hetznercloud · lukasmetzner · Aug 1, 2025 · Jul 28, 2025 · Jul 31, 2025
@@ -108,7 +108,7 @@ func NewCloud(cidr string) (cloudprovider.Interface, error) {
 		}
 		networkID = n.ID
 
-		if !cfg.Network.DisableAttachedCheck {
+		if cfg.Network.AttachedCheckEnabled {
 			attached, err := serverIsAttachedToNetwork(metadataClient, networkID)
 			if err != nil {
 				return nil, fmt.Errorf("%s: checking if server is in Network not possible: %w", op, err)
@@ -181,7 +181,7 @@ func (c *cloud) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
 		Recorder:      c.recorder,
 	}
 
-	return newLoadBalancers(lbOps, c.cfg.LoadBalancer.DisablePrivateIngress, c.cfg.LoadBalancer.DisableIPv6), true
+	return newLoadBalancers(lbOps, c.cfg.LoadBalancer.PrivateIngressEnabled, c.cfg.LoadBalancer.IPv6Enabled), true
 }
 
 func (c *cloud) Clusters() (cloudprovider.Clusters, bool) {

@@ -31,16 +31,16 @@ type LoadBalancerOps interface {
 
 type loadBalancers struct {
 	lbOps                        LoadBalancerOps
-	disablePrivateIngressDefault bool
-	disableIPv6Default           bool
-	useProxyProtocolDefault      bool
+	ipv6EnabledDefault           bool
+	proxyProtocolEnabledDefault  bool
+	privateIngressEnabledDefault bool
 }
 
-func newLoadBalancers(lbOps LoadBalancerOps, disablePrivateIngressDefault bool, disableIPv6Default bool) *loadBalancers {
+func newLoadBalancers(lbOps LoadBalancerOps, privateIngressEnabledDefault bool, ipv6EnabledDefault bool) *loadBalancers {
 	return &loadBalancers{
 		lbOps:                        lbOps,
-		disablePrivateIngressDefault: disablePrivateIngressDefault,
-		disableIPv6Default:           disableIPv6Default,
+		ipv6EnabledDefault:           ipv6EnabledDefault,
+		privateIngressEnabledDefault: privateIngressEnabledDefault,
 	}
 }
 
@@ -219,12 +219,12 @@ func (l *loadBalancers) buildLoadBalancerStatusIngress(lb *hcloud.LoadBalancer,
 	var ingress []corev1.LoadBalancerIngress
 	ipMode := corev1.LoadBalancerIPModeVIP
 
-	useProxyProtocol, err := l.getUseProxyProtocol(svc)
+	proxyProtocolEnabled, err := l.getProxyProtocolEnabled(svc)
 	if err != nil {
 		return nil, fmt.Errorf("%s: %w", op, err)
 	}
 
-	if useProxyProtocol {
+	if proxyProtocolEnabled {
 		ipMode = corev1.LoadBalancerIPModeProxy
 	}
 
@@ -234,24 +234,24 @@ func (l *loadBalancers) buildLoadBalancerStatusIngress(lb *hcloud.LoadBalancer,
 			IPMode: &ipMode,
 		})
 
-		disableIPV6, err := l.getDisableIPv6(svc)
+		ipv6Enabled, err := l.getIPv6Enabled(svc)
 		if err != nil {
 			return nil, fmt.Errorf("%s: %w", op, err)
 		}
-		if !disableIPV6 {
+		if ipv6Enabled {
 			ingress = append(ingress, corev1.LoadBalancerIngress{
 				IP:     lb.PublicNet.IPv6.IP.String(),
 				IPMode: &ipMode,
 			})
 		}
 	}
 
-	disablePrivIngress, err := l.getDisablePrivateIngress(svc)
+	privateIngressEnabled, err := l.getPrivateIngressEnabled(svc)
 	if err != nil {
 		return nil, fmt.Errorf("%s: %w", op, err)
 	}
 
-	if !disablePrivIngress {
+	if privateIngressEnabled {
 		for _, privateNet := range lb.PrivateNet {
 			ingress = append(ingress, corev1.LoadBalancerIngress{
 				IP:     privateNet.IP.String(),
@@ -263,37 +263,37 @@ func (l *loadBalancers) buildLoadBalancerStatusIngress(lb *hcloud.LoadBalancer,
 	return ingress, nil
 }
 
-func (l *loadBalancers) getDisablePrivateIngress(svc *corev1.Service) (bool, error) {
+func (l *loadBalancers) getPrivateIngressEnabled(svc *corev1.Service) (bool, error) {
 	disable, err := annotation.LBDisablePrivateIngress.BoolFromService(svc)
 	if err == nil {
-		return disable, nil
+		return !disable, nil
 	}
 	if errors.Is(err, annotation.ErrNotSet) {
-		return l.disablePrivateIngressDefault, nil
+		return l.privateIngressEnabledDefault, nil
 	}
-	return false, err
+	return true, err
 }
 
-func (l *loadBalancers) getUseProxyProtocol(svc *corev1.Service) (bool, error) {
-	disable, err := annotation.LBSvcProxyProtocol.BoolFromService(svc)
+func (l *loadBalancers) getProxyProtocolEnabled(svc *corev1.Service) (bool, error) {
+	enable, err := annotation.LBSvcProxyProtocol.BoolFromService(svc)
 	if err == nil {
-		return disable, nil
+		return enable, nil
 	}
 	if errors.Is(err, annotation.ErrNotSet) {
-		return l.useProxyProtocolDefault, nil
+		return l.proxyProtocolEnabledDefault, nil
 	}
 	return false, err
 }
 
-func (l *loadBalancers) getDisableIPv6(svc *corev1.Service) (bool, error) {
+func (l *loadBalancers) getIPv6Enabled(svc *corev1.Service) (bool, error) {
 	disable, err := annotation.LBIPv6Disabled.BoolFromService(svc)
 	if err == nil {
-		return disable, nil
+		return !disable, nil
 	}
 	if errors.Is(err, annotation.ErrNotSet) {
-		return l.disableIPv6Default, nil
+		return l.ipv6EnabledDefault, nil
 	}
-	return false, err
+	return true, err
 }
 
 func (l *loadBalancers) UpdateLoadBalancer(

@@ -150,9 +150,9 @@ func TestLoadBalancers_GetLoadBalancer(t *testing.T) {
 			},
 		},
 		{
-			Name:                         "get load balancer with private network and without private ingress",
-			ServiceUID:                   "1",
-			DisablePrivateIngressDefault: true,
+			Name:                     "get load balancer with private network and without private ingress",
+			ServiceUID:               "1",
+			UsePrivateIngressDefault: hcloud.Ptr(false),
 			LB: &hcloud.LoadBalancer{
 				ID:               1,
 				Name:             "with-priv-net-without-private-ingress",
@@ -374,7 +374,7 @@ func TestLoadBalancers_EnsureLoadBalancer_CreateLoadBalancer(t *testing.T) {
 			ServiceAnnotations: map[annotation.Name]string{
 				annotation.LBName: "with-priv-net-no-priv-ingress",
 			},
-			DisablePrivateIngressDefault: true,
+			UsePrivateIngressDefault: hcloud.Ptr(false),
 			LB: &hcloud.LoadBalancer{
 				ID:               1,
 				Name:             "with-priv-net-no-priv-ingress",

@@ -18,16 +18,16 @@ type LoadBalancerTestCase struct {
 	Name string
 
 	// Defined in test case as needed
-	ClusterName                  string
-	NetworkID                    int
-	ServiceUID                   string
-	ServiceAnnotations           map[annotation.Name]string
-	DisablePrivateIngressDefault bool
-	DisableIPv6Default           bool
-	Nodes                        []*corev1.Node
-	LB                           *hcloud.LoadBalancer
-	LBCreateResult               *hcloud.LoadBalancerCreateResult
-	Mock                         func(t *testing.T, tt *LoadBalancerTestCase)
+	ClusterName              string
+	NetworkID                int
+	ServiceUID               string
+	ServiceAnnotations       map[annotation.Name]string
+	UsePrivateIngressDefault *bool
+	UseIPv6Default           *bool
+	Nodes                    []*corev1.Node
+	LB                       *hcloud.LoadBalancer
+	LBCreateResult           *hcloud.LoadBalancerCreateResult
+	Mock                     func(t *testing.T, tt *LoadBalancerTestCase)
 
 	// Defines the actual test
 	Perform func(t *testing.T, tt *LoadBalancerTestCase)
@@ -44,6 +44,14 @@ type LoadBalancerTestCase struct {
 func (tt *LoadBalancerTestCase) run(t *testing.T) {
 	t.Helper()
 
+	if tt.UsePrivateIngressDefault == nil {
+		tt.UsePrivateIngressDefault = hcloud.Ptr(true)
+	}
+
+	if tt.UseIPv6Default == nil {
+		tt.UseIPv6Default = hcloud.Ptr(true)
+	}
+
 	tt.LBOps = &hcops.MockLoadBalancerOps{}
 	tt.LBOps.Test(t)
 
@@ -70,7 +78,7 @@ func (tt *LoadBalancerTestCase) run(t *testing.T) {
 		tt.Mock(t, tt)
 	}
 
-	tt.LoadBalancers = newLoadBalancers(tt.LBOps, tt.DisablePrivateIngressDefault, tt.DisableIPv6Default)
+	tt.LoadBalancers = newLoadBalancers(tt.LBOps, *tt.UsePrivateIngressDefault, *tt.UseIPv6Default)
 	tt.Perform(t, tt)
 
 	tt.LBOps.AssertExpectations(t)

@@ -79,14 +79,14 @@ type LoadBalancerConfiguration struct {
 	Enabled               bool
 	Location              string
 	NetworkZone           string
-	DisablePrivateIngress bool
-	UsePrivateIP          bool
-	DisableIPv6           bool
+	PrivateIngressEnabled bool
+	PrivateIPEnabled      bool
+	IPv6Enabled           bool
 }
 
 type NetworkConfiguration struct {
 	NameOrID             string
-	DisableAttachedCheck bool
+	AttachedCheckEnabled bool
 }
 
 type RouteConfiguration struct {
@@ -171,24 +171,30 @@ func Read() (HCCMConfiguration, error) {
 	}
 	cfg.LoadBalancer.Location = os.Getenv(hcloudLoadBalancersLocation)
 	cfg.LoadBalancer.NetworkZone = os.Getenv(hcloudLoadBalancersNetworkZone)
-	cfg.LoadBalancer.DisablePrivateIngress, err = getEnvBool(hcloudLoadBalancersDisablePrivateIngress, false)
+
+	disablePrivateIngress, err := getEnvBool(hcloudLoadBalancersDisablePrivateIngress, false)
 	if err != nil {
 		errs = append(errs, err)
 	}
-	cfg.LoadBalancer.UsePrivateIP, err = getEnvBool(hcloudLoadBalancersUsePrivateIP, false)
+	cfg.LoadBalancer.PrivateIngressEnabled = !disablePrivateIngress // Invert the logic, as the env var is prefixed with DISABLE_.
+
+	cfg.LoadBalancer.PrivateIPEnabled, err = getEnvBool(hcloudLoadBalancersUsePrivateIP, false)
 	if err != nil {
 		errs = append(errs, err)
 	}
-	cfg.LoadBalancer.DisableIPv6, err = getEnvBool(hcloudLoadBalancersDisableIPv6, false)
+
+	disableIPv6, err := getEnvBool(hcloudLoadBalancersDisableIPv6, false)
 	if err != nil {
 		errs = append(errs, err)
 	}
+	cfg.LoadBalancer.IPv6Enabled = !disableIPv6 // Invert the logic, as the env var is prefixed with DISABLE_.
 
 	cfg.Network.NameOrID = os.Getenv(hcloudNetwork)
-	cfg.Network.DisableAttachedCheck, err = getEnvBool(hcloudNetworkDisableAttachedCheck, false)
+	disableAttachedCheck, err := getEnvBool(hcloudNetworkDisableAttachedCheck, false)
 	if err != nil {
 		errs = append(errs, err)
 	}
+	cfg.Network.AttachedCheckEnabled = !disableAttachedCheck // Invert the logic, as the env var is prefixed with DISABLE_.
 
 	// Enabling Routes only makes sense when a Network is configured, otherwise there is no network to add the routes to.
 	if cfg.Network.NameOrID != "" {