Merge pull request #727 from privatecoder/add-private-ip-connection

add option to create and set-up a cluster through their private-IPs

Author: vitobotta

docs/Creating_a_cluster.md

@@ -19,6 +19,7 @@ networking:
   ssh:
     port: 22
     use_agent: false # set to true if your key has a passphrase
+    use_private_ip: false # set to true to connect to nodes via their private IPs
     public_key_path: "~/.ssh/id_ed25519.pub"
     private_key_path: "~/.ssh/id_ed25519"
   allowed_networks:
@@ -243,6 +244,8 @@ To create the cluster run:
 hetzner-k3s create --config cluster_config.yaml | tee create.log
 ```
 
+If you need to bypass the validation that your current IP is included in the allowed SSH/API networks, add `--skip-current-ip-validation`.
+
 This process will take a few minutes, depending on how many master and worker nodes you have.
 
 ### Disabling public IPs (IPv4 or IPv6 or both) on nodes
@@ -371,4 +374,3 @@ The `create` command can be run multiple times with the same configuration witho
 eval "$(ssh-agent -s)"
 ssh-add --apple-use-keychain ~/.ssh/<private key>
 ```
-

docs/Setting_up_a_cluster.md

@@ -32,6 +32,7 @@ networking:
   ssh:
     port: 22
     use_agent: false
+    use_private_ip: false
     public_key_path: "~/.ssh/id_rsa.pub"
     private_key_path: "~/.ssh/id_rsa"
   allowed_networks:

docs/Troubleshooting.md

@@ -64,7 +64,7 @@ This will provide more detailed output, which can help you identify the root of
 
 **Symptoms**: Cluster creation hangs after nodes are created. SSH connection times out when trying to connect to a private IP address.
 
-**Note**: The tool currently does not support IPv6-only public network configuration. When you disable IPv4 (`public_network.ipv4: false`), you must run `hetzner-k3s` from a machine that has access to the same private network, either directly or through a VPN. Otherwise, the tool will attempt to use the private IP addresses for SSH connections and fail.
+**Note**: The tool currently does not support IPv6-only public network configuration. When you disable IPv4 (`public_network.ipv4: false`) or enable `networking.ssh.use_private_ip: true`, you must run `hetzner-k3s` from a machine that has access to the same private network, either directly or through a VPN. Otherwise, the tool will attempt to use private IP addresses for SSH/API connections and fail.
 
 ### Load Balancer Issues
 

src/cluster/create.cr

@@ -12,7 +12,13 @@ class Cluster::Create
   private getter hetzner_client : Hetzner::Client { configuration.hetzner_client }
   private getter settings : Configuration::Main { configuration.settings }
   private getter autoscaling_worker_node_pools : Array(Configuration::Models::WorkerNodePool) { settings.worker_node_pools.select(&.autoscaling_enabled) }
-  private getter ssh_client : Util::SSH { Util::SSH.new(settings.networking.ssh.private_key_path, settings.networking.ssh.public_key_path) }
+  private getter ssh_client : Util::SSH do
+    Util::SSH.new(
+      settings.networking.ssh.private_key_path,
+      settings.networking.ssh.public_key_path,
+      settings.networking.ssh.use_private_ip
+    )
+  end
   private getter network : Hetzner::Network?
   private getter ssh_key : Hetzner::SSHKey
   private getter load_balancer : Hetzner::LoadBalancer?

src/cluster/run.cr

@@ -150,8 +150,9 @@ class Cluster::Run
 
     puts "Nodes that will be affected:"
     instances.each do |instance|
-      if instance.host_ip_address
-        puts "  - #{instance.name} (#{instance.host_ip_address})"
+      host_ip_address = instance.host_ip_address(settings.networking.ssh.use_private_ip)
+      if host_ip_address
+        puts "  - #{instance.name} (#{host_ip_address})"
       else
         puts "  - #{instance.name} (no IP address - will be skipped)"
       end
@@ -165,8 +166,9 @@ class Cluster::Run
     puts
 
     puts "Node that will be affected:"
-    if instance.host_ip_address
-      puts "  - #{instance.name} (#{instance.host_ip_address})"
+    host_ip_address = instance.host_ip_address(settings.networking.ssh.use_private_ip)
+    if host_ip_address
+      puts "  - #{instance.name} (#{host_ip_address})"
     else
       puts "  - #{instance.name} (no IP address - will be skipped)"
     end
@@ -188,7 +190,8 @@ class Cluster::Run
   private def setup_ssh_connection
     Util::SSH.new(
       settings.networking.ssh.private_key_path,
-      settings.networking.ssh.public_key_path
+      settings.networking.ssh.public_key_path,
+      settings.networking.ssh.use_private_ip
     )
   end
 
@@ -228,8 +231,9 @@ class Cluster::Run
     output_lines = [] of String
     success = true
 
-    if instance.host_ip_address
-      output_lines << "=== Instance: #{instance.name} (#{instance.host_ip_address}) ==="
+    host_ip_address = instance.host_ip_address(settings.networking.ssh.use_private_ip)
+    if host_ip_address
+      output_lines << "=== Instance: #{instance.name} (#{host_ip_address}) ==="
 
       begin
         success_message = block.call(ssh, instance)

src/configuration/loader.cr

@@ -68,10 +68,11 @@ class Configuration::Loader
 
   getter new_k3s_version : String?
   getter configuration_file_path : String
+  getter skip_current_ip_validation : Bool = false
 
   private property force : Bool = false
 
-  def initialize(@configuration_file_path, @new_k3s_version, @force)
+  def initialize(@configuration_file_path, @new_k3s_version, @force, @skip_current_ip_validation = false)
     @settings = Configuration::Main.from_yaml(File.read(configuration_file_path))
 
     Configuration::Validators::ConfigurationFilePath.new(errors, configuration_file_path).validate
@@ -98,7 +99,8 @@ class Configuration::Loader
       masters_pool: masters_pool,
       instance_types: instance_types,
       all_locations: all_locations,
-      new_k3s_version: new_k3s_version
+      new_k3s_version: new_k3s_version,
+      skip_current_ip_validation: skip_current_ip_validation
     ).validate(command)
   end
 

src/configuration/models/networking_config/ssh.cr

@@ -4,6 +4,7 @@ class Configuration::Models::NetworkingConfig::SSH
 
   getter port : Int32 = 22
   getter use_agent : Bool = false
+  getter use_private_ip : Bool = false
   getter private_key_path : String = "~/.ssh/id_rsa"
   getter public_key_path : String = "~/.ssh/id_rsa.pub"
 

src/configuration/validators/command_specific_settings.cr

@@ -16,6 +16,7 @@ class Configuration::Validators::CommandSpecificSettings
   getter instance_types : Array(Hetzner::InstanceType)
   getter all_locations : Array(Hetzner::Location)
   getter new_k3s_version : String?
+  getter skip_current_ip_validation : Bool = false
 
   def initialize(
     @errors,
@@ -25,7 +26,8 @@ class Configuration::Validators::CommandSpecificSettings
     @masters_pool,
     @instance_types,
     @all_locations,
-    @new_k3s_version
+    @new_k3s_version,
+    @skip_current_ip_validation = false
   )
   end
 
@@ -50,7 +52,8 @@ class Configuration::Validators::CommandSpecificSettings
       hetzner_client: hetzner_client,
       masters_pool: masters_pool,
       instance_types: instance_types,
-      all_locations: all_locations
+      all_locations: all_locations,
+      skip_current_ip_validation: skip_current_ip_validation
     ).validate
   end
 
@@ -66,4 +69,4 @@ class Configuration::Validators::CommandSpecificSettings
   private def validate_run_settings
     Configuration::Validators::RunSettings.new(errors).validate
   end
-end
+end

src/configuration/validators/create_settings.cr

@@ -21,6 +21,7 @@ class Configuration::Validators::CreateSettings
   getter masters_pool : Configuration::Models::MasterNodePool
   getter instance_types : Array(Hetzner::InstanceType)
   getter all_locations : Array(Hetzner::Location)
+  getter skip_current_ip_validation : Bool = false
 
   def initialize(
     @errors,
@@ -29,7 +30,8 @@ class Configuration::Validators::CreateSettings
     @hetzner_client,
     @masters_pool,
     @instance_types,
-    @all_locations
+    @all_locations,
+    @skip_current_ip_validation = false
   )
   end
 
@@ -40,7 +42,14 @@ class Configuration::Validators::CreateSettings
 
     Configuration::Validators::Datastore.new(errors, settings.datastore).validate
 
-    Configuration::Validators::Networking.new(errors, settings.networking, settings, hetzner_client, settings.networking.private_network).validate
+    Configuration::Validators::Networking.new(
+      errors,
+      settings.networking,
+      settings,
+      hetzner_client,
+      settings.networking.private_network,
+      skip_current_ip_validation: skip_current_ip_validation
+    ).validate
 
     Configuration::Validators::MastersPool.new(
       errors: errors,

src/configuration/validators/networking.cr

@@ -17,15 +17,20 @@ class Configuration::Validators::Networking
   getter settings : Configuration::Main
   getter hetzner_client : Hetzner::Client
   getter private_network : Configuration::Models::NetworkingConfig::PrivateNetwork
+  getter skip_current_ip_validation : Bool = false
 
-  def initialize(@errors, @networking, @settings, @hetzner_client, @private_network)
+  def initialize(@errors, @networking, @settings, @hetzner_client, @private_network, @skip_current_ip_validation = false)
   end
 
   def validate
     Configuration::Validators::NetworkingConfig::CNI.new(errors, networking.cni, private_network).validate
-    Configuration::Validators::NetworkingConfig::AllowedNetworks.new(errors, networking.allowed_networks).validate
+    Configuration::Validators::NetworkingConfig::AllowedNetworks.new(
+      errors,
+      networking.allowed_networks,
+      skip_current_ip_validation: skip_current_ip_validation
+    ).validate
     Configuration::Validators::NetworkingConfig::PrivateNetwork.new(errors, private_network, hetzner_client).validate
     Configuration::Validators::NetworkingConfig::PublicNetwork.new(errors, networking.public_network, settings).validate
     Configuration::Validators::NetworkingConfig::SSH.new(errors, networking.ssh, hetzner_client, settings.cluster_name).validate
   end
-end
+end