philipp/doran
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
doran/deploy/k8s/README.md

2.2 KiB
Raw Blame History

Kubernetes bootstrap assets

This directory is the repo-driven deployment target for the single-node Hetzner+k3s bootstrap.

Layout

  • base/ — compatibility kustomization that composes platform resources with the current unrip project path
  • platform/ — shared cluster manifests
  • projects/ — naming/layout conventions for hosted projects
  • overlays/hetzner-single-node/ — first-node overlay with concrete hostnames, local-path storage, and generated secret references
  • secrets/ — examples and instructions for supplying required secrets out-of-band

The actual unrip project manifests now live under:

  • projects/unrip/deploy/k8s/base/ at the repo root

Shared cluster model

Shared platform namespaces:

  • forgejo
  • registry
  • observability (grafana, loki, promtail, headlamp)
  • cert-manager

Ingress is provided by the Traefik controller bundled with k3s. Base and overlay manifests therefore target ingressClassName: traefik instead of installing ingress-nginx.

Project-specific namespaces:

  • unrip
  • future projects should get their own namespace instead of sharing unrip

Apply flow

After Terraform/cloud-init has produced a working kubeconfig, the canonical path is:

bash scripts/hetzner/bootstrap.sh

That script renders the Hetzner overlay inputs, creates platform and project registry auth secrets using the active project naming, and applies the generated bootstrap overlay under .state/hetzner/generated-overlay/.

For a manual, fully checked-in apply path, use:

kubectl apply -k deploy/k8s/overlays/hetzner-single-node

Secret management

The overlay intentionally references generated or pre-created Secrets instead of committing credentials:

  • unrip/unrip-secrets
  • unrip/unrip-registry-creds
  • forgejo/forgejo-secrets
  • observability/observability-secrets
  • registry/registry-secrets

The bootstrap script creates them from local environment variables and pass-resolved secrets. By default it targets the unrip project, but project secret env filenames, namespaces, image names, rollout targets, and registry pull-secret names are derived from PROJECT_NAME and PROJECT_NAMESPACE instead of hard-coding legacy trading-system values.