From c850ad291ad4cf3bde33cc7384109db0ea22a63b Mon Sep 17 00:00:00 2001
From: Ultradesu <ultradesu@hexor.cy>
Date: Tue, 16 Jun 2026 02:23:36 +0100
Subject: [PATCH] Added node-external-ip-labeler.yaml

---
 .../kube-system-custom/kustomization.yaml     |   2 +-
 .../node-external-ip-labeler.yaml             | 173 ++++++++++++++++++
 2 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 k8s/core/kube-system-custom/node-external-ip-labeler.yaml

diff --git a/k8s/core/kube-system-custom/kustomization.yaml b/k8s/core/kube-system-custom/kustomization.yaml
index bef00ee..700acb6 100644
--- a/k8s/core/kube-system-custom/kustomization.yaml
+++ b/k8s/core/kube-system-custom/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
   - nfs-storage.yaml
   - coredns-internal-resolve.yaml
   - https-middleware.yaml
+  - node-external-ip-labeler.yaml
 
 helmCharts:
   - name: csi-driver-nfs
@@ -15,4 +16,3 @@ helmCharts:
     namespace: kube-system
     #valuesFile: values.yaml
     includeCRDs: true
-
diff --git a/k8s/core/kube-system-custom/node-external-ip-labeler.yaml b/k8s/core/kube-system-custom/node-external-ip-labeler.yaml
new file mode 100644
index 0000000..655af2b
--- /dev/null
+++ b/k8s/core/kube-system-custom/node-external-ip-labeler.yaml
@@ -0,0 +1,173 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: node-external-ip-labeler
+  labels:
+    app: node-external-ip-labeler
+rules:
+  - apiGroups: [""]
+    resources: ["nodes"]
+    verbs: ["get", "list", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: node-external-ip-labeler
+  labels:
+    app: node-external-ip-labeler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: node-external-ip-labeler
+subjects:
+  - kind: ServiceAccount
+    name: node-external-ip-labeler
+    namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+rules:
+  - apiGroups: ["batch"]
+    resources: ["jobs"]
+    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: node-external-ip-labeler
+subjects:
+  - kind: ServiceAccount
+    name: node-external-ip-labeler
+    namespace: kube-system
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: node-external-ip-labeler
+  namespace: kube-system
+  labels:
+    app: node-external-ip-labeler
+spec:
+  schedule: "17 3 * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      backoffLimit: 1
+      template:
+        metadata:
+          labels:
+            app: node-external-ip-labeler
+        spec:
+          serviceAccountName: node-external-ip-labeler
+          restartPolicy: Never
+          tolerations:
+            - operator: Exists
+          containers:
+            - name: fanout
+              image: bitnami/kubectl:latest
+              imagePullPolicy: IfNotPresent
+              command:
+                - /bin/bash
+                - -lc
+              args:
+                - |
+                  set -euo pipefail
+
+                  clean_name() {
+                    echo "$1" \
+                      | tr '[:upper:]' '[:lower:]' \
+                      | tr -c 'a-z0-9-' '-' \
+                      | sed 's/^-*//;s/-*$//' \
+                      | cut -c1-45
+                  }
+
+                  for NODE_NAME in $(kubectl get nodes -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'); do
+                    NODE_CLEAN="$(clean_name "${NODE_NAME}")"
+                    JOB_NAME="node-external-ip-${NODE_CLEAN}"
+
+                    kubectl delete job "${JOB_NAME}" -n kube-system --ignore-not-found=true --wait=true --timeout=60s
+
+                    cat <<EOF | kubectl apply -f -
+                  apiVersion: batch/v1
+                  kind: Job
+                  metadata:
+                    name: ${JOB_NAME}
+                    namespace: kube-system
+                    labels:
+                      app: node-external-ip-labeler
+                      target-node: "${NODE_CLEAN}"
+                  spec:
+                    ttlSecondsAfterFinished: 86400
+                    backoffLimit: 2
+                    template:
+                      metadata:
+                        labels:
+                          app: node-external-ip-labeler
+                          target-node: "${NODE_CLEAN}"
+                      spec:
+                        serviceAccountName: node-external-ip-labeler
+                        nodeName: "${NODE_NAME}"
+                        hostNetwork: true
+                        dnsPolicy: ClusterFirstWithHostNet
+                        restartPolicy: Never
+                        tolerations:
+                          - operator: Exists
+                        containers:
+                          - name: label-node
+                            image: bitnami/kubectl:latest
+                            imagePullPolicy: IfNotPresent
+                            env:
+                              - name: NODE_NAME
+                                value: "${NODE_NAME}"
+                            command:
+                              - /bin/bash
+                              - -lc
+                            args:
+                              - |
+                                set -euo pipefail
+
+                                json_ip() {
+                                  sed -n 's/.*"ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
+                                }
+
+                                IPV4="\$(curl -fsS --connect-timeout 10 --max-time 30 'https://api.ipify.org?format=json' | json_ip)"
+                                IP64="\$(curl -fsS --connect-timeout 10 --max-time 30 'https://api64.ipify.org?format=json' | json_ip || true)"
+
+                                if [ -z "\${IPV4}" ]; then
+                                  echo "Unable to detect external IPv4 for node ${NODE_NAME}"
+                                  exit 1
+                                fi
+
+                                kubectl label node "${NODE_NAME}" external-ipv4="\${IPV4}" --overwrite
+                                kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv4="\${IPV4}" --overwrite
+
+                                if echo "\${IP64}" | grep -q ':'; then
+                                  kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv6="\${IP64}" --overwrite
+                                elif [ -n "\${IP64}" ]; then
+                                  kubectl annotate node "${NODE_NAME}" homelab.hexor.cy/external-ipv4-api64="\${IP64}" --overwrite
+                                fi
+                  EOF
+                  done