aula-06 e aula-08: Hetzner CSI Driver e segurança de rede

aula-06:
- Adicionar instalação do Hetzner CSI Driver no setup.sh
- Input interativo seguro para token da Hetzner Cloud
- Atualizar custom-values.yaml para n8n.kube.quest

aula-08:
- Adicionar regras de firewall para VXLAN e rede privada
- Configurar Flannel para usar interface privada (--iface-can-reach)
- Configurar kubelet.nodeIP.validSubnets para rede privada
- Corrigir segurança: VXLAN restrito a 10.0.0.0/8

aula-06/custom-values.yaml

@@ -12,7 +12,7 @@
 # -----------------------------------------------------------------------------
 image:
   repository: n8nio/n8n
-  tag: "2.1.4"
+  tag: "2.0.3"
   pullPolicy: IfNotPresent
 
 # -----------------------------------------------------------------------------
@@ -58,7 +58,7 @@ ingress:
     nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
     nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
   hosts:
-    - host: n8n.localhost
+    - host: n8n.kube.quest
       paths:
         - path: /
           pathType: Prefix
@@ -121,7 +121,7 @@ worker:
 webhook:
   mode: queue
   count: 1
-  url: "http://n8n.localhost"
+  url: "https://n8n.kube.quest"
   extraEnvVars:
     N8N_SECURE_COOKIE: "false"
   resources:

aula-06/setup.sh

@@ -67,7 +67,68 @@ log_success "Helm $(helm version --short) encontrado"
 echo ""
 
 # =============================================================================
-# 1. INSTALAR NGINX INGRESS (se não existir)
+# 1. INSTALAR HETZNER CSI DRIVER (para provisionar volumes)
+# =============================================================================
+
+log_info "=== Configurando Hetzner CSI Driver ==="
+
+# Verificar se secret já existe (evita pedir token novamente)
+if kubectl get secret hcloud -n kube-system &> /dev/null; then
+    log_success "Secret hcloud já existe em kube-system"
+else
+    # Pedir token via input interativo
+    echo ""
+    log_info "Token da Hetzner Cloud necessário para provisionar volumes."
+    log_info "Crie um token em: https://console.hetzner.cloud/projects/*/security/tokens"
+    echo ""
+    log_info "Cole o token e pressione ENTER:"
+
+    # Desabilita echo, lê linha completa, reabilita echo
+    stty -echo
+    IFS= read -r HCLOUD_TOKEN
+    stty echo
+    echo ""
+
+    if [ -z "$HCLOUD_TOKEN" ]; then
+        log_error "Token não pode ser vazio."
+        exit 1
+    fi
+
+    log_info "Criando secret hcloud em kube-system..."
+    kubectl create secret generic hcloud \
+        --namespace=kube-system \
+        --from-literal=token="$HCLOUD_TOKEN"
+    log_success "Secret hcloud criado"
+fi
+
+# Instalar Hetzner CSI Driver via Helm (se não instalado)
+if helm status hcloud-csi -n kube-system &> /dev/null; then
+    log_success "Hetzner CSI Driver já está instalado"
+else
+    log_info "Instalando Hetzner CSI Driver..."
+    helm repo add hcloud https://charts.hetzner.cloud 2>/dev/null || true
+    helm repo update hcloud
+
+    helm install hcloud-csi hcloud/hcloud-csi \
+        --namespace kube-system \
+        --wait \
+        --timeout 5m
+    log_success "Hetzner CSI Driver instalado"
+fi
+
+# Verificar StorageClass
+log_info "Verificando StorageClass..."
+if kubectl get storageclass hcloud-volumes &> /dev/null; then
+    log_success "StorageClass hcloud-volumes disponível"
+else
+    log_error "StorageClass hcloud-volumes não encontrado"
+    exit 1
+fi
+
+echo ""
+
+# =============================================================================
+# 2. INSTALAR NGINX INGRESS (se não existir)
 # =============================================================================
 
 log_info "=== Verificando NGINX Ingress ==="
@@ -82,6 +143,8 @@ else
     helm install nginx-ingress ingress-nginx/ingress-nginx \
         --namespace ingress-nginx \
         --create-namespace \
+        --set controller.allowSnippetAnnotations=true \
+        --set controller.config.annotations-risk-level=Critical \
         --wait
 
     log_success "NGINX Ingress instalado"
@@ -89,7 +152,7 @@ fi
 echo ""
 
 # =============================================================================
-# 2. CRIAR NAMESPACE E APLICAR SECRETS
+# 3. CRIAR NAMESPACE E APLICAR SECRETS
 # =============================================================================
 
 log_info "=== Configurando namespace n8n ==="
@@ -106,7 +169,7 @@ fi
 echo ""
 
 # =============================================================================
-# 3. INSTALAR n8n VIA HELM
+# 4. INSTALAR n8n VIA HELM
 # =============================================================================
 
 log_info "=== Instalando n8n ==="
@@ -138,7 +201,7 @@ fi
 echo ""
 
 # =============================================================================
-# 4. AGUARDAR PODS FICAREM PRONTOS
+# 5. AGUARDAR PODS FICAREM PRONTOS
 # =============================================================================
 
 log_info "=== Aguardando pods ficarem prontos ==="
@@ -185,6 +248,7 @@ echo -e "${GREEN}  Setup Completo!${NC}"
 echo "=============================================="
 echo ""
 echo "Componentes instalados:"
+echo "  - Hetzner CSI Driver (StorageClass: hcloud-volumes)"
 echo "  - NGINX Ingress Controller"
 echo "  - n8n (namespace: n8n)"
 echo "    - Main node"
@@ -216,7 +280,7 @@ echo "  # Desinstalar"
 echo "  helm uninstall n8n -n n8n"
 echo ""
 echo "  # Fazer upgrade do helm chart"
-echo "  helm upgrade --reuse-values --values --custom-values.yaml n8n community-charts/n8n --namespace n8n"
+echo "  helm upgrade --reuse-values --values custom-values.yaml n8n community-charts/n8n --namespace n8n"
 echo ""
 echo "  # Verificar historico de releases"
 echo "  helm history n8n -n n8n"

aula-08/main.tf

@@ -130,6 +130,30 @@ resource "hcloud_firewall" "cluster" {
     source_ips = ["0.0.0.0/0", "::/0"]
   }
 
+  # Allow VXLAN for Flannel CNI (private network only - secure)
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "4789"
+    source_ips = ["10.0.0.0/8"]
+  }
+
+  # Allow all TCP traffic between cluster nodes (private network)
+  rule {
+    direction  = "in"
+    protocol   = "tcp"
+    port       = "any"
+    source_ips = ["10.0.0.0/8"]
+  }
+
+  # Allow all UDP traffic between cluster nodes (private network)
+  rule {
+    direction  = "in"
+    protocol   = "udp"
+    port       = "any"
+    source_ips = ["10.0.0.0/8"]
+  }
+
   # Allow all outbound traffic
   rule {
     direction  = "out"

aula-08/talos-patches/control-plane.yaml

@@ -29,6 +29,10 @@ machine:
       max-pods: "110"
       kube-reserved: "cpu=200m,memory=300Mi"
       system-reserved: "cpu=200m,memory=200Mi"
+    # Force kubelet to use private network IP
+    nodeIP:
+      validSubnets:
+        - 10.0.0.0/8
 
   # Time sync
   time:
@@ -51,6 +55,9 @@ cluster:
   network:
     cni:
       name: flannel
+      flannel:
+        extraArgs:
+          - --iface-can-reach=10.0.1.1
     dnsDomain: cluster.local
     serviceSubnets:
       - 10.96.0.0/12

aula-08/talos-patches/worker.yaml

@@ -19,6 +19,10 @@ machine:
       max-pods: "110"
       kube-reserved: "cpu=100m,memory=200Mi"
       system-reserved: "cpu=100m,memory=100Mi"
+    # Force kubelet to use private network IP
+    nodeIP:
+      validSubnets:
+        - 10.0.0.0/8
 
   # Time sync
   time:
@@ -37,6 +41,9 @@ cluster:
   network:
     cni:
       name: flannel
+      flannel:
+        extraArgs:
+          - --iface-can-reach=10.0.1.1
     dnsDomain: cluster.local
     serviceSubnets:
       - 10.96.0.0/12