44 lines
1.8 KiB
Markdown
44 lines
1.8 KiB
Markdown
# Kubernetes bootstrap assets
|
|
|
|
This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.
|
|
|
|
## Layout
|
|
- `base/` — shared bootstrap manifests plus the current `unrip` project manifests
|
|
- `projects/` — conventions for hosting multiple isolated projects on the same cluster
|
|
- `overlays/hetzner-single-node/` — first-node overlay with concrete hostnames, local-path storage, and generated secret references
|
|
- `secrets/` — examples and instructions for supplying required secrets out-of-band
|
|
|
|
## Shared cluster model
|
|
Shared platform namespaces:
|
|
- `forgejo`
|
|
- `registry`
|
|
- `observability`
|
|
- `ingress-nginx`
|
|
- `cert-manager`
|
|
|
|
Project-specific namespaces:
|
|
- `unrip`
|
|
- future projects should get their own namespace instead of sharing `unrip`
|
|
|
|
## Apply flow
|
|
After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:
|
|
|
|
```bash
|
|
bash scripts/hetzner/bootstrap.sh
|
|
```
|
|
|
|
That script renders the Hetzner overlay inputs, creates platform and project registry auth secrets using the active project naming, and applies:
|
|
|
|
```bash
|
|
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
|
|
```
|
|
|
|
## Secret management
|
|
The overlay intentionally references generated or pre-created Secrets instead of committing credentials:
|
|
- `unrip/unrip-secrets`
|
|
- `unrip/unrip-registry-creds`
|
|
- `forgejo/forgejo-secrets`
|
|
- `observability/observability-secrets`
|
|
- `registry/registry-secrets`
|
|
|
|
The bootstrap script creates them from local environment variables. By default it targets the `unrip` project, but its kubeconfig context name, bootstrap image tag, project secret env filename, project namespace, and project registry secret name are derived from `PROJECT_NAME`, `PROJECT_NAMESPACE`, and `CLUSTER_NAME` instead of hard-coding legacy `trading-system` values.
|