| .. | ||
| base | ||
| overlays/hetzner-single-node | ||
| platform/base | ||
| projects | ||
| secrets | ||
| README.md | ||
Kubernetes bootstrap assets
This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.
Layout
base/— shared bootstrap manifests plus the currentunripproject manifestsprojects/— conventions for hosting multiple isolated projects on the same clusteroverlays/hetzner-single-node/— first-node overlay with concrete hostnames, local-path storage, and generated secret referencessecrets/— examples and instructions for supplying required secrets out-of-band
Shared cluster model
Shared platform namespaces:
forgejoregistryobservability(grafana,loki,promtail,headlamp)ingress-nginxcert-manager
Project-specific namespaces:
unrip- future projects should get their own namespace instead of sharing
unrip
Apply flow
After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:
bash scripts/hetzner/bootstrap.sh
That script renders the Hetzner overlay inputs, creates platform and project registry auth secrets using the active project naming, and applies:
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
Secret management
The overlay intentionally references generated or pre-created Secrets instead of committing credentials:
unrip/unrip-secretsunrip/unrip-registry-credsforgejo/forgejo-secretsobservability/observability-secretsregistry/registry-secrets
The bootstrap script creates them from local environment variables. By default it targets the unrip project, but its kubeconfig context name, bootstrap image tag, project secret env filename, project namespace, and project registry secret name are derived from PROJECT_NAME, PROJECT_NAMESPACE, and CLUSTER_NAME instead of hard-coding legacy trading-system values.