count = number swap_size = optional(string, "") zram_size = optional(string, "") kubelet_args = optional(list(string), ["kube-reserved=cpu=250m,memory=1500Mi,ephemeral-storage=1Gi", "system-reserved=cpu=250m,memory=300Mi"]) selinux = optional(bool, true) placement_group_compat_idx = optional(number, 0) placement_group = optional(string, null) disable_ipv4 = optional(bool, false) disable_ipv6 = optional(bool, false) network_id = optional(number, 0) })) |
[] |
no |
| control_planes_custom_config |
Additional configuration for control planes that will be added to k3s's config.yaml, e.g. to allow etcd monitoring. |
any |
{} |
no |
| create_kubeconfig |
Create the kubeconfig as a local file resource. Should be disabled for automatic runs. The generated kubeconfig is a credential for the cluster; restrict access to the file and keep it out of version control. |
bool |
true |
no |
| create_kustomization |
Create the kustomization backup as a local file resource. Should be disabled for automatic runs. |
bool |
true |
no |
| csi_driver_smb_helmchart_bootstrap |
Whether the HelmChart csi_driver_smb shall be run on control-plane nodes. |
bool |
false |
no |
| csi_driver_smb_values |
Additional helm values file to pass to csi-driver-smb as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| csi_driver_smb_version |
Version of csi_driver_smb. See https://github.com/kubernetes-csi/csi-driver-smb/releases for the available versions. |
string |
"*" |
no |
| disable_hetzner_csi |
Disable hetzner csi driver. |
bool |
false |
no |
| disable_kube_proxy |
Disable kube-proxy in K3s (default false). |
bool |
false |
no |
| disable_network_policy |
Disable k3s default network policy controller (default false, automatically true for calico and cilium). |
bool |
false |
no |
| disable_selinux |
Disable SELinux on all nodes. |
bool |
false |
no |
| dns_servers |
IP addresses to use for the DNS servers; set to an empty list to use the ones provided by Hetzner. The length is limited to 3 entries, as more entries are not supported by Kubernetes. |
list(string) |
[ "185.12.64.1", "185.12.64.2", "2a01:4ff:ff00::add:1" ] |
no |
| enable_cert_manager |
Enable cert manager. |
bool |
true |
no |
| enable_csi_driver_smb |
Whether or not to enable csi-driver-smb. |
bool |
false |
no |
| enable_delete_protection |
Enable or disable delete protection for resources in Hetzner Cloud. |
object({ floating_ip = optional(bool, false) load_balancer = optional(bool, false) volume = optional(bool, false) }) |
{ "floating_ip": false, "load_balancer": false, "volume": false } |
no |
| enable_iscsid |
This is always true when enable_longhorn=true, however, you may also want this enabled if you perform your own installation of longhorn after this module runs. |
bool |
false |
no |
| enable_klipper_metal_lb |
Use klipper load balancer. |
bool |
false |
no |
| enable_local_storage |
Whether to enable or disable k3s local-storage. Warning: when enabled, there will be two default storage classes: "local-path" and "hcloud-volumes"! |
bool |
false |
no |
| enable_longhorn |
Whether or not to enable Longhorn. |
bool |
false |
no |
| enable_metrics_server |
Whether to enable or disable k3s metric server. |
bool |
true |
no |
| enable_rancher |
Enable rancher. |
bool |
false |
no |
| enable_wireguard |
Use wireguard-native as the backend for CNI. |
bool |
false |
no |
| etcd_s3_backup |
Etcd cluster state backup to S3 storage |
map(any) |
{} |
no |
| exclude_agents_from_external_load_balancers |
Add node.kubernetes.io/exclude-from-external-load-balancers=true label to agent nodes. Enable this if you use both the Terraform-managed ingress LB and CCM-managed LoadBalancer services, and want to prevent double-registration of agents to the CCM LBs. Note: This excludes agents from ALL CCM-managed LoadBalancer services, not just ingress. |
bool |
false |
no |
| existing_network_id |
If you want to create the private network before calling this module, you can do so and pass its id here (the variable takes a list). NOTE: make sure to adapt network_ipv4_cidr to a range that does not collide with your other nodes. |
list(string) |
[] |
no |
| export_values |
Export for deployment used values.yaml-files as local files. |
bool |
false |
no |
| extra_firewall_rules |
Additional firewall rules to apply to the cluster. |
list(any) |
[] |
no |
| extra_kustomize_deployment_commands |
Commands to be executed after the kubectl apply -k <dir> step. |
string |
"" |
no |
| extra_kustomize_folder |
Folder from where to upload extra manifests |
string |
"extra-manifests" |
no |
| extra_kustomize_parameters |
All values will be passed to the kustomization.tmp.yml template. |
any |
{} |
no |
| firewall_kube_api_source |
Source networks that have Kube API access to the servers. The default allows access from anywhere; for production clusters, restrict this to your administrative and CI networks. |
list(string) |
[ "0.0.0.0/0", "::/0" ] |
no |
| firewall_ssh_source |
Source networks that have SSH access to the servers. The default allows access from anywhere; restrict this to your administrative networks (or a bastion) in production. |
list(string) |
[ "0.0.0.0/0", "::/0" ] |
no |
| flannel_backend |
Override the flannel backend used by k3s. When set, this takes precedence over enable_wireguard. Valid values: vxlan, host-gw, wireguard-native. See https://docs.k3s.io/networking/basic-network-options for details. Use wireguard-native for Robot nodes with vSwitch to avoid MTU issues. |
string |
null |
no |
| haproxy_additional_proxy_protocol_ips |
Additional trusted proxy protocol IPs to pass to haproxy. Only list sources you control: a trusted source can set the forwarded client address, so an untrusted entry lets clients spoof their origin. |
list(string) |
[] |
no |
| haproxy_merge_values |
Additional Helm values to merge with defaults (or haproxy_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| haproxy_requests_cpu |
Setting for HAProxy controller.resources.requests.cpu |
string |
"250m" |
no |
| haproxy_requests_memory |
Setting for HAProxy controller.resources.requests.memory |
string |
"400Mi" |
no |
| haproxy_values |
Helm values file to pass to haproxy as 'valuesContent' at the HelmChart, overriding the default. |
string |
"" |
no |
| haproxy_version |
Version of HAProxy helm chart. |
string |
"" |
no |
| hcloud_ssh_key_id |
If passed, a key already registered within hetzner is used. Otherwise, a new one will be created by the module. |
string |
null |
no |
| hcloud_token |
Hetzner Cloud API Token. Treat it as a secret: supply it via an environment variable or a secrets manager rather than committing it to version control. |
string |
n/a |
yes |
| hetzner_ccm_merge_values |
Additional Helm values to merge with defaults (or hetzner_ccm_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| hetzner_ccm_use_helm |
Whether to use the helm chart for the Hetzner CCM instead of the legacy manifest (the default). |
bool |
false |
no |
| hetzner_ccm_values |
Additional helm values file to pass to Hetzner Controller Manager as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| hetzner_ccm_version |
Version of Kubernetes Cloud Controller Manager for Hetzner Cloud. See https://github.com/hetznercloud/hcloud-cloud-controller-manager/releases for the available versions. |
string |
null |
no |
| hetzner_csi_values |
Additional helm values file to pass to hetzner csi as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| hetzner_csi_version |
Version of Container Storage Interface driver for Hetzner Cloud. See https://github.com/hetznercloud/csi-driver/releases for the available versions. |
string |
null |
no |
| ingress_controller |
The name of the ingress controller. |
string |
"traefik" |
no |
| ingress_max_replica_count |
Number of maximum replicas per ingress controller. Used for ingress HPA. Must be higher than number of replicas. |
number |
10 |
no |
| ingress_replica_count |
Number of replicas per ingress controller. 0 means autodetect based on the number of agent nodes. |
number |
0 |
no |
| ingress_target_namespace |
The namespace to deploy the ingress controller to. Defaults to ingress name. |
string |
"" |
no |
| initial_k3s_channel |
Allows you to specify an initial k3s channel. See https://update.k3s.io/v1-release/channels for available channels. |
string |
"v1.33" |
no |
| install_k3s_version |
Allows you to specify the k3s version (Example: v1.29.6+k3s2). Supersedes initial_k3s_channel. See https://github.com/k3s-io/k3s/releases for available versions. |
string |
"" |
no |
| k3s_agent_kubelet_args |
Kubelet args for agent nodes. |
list(string) |
[] |
no |
| k3s_audit_log_maxage |
Maximum number of days to retain audit log files |
number |
30 |
no |
| k3s_audit_log_maxbackup |
Maximum number of audit log files to retain |
number |
10 |
no |
| k3s_audit_log_maxsize |
Maximum size in megabytes of the audit log file before rotation |
number |
100 |
no |
| k3s_audit_log_path |
Path where audit logs will be stored on control plane nodes |
string |
"/var/log/k3s-audit/audit.log" |
no |
| k3s_audit_policy_config |
K3S audit-policy.yaml contents. Used to configure Kubernetes audit logging. |
string |
"" |
no |
| k3s_autoscaler_kubelet_args |
Kubelet args for autoscaler nodes. |
list(string) |
[] |
no |
| k3s_control_plane_kubelet_args |
Kubelet args for control plane nodes. |
list(string) |
[] |
no |
| k3s_exec_agent_args |
Agent nodes are started with k3s agent {k3s_exec_agent_args}. Use this to add kubelet-arg for example. |
string |
"" |
no |
| k3s_exec_server_args |
The control plane is started with k3s server {k3s_exec_server_args}. Use this to add kube-apiserver-arg for example. |
string |
"" |
no |
| k3s_global_kubelet_args |
Global kubelet args for all nodes. |
list(string) |
[] |
no |
| k3s_kubelet_config |
K3S kubelet-config.yaml contents. Used to configure the kubelet. |
string |
"" |
no |
| k3s_prefer_bundled_bin |
Whether to use the bundled k3s mount binary instead of the one from the distro's util-linux package. |
bool |
false |
no |
| k3s_registries |
K3S registries.yml contents. It is used to access private docker registries. If it contains registry credentials, treat the value as sensitive. |
string |
" " |
no |
| k3s_token |
k3s master token (must match when restoring a cluster). Keep it secret: it authorizes nodes to join the cluster. |
string |
null |
no |
| keep_disk_agents |
Whether to keep OS disks of nodes the same size when upgrading an agent node |
bool |
false |
no |
| keep_disk_cp |
Whether to keep OS disks of nodes the same size when upgrading a control-plane node |
bool |
false |
no |
| kubeconfig_server_address |
The hostname used for kubeconfig. |
string |
"" |
no |
| kured_options |
Options passed to Kured as a map of option name to value. Not further documented upstream; check the module's Kured template before relying on specific keys. |
map(string) |
{} |
no |
| kured_version |
Version of Kured. See https://github.com/kubereboot/kured/releases for the available versions. |
string |
null |
no |
| lb_hostname |
The Hetzner Load Balancer hostname, for either Traefik, HAProxy or Ingress-Nginx. |
string |
"" |
no |
| load_balancer_algorithm_type |
Specifies the algorithm type of the load balancer. |
string |
"round_robin" |
no |
| load_balancer_disable_ipv6 |
Disable IPv6 for the load balancer. |
bool |
false |
no |
| load_balancer_disable_public_network |
Disables the public network of the load balancer. |
bool |
false |
no |
| load_balancer_health_check_interval |
Specifies the interval at which a health check is performed. Minimum is 3s. |
string |
"15s" |
no |
| load_balancer_health_check_retries |
Specifies the number of times a health check is retried before a target is marked as unhealthy. |
number |
3 |
no |
| load_balancer_health_check_timeout |
Specifies the timeout of a single health check. Must not be greater than the health check interval. Minimum is 1s. |
string |
"10s" |
no |
| load_balancer_location |
Default load balancer location. |
string |
"nbg1" |
no |
| load_balancer_type |
Default load balancer server type. |
string |
"lb11" |
no |
| longhorn_fstype |
The longhorn fstype. |
string |
"ext4" |
no |
| longhorn_helmchart_bootstrap |
Whether the HelmChart longhorn shall be run on control-plane nodes. |
bool |
false |
no |
| longhorn_merge_values |
Helm values to merge with defaults (or longhorn_values if set). User values take precedence. Use for targeted overrides like image tags. Requires valid YAML format. |
string |
"" |
no |
| longhorn_namespace |
Namespace for longhorn deployment, defaults to 'longhorn-system' |
string |
"longhorn-system" |
no |
| longhorn_replica_count |
Number of replicas per longhorn volume. |
number |
3 |
no |
| longhorn_repository |
By default the official chart which may be incompatible with rancher is used. If you need to fully support rancher switch to https://charts.rancher.io. |
string |
"https://charts.longhorn.io" |
no |
| longhorn_values |
Helm values passed as valuesContent to the Longhorn HelmChart. When set, this replaces the module defaults. |
string |
"" |
no |
| longhorn_version |
Longhorn Helm chart version. |
string |
"*" |
no |
| microos_arm_snapshot_id |
MicroOS ARM snapshot ID to be used. Empty by default; when empty, the most recent image created using createkh is used. |
string |
"" |
no |
| microos_x86_snapshot_id |
MicroOS x86 snapshot ID to be used. Empty by default; when empty, the most recent image created using createkh is used. |
string |
"" |
no |
| nat_router |
Do you want to pipe all egress through a single nat router which is to be constructed? Note: Requires use_control_plane_lb=true when enabled. Automatically forwards port 6443 to the control plane LB when control_plane_lb_enable_public_interface=false. |
object({ server_type = string location = string labels = optional(map(string), {}) enable_sudo = optional(bool, false) enable_redundancy = optional(bool, false) standby_location = optional(string, "") }) |
null |
no |
| nat_router_hcloud_token |
API Token used by the nat-router to change ip assignment when nat_router.enable_redundancy is true. Treat it as a secret; consider a token scoped to the minimum permissions the router needs. |
string |
"" |
no |
| nat_router_subnet_index |
Subnet index for NAT router. Default 200 is safe for most deployments. Must not conflict with control plane (counting down from 255) or agent pools (counting up from 0). |
number |
200 |
no |
| network_ipv4_cidr |
The main network cidr that all subnets will be created upon. |
string |
"10.0.0.0/8" |
no |
| network_region |
Default region for network. |
string |
"eu-central" |
no |
| nginx_merge_values |
Additional Helm values to merge with defaults (or nginx_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| nginx_values |
Additional helm values file to pass to nginx as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| nginx_version |
Version of Nginx helm chart. See https://github.com/kubernetes/ingress-nginx?tab=readme-ov-file#supported-versions-table for the available versions. |
string |
"" |
no |
| placement_group_disable |
Whether to disable placement groups. |
bool |
false |
no |
| postinstall_exec |
Additional commands to execute on the nodes after the install calls, for example restoring a backup. |
list(string) |
[] |
no |
| preinstall_exec |
Additional commands to execute on the nodes before the install calls, for example fetching and installing certs. |
list(string) |
[] |
no |
| rancher_bootstrap_password |
Rancher bootstrap password. Treat it as sensitive and do not commit it to version control. |
string |
"" |
no |
| rancher_helmchart_bootstrap |
Whether the HelmChart rancher shall be run on control-plane nodes. |
bool |
false |
no |
| rancher_hostname |
The rancher hostname. |
string |
"" |
no |
| rancher_install_channel |
The rancher installation channel. |
string |
"stable" |
no |
| rancher_merge_values |
Additional Helm values to merge with defaults (or rancher_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| rancher_registration_manifest_url |
The url of a rancher registration manifest to apply. (see https://rancher.com/docs/rancher/v2.6/en/cluster-provisioning/registered-clusters/). |
string |
"" |
no |
| rancher_values |
Additional helm values file to pass to Rancher as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| rancher_version |
Version of rancher. |
string |
"*" |
no |
| restrict_outbound_traffic |
Whether or not to restrict the outbound traffic. |
bool |
true |
no |
| robot_ccm_enabled |
Enables the integration of Hetzner Robot dedicated servers via the Cloud Controller Manager (CCM). If true, robot_user and robot_password must also be provided, otherwise the integration will not be activated. |
bool |
false |
no |
| robot_password |
Password for the Hetzner Robot webservice. Treat it as sensitive and do not commit it to version control. |
string |
"" |
no |
| robot_user |
User for the Hetzner Robot webservice |
string |
"" |
no |
| service_ipv4_cidr |
Internal Service CIDR, used for the controller and currently for calico/cilium. |
string |
"10.43.0.0/16" |
no |
| ssh_additional_public_keys |
Additional SSH public Keys. Use them to grant other team members root access to your cluster nodes. |
list(string) |
[] |
no |
| ssh_hcloud_key_label |
Additional SSH public Keys by hcloud label. e.g. role=admin |
string |
"" |
no |
| ssh_max_auth_tries |
The maximum number of authentication attempts permitted per connection. |
number |
2 |
no |
| ssh_port |
The main SSH port to connect to the nodes. |
number |
22 |
no |
| ssh_private_key |
SSH private key (counterpart of ssh_public_key) used by the module to reach the nodes. Treat it as sensitive and never commit it to version control. |
string |
n/a |
yes |
| ssh_public_key |
SSH public key installed on the nodes; must correspond to ssh_private_key. |
string |
n/a |
yes |
| subnet_amount |
The number of subnets into which the network will be split. Must be a power of 2. |
number |
256 |
no |
| sys_upgrade_controller_version |
Version of the System Upgrade Controller for automated upgrades of k3s. v0.15.0+ supports the 'window' parameter for scheduling upgrades. See https://github.com/rancher/system-upgrade-controller/releases for available versions. |
string |
"v0.18.0" |
no |
| system_upgrade_enable_eviction |
Whether to evict pods during system upgrade (k3s) (true, the default) or delete them directly (false). Disable this on small clusters to avoid system upgrades hanging, since pods resisting eviction keep the node unschedulable forever. NOTE: turning this off introduces potential downtime for services on the upgraded nodes. |
bool |
true |
no |
| system_upgrade_schedule_window |
Schedule window for k3s automated upgrades (system-upgrade-controller v0.15.0+). When set, upgrade jobs will only be created within the specified time window. 'days' accepts lowercase day names (e.g. ["monday","tuesday"]). 'startTime'/'endTime' use HH:MM format. 'timeZone' defaults to UTC. See https://docs.k3s.io/upgrades/automated#scheduling-upgrades |
object({ days = optional(list(string), []) startTime = optional(string, "") endTime = optional(string, "") timeZone = optional(string, "UTC") }) |
null |
no |
| system_upgrade_use_drain |
Whether to use drain (true, the default), which deletes all pods on the node and lets them be rescheduled elsewhere before the node is upgraded, or cordon (false), which only prevents scheduling new pods on the node during the upgrade and keeps all running pods in place. |
bool |
true |
no |
| traefik_additional_options |
Additional options to pass to Traefik as a list of strings. These are the ones that go into the additionalArguments section of the Traefik helm values file. |
list(string) |
[] |
no |
| traefik_additional_ports |
Additional ports to pass to Traefik. These are the ones that go into the ports section of the Traefik helm values file. |
list(object({ name = string port = number exposedPort = number })) |
[] |
no |
| traefik_additional_trusted_ips |
Additional trusted IPs to pass to Traefik. These are the ones that go into the trustedIPs section of the Traefik helm values file. Only list sources you control: forwarded client-address headers from trusted IPs are believed, so an untrusted entry lets clients spoof their origin. |
list(string) |
[] |
no |
| traefik_autoscaling |
Should traefik enable Horizontal Pod Autoscaler. |
bool |
true |
no |
| traefik_image_tag |
Traefik image tag. Useful to use the beta version for new features. Example: v3.0.0-beta5 |
string |
"" |
no |
| traefik_merge_values |
Additional Helm values to merge with defaults (or traefik_values if set). User values take precedence. Requires valid YAML format. |
string |
"" |
no |
| traefik_pod_disruption_budget |
Should traefik enable pod disruption budget. Default values are maxUnavailable: 33% and minAvailable: 1. |
bool |
true |
no |
| traefik_provider_kubernetes_gateway_enabled |
Should traefik enable the kubernetes gateway provider. Default is false. |
bool |
false |
no |
| traefik_redirect_to_https |
Should traefik redirect http traffic to https. |
bool |
true |
no |
| traefik_resource_limits |
Should traefik enable default resource requests and limits. Default values are requests: 100m & 50Mi and limits: 300m & 150Mi. |
bool |
true |
no |
| traefik_resource_values |
Requests and limits for Traefik. |
object({ requests = object({ cpu = string memory = string }) limits = object({ cpu = string memory = string }) }) |
{ "limits": { "cpu": "300m", "memory": "150Mi" }, "requests": { "cpu": "100m", "memory": "50Mi" } } |
no |
| traefik_values |
Additional helm values file to pass to Traefik as 'valuesContent' at the HelmChart. |
string |
"" |
no |
| traefik_version |
Version of Traefik helm chart. See https://github.com/traefik/traefik-helm-chart/releases for the available versions. |
string |
"" |
no |
| use_cluster_name_in_node_name |
Whether to use the cluster name in the node name. |
bool |
true |
no |
| use_control_plane_lb |
Creates a dedicated load balancer for the Kubernetes API (port 6443). When enabled, kubectl and other API clients connect through this LB instead of directly to the first control plane node. Recommended for production clusters with multiple control plane nodes for high availability. Note: This is separate from the ingress load balancer for HTTP/HTTPS traffic. |
bool |
false |
no |
| vswitch_id |
Hetzner Cloud vSwitch ID. If defined, a subnet will be created in the IP-range defined by vswitch_subnet_index. The vSwitch must exist before this module is called. |
number |
null |
no |
| vswitch_subnet_index |
Subnet index (0-255) for vSwitch. Default 201 is safe for most deployments. Must not conflict with control plane (counting down from 255) or agent pools (counting up from 0). |
number |
201 |
no |