There are several tasks that have to be completed, before a workload cluster can be created.
- Create a new HCloud project.
- Generate an API token with read and write access. You'll find this if you click on the project and go to "security".
- If you want to use it, generate an SSH key, upload the public key to HCloud (also via "security") and give it a name. Read more about Managing SSH Keys
- Create a new web service user. Here you can define a password and copy your user name.
- Generate an SSH key. You can either upload it via Hetzner Robot UI, or you can just rely on the controller to upload a key that it does not find in the robot API. This is possible, as you have to store the public and private key together with the ssh key's name in a secret that the controller reads.
- Install and setup kubectl in your local environment
- Install Kind and Docker
Cluster API requires an existing Kubernetes cluster accessible via kubectl. During the installation process the Kubernetes cluster will be transformed into a management cluster by installing the Cluster API provider components, so it is recommended to keep it separated from any application workload.
It is a common practice to create a temporary, local bootstrap cluster which is then used to provision a target management cluster on the selected infrastructure provider.
For production use-cases a “real” Kubernetes cluster should be used with appropriate backup and DR policies and procedures in place. The Kubernetes cluster must be at least a supported version.
kind can be used for creating a local Kubernetes cluster for development environments or for the creation of a temporary bootstrap cluster used to provision a target management cluster on the selected infrastructure provider.
Please use the instructions here: https://cluster-api.sigs.k8s.io/user/quick-start.html#install-clusterctl
or use: make install-clusterctl
Now that we’ve got clusterctl installed and all the prerequisites in place, let’s transform the Kubernetes cluster into a management cluster by using clusterctl init. More informations about clusterctl can be found here.
For the latest version:
clusterctl init --core cluster-api --bootstrap kubeadm --control-plane kubeadm --infrastructure hetzner
or for a specific version: --infrastructure hetzner:vX.X.X
export HCLOUD_SSH_KEY="<ssh-key-name>" \
export CLUSTER_NAME="my-cluster" \
export HCLOUD_REGION="fsn1" \
export CONTROL_PLANE_MACHINE_COUNT=3 \
export WORKER_MACHINE_COUNT=3 \
export KUBERNETES_VERSION=1.24.0 \
export HCLOUD_CONTROL_PLANE_MACHINE_TYPE=cpx31 \
export HCLOUD_WORKER_MACHINE_TYPE=cpx31- HCLOUD_SSH_KEY: The SSH Key name you loaded in HCloud.
- HCLOUD_REGION: https://docs.hetzner.com/cloud/general/locations/
- HCLOUD_IMAGE_NAME: The Image name of your operating system.
- HCLOUD_X_MACHINE_TYPE: https://www.hetzner.com/cloud#pricing
For a list of all variables need for generating a cluster manifest (from the cluster-template.yaml) use clusterctl generate cluster my-cluster --list-variables:
Required Variables:
- HCLOUD_CONTROL_PLANE_MACHINE_TYPE
- HCLOUD_REGION
- HCLOUD_SSH_KEY
- HCLOUD_WORKER_MACHINE_TYPE
Optional Variables:
- CLUSTER_NAME (defaults to my-cluster)
- CONTROL_PLANE_MACHINE_COUNT (defaults to 1)
- WORKER_MACHINE_COUNT (defaults to 0)
In order for the provider integration hetzner to communicate with the Hetzner API (HCloud API we need to create a secret with the access data. The secret must be in the same namespace as the other CRs.
export HCLOUD_TOKEN="<YOUR-TOKEN>"
- HCLOUD_TOKEN: The project where your cluster will be placed to. You have to get a token from your HCloud Project.
kubectl create secret generic hetzner --from-literal=hcloud=$HCLOUD_TOKEN
# Patch the created secret so it is automatically moved to the target cluster later.
kubectl patch secret hetzner -p '{"metadata":{"labels":{"clusterctl.cluster.x-k8s.io/move":""}}}'The secret name and the tokens can also be customized in the cluster template.
In order for the provider integration hetzner to communicate with the Hetzner API (HCloud API + Robot API), we need to create a secret with the access data. The secret must be in the same namespace as the other CRs.
export HCLOUD_TOKEN="<YOUR-TOKEN>" \
export HETZNER_ROBOT_USER="<YOUR-ROBOT-USER>" \
export HETZNER_ROBOT_PASSWORD="<YOUR-ROBOT-PASSWORD>" \
export HETZNER_SSH_PUB_PATH="<YOUR-SSH-PUBLIC-PATH>" \
export HETZNER_SSH_PRIV_PATH="<YOUR-SSH-PRIVATE-PATH>" \- HCLOUD_TOKEN: The project where your cluster will be placed to. You have to get a token from your HCloud Project.
- HETZNER_ROBOT_USER: The User you have defined in robot under settings / Web
- HETZNER_ROBOT_PASSWORD: The Robot Password you have set in robot under settings/web.
- HETZNER_SSH_PUB_PATH: The Path to your generated Public SSH Key.
- HETZNER_SSH_PRIV_PATH: The Path to your generated Private SSH Key. This is needed because CAPH uses this key to provision the node in Hetzner Dedicated.
kubectl create secret generic hetzner --from-literal=hcloud=$HCLOUD_TOKEN --from-literal=robot-user=$HETZNER_ROBOT_USER --from-literal=robot-password=$HETZNER_ROBOT_PASSWORD
kubectl create secret generic robot-ssh --from-literal=sshkey-name=cluster --from-file=ssh-privatekey=$HETZNER_SSH_PRIV_PATH --from-file=ssh-publickey=$HETZNER_SSH_PUB_PATH
# Patch the created secret so it is automatically moved to the target cluster later.
kubectl patch secret hetzner -p '{"metadata":{"labels":{"clusterctl.cluster.x-k8s.io/move":""}}}'The secret name and the tokens can also be customized in the cluster template.
For using cluster-api with the bootstrap provider kubeadm, we need a server with all the necessary binaries and settings for running kubernetes. There are several ways to achieve this. In the quick-start guide we use pre-kubeadm commands in the KubeadmControlPlane and KubeadmConfigTemplate object. These are propagated from the bootstrap provider kubeadm and the control plane provider kubeadm to the node as cloud-init commands. This way is usable universally also in other infrastructure providers. For Hcloud there is an alternative way using packer, that creates a snapshot to boot from, this is in the sense of versioning and the speed of creating a node clearly advantageous. The same is possible for Hetzner Bare Metal as we could use installimage and a prepared tarball which gets then installed.
See node-image for more informations.