[CA]: hetzner cloud firewall feature

[sergeyshevch]

Resolve #4008

Adding support for hcloud firewall feature.
Upgrading hcloud client lib to 1.28.0

[k8s-ci-robot]

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.

---

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please sign in with your organization's credentials at https://identity.linuxfoundation.org/projects/cncf to be authorized.
• If you have done the above and are still having issues with the CLA being reported as unsigned, please log a ticket with the Linux Foundation Helpdesk: https://support.linuxfoundation.org/
• Should you encounter any issues with the Linux Foundation Helpdesk, send a message to the backup e-mail support address at: login-issues@jira.linuxfoundation.org

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[k8s-ci-robot]

Welcome @sergeyshevch!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[sergeyshevch]

/assign @aleksandra-malinowska

[sergeyshevch]

Most of changes in this PR just moved here from https://github.com/hetznercloud/hcloud-go last release. For using firewall feature of client lib we need to get newer version that was on autoscaler repo. So if it needed i can move it to another PR

[sergeyshevch]

@Jeffwan github also suggested you as a reviewer. Can you take a look?

[sergeyshevch]

@Jeffwan @aleksandra-malinowska Can someone of you look into this PR? I currently stopping works with Hetzner cloud and i guess it wil be good to review and merge this PR

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[fgbreel]

Hello, I'm pretty much interested in this feature too because computers created by the cluster-autoscaler currently have no firewall assigned to them in Hetzner.

Thank you!

[AzSiAz]

@fgbreel Until this is merged, if this is merged, you can use label feature of hetzner firewall, to have them automatically applied 😄

[fgbreel]

@AzSiAz Thanks for the tip, I will check that out!

[sergeyshevch]

@fgbreel I currently don't have an actual cluster setup on hetzner. I can rebase this PR but it was not reviewed by any contributor after a few pings.

If you are interested in this please ping someone on k8s slack for review.
I will rebase this PR in a few days

[fgbreel]

Thanks @sergeyshevch for the update. Will do it as soon I manage to find some time for it.

At the moment I'm using the labels to assign the firewall, targeting instances containing the hcloud/node-group label it as recommended by @AzSiAz and seems to work well.

[k8s-triage-robot]

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

[sergeyshevch]

@LKaemmerling @Fgruntjes Looks like you wrote most of the code in this provider. Maybe it will be a good idea to add you to the OWNERS file?

[LKaemmerling]

Hey @sergeyshevch,

thank you for the ping and the great MR! We (Hetzner Cloud) maintain the parts already, and of course, it would be good if we were added to the Owners file. (The best would be me and @samcday).

I just reviewed your changes and they look fine from my side. So this is basically my

/approve

[sergeyshevch]

@LKaemmerling Thanks for the review! I will add you to OWNERS file

[sergeyshevch]

/unassign @aleksandra-malinowska

[sergeyshevch]

@LKaemmerling I cannot add you to OWNERS file because you are not in Kubernetes organization

[sergeyshevch]

/verify-owners

[emrahcetiner]

any updates on this? @LKaemmerling

[sergeyshevch]

@emrahcetiner we need approve from @aleksandra-malinowska

[mwielgus]

/approve
/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: LKaemmerling, mwielgus, sergeyshevch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cluster-autoscaler/OWNERS [mwielgus]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[efpe]

When will this be released? Is there anything we can do to speed up the process?