From 50dc74c1d800ded5e75229fd9c4317661acc677a Mon Sep 17 00:00:00 2001 From: Allyson de Paula Date: Sat, 27 Dec 2025 22:56:09 -0300 Subject: [PATCH] =?UTF-8?q?aula-06=20e=20aula-08:=20Hetzner=20CSI=20Driver?= =?UTF-8?q?=20e=20seguran=C3=A7a=20de=20rede?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit aula-06: - Adicionar instalação do Hetzner CSI Driver no setup.sh - Input interativo seguro para token da Hetzner Cloud - Atualizar custom-values.yaml para n8n.kube.quest aula-08: - Adicionar regras de firewall para VXLAN e rede privada - Configurar Flannel para usar interface privada (--iface-can-reach) - Configurar kubelet.nodeIP.validSubnets para rede privada - Corrigir segurança: VXLAN restrito a 10.0.0.0/8 --- aula-06/custom-values.yaml | 6 +- aula-06/setup.sh | 74 ++++++++++++++++++++++-- aula-08/main.tf | 24 ++++++++ aula-08/talos-patches/control-plane.yaml | 7 +++ aula-08/talos-patches/worker.yaml | 7 +++ 5 files changed, 110 insertions(+), 8 deletions(-) diff --git a/aula-06/custom-values.yaml b/aula-06/custom-values.yaml index cb650be..62efce9 100644 --- a/aula-06/custom-values.yaml +++ b/aula-06/custom-values.yaml @@ -12,7 +12,7 @@ # ----------------------------------------------------------------------------- image: repository: n8nio/n8n - tag: "2.1.4" + tag: "2.0.3" pullPolicy: IfNotPresent # ----------------------------------------------------------------------------- @@ -58,7 +58,7 @@ ingress: nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" hosts: - - host: n8n.localhost + - host: n8n.kube.quest paths: - path: / pathType: Prefix @@ -121,7 +121,7 @@ worker: webhook: mode: queue count: 1 - url: "http://n8n.localhost" + url: "https://n8n.kube.quest" extraEnvVars: N8N_SECURE_COOKIE: "false" resources: diff --git a/aula-06/setup.sh b/aula-06/setup.sh index 3ea0bf2..62d3409 100755 --- a/aula-06/setup.sh +++ b/aula-06/setup.sh 
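Review bot: The webhook URL now points at https://n8n.kube.quest, but the context line right below it keeps `N8N_SECURE_COOKIE: "false"`, which n8n uses to drop the Secure attribute from its session cookie; that override was only needed for the old plain-http n8n.localhost host. If TLS terminates at the ingress for the new host (the ingress hunk above shows no `tls:` block, so I cannot confirm that from here), set `N8N_SECURE_COOKIE: "true"` or remove the variable so the cookie is only sent over HTTPS. The `tag:` hunk also moves n8n from 2.1.4 back to 2.0.3 without a word in the commit message; a comment such as `# pinned to 2.0.3: <reason>` next to the tag would record why the downgrade is intended.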
@@ -67,7 +67,68 @@ log_success "Helm $(helm version --short) encontrado" echo "" # ============================================================================= -# 1. INSTALAR NGINX INGRESS (se não existir) +# 1. INSTALAR HETZNER CSI DRIVER (para provisionar volumes) +# ============================================================================= + +log_info "=== Configurando Hetzner CSI Driver ===" + +# Verificar se secret já existe (evita pedir token novamente) +if kubectl get secret hcloud -n kube-system &> /dev/null; then + log_success "Secret hcloud já existe em kube-system" +else + # Pedir token via input interativo + echo "" + log_info "Token da Hetzner Cloud necessário para provisionar volumes." + log_info "Crie um token em: https://console.hetzner.cloud/projects/*/security/tokens" + echo "" + log_info "Cole o token e pressione ENTER:" + + # Desabilita echo, lê linha completa, reabilita echo + stty -echo + IFS= read -r HCLOUD_TOKEN + stty echo + echo "" + + if [ -z "$HCLOUD_TOKEN" ]; then + log_error "Token não pode ser vazio." + exit 1 + fi + + log_info "Criando secret hcloud em kube-system..." + kubectl create secret generic hcloud \ + --namespace=kube-system \ + --from-literal=token="$HCLOUD_TOKEN" + log_success "Secret hcloud criado" +fi + +# Instalar Hetzner CSI Driver via Helm (se não instalado) +if helm status hcloud-csi -n kube-system &> /dev/null; then + log_success "Hetzner CSI Driver já está instalado" +else + log_info "Instalando Hetzner CSI Driver..." + helm repo add hcloud https://charts.hetzner.cloud 2>/dev/null || true + helm repo update hcloud + + helm install hcloud-csi hcloud/hcloud-csi \ + --namespace kube-system \ + --wait \ + --timeout 5m + log_success "Hetzner CSI Driver instalado" +fi + +# Verificar StorageClass +log_info "Verificando StorageClass..." 
+if kubectl get storageclass hcloud-volumes &> /dev/null; then + log_success "StorageClass hcloud-volumes disponível" +else + log_error "StorageClass hcloud-volumes não encontrado" + exit 1 +fi + +echo "" + +# ============================================================================= +# 2. INSTALAR NGINX INGRESS (se não existir) # ============================================================================= log_info "=== Verificando NGINX Ingress ===" @@ -82,6 +143,8 @@ else helm install nginx-ingress ingress-nginx/ingress-nginx \ --namespace ingress-nginx \ --create-namespace \ + --set controller.allowSnippetAnnotations=true \ + --set controller.config.annotations-risk-level=Critical \ --wait log_success "NGINX Ingress instalado" @@ -89,7 +152,7 @@ fi echo "" # ============================================================================= -# 2. CRIAR NAMESPACE E APLICAR SECRETS +# 3. CRIAR NAMESPACE E APLICAR SECRETS # ============================================================================= log_info "=== Configurando namespace n8n ===" @@ -106,7 +169,7 @@ fi echo "" # ============================================================================= -# 3. INSTALAR n8n VIA HELM +# 4. INSTALAR n8n VIA HELM # ============================================================================= log_info "=== Instalando n8n ===" @@ -138,7 +201,7 @@ fi echo "" # ============================================================================= -# 4. AGUARDAR PODS FICAREM PRONTOS +# 5. AGUARDAR PODS FICAREM PRONTOS # ============================================================================= log_info "=== Aguardando pods ficarem prontos ===" @@ -185,6 +248,7 @@ echo -e "${GREEN} Setup Completo!${NC}" echo "==============================================" echo "" echo "Componentes instalados:" +echo " - Hetzner CSI Driver (StorageClass: hcloud-volumes)" echo " - NGINX Ingress Controller" echo " - n8n (namespace: n8n)" echo " - Main node" 
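Review bot: The token prompt in the new CSI section leaves the terminal with echo disabled if the script stops between `stty -echo` and `stty echo` (Ctrl-C, or a failing command if the script runs under `set -e`), and `stty` itself fails when stdin is not a tty. If the shebang is bash, `IFS= read -rs HCLOUD_TOKEN` does the same job and restores echo on its own; otherwise add `trap 'stty echo' EXIT` before the first `stty`. The token is also passed as a command-line argument to `kubectl create secret`, where it is briefly visible to every local user through the process list; feeding it on stdin avoids that: `printf '%s' "$HCLOUD_TOKEN" | kubectl create secret generic hcloud --namespace=kube-system --from-file=token=/dev/stdin`. Unset `HCLOUD_TOKEN` once the secret exists, and consider pinning `helm install hcloud-csi` with `--version` so reruns install the same chart.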
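Review bot: The two added `--set` flags in the NGINX Ingress install re-enable snippet annotations and lift the annotation risk level to Critical, which lets anyone who can create an Ingress in any namespace inject arbitrary nginx directives into the controller — a component that holds the cluster's ingress TLS secrets and runs with a cluster-wide service account. Nothing in the commit message or in the custom-values.yaml hunks shows an annotation that needs this, so the flags read as a blanket weakening rather than a targeted exception. Drop both lines unless a specific snippet is required; if one is, leave `annotations-risk-level` at its default and document which annotation needs snippets in a comment next to `--set controller.allowSnippetAnnotations=true \`. The enclosing `else` branch starts before the hunk.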
@@ -216,7 +280,7 @@ echo " # Desinstalar" echo " helm uninstall n8n -n n8n" echo "" echo " # Fazer upgrade do helm chart" -echo " helm upgrade --reuse-values --values --custom-values.yaml n8n community-charts/n8n --namespace n8n" +echo " helm upgrade --reuse-values --values custom-values.yaml n8n community-charts/n8n --namespace n8n" echo "" echo " # Verificar historico de releases" echo " helm history n8n -n n8n" diff --git a/aula-08/main.tf b/aula-08/main.tf index ec4aea7..ed141e5 100644 --- a/aula-08/main.tf +++ b/aula-08/main.tf @@ -130,6 +130,30 @@ resource "hcloud_firewall" "cluster" { source_ips = ["0.0.0.0/0", "::/0"] } + # Allow VXLAN for Flannel CNI (private network only - secure) + rule { + direction = "in" + protocol = "udp" + port = "4789" + source_ips = ["10.0.0.0/8"] + } + + # Allow all TCP traffic between cluster nodes (private network) + rule { + direction = "in" + protocol = "tcp" + port = "any" + source_ips = ["10.0.0.0/8"] + } + + # Allow all UDP traffic between cluster nodes (private network) + rule { + direction = "in" + protocol = "udp" + port = "any" + source_ips = ["10.0.0.0/8"] + } + # Allow all outbound traffic rule { direction = "out" diff --git a/aula-08/talos-patches/control-plane.yaml b/aula-08/talos-patches/control-plane.yaml index 72730b3..e4cad9e 100644 --- a/aula-08/talos-patches/control-plane.yaml +++ b/aula-08/talos-patches/control-plane.yaml @@ -29,6 +29,10 @@ machine: max-pods: "110" kube-reserved: "cpu=200m,memory=300Mi" system-reserved: "cpu=200m,memory=200Mi" + # Force kubelet to use private network IP + nodeIP: + validSubnets: + - 10.0.0.0/8 # Time sync time: @@ -51,6 +55,9 @@ cluster: network: cni: name: flannel + flannel: + extraArgs: + - --iface-can-reach=10.0.1.1 dnsDomain: cluster.local serviceSubnets: - 10.96.0.0/12 diff --git a/aula-08/talos-patches/worker.yaml b/aula-08/talos-patches/worker.yaml index b5c0d24..74a6648 100644 --- a/aula-08/talos-patches/worker.yaml +++ b/aula-08/talos-patches/worker.yaml 
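Review bot: The three new inbound rules accept every TCP and UDP port from the whole 10.0.0.0/8 range, which makes the dedicated VXLAN rule on 4789 redundant and is far wider than the cluster's private network (the `hcloud_network` CIDR is not in this hunk, so I cannot tell what it is). As far as I know Hetzner Cloud Firewalls only filter the public interface and never private-network traffic, so if the nodes exchange VXLAN over the private network these rules do not gate that traffic at all, while on the public interface they admit any packet carrying a spoofed 10.x source address — please confirm against the current Hetzner documentation before relying on the "secure" wording in the comment. If the rules are kept, narrow `source_ips` to the private network's actual CIDR (ideally referenced from the network resource rather than a literal), keep either the port-specific rule or the `port = "any"` rules but not both, and reword `# Allow VXLAN for Flannel CNI (private network only - secure)` to state what is actually enforced.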
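Review bot: `nodeIP.validSubnets` and the flannel `--iface-can-reach=10.0.1.1` argument appear verbatim in both control-plane.yaml and worker.yaml (this hunk, the `@@ -51,6 +55,9 @@` hunk below it, and both worker.yaml hunks), so the private-network CIDR and gateway address are now hard-coded in four places that must stay in sync with the Terraform network definition. A shared patch applied to both machine types, or at least a comment at the top of each file naming where `10.0.1.1` comes from, would reduce drift. For the control plane, pinning the kubelet to the private subnet without doing the same for etcd may leave etcd peers advertising the public address; `cluster.etcd.advertisedSubnets` lives outside this hunk, so I cannot tell whether it is already set — worth confirming.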
@@ -19,6 +19,10 @@ machine: max-pods: "110" kube-reserved: "cpu=100m,memory=200Mi" system-reserved: "cpu=100m,memory=100Mi" + # Force kubelet to use private network IP + nodeIP: + validSubnets: + - 10.0.0.0/8 # Time sync time: @@ -37,6 +41,9 @@ cluster: network: cni: name: flannel + flannel: + extraArgs: + - --iface-can-reach=10.0.1.1 dnsDomain: cluster.local serviceSubnets: - 10.96.0.0/12