From b0838c8a0168ad5449e2896c74c308e167d87276 Mon Sep 17 00:00:00 2001
From: phaer
Date: Tue, 25 Jan 2022 15:05:29 +0100
Subject: [PATCH] ingress: don't use private ip, make ipv6 optional

---
 main.tf                           | 5 +++--
 templates/traefik_config.yaml.tpl | 7 ++++++-
 variables.tf                      | 6 ++++++
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 2feee40..4d12561 100644
--- a/main.tf
+++ b/main.tf
@@ -166,8 +166,9 @@ resource "local_file" "hetzner_csi_config" {
 
 resource "local_file" "traefik_config" {
   content = templatefile("${path.module}/templates/traefik_config.yaml.tpl", {
-    lb_server_type = var.lb_server_type
-    location = var.location
+    lb_disable_ipv6 = var.lb_disable_ipv6
+    lb_server_type = var.lb_server_type
+    location = var.location
   })
   filename = "${path.module}/templates/rendered/traefik_config.yaml"
   file_permission = "0644"
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 787f5a9..4b03c7a 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
@@ -10,7 +10,12 @@ spec:
   type: LoadBalancer
   annotations:
     "load-balancer.hetzner.cloud/name": "traefik"
+    # make hetzners load-balancer connect to our nodes via our private k3s-net.
     "load-balancer.hetzner.cloud/use-private-ip": "true"
+    # keep hetzner-ccm from exposing our private ingress ip, which in general isn't routeable from the public internet.
+    "load-balancer.hetzner.cloud/disable-private-ingress": "true"
+    # disable ipv6 by default, because external-dns doesn't support AAAA for hcloud yet https://github.com/kubernetes-sigs/external-dns/issues/2044
+    "load-balancer.hetzner.cloud/ipv6-disabled": "${lb_disable_ipv6}"
     "load-balancer.hetzner.cloud/location": "${location}"
     "load-balancer.hetzner.cloud/type": "${lb_server_type}"
     "load-balancer.hetzner.cloud/uses-proxyprotocol": "true"
@@ -18,4 +23,4 @@ spec:
     - "--entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
     - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
     - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
-    - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
\ No newline at end of file
+    - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
diff --git a/variables.tf b/variables.tf
index 4b5c424..81c7ea9 100644
--- a/variables.tf
+++ b/variables.tf
@@ -34,6 +34,12 @@ variable "lb_server_type" {
   type = string
 }
 
+variable "lb_disable_ipv6" {
+  description = "Disable ipv6 for the load balancer"
+  type = bool
+  default = false
+}
+
 variable "servers_num" {
   description = "Number of control plane nodes."
   type = number
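Review bot: The comment above the new `ipv6-disabled` annotation says "disable ipv6 by default", but its value is `${lb_disable_ipv6}` and the variables.tf hunk in this same patch declares that variable with `default = false`, so IPv6 stays enabled unless a caller opts out and the comment will mislead the next reader. Either change the default to `true` to match the stated intent, or reword the comment to `# ipv6-disabled follows var.lb_disable_ipv6 (default false); set it when your DNS tooling cannot publish AAAA records, e.g. external-dns on hcloud: https://github.com/kubernetes-sigs/external-dns/issues/2044`. Separately, now that the load balancer reaches the nodes only over the private network and still sends PROXY protocol, the unchanged `proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8` and `forwardedHeaders.trustedIPs` arguments mean any peer in that /8 — presumably including pods and nodes on the k3s network — can forge the client address Traefik logs and passes upstream, so consider narrowing the range to the load balancer's private address or subnet. The `spec` block these lines belong to starts before the hunk.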
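Review bot: The description of the new `lb_disable_ipv6` variable does not say which load balancer setting it controls or why anyone would turn it on, while the only explanation (external-dns lacking AAAA support for hcloud) sits in a template comment a module user never reads. Suggest `description = "Disable IPv6 on the Hetzner load balancer (load-balancer.hetzner.cloud/ipv6-disabled). Set to true if your DNS tooling cannot publish AAAA records, e.g. external-dns on hcloud."` so the trade-off is visible where the knob is declared. `default = false` keeps IPv6 enabled for existing callers, which is the backward-compatible choice and worth stating in the description as well.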