From 3ac92689f05d646f9ffdabfed3c7ccab7d189d38 Mon Sep 17 00:00:00 2001
From: Cristian Klein
Date: Fri, 16 Apr 2021 12:22:22 +0200
Subject: [PATCH] exoscale: Rework EIP access from workers (#7337)

Context: Load-balancing in Exoscale is performed by associating many workers with the same EIP. This works, however, the workers cannot access themselves via the EIP, which is needed at least for cert-managers "self-test".

Problem: The old iptables based workaround felt fragile and disappointed me at least once.

New solution: Add the EIP to a loopback interface on each worker.
---
 .../templates/cloud-init.tmpl | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/contrib/terraform/exoscale/modules/kubernetes-cluster/templates/cloud-init.tmpl b/contrib/terraform/exoscale/modules/kubernetes-cluster/templates/cloud-init.tmpl
index 10674560a..a81b8e38a 100644
--- a/contrib/terraform/exoscale/modules/kubernetes-cluster/templates/cloud-init.tmpl
+++ b/contrib/terraform/exoscale/modules/kubernetes-cluster/templates/cloud-init.tmpl
@@ -26,16 +26,25 @@ write_files:
         ethernets:
           eth1:
             dhcp4: true
-runcmd:
-  - netplan apply
-  - /sbin/sysctl net.ipv4.conf.all.forwarding=1
 %{ if node_type == "worker" }
   # TODO: When a VM is seen as healthy and is added to the EIP loadbalancer
   # pool it no longer can send traffic back to itself via the EIP IP
   # address.
   # Remove this if it ever gets solved.
-  - iptables -t nat -A PREROUTING -d ${eip_ip_address} -j DNAT --to 127.0.0.1
+  - path: /etc/netplan/20-eip-fix.yaml
+    content: |
+      network:
+        version: 2
+        ethernets:
+          "lo:0":
+            match:
+              name: lo
+            dhcp4: false
+            addresses:
+              - ${eip_ip_address}/32
 %{ endif }
+runcmd:
+  - netplan apply
 %{ if node_local_partition_size > 0 }
   - mkdir -p /mnt/disks/node-local-storage
   - chown nobody:nogroup /mnt/disks/node-local-storage
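Review bot: The removed `runcmd` entry `/sbin/sysctl net.ipv4.conf.all.forwarding=1` is not carried over into the re-added `runcmd:` block near the end of the hunk, which now holds only `netplan apply`, so cloud-init no longer enables IP forwarding on any node type (the `runcmd` key sits outside the worker conditional, and the diffstat shows this is the only hunk in the file). Unless forwarding is enabled later in the provisioning path (for example by a kubespray sysctl task), pod and service traffic routed through the node will break; if dropping it is intentional, the commit message should say so since it is unrelated to the EIP change described there. Suggested line under `runcmd:`: `  - /sbin/sysctl net.ipv4.conf.all.forwarding=1`. Separately, the retained TODO comment above the new `write_files` entry still describes the EIP hairpin limitation but now applies to a netplan workaround rather than an iptables rule; a short note such as `# Workaround: the EIP is added to lo so the node's own traffic to it is delivered locally` would keep it accurate for the next reader.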