doran/deploy/k8s
2026-03-29 13:45:34 +02:00

Kubernetes bootstrap assets

This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.

Layout

  • base/ — shared bootstrap manifests plus the current unrip project manifests
  • projects/ — conventions for hosting multiple isolated projects on the same cluster
  • overlays/hetzner-single-node/ — first-node overlay with concrete hostnames, local-path storage, and generated secret references
  • secrets/ — examples and instructions for supplying required secrets out-of-band

Shared cluster model

Shared platform namespaces:

  • forgejo
  • registry
  • observability (grafana, loki, promtail, headlamp)
  • cert-manager

Ingress is provided by the Traefik controller bundled with k3s, so base and overlay manifests target ingressClassName: traefik instead of installing ingress-nginx. Before applying, confirm the class is present on the node with kubectl get ingressclass traefik; an Ingress that names a missing class is accepted by the API server but never gets a route.

Project-specific namespaces:

  • unrip
  • future projects should get their own namespace instead of sharing unrip

Apply flow

After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:

bash scripts/hetzner/bootstrap.sh

That script renders the Hetzner overlay inputs, creates the platform and project registry auth Secrets using the active project naming, and applies the generated bootstrap overlay under .state/hetzner/generated-overlay/. Treat that directory as local, generated state: it is rendered from your credentials, so review it before sharing it and do not commit it.

For a manual, fully checked-in apply path, which assumes the Secrets listed under Secret management already exist in their namespaces, render the overlay first with kubectl kustomize to review what will be applied, then use:

kubectl apply -k deploy/k8s/overlays/hetzner-single-node

Secret management

The overlay intentionally references generated or pre-created Secrets instead of committing credentials:

  • unrip/unrip-secrets
  • unrip/unrip-registry-creds
  • forgejo/forgejo-secrets
  • observability/observability-secrets
  • registry/registry-secrets

The bootstrap script creates them from local environment variables and from entries resolved with pass. By default it targets the unrip project, but the project secret env filenames, namespaces, image names, rollout targets, and registry pull-secret names are all derived from PROJECT_NAME and PROJECT_NAMESPACE rather than hard-coded legacy trading-system values.
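The name derivation and Secret rendering described in the apply flow and the paragraph above, as an added example that is not the repository's scripts/hetzner/bootstrap.sh. It derives <project>-secrets and <project>-registry-creds from PROJECT_NAME and PROJECT_NAMESPACE, renders a kubernetes.io/dockerconfigjson pull secret and an Opaque project secret without needing kubectl, and writes them next to a kustomization that layers on the checked-in hetzner-single-node overlay. The output directory, the registry host and account, the KEY=VALUE inputs and the kustomization layout are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added illustration, not the repository's bootstrap.sh. Derives per-project
# Secret names from PROJECT_NAME / PROJECT_NAMESPACE and renders them into a
# generated overlay directory. Registry values, KEY=VALUE inputs, output paths
# and the kustomization layout are assumptions for the example.
set -euo pipefail

# Path of the checked-in overlay relative to .state/hetzner/generated-overlay/ (assumed).
BASE_OVERLAY=${BASE_OVERLAY:-../../../deploy/k8s/overlays/hetzner-single-node}

# base64 without line wrapping; GNU `base64 -w0` is not portable.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Naming convention from the README: <project>-secrets, <project>-registry-creds.
secret_name()      { printf '%s-secrets' "$1"; }
pull_secret_name() { printf '%s-registry-creds' "$1"; }

# kubernetes.io/dockerconfigjson pull secret. Values are embedded in JSON, so
# refuse characters that would need escaping rather than silently corrupt it.
render_pull_secret() {  # namespace name registry-host username password
  local ns=$1 name=$2 host=$3 user=$4 pass=$5 cfg
  case "$host$user$pass" in
    *'"'*|*'\'*) echo "refusing to embed quotes/backslashes in dockerconfigjson" >&2; return 1 ;;
  esac
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
        "$host" "$user" "$pass" "$(b64 "$user:$pass")")
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(b64 "$cfg")
EOF
}

# Opaque secret whose keys come from KEY=VALUE arguments (e.g. lines of an env file).
render_opaque_secret() {  # namespace name KEY=VALUE...
  local ns=$1 name=$2 kv
  shift 2
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# Write both Secrets plus a kustomization that includes the checked-in overlay.
render_overlay() {  # out-dir project namespace registry-host username password KEY=VALUE...
  local out=$1 project=$2 ns=$3 host=$4 user=$5 pass=$6
  shift 6
  mkdir -p "$out"
  render_pull_secret "$ns" "$(pull_secret_name "$project")" "$host" "$user" "$pass" \
    > "$out/registry-creds.yaml"
  render_opaque_secret "$ns" "$(secret_name "$project")" "$@" > "$out/project-secrets.yaml"
  cat > "$out/kustomization.yaml" <<EOF
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - $BASE_OVERLAY
  - registry-creds.yaml
  - project-secrets.yaml
EOF
  chmod 600 "$out"/*.yaml   # rendered files hold credentials; keep them private
}

# Demo with constructed values. A real run would take the registry password from
# the environment or from `pass show <entry>` and write under .state/hetzner/.
PROJECT_NAME=${PROJECT_NAME:-unrip}
PROJECT_NAMESPACE=${PROJECT_NAMESPACE:-$PROJECT_NAME}
demo_dir=$(mktemp -d)
render_overlay "$demo_dir" "$PROJECT_NAME" "$PROJECT_NAMESPACE" \
  registry.example.test deploy demo-password DATABASE_URL=postgres://db/unrip
echo "rendered overlay in $demo_dir; apply with: kubectl apply -k $demo_dir"
```

The rendered files are plain YAML, so the same kubectl kustomize review step used for the checked-in overlay works on the generated one before anything is applied; the chmod keeps the rendered credentials readable only by the user running the bootstrap.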