Workshop completo: aulas 08-10 com Talos, n8n e GitLab na Hetzner

Aula 08 - Cluster Kubernetes HA:
- Setup interativo com OpenTofu para Talos na Hetzner
- CCM, CSI Driver, Cluster Autoscaler, Metrics Server
- NGINX Ingress com LoadBalancer (HTTP/HTTPS/SSH)

Aula 09 - n8n na Hetzner:
- Deploy via Helm com PostgreSQL e Redis
- Suporte multi-tenant com add-client.sh
- Integração com Hetzner CSI para volumes persistentes

Aula 10 - GitLab na Hetzner:
- Setup agnóstico: CloudFlare (trusted proxies) ou Let's Encrypt
- Anti-affinity para distribuir webservice/sidekiq em nós diferentes
- Container Registry e SSH via TCP passthrough
- Documentação do erro 422 e solução com trustedCIDRsForXForwardedFor

Melhorias gerais:
- READMEs atualizados com arquitetura e troubleshooting
- Scripts cleanup.sh para todas as aulas
- CLAUDE.md atualizado com contexto do projeto

aula-08/main.tf

@@ -32,7 +32,12 @@ resource "random_string" "cluster_id" {
 }
 
 locals {
-  cluster_name = "talos-${random_string.cluster_id.result}"
+  cluster_name        = "talos-${random_string.cluster_id.result}"
+  control_plane_count = var.enable_ha ? 3 : 1
+
+  # Endpoint: LoadBalancer IP if enabled, otherwise Floating IP
+  cluster_endpoint_ip = var.enable_loadbalancer ? hcloud_load_balancer.cluster[0].ipv4 : hcloud_floating_ip.control_plane[0].ip_address
+
   common_labels = {
     cluster     = local.cluster_name
     environment = var.environment
@@ -191,7 +196,7 @@ resource "hcloud_placement_group" "cluster" {
 ############################################################
 
 resource "hcloud_server" "control_plane" {
-  count       = 3
+  count       = local.control_plane_count
   name        = "${local.cluster_name}-cp-${count.index}"
   server_type = "cax11"
   image       = data.hcloud_image.talos.id
@@ -218,14 +223,15 @@ resource "hcloud_server" "control_plane" {
 }
 
 resource "hcloud_server_network" "control_plane" {
-  count      = 3
+  count      = local.control_plane_count
   server_id  = hcloud_server.control_plane[count.index].id
   network_id = hcloud_network.cluster.id
   ip         = "10.0.1.${10 + count.index}"
 }
 
-# Floating IP for stable control plane access
+# Floating IP for stable control plane access (only if LoadBalancer is disabled)
 resource "hcloud_floating_ip" "control_plane" {
+  count         = var.enable_loadbalancer ? 0 : 1
   type          = "ipv4"
   name          = "${local.cluster_name}-cp-ip"
   home_location = "nbg1"
@@ -233,10 +239,139 @@ resource "hcloud_floating_ip" "control_plane" {
 }
 
 resource "hcloud_floating_ip_assignment" "control_plane" {
-  floating_ip_id = hcloud_floating_ip.control_plane.id
+  count          = var.enable_loadbalancer ? 0 : 1
+  floating_ip_id = hcloud_floating_ip.control_plane[0].id
   server_id      = hcloud_server.control_plane[0].id
 }
 
+############################################################
+# LOAD BALANCER (for HA access to control plane and ingress)
+############################################################
+
+resource "hcloud_load_balancer" "cluster" {
+  count              = var.enable_loadbalancer ? 1 : 0
+  name               = "${local.cluster_name}-lb"
+  load_balancer_type = "lb11"
+  location           = "nbg1"
+  labels             = local.common_labels
+}
+
+resource "hcloud_load_balancer_network" "cluster" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  network_id       = hcloud_network.cluster.id
+  ip               = "10.0.1.2"
+
+  depends_on = [hcloud_network_subnet.cluster]
+}
+
+# Kubernetes API (6443) -> Control Planes
+resource "hcloud_load_balancer_service" "kubernetes_api" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  protocol         = "tcp"
+  listen_port      = 6443
+  destination_port = 6443
+
+  health_check {
+    protocol = "tcp"
+    port     = 6443
+    interval = 10
+    timeout  = 5
+    retries  = 3
+  }
+}
+
+# Talos API (50000) -> Control Planes
+resource "hcloud_load_balancer_service" "talos_api" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  protocol         = "tcp"
+  listen_port      = 50000
+  destination_port = 50000
+
+  health_check {
+    protocol = "tcp"
+    port     = 50000
+    interval = 10
+    timeout  = 5
+    retries  = 3
+  }
+}
+
+# HTTP (80) -> Workers (NGINX Ingress)
+resource "hcloud_load_balancer_service" "http" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  protocol         = "tcp"
+  listen_port      = 80
+  destination_port = 80
+
+  health_check {
+    protocol = "tcp"
+    port     = 80
+    interval = 10
+    timeout  = 5
+    retries  = 3
+  }
+}
+
+# HTTPS (443) -> Workers (NGINX Ingress)
+resource "hcloud_load_balancer_service" "https" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  protocol         = "tcp"
+  listen_port      = 443
+  destination_port = 443
+
+  health_check {
+    protocol = "tcp"
+    port     = 443
+    interval = 10
+    timeout  = 5
+    retries  = 3
+  }
+}
+
+# SSH (22) -> Workers (GitLab SSH)
+resource "hcloud_load_balancer_service" "ssh" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  protocol         = "tcp"
+  listen_port      = 22
+  destination_port = 22
+
+  health_check {
+    protocol = "tcp"
+    port     = 22
+    interval = 10
+    timeout  = 5
+    retries  = 3
+  }
+}
+
+# LB Targets: Control Planes (for 6443 and 50000)
+resource "hcloud_load_balancer_target" "control_plane" {
+  count            = var.enable_loadbalancer ? local.control_plane_count : 0
+  type             = "server"
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  server_id        = hcloud_server.control_plane[count.index].id
+  use_private_ip   = true
+
+  depends_on = [hcloud_load_balancer_network.cluster]
+}
+
+# LB Targets: Workers (for 80, 443, and 22)
+resource "hcloud_load_balancer_target" "worker" {
+  count            = var.enable_loadbalancer ? 1 : 0
+  type             = "server"
+  load_balancer_id = hcloud_load_balancer.cluster[0].id
+  server_id        = hcloud_server.worker[count.index].id
+  use_private_ip   = true
+
+  depends_on = [hcloud_load_balancer_network.cluster]
+}
+
 ############################################################
 # WORKER NODE (Single CAX11)
 ############################################################
@@ -288,15 +423,15 @@ resource "talos_machine_secrets" "this" {
 data "talos_client_configuration" "this" {
   cluster_name         = local.cluster_name
   client_configuration = talos_machine_secrets.this.client_configuration
-  endpoints            = [hcloud_floating_ip.control_plane.ip_address]
+  endpoints            = [local.cluster_endpoint_ip]
 }
 
 # Control plane configuration
 data "talos_machine_configuration" "control_plane" {
-  count            = 3
+  count            = local.control_plane_count
   cluster_name     = local.cluster_name
   machine_type     = "controlplane"
-  cluster_endpoint = "https://${hcloud_floating_ip.control_plane.ip_address}:6443"
+  cluster_endpoint = "https://${local.cluster_endpoint_ip}:6443"
   machine_secrets  = talos_machine_secrets.this.machine_secrets
   talos_version    = var.talos_version
 
@@ -304,15 +439,16 @@ data "talos_machine_configuration" "control_plane" {
     templatefile("${path.module}/talos-patches/control-plane.yaml", {
       cluster_name = local.cluster_name
       node_name    = hcloud_server.control_plane[count.index].name
-      is_ha        = true
+      is_ha        = var.enable_ha
       is_first_cp  = count.index == 0
-      etcd_peers   = [for i in range(3) : "10.0.1.${10 + i}"]
-      floating_ip  = hcloud_floating_ip.control_plane.ip_address
+      etcd_peers   = [for i in range(local.control_plane_count) : "10.0.1.${10 + i}"]
+      floating_ip  = local.cluster_endpoint_ip
     })
   ]
 
   depends_on = [
     hcloud_server.control_plane,
+    hcloud_load_balancer.cluster,
     hcloud_floating_ip_assignment.control_plane
   ]
 }
@@ -322,7 +458,7 @@ data "talos_machine_configuration" "worker" {
   count            = 1
   cluster_name     = local.cluster_name
   machine_type     = "worker"
-  cluster_endpoint = "https://${hcloud_floating_ip.control_plane.ip_address}:6443"
+  cluster_endpoint = "https://${local.cluster_endpoint_ip}:6443"
   machine_secrets  = talos_machine_secrets.this.machine_secrets
   talos_version    = var.talos_version
 
@@ -335,6 +471,7 @@ data "talos_machine_configuration" "worker" {
 
   depends_on = [
     hcloud_server.worker,
+    hcloud_load_balancer.cluster,
     hcloud_floating_ip_assignment.control_plane
   ]
 }
@@ -344,7 +481,7 @@ data "talos_machine_configuration" "worker" {
 ############################################################
 
 resource "talos_machine_configuration_apply" "control_plane" {
-  count                       = 3
+  count                       = local.control_plane_count
   client_configuration        = talos_machine_secrets.this.client_configuration
   machine_configuration_input = data.talos_machine_configuration.control_plane[count.index].machine_configuration
   endpoint                    = hcloud_server.control_plane[count.index].ipv4_address
@@ -400,11 +537,11 @@ resource "talos_cluster_kubeconfig" "this" {
 ############################################################
 
 resource "local_sensitive_file" "kubeconfig" {
-  # Replace the internal hostname with the floating IP for external access
+  # Replace the internal hostname with the LB/Floating IP for external access
   content = replace(
     talos_cluster_kubeconfig.this.kubeconfig_raw,
     "https://${local.cluster_name}.local:6443",
-    "https://${hcloud_floating_ip.control_plane.ip_address}:6443"
+    "https://${local.cluster_endpoint_ip}:6443"
   )
   filename = "${path.root}/kubeconfig"
 }