Provisioning to Hetzner Cloud + some questions #44

Closed
vitobotta opened this issue Jan 19, 2020 · 13 comments

Comments

@vitobotta

Hi! This project looks really cool! A few questions if you don't mind:

  • is this for development environments only or would it work for production as well? I am worried about the lb being a single point of failure
  • would it be possible to add support for Hetzner Cloud? It's a very good provider with incredible prices. I use it and love it but they don't offer load balancers yet so I am considering using inlets. I could use a DigitalOcean droplet in Frankfurt for now since added latency would be small. Can the region in DO be set?
  • what about security? Does the lb provisioned have a firewall and things like fail2ban? Is password auth disabled?
  • if I use DigitalOcean for now, can the lb be changed later with possibly no downtime if/when inlets adds support for Hetzner Cloud?

Thanks a lot in advance!

@utsavanand2
Contributor

Hi @vitobotta! It's really cool that you found our project interesting! Personally I'm a big fan of inlets-operator too!

  • is this for development environments only or would it work for production as well? I am worried about the lb being a single point of failure

-> inlets-operator works great for development and production environments alike. inlets also has an offering, inlets-pro, which allows exposing L4 protocols like TCP and UDP.
Well, the exit node/instance provisioned by the cloud provider is definitely a single point of failure and hence depends on how well the cloud provider manages a zonal or regional downtime; providers like Google Cloud offer live migration of instances.

  • would it be possible to add support for Hetzner Cloud? It's a very good provider with incredible prices. I use it and love it but they don't offer load balancers yet so I am considering using inlets. I could use a DigitalOcean droplet in Frankfurt for now since added latency would be small. Can the region in DO be set?

-> Yes, you can add support for any cloud platform as long as it offers some kind of API for provisioning instances with metadata like startup scripts and ports to open (which partly answers your 3rd question).

  • what about security? Does the lb provisioned have a firewall and things like fail2ban? Is password auth disabled?

-> Yes, you can have firewall rules in place as long as you're not blocking 80 and 443 themselves.

  • if I use DigitalOcean for now, can the lb be changed later with possibly no downtime if/when inlets adds support for Hetzner Cloud?

-> Surely you can! As with any Kubernetes deployment, you'll expose your service first with DigitalOcean as
kubectl expose <deployment> --name lb1 --port 80 --type LoadBalancer

Then update your inlets-operator deployment to use Hetzner Cloud and expose your already-exposed deployment with a new service under a different name:
kubectl expose <deployment> --name lb2 --port 80 --type LoadBalancer

@alexellis is the creator of inlets and I'm sure he would correct me if I'm wrong somewhere. 😄

@vitobotta
Author

Just tried with DigitalOcean with the fra1 region (my servers are in Nuremberg) for nginx ingress, it works!

Another few questions:

  • which load balancer is used? i.e. haproxy, traefik, nginx, ..?
  • how many connections can it handle?
  • is the lb updated automatically when I add/remove nodes and pods are rescheduled and things like that?

Thanks!

@vitobotta
Author

Hi @utsavanand2! Thanks for your reply :) Hetzner Cloud has a very nice API, so it shouldn't be difficult, but I am not sure how to tackle this since I am still relatively new to K8s. I wish I could help with this already :(

I wouldn't want to have to SSH into the lb and configure a firewall etc myself. I am mostly wondering about SSH since these days there's a lot of attempts by script kiddies, bots etc. Is password auth disabled at least? Generally speaking, how is the LB VM configured from a security standpoint?

Thanks!

@vitobotta
Author

Just tried: the password auth is enabled and works with the password that DO has emailed me.
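Given the finding above that the DigitalOcean exit node still accepts the e-mailed password over SSH, and the earlier answer that firewall rules are fine as long as 80 and 443 stay open, here is a hardening script as an added example. It is not inlets, inletsctl or inlets-operator code and the project does not ship it; it assumes a Debian/Ubuntu-style sshd_config, that ufw is installed, and a placeholder inlets control port of 8080 (use whatever port the operator actually configures). The sshd rules it relies on (first value of a keyword wins, everything after a Match line is conditional) are from sshd_config(5).

```shell
#!/bin/sh
# Added example (not inlets/inletsctl code): harden a freshly provisioned exit
# node so that SSH accepts keys only, and default-deny everything except the
# ports the tunnel needs. Intended as the provider's user-data/startup script
# or a one-off run as root. Paths, the ufw usage and the control-port value
# are assumptions for illustration.

# effective_value FILE KEYWORD
# Prints the value sshd takes for KEYWORD from FILE: the FIRST uncommented
# occurrence wins, and anything after a "Match" line is conditional, so we stop
# there. Prints nothing if unset (sshd then uses its built-in default, which
# for PasswordAuthentication is "yes").
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# sshd_config_is_hardened FILE  ->  exit 0 when key-only login is enforced
sshd_config_is_hardened() {
    f="$1"
    [ "$(effective_value "$f" PasswordAuthentication | tr 'A-Z' 'a-z')" = "no" ] || return 1
    [ "$(effective_value "$f" KbdInteractiveAuthentication | tr 'A-Z' 'a-z')" = "no" ] || return 1
    case "$(effective_value "$f" PermitRootLogin | tr 'A-Z' 'a-z')" in
        no|prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# harden_sshd_config FILE
# Prepends the hardened directives and removes the stock copies of the same
# keywords (commented or not). Prepending matters: because the first value
# wins, our lines also override drop-ins pulled in by an
# "Include /etc/ssh/sshd_config.d/*.conf" line, which is where cloud-init may
# leave "PasswordAuthentication yes" after a provider sets a root password.
# Idempotent: the marker line lets a second run replace its own block.
harden_sshd_config() {
    f="$1"
    tmp="$f.tmp.$$"
    {
        cat <<'EOF'
# managed by harden_sshd_config: key-based login only
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
EOF
        grep -Eiv '^# managed by harden_sshd_config|^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|KbdInteractiveAuthentication|ChallengeResponseAuthentication|PermitEmptyPasswords|PermitRootLogin)([[:space:]]|$)' "$f" || true
    } > "$tmp"
    mv "$tmp" "$f"
}

# apply_firewall CONTROL_PORT
# Default-deny inbound; allow SSH, the public 80/443 the tunnel serves, and the
# inlets control port the client in the cluster dials. ufw syntax (assumed
# present); translate to nftables/iptables on images without it.
apply_firewall() {
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22/tcp
    ufw allow 80/tcp
    ufw allow 443/tcp
    ufw allow "$1/tcp"
    ufw --force enable
}

# make_sample_sshd_config FILE: constructed stand-in for a stock Debian/Ubuntu
# file, used to exercise the functions without touching the real host.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PubkeyAuthentication yes
#PasswordAuthentication yes
PasswordAuthentication yes
KbdInteractiveAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
}

# Only touches the live host when invoked as:  sh harden.sh --apply
if [ "${1:-}" = "--apply" ]; then
    harden_sshd_config /etc/ssh/sshd_config
    sshd -t                                       # refuse to reload a broken config
    systemctl reload ssh 2>/dev/null || systemctl reload sshd
    apply_firewall "${INLETS_CONTROL_PORT:-8080}"  # 8080 is a placeholder; use the operator's control port
fi
```

Before applying, put your public key in root's authorized_keys (or pass a key in the provider's create-instance call), otherwise you lock yourself out; the tunnel itself is dialed outbound from the cluster over a websocket, not SSH, so the operator's own path is unaffected. On the real host the authoritative check is `sshd -T | grep -iE 'passwordauthentication|permitrootlogin'`, which resolves includes and defaults the way sshd does; from outside, `ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no root@<exit-node-ip>` should now be refused with "Permission denied (publickey)".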

@vitobotta
Author

Yet another question :D My app uses websockets. Will it work with this LB? I've read that the connection between the cluster and the LB is done via websockets? So will my app work? Thanks @alexellis

@vitobotta
Author

I can answer the last question myself: it seems to work with a demo app! 💯

@alexellis
Member

@vitobotta do you still have time to work on the Hetzner provisioner? The code would start here -> https://github.com/inlets/inletsctl/tree/master/pkg/provision

@vitobotta
Author

Hi @alexellis, I switched to DigitalOcean a month ago so I am using their load balancers. BTW Hetzner Cloud also has load balancers now.

@AdamWorley

AdamWorley commented Nov 28, 2020

Hi @alexellis, I'm just trying to add Hetzner to the inlets-operator Arkade project and make it an available provider in this project; would it be best to link back to this issue for both in the pull requests?

@alexellis
Member

Who can add Hetzner to the operator? We have the provisioning package ready now. Adding it to the controller should be a case of:

  1. Find all references of "EC2" or "DigitalOcean"
  2. Copy/paste
  3. Test end to end with exposing a service, accessing it and then deleting the service to check the VM is removed.

Pinging a few people: @AdamWorley @vitobotta @utsavanand2 @Waterdrips

Alex

@alexellis
Member

Closing as duplicate of the newer issue #115 - this also went a little off topic.

@alexellis
Member

/lock

@derek derek bot locked and limited conversation to collaborators Jan 24, 2021
@alexellis
Member

Please participate in the feature request in #115
