-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calico and HCC #641
Comments
When you use the private networks from Hetzner Cloud with hcloud-cloud-controller-manager and enable the routes-controller (default), then you should be able to use Calico without any additional overlay networks. You can configure this in Calico with I have never personally tested this configuration though. |
I am also interested in this topic, if you have any knowledge @medicol69 please let me now :) |
Yes, it works fine with calico. To run a quick test use hetzner-k3s. Important warning when running cloud together when baremetal with private networking. Calico requires a /24 vlan address per node which means when you're creating a subnet make sure the vlan subnet is at minimum a /23 (1 nodes max) or ideally /17 (127 nodes max) allocating first half to cloud instances and the second half to baremetal instances. |
thanks, but I don't think that the hetzner private network interfaces are stable enough to use them in production. If anyone got them to work and give out an example of how to use it in prod I'm all ears. |
I am currently running it just fine with calico and even have ceph working over vlan with pretty good performance. You cannot advertise nodeip with internal so define hostendpoint instead for metrics and etcd to be protected. Load balancers also require you to use public net in this case. |
I am using calico without encapsulation and hccm with routes enabled. Calico uses BPF and replaces kube-proxy. I think this works well, but I haven't tested it enough to be 100% sure. If you have any feedback on this configuration, I would love to discuss it :)
|
I am not sure why, but when using hetzner-k3s the internal network works just fine, however, a manually bootstrapped cluster has an issue with the cloud controller where it does not recognize the internal ip address so it never gets the taint removed and the labels added. I spent few hours trying to figure out why without being able to find any difference between the two configurations. My only guess is that it is some internal order of configuration where the metadata/private network endpoints are not being parsed in order. So to recap: allocate at least /16 vlan range and do not use the hcloud controller (will not be able to use the load balancer or resolve labels automatically). |
What kubernetes version do you use? Kubernetes 1.29 had a change that the node ip will be left empty if cloud-provider is set to external and --node-ip is not set manually. Maybe this is the case here. From CHANGELOG-1.29: |
I was thinking on private networking on hetzner, if anyone is doing that in production please share your config, and what are your experiences. |
I am currently testing this. You can see my calico values above. HCCM configuration is normal with networks enabled. |
I tried both 1.29 and 1.30, here's my init script:
EDIT: added node-ip=$PRIVATE_IP, the configuration before is what I am currently using to get around the issue.
Yes, it does work including networking and routes out of the box when using hetzner-k3s tool. But I had issues with getting HCCM to recognize the nodes when defining an internal ip as the node network when attempting to bootstrap the cluster manually. However, using the public ip works fine (and routes are still created for internal communication). Robot does not support networking from HCCM. |
I am using kubeadm only on hcloud nodes (currently no dedicated / robot nodes, maybe i will add them later) and this works fine. |
Alright, here's the full guide to replicate the issue:
bash init_master.sh test-cluster cluster.local IP_ADDRESS 10.224.0.0 10.222.0.0/16 10.223.0.0/16 10.223.0.10 IP_ADDRESS kubectl config set-context test-cluster Install calico: Create HCCM secret with the network cidr and hcloud token. Install hcloud:
Observe the following error:
edit: the actual name doesn't matter for the hostname since providerid is specified, usually the hostname would be a domain matching the name of the node and the calico step is optional. |
TL;DR
This is more of an inquiry, since it's not that clear from the documentation, does the hetzner cloud controller work with the Calico CNI when using the private interfaces on Hetzner? Thanks
Expected behavior
this is an inquiry on the documentation.
The text was updated successfully, but these errors were encountered: