aula-06 e aula-08: Hetzner CSI Driver e segurança de rede

aula-06: - Adicionar instalação do Hetzner CSI Driver no setup.sh - Input interativo seguro para token da Hetzner Cloud - Atualizar custom-values.yaml para n8n.kube.quest aula-08: - Adicionar regras de firewall para VXLAN e rede privada - Configurar Flannel para usar interface privada (--iface-can-reach) - Configurar kubelet.nodeIP.validSubnets para rede privada - Corrigir segurança: VXLAN restrito a 10.0.0.0/8
2025-12-27 22:56:09 -03:00
parent 6db8ca3189
commit 50dc74c1d8
5 changed files with 110 additions and 8 deletions
--- a/aula-06/custom-values.yaml
+++ b/aula-06/custom-values.yaml
@@ -12,7 +12,7 @@
 # -----------------------------------------------------------------------------
 image:
  repository: n8nio/n8n
-  tag: "2.1.4"
+  tag: "2.0.3"
  pullPolicy: IfNotPresent

 # -----------------------------------------------------------------------------
@@ -58,7 +58,7 @@ ingress:
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
  hosts:
-    - host: n8n.localhost
+    - host: n8n.kube.quest
      paths:
        - path: /
          pathType: Prefix
@@ -121,7 +121,7 @@ worker:
 webhook:
  mode: queue
  count: 1
-  url: "http://n8n.localhost"
+  url: "https://n8n.kube.quest"
  extraEnvVars:
    N8N_SECURE_COOKIE: "false"
  resources:
--- a/aula-06/setup.sh
+++ b/aula-06/setup.sh
@@ -67,7 +67,68 @@ log_success "Helm $(helm version --short) encontrado"
 echo ""

 # =============================================================================
-# 1. INSTALAR NGINX INGRESS (se não existir)
+# 1. INSTALAR HETZNER CSI DRIVER (para provisionar volumes)
+# =============================================================================
+
+log_info "=== Configurando Hetzner CSI Driver ==="
+
+# Verificar se secret já existe (evita pedir token novamente)
+if kubectl get secret hcloud -n kube-system &> /dev/null; then
+    log_success "Secret hcloud já existe em kube-system"
+else
+    # Pedir token via input interativo
+    echo ""
+    log_info "Token da Hetzner Cloud necessário para provisionar volumes."
+    log_info "Crie um token em: https://console.hetzner.cloud/projects/*/security/tokens"
+    echo ""
+    log_info "Cole o token e pressione ENTER:"
+
+    # Desabilita echo, lê linha completa, reabilita echo
+    stty -echo
+    IFS= read -r HCLOUD_TOKEN
+    stty echo
+    echo ""
+
+    if [ -z "$HCLOUD_TOKEN" ]; then
+        log_error "Token não pode ser vazio."
+        exit 1
+    fi
+
+    log_info "Criando secret hcloud em kube-system..."
+    kubectl create secret generic hcloud \
+        --namespace=kube-system \
+        --from-literal=token="$HCLOUD_TOKEN"
+    log_success "Secret hcloud criado"
+fi
+
+# Instalar Hetzner CSI Driver via Helm (se não instalado)
+if helm status hcloud-csi -n kube-system &> /dev/null; then
+    log_success "Hetzner CSI Driver já está instalado"
+else
+    log_info "Instalando Hetzner CSI Driver..."
+    helm repo add hcloud https://charts.hetzner.cloud 2>/dev/null || true
+    helm repo update hcloud
+
+    helm install hcloud-csi hcloud/hcloud-csi \
+        --namespace kube-system \
+        --wait \
+        --timeout 5m
+    log_success "Hetzner CSI Driver instalado"
+fi
+
+# Verificar StorageClass
+log_info "Verificando StorageClass..."
+if kubectl get storageclass hcloud-volumes &> /dev/null; then
+    log_success "StorageClass hcloud-volumes disponível"
+else
+    log_error "StorageClass hcloud-volumes não encontrado"
+    exit 1
+fi
+
+echo ""
+
+# =============================================================================
+# 2. INSTALAR NGINX INGRESS (se não existir)
 # =============================================================================

 log_info "=== Verificando NGINX Ingress ==="
@@ -82,6 +143,8 @@ else
    helm install nginx-ingress ingress-nginx/ingress-nginx \
        --namespace ingress-nginx \
        --create-namespace \
+        --set controller.allowSnippetAnnotations=true \
+        --set controller.config.annotations-risk-level=Critical \
        --wait

    log_success "NGINX Ingress instalado"
@@ -89,7 +152,7 @@ fi
 echo ""

 # =============================================================================
-# 2. CRIAR NAMESPACE E APLICAR SECRETS
+# 3. CRIAR NAMESPACE E APLICAR SECRETS
 # =============================================================================

 log_info "=== Configurando namespace n8n ==="
@@ -106,7 +169,7 @@ fi
 echo ""

 # =============================================================================
-# 3. INSTALAR n8n VIA HELM
+# 4. INSTALAR n8n VIA HELM
 # =============================================================================

 log_info "=== Instalando n8n ==="
@@ -138,7 +201,7 @@ fi
 echo ""

 # =============================================================================
-# 4. AGUARDAR PODS FICAREM PRONTOS
+# 5. AGUARDAR PODS FICAREM PRONTOS
 # =============================================================================

 log_info "=== Aguardando pods ficarem prontos ==="
@@ -185,6 +248,7 @@ echo -e "${GREEN}  Setup Completo!${NC}"
 echo "=============================================="
 echo ""
 echo "Componentes instalados:"
+echo "  - Hetzner CSI Driver (StorageClass: hcloud-volumes)"
 echo "  - NGINX Ingress Controller"
 echo "  - n8n (namespace: n8n)"
 echo "    - Main node"
@@ -216,7 +280,7 @@ echo "  # Desinstalar"
 echo "  helm uninstall n8n -n n8n"
 echo ""
 echo "  # Fazer upgrade do helm chart"
-echo "  helm upgrade --reuse-values --values --custom-values.yaml n8n community-charts/n8n --namespace n8n"
+echo "  helm upgrade --reuse-values --values custom-values.yaml n8n community-charts/n8n --namespace n8n"
 echo ""
 echo "  # Verificar historico de releases"
 echo "  helm history n8n -n n8n"
--- a/aula-08/main.tf
+++ b/aula-08/main.tf
@@ -130,6 +130,30 @@ resource "hcloud_firewall" "cluster" {
    source_ips = ["0.0.0.0/0", "::/0"]
  }

+  # Allow VXLAN for Flannel CNI (private network only - secure)
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "4789"
+    source_ips = ["10.0.0.0/8"]
+  }
+
+  # Allow all TCP traffic between cluster nodes (private network)
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "any"
+    source_ips = ["10.0.0.0/8"]
+  }
+
+  # Allow all UDP traffic between cluster nodes (private network)
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "any"
+    source_ips = ["10.0.0.0/8"]
+  }
+
  # Allow all outbound traffic
  rule {
    direction  = "out"
--- a/aula-08/talos-patches/control-plane.yaml
+++ b/aula-08/talos-patches/control-plane.yaml
@@ -29,6 +29,10 @@ machine:
      max-pods: "110"
      kube-reserved: "cpu=200m,memory=300Mi"
      system-reserved: "cpu=200m,memory=200Mi"
+    # Force kubelet to use private network IP
+    nodeIP:
+      validSubnets:
+        - 10.0.0.0/8

  # Time sync
  time:
@@ -51,6 +55,9 @@ cluster:
  network:
    cni:
      name: flannel
+      flannel:
+        extraArgs:
+          - --iface-can-reach=10.0.1.1
    dnsDomain: cluster.local
    serviceSubnets:
      - 10.96.0.0/12
--- a/aula-08/talos-patches/worker.yaml
+++ b/aula-08/talos-patches/worker.yaml
@@ -19,6 +19,10 @@ machine:
      max-pods: "110"
      kube-reserved: "cpu=100m,memory=200Mi"
      system-reserved: "cpu=100m,memory=100Mi"
+    # Force kubelet to use private network IP
+    nodeIP:
+      validSubnets:
+        - 10.0.0.0/8

  # Time sync
  time:
@@ -37,6 +41,9 @@ cluster:
  network:
    cni:
      name: flannel
+      flannel:
+        extraArgs:
+          - --iface-can-reach=10.0.1.1
    dnsDomain: cluster.local
    serviceSubnets:
      - 10.96.0.0/12