feat(robot): allow Robot support without API credentials for IP-based LB targets #1163

Merged
lukasmetzner merged 1 commit into hetznercloud:main from flownative:flownative/robot-without-credentials
Mar 16, 2026

@robertlemke
Contributor

When robot.enabled is set but no ROBOT_USER / ROBOT_PASSWORD are provided, the HCCM now derives IP targets directly from the Kubernetes Node's InternalIP instead of querying the Robot API. This is useful for setups where Robot servers are connected via vSwitch and only the service controller is needed.

Existing behavior is unchanged when credentials are provided. Partial credentials (only user or only password) are rejected during validation.

Fixes: #1162
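
Added example (not part of this PR or the HCCM code base): a stand-alone Go illustration of the two rules described above, the all-or-nothing credential check and deriving the LB target from the Node's InternalIP. All type and function names are hypothetical, `NodeAddress` stands in for the Kubernetes Node address entry, and the check that the InternalIP lies inside an expected private network CIDR is an assumed extra guard that the PR does not describe.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// NodeAddress is a hypothetical stand-in for the Kubernetes Node address entry.
type NodeAddress struct{ Type, Address string }
type RobotMode int
const (
	RobotAPI    RobotMode = iota // both credentials set: query the Robot API
	RobotNodeIP                  // no credentials: use the Node's InternalIP
)

var ErrPartialCredentials = errors.New("robot: set both user and password, or neither")

// ResolveRobotMode applies the all-or-nothing credential rule from the PR description.
func ResolveRobotMode(user, password string) (RobotMode, error) {
	switch {
	case user != "" && password != "":
		return RobotAPI, nil
	case user == "" && password == "":
		return RobotNodeIP, nil
	}
	return 0, ErrPartialCredentials
}

// InternalIPTarget returns the node's InternalIP only if it lies inside cidr
// (assumed guard, not described in the PR).
func InternalIPTarget(addrs []NodeAddress, cidr string) (netip.Addr, error) {
	prefix, err := netip.ParsePrefix(cidr)
	if err != nil {
		return netip.Addr{}, err
	}
	for _, a := range addrs {
		ip, err := netip.ParseAddr(a.Address)
		if a.Type == "InternalIP" && err == nil && prefix.Contains(ip) {
			return ip, nil
		}
	}
	return netip.Addr{}, fmt.Errorf("no InternalIP inside %s", prefix)
}

func main() { // constructed sample node on a 10.0.0.0/16 private network
	addrs := []NodeAddress{{"ExternalIP", "203.0.113.10"}, {"InternalIP", "10.0.1.5"}}
	fmt.Println(InternalIPTarget(addrs, "10.0.0.0/16"))
}
```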

@robertlemke robertlemke requested a review from a team as a code owner February 24, 2026 11:12
@robertlemke
Contributor Author

Hey there! This is my first contribution to HCCM and I tried to make it as clean and meaningful as possible.

I added tests and also tested the feature in a Talos Cluster based on Hetzner dedicated servers, as well as my CAPI-based cluster using HCloud instances.

Please let me know if I missed anything or if the motivation for this feature is unclear.

Contributor

@lukasmetzner lukasmetzner left a comment

Hey, I did a quick review and left some suggestions.

@codecov

codecov bot commented Mar 5, 2026

Codecov Report

❌ Patch coverage is 63.15789% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.67%. Comparing base (a899dba) to head (3bf2c02).
⚠️ Report is 4 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| internal/hcops/load_balancer.go | 60.60% | 12 Missing and 1 partial ⚠️ |
| hcloud/cloud.go | 0.00% | 0 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1163      +/-   ##
==========================================
- Coverage   68.55%   65.67%   -2.89%     
==========================================
  Files          24       24              
  Lines        2643     2657      +14     
==========================================
- Hits         1812     1745      -67     
- Misses        656      744      +88     
+ Partials      175      168       -7     
| Flag | Coverage Δ | |
| --- | --- | --- |
| e2e | ? | |
| unit | 65.67% <63.15%> (+0.71%) | ⬆️ |

@lukasmetzner
Contributor

The e2e tests failing is normal here due to missing permissions. Once everything is resolved in the PR I will manually run them on my machine. If you have the resources to test your changes on the Cloud and Robot platform, feel free to share the results, but as this induces costs, don't feel obligated to do so.

@robertlemke robertlemke force-pushed the flownative/robot-without-credentials branch from b027622 to 79c707e Compare March 5, 2026 12:03
@robertlemke
Contributor Author

Thanks again for your review and the time you put into adjusting my code! I adopted your changes and adjusted tests accordingly.

Regarding the e2e test: Would be great if you could run them for me! I tested the changes on a Talos cluster with Hetzner dedicated servers connected via vSwitch, as well as a CAPI-based cluster with HCloud instances (to verify no regressions).

@robertlemke robertlemke force-pushed the flownative/robot-without-credentials branch from 79c707e to f57cdf6 Compare March 6, 2026 18:22
@robertlemke
Contributor Author

Fixed lint complaint and rebased the commit.

…targets

Previously, enabling Robot support (`ROBOT_ENABLED=true`) required both
`ROBOT_USER` and `ROBOT_PASSWORD` to be set. This made it impossible to
use Robot nodes as IP-based load balancer targets without providing Robot
API credentials.

With this change, Robot credentials become optional. When no credentials
are provided, the load balancer reconciler derives IP targets directly
from the Kubernetes Node objects' InternalIP instead of querying the
Robot API. This is sufficient for setups where the node's InternalIP
(e.g. a vSwitch private IP) is the correct LB target address.

Partial credentials (only user or only password) are still rejected as a
likely misconfiguration.

@robertlemke robertlemke force-pushed the flownative/robot-without-credentials branch from f57cdf6 to 3bf2c02 Compare March 10, 2026 10:37
@lukasmetzner
Contributor

lukasmetzner commented Mar 12, 2026

Hey, @robertlemke

took me a bit to find the time to test this manually, but looking good so far. I have a small question regarding your use-case. For the InternalIPs, do you use IPs from a Hetzner Cloud Private Network, which the Robot server is connected to via a vSwitch?

@robertlemke
Contributor Author

Hey @lukasmetzner,

sorry for the hassle and thanks again for your time!

> I have a small question regarding your use-case. For the InternalIPs, do you use IPs from a Hetzner Cloud Private Network, which the Robot server is connected to via a vSwitch?

Yes, exactly! Our Robot servers are connected to a Hetzner Cloud Network via vSwitch. The nodes get their vSwitch IP assigned as InternalIP through the Talos machine configuration. The CCM then uses these IPs as Load Balancer targets, which works perfectly since the LB and the Robot servers are on the same private network.

This is the main use case we had in mind: you get full Load Balancer integration for Robot servers without needing Robot API credentials, as long as private networking via vSwitch is set up.

Does that make it a bit clearer? Feel free to ask, if you need to know more.

Cheers!

@lukasmetzner lukasmetzner merged commit 7878669 into hetznercloud:main Mar 16, 2026
4 of 9 checks passed