# Load Balancer for Kubernetes API High Availability
# Provides a single endpoint for all control planes.
# NOTE(review): the load balancer presumably gets a public address, which
# exposes 6443 to the internet; Hetzner Cloud firewalls attach to servers,
# not load balancers, so reaching the API is gated only by kube-apiserver
# authentication — confirm this matches the intended exposure.
resource "hcloud_load_balancer" "kube_api" {
  name               = "${var.cluster_name}-api"
  location           = var.location
  load_balancer_type = "lb11" # smallest tier (€5.39/month at time of writing)

  labels = {
    role    = "kube-api"
    cluster = var.cluster_name
  }
}

# Attach the load balancer to the private cluster network. This must exist
# before any target can be registered with use_private_ip = true.
resource "hcloud_load_balancer_network" "kube_api" {
  load_balancer_id = hcloud_load_balancer.kube_api.id
  network_id       = hcloud_network.cluster.id
  # Fifth host address of the subnet (10.0.1.5 only when subnet_cidr is 10.0.1.0/24).
  ip = cidrhost(var.subnet_cidr, 5)
}

# Register every control plane server as a backend, reached over the private
# network rather than its public IP.
resource "hcloud_load_balancer_target" "kube_api_targets" {
  count            = var.control_plane_count
  load_balancer_id = hcloud_load_balancer.kube_api.id
  type             = "server"
  server_id        = hcloud_server.control_plane[count.index].id
  use_private_ip   = true

  # The network attachment is not referenced by any attribute above, so it has
  # to be ordered explicitly; the server dependency is already implied by
  # server_id and is listed here as well.
  depends_on = [
    hcloud_load_balancer_network.kube_api,
    hcloud_server.control_plane,
  ]
}

# Forward TCP 6443 (Kubernetes API) to the same port on each target.
# Plain TCP rather than https so TLS is passed through untouched and
# client-certificate authentication still terminates at the API server.
resource "hcloud_load_balancer_service" "kube_api" {
  load_balancer_id = hcloud_load_balancer.kube_api.id
  protocol         = "tcp"
  listen_port      = 6443
  destination_port = 6443

  # TCP-level probe only: it confirms the port accepts connections, not that
  # the API server is actually serving. A target is dropped after `retries`
  # consecutive failures — check provider docs for the exact timing.
  health_check {
    protocol = "tcp"
    port     = 6443
    interval = 15 # seconds
    timeout  = 10 # seconds
    retries  = 3
  }
}

# Firewall rule to allow LB access to control planes on 6443
# This is added to the existing cluster firewall