feat(hetzner): support per-nodepool Hetzner firewalls

[tjorri]

What type of PR is this?

/kind feature

What this PR does / why we need it:

Today the Hetzner cloud provider attaches a single, cluster-wide firewall (HCLOUD_FIREWALL) to every server it creates. There is no way to give one nodepool extra firewall rules without applying them to the entire cluster.

This PR adds a firewalls field to NodeConfig (nodeConfigs in HCLOUD_CLUSTER_CONFIG) listing additional firewall ids or names to attach to that pool's servers, on top of HCLOUD_FIREWALL. The cluster firewall and the per-nodepool firewalls are merged (deduplicated by id) at server creation, so a pool can carry extra rules — e.g. a dedicated ingress/edge pool that needs a public port range — without relaxing the firewall on the rest of the cluster.

Firewalls are resolved once at provider initialization and fail fast if a referenced firewall does not exist, mirroring the existing placementGroup handling. HCLOUD_FIREWALL is unchanged and remains cluster-wide; the new field is optional and additive, so existing deployments behave identically. Per-nodepool firewalls require the nodeConfigs format.

Which issue(s) this PR fixes:

Fixes #9809

Special notes for your reviewer:

• Backward compatible: HCLOUD_FIREWALL behaviour is untouched and firewalls defaults to empty.
• The merge is deduplicated by firewall id, so a pool may list the global firewall harmlessly and Hetzner never sees a duplicate attachment.
• Mirrors the existing per-pool placementGroup pattern: resolved in BuildHetzner, stored on the node group, applied in createServer.
• Firewalls are attached at server creation; this does not retroactively change firewalls on already-running nodes.
• Unit test added for the global/per-pool/dedup merge (TestBuildServerCreateFirewalls); README updated.

Does this PR introduce a user-facing change?

The Hetzner cloud provider adds a new `firewalls` field to `nodeConfigs` in `HCLOUD_CLUSTER_CONFIG`. Firewalls specified there (ids or names) are attached to that nodepool's servers at creation time, in addition to the cluster-wide `HCLOUD_FIREWALL`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: tjorri / name: Tuomo (4a92bf8)

[k8s-ci-robot]

This issue is currently awaiting triage.

If SIG Autoscaling contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

Welcome @tjorri!

It looks like this is your first PR to kubernetes/autoscaler 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/autoscaler has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tjorri
Once this PR has been reviewed and has the lgtm label, please assign lukasmetzner for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• cluster-autoscaler/cloudprovider/hetzner/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @tjorri. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lukasmetzner]

Hey @tjorri,

thanks for the contribution 🚀 The idea looks good to me.

I just noticed, that the API is return an internal server error when the same Firewall ID is specified more than once in the create Server call. I would just like to sort out this issue with the corresponding internal team and then do a review here.

[lukasmetzner]

At this stage we could already append the global Firewall and deduplicate the list. Then we don't need to do this for every create Server call.

If we don't use the hcloud.Firewall object anywhere else, we could directly store the hcloud.ServerCreateFirewall object.

[lukasmetzner]

Suggested change

	firewall, _, err := manager.client.Firewall.Get(ctx, firewallRef)
	// Check if an error occurred
	if err != nil {
	firewall, _, err := manager.client.Firewall.Get(ctx, firewallRef)
	if err != nil {