# Kubernetes bootstrap assets

This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.

## Layout

- `base/` — shared bootstrap manifests plus the current `unrip` project manifests
- `projects/` — conventions for hosting multiple isolated projects on the same cluster
- `overlays/hetzner-single-node/` — first-node overlay with concrete hostnames, local-path storage, and generated secret references
- `secrets/` — examples and instructions for supplying required secrets out-of-band

## Shared cluster model

Shared platform namespaces:

- `forgejo`
- `registry`
- `observability` (`grafana`, `loki`, `promtail`, `headlamp`)
- `cert-manager`

Ingress is provided by the Traefik controller bundled with k3s. Base and overlay manifests therefore target `ingressClassName: traefik` instead of installing ingress-nginx.

Project-specific namespaces:

- `unrip`
- future projects should get their own namespace instead of sharing `unrip`

## Apply flow

After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:

```bash
bash scripts/hetzner/bootstrap.sh
```

That script renders the Hetzner overlay inputs, creates platform and project registry auth secrets using the active project naming, and applies the generated bootstrap overlay under `.state/hetzner/generated-overlay/`.

For a manual, fully checked-in apply path, use:

```bash
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
```

## Secret management

The overlay intentionally references generated or pre-created Secrets instead of committing credentials:

- `unrip/unrip-secrets`
- `unrip/unrip-registry-creds`
- `forgejo/forgejo-secrets`
- `observability/observability-secrets`
- `registry/registry-secrets`

The bootstrap script creates them from local environment variables and `pass`-resolved secrets.

By default it targets the `unrip` project, but project secret env filenames, namespaces, image names, rollout targets, and registry pull-secret names are derived from `PROJECT_NAME` and `PROJECT_NAMESPACE` instead of hard-coding legacy `trading-system` values.