philipp/doran
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
doran/deploy/k8s/README.md
Philipp d8248d555a refactor: split unrip into separate repo
2026-03-30 17:39:20 +02:00

51 lines
2.2 KiB
Markdown
Raw Blame History

# Kubernetes bootstrap assets
This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.
## Layout
- `base/` — platform-only compatibility kustomization
- `platform/` — shared cluster manifests
- `projects/` — naming/layout conventions for hosted projects
- `overlays/hetzner-single-node/` — first-node overlay with concrete hostnames, local-path storage, and generated secret references
- `secrets/` — examples and instructions for supplying required secrets out-of-band
The actual `unrip` project manifests now live in the separate `unrip` application repository under:
- `deploy/k8s/base/`
## Shared cluster model
Shared platform namespaces:
- `forgejo`
- `registry`
- `observability` (`grafana`, `loki`, `promtail`, `headlamp`)
- `cert-manager`
Ingress is provided by the Traefik controller bundled with k3s. Base and overlay manifests therefore target `ingressClassName: traefik` instead of installing ingress-nginx.
Project-specific namespaces:
- `unrip`
- future projects should get their own namespace instead of sharing `unrip`
## Apply flow
After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:
```bash
bash scripts/hetzner/bootstrap.sh
```
That script renders the Hetzner overlay inputs, creates platform and project registry auth secrets using the active project naming, and applies the generated bootstrap overlay under `.state/hetzner/generated-overlay/`.
For a manual, fully checked-in apply path, use:
```bash
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
```
## Secret management
The overlay intentionally references generated or pre-created Secrets instead of committing credentials:
- `unrip/unrip-secrets`
- `unrip/unrip-registry-creds`
- `forgejo/forgejo-secrets`
- `observability/observability-secrets`
- `registry/registry-secrets`
The bootstrap script creates them from local environment variables and `pass`-resolved secrets. By default it targets the `unrip` project, but project secret env filenames, namespaces, image names, rollout targets, and registry pull-secret names are derived from `PROJECT_NAME` and `PROJECT_NAMESPACE` instead of hard-coding legacy `trading-system` values.
Reference in a new issue View git blame Copy permalink