Find another solution for whitelisting Hetzner API, dns based?

[valkenburg-prevue-ch]

terraform-hcloud-kube-hetzner/locals.tf

Line 120 in 8ab132e

hetzner_cloud_api_ipv4 = "213.239.246.1/32"

The IP addresses are going to change on 7 March, and in the future will change without further notice and only detectable through dns: https://status.hetzner.com/incident/62839f8e-073a-4159-87a1-b05d093fe689

[mysticaltech]

@valkenburg-prevue-ch Good catch!

At deployment time we can get the IP with dig a console.hetzner.cloud, then on the cluster we can have a small cronjob running in the system namespace, hitting the DNS every 5 minutes to see if the IP has changed, and if yes, we have access to the Hetzner token already (used by the CCM and CSI), so we use that to make an API call to the firewall service to update it. Just an idea.

[mysticaltech]

@valkenburg-prevue-ch The only thing affected is the API IP, and it's probably used for out traffic, and done so by the CCM and CSI, so they will be using the DNS and out traffic for DNS and HTTP is allowed by default, so we should not see any issue, however just in case, I have asked on a Hetzner repo over at hetznercloud/csi-driver#204.

[mysticaltech]

Ok, Hetzner confirmed that the API IP is just used for out outbound so we're good!