Setup bastion host #261
Conversation
Beautiful code right there; I am sure @phaer will be inspired by it. There must be a way to make this work, like setting up with the public interface, then just taking it down, all via userdata or remote-exec (unless I am not seeing things clearly).

@PurpleBooth As shared in the following comment, we can do private agents more simply, with bare Kubernetes, without having an additional bastion host. See my comment here #241 (comment). The simpler, the better! But definitely, I would love to hear your arguments if you don't agree.

@PurpleBooth While merging the latest changes, I noticed that you were probably assuming that More on this here https://en.opensuse.org/Kubic:Update_and_Reboot#Reboot_Strategy_Options and https://github.com/openSUSE/transactional-update/blob/master/etc/transactional-update.conf.

Now I understand better what this is, thanks to your topology description. It also made me realize that node upgrades, k3s upgrades, and container fetching would disappear, which is not really ideal. Or am I mistaken?
Ah, they do have a gateway that the private subnet can route traffic to in all likelihood. So the nodes would not be cut out from OUT traffic (but needs to be tested, of course). |
I believe the next step here is to use snapshots made with "normal" nodes. So yes, the bastion setup will take longer, but that's a small initial price to pay for the added sec. |
Just stumbled on this, seems interesting, but probably not needed (at least for now) https://github.com/inlets/inlets-pro |
@PurpleBooth I will close this PR for now, because it has stalled and the base is significantly outdated. But the branch will remain, so it can be picked up again later without issue.

Currently this does not work, as we have no way to get a rescue system in place so we can install MicroOS.