doran/deploy/k8s
2026-03-30 17:39:20 +02:00

Kubernetes bootstrap assets

This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.

Layout

  • base/ — platform-only compatibility kustomization
  • platform/ — shared cluster manifests
  • projects/ — naming/layout conventions for hosted projects
  • overlays/hetzner-single-node/ — first-node overlay with concrete hostnames, local-path storage, and generated secret references
  • secrets/ — examples and instructions for supplying required secrets out-of-band

The actual unrip project manifests now live in the separate unrip application repository under:

  • deploy/k8s/base/

Shared cluster model

Shared platform namespaces:

  • forgejo
  • registry
  • observability (grafana, loki, promtail, headlamp)
  • cert-manager

Ingress is provided by the Traefik controller bundled with k3s. Base and overlay manifests therefore target ingressClassName: traefik instead of installing ingress-nginx.

Project-specific namespaces:

  • unrip
  • future projects should get their own namespace instead of sharing unrip

Apply flow

After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:

bash scripts/hetzner/bootstrap.sh

That script renders the Hetzner overlay inputs, creates platform and project registry auth secrets using the active project naming, and applies the generated bootstrap overlay under .state/hetzner/generated-overlay/.

For a manual, fully checked-in apply path, use:

kubectl apply -k deploy/k8s/overlays/hetzner-single-node

Secret management

The overlay intentionally references generated or pre-created Secrets instead of committing credentials:

  • unrip/unrip-secrets
  • unrip/unrip-registry-creds
  • forgejo/forgejo-secrets
  • observability/observability-secrets
  • registry/registry-secrets

The bootstrap script creates them from local environment variables and pass-resolved secrets. By default it targets the unrip project, but project secret env filenames, namespaces, image names, rollout targets, and registry pull-secret names are derived from PROJECT_NAME and PROJECT_NAMESPACE instead of hard-coding legacy trading-system values.
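As an added example, not the repository's own bootstrap script: a POSIX shell sketch of the naming and rendering steps described above, so the Secrets are produced from environment values at apply time and nothing credential-bearing is written into the repo. The helper names (project_secret_name, registry_creds_name, render_secret, render_pull_secret) and the -secrets / -registry-creds suffixes are assumptions inferred from the Secret names listed in this section; all values used below are constructed, not real credentials.

```shell
#!/bin/sh
# Added example (not part of deploy/k8s): derive per-project Secret names from
# PROJECT_NAME / PROJECT_NAMESPACE and render Secret manifests from environment
# values. Helper names and the suffixes are assumptions based on the names
# listed in the README (unrip-secrets, unrip-registry-creds).

# project_secret_name NAME -> "<name>-secrets"
project_secret_name() {
  printf '%s-secrets' "$1"
}

# registry_creds_name NAME -> "<name>-registry-creds"
registry_creds_name() {
  printf '%s-registry-creds' "$1"
}

# b64 STRING -> single-line base64 (GNU base64 wraps at 76 columns, so strip newlines)
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# render_secret NAMESPACE NAME KEY=VALUE... -> Opaque Secret manifest on stdout.
# Fails closed: an unset or empty env var must never become an empty credential
# in the cluster, so any empty VALUE makes the function return 1 and print nothing.
render_secret() {
  ns=$1; name=$2; shift 2
  for kv in "$@"; do
    case $kv in
      *=*) ;;
      *) echo "render_secret: expected KEY=VALUE, got '$kv'" >&2; return 1 ;;
    esac
    [ -n "${kv#*=}" ] || { echo "render_secret: empty value for ${kv%%=*}" >&2; return 1; }
  done
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n' "$name" "$ns"
  for kv in "$@"; do
    printf '  %s: %s\n' "${kv%%=*}" "$(b64 "${kv#*=}")"
  done
}

# render_pull_secret NAMESPACE NAME REGISTRY USER PASSWORD
#   -> kubernetes.io/dockerconfigjson Secret usable as an imagePullSecret.
# Values containing double quotes are not escaped here; keep them out of the constructed inputs.
render_pull_secret() {
  ns=$1; name=$2; registry=$3; user=$4; pass=$5
  [ -n "$user" ] && [ -n "$pass" ] || { echo "render_pull_secret: missing credentials" >&2; return 1; }
  auth=$(b64 "$user:$pass")
  cfg=$(printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$registry" "$user" "$pass" "$auth")
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/dockerconfigjson\ndata:\n  .dockerconfigjson: %s\n' \
    "$name" "$ns" "$(b64 "$cfg")"
}

# Usage sketch (constructed values; APP_DB_PASSWORD would come from the
# environment or a pass lookup, never from a file in the repo):
#   PROJECT_NAME=unrip PROJECT_NAMESPACE=unrip APP_DB_PASSWORD=example-only
#   render_secret "$PROJECT_NAMESPACE" "$(project_secret_name "$PROJECT_NAME")" \
#     "DB_PASSWORD=$APP_DB_PASSWORD" | kubectl apply -f -
#   render_pull_secret "$PROJECT_NAMESPACE" "$(registry_creds_name "$PROJECT_NAME")" \
#     registry.example.invalid bot "$REGISTRY_TOKEN" | kubectl apply -f -
```

Piping the rendered manifest straight into kubectl apply -f - keeps the plaintext values in process memory only; the same functions can also be fed to kubectl apply --dry-run=client to check naming against PROJECT_NAME and PROJECT_NAMESPACE before touching the cluster.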