From 33037eba4699e474dfb78a6b48c840428ff4e83c Mon Sep 17 00:00:00 2001
From: Viktor Barzin <viktorbarzin@meta.com>
Date: Tue, 24 Mar 2026 17:24:05 +0200
Subject: [PATCH] =?UTF-8?q?upgrade=20MetalLB=20v0.10.2=20=E2=86=92=20v0.15?=
 =?UTF-8?q?.3=20and=20update=20annotations?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace custom ViktorBarzin/metallb module with official Helm chart
- Migrate from ConfigMap-based config to CRD (IPAddressPool + L2Advertisement)
- Update Traefik LB annotations from metallb.universe.tf to metallb.io format
- Technitium DNS keeps stable IP 10.0.20.204 via MetalLB auto-assignment
- Headscale split DNS already configured to use 10.0.20.204
---
 stacks/metallb/modules/metallb/main.tf       | 75 +++++++++++++-------
 stacks/platform/modules/traefik/main.tf      |  2 +-
 stacks/technitium/modules/technitium/main.tf |  1 +
 stacks/traefik/modules/traefik/main.tf       |  2 +-
 4 files changed, 53 insertions(+), 27 deletions(-)

diff --git a/stacks/metallb/modules/metallb/main.tf b/stacks/metallb/modules/metallb/main.tf
index 1659f08e..2c8d0078 100644
--- a/stacks/metallb/modules/metallb/main.tf
+++ b/stacks/metallb/modules/metallb/main.tf
@@ -1,9 +1,3 @@
-# Creates namespace and everythin needed
-# Do not use until https://github.com/colinwilson/terraform-kubernetes-metallb/issues/5 is solved
-# module "metallb" {
-#   source  = "colinwilson/metallb/kubernetes"
-#   version = "0.1.7"
-# }
 variable "tier" { type = string }
 
 resource "kubernetes_namespace" "metallb" {
@@ -11,30 +5,61 @@ resource "kubernetes_namespace" "metallb" {
     name = "metallb-system"
     labels = {
       app = "metallb"
-      # "istio-injection" : "disabled"
-      # tier = var.tier
     }
   }
 }
 
-module "metallb" {
-  source     = "ViktorBarzin/metallb/kubernetes"
-  version    = "0.1.5"
-  depends_on = [kubernetes_namespace.metallb]
+resource "helm_release" "metallb" {
+  name       = "metallb"
+  repository = "https://metallb.github.io/metallb"
+  chart      = "metallb"
+  version    = "0.15.3"
+  namespace  = kubernetes_namespace.metallb.metadata[0].name
+  timeout    = 600
+
+  values = [yamlencode({
+    controller = {
+      image = {
+        pullPolicy = "IfNotPresent"
+      }
+    }
+    speaker = {
+      image = {
+        pullPolicy = "IfNotPresent"
+      }
+      frr = {
+        enabled = false
+      }
+    }
+  })]
 }
 
-resource "kubernetes_config_map" "config" {
-  metadata {
-    name      = "config"
-    namespace = kubernetes_namespace.metallb.metadata[0].name
-  }
-  data = {
-    config = <<EOT
-address-pools:
-- name: default
-  protocol: layer2
-  addresses:
-  - 10.0.20.200-10.0.20.220
-EOT
+resource "kubernetes_manifest" "ip_address_pool" {
+  manifest = {
+    apiVersion = "metallb.io/v1beta1"
+    kind       = "IPAddressPool"
+    metadata = {
+      name      = "default"
+      namespace = "metallb-system"
+    }
+    spec = {
+      addresses = ["10.0.20.200-10.0.20.220"]
+    }
   }
+  depends_on = [helm_release.metallb]
+}
+
+resource "kubernetes_manifest" "l2_advertisement" {
+  manifest = {
+    apiVersion = "metallb.io/v1beta1"
+    kind       = "L2Advertisement"
+    metadata = {
+      name      = "default"
+      namespace = "metallb-system"
+    }
+    spec = {
+      ipAddressPools = ["default"]
+    }
+  }
+  depends_on = [helm_release.metallb]
 }
diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf
index 6428322c..7fb06dcc 100644
--- a/stacks/platform/modules/traefik/main.tf
+++ b/stacks/platform/modules/traefik/main.tf
@@ -144,7 +144,7 @@ resource "helm_release" "traefik" {
     service = {
       type = "LoadBalancer"
       annotations = {
-        "metallb.universe.tf/loadBalancerIPs" = "10.0.20.202"
+        "metallb.io/loadBalancerIPs" = "10.0.20.202"
       }
       spec = {
         externalTrafficPolicy = "Local"
diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf
index 34d90a81..71565733 100644
--- a/stacks/technitium/modules/technitium/main.tf
+++ b/stacks/technitium/modules/technitium/main.tf
@@ -265,6 +265,7 @@ resource "kubernetes_service" "technitium-dns" {
     labels = {
       "app" = "technitium"
     }
+    annotations = {}
   }
 
   spec {
diff --git a/stacks/traefik/modules/traefik/main.tf b/stacks/traefik/modules/traefik/main.tf
index dd17b78f..2ce97ef5 100644
--- a/stacks/traefik/modules/traefik/main.tf
+++ b/stacks/traefik/modules/traefik/main.tf
@@ -144,7 +144,7 @@ resource "helm_release" "traefik" {
     service = {
       type = "LoadBalancer"
       annotations = {
-        "metallb.universe.tf/loadBalancerIPs" = "10.0.20.202"
+        "metallb.io/loadBalancerIPs" = "10.0.20.202"
       }
       spec = {
         externalTrafficPolicy = "Local"