85b8fec6b3
Migrate ~180 LOC of openssl/kubectl init Jobs to declarative Secret manifests reconciled by mittwald/kubernetes-secret-generator (random strings, SSH keypair) and cert-manager Certificates (RSA private key + self-signed CA chain). mittwald only fills empty fields, so existing populated Secrets keep their current values across the migration. Changes: - New prototype kubernetes-secret-generator (chart 3.4.1, mittwald helm repo). Cluster-wide informer reconciler, no webhook -> cold-bootstrap safe via ArgoCD retries. - New cert-manager selfsigned ClusterIssuer (in-cluster trust root). letsencrypt remains for public-DNS endpoints. - forgejo: admin-secret Job replaced with a mittwald-annotated Secret (hex-encoded 24-char password). Deploy-key Job split: mittwald ssh-keypair Secret + slim Job that uploads pubkey to Forgejo and copies privkey into the argocd repo Secret. - ocis: 13 Secrets / 16 random fields now mittwald-managed (UUIDs replaced with opaque random hex; ocis treats user-id as opaque). IDP RSA signing key, LDAP self-signed CA, and LDAP server cert produced by cert-manager. Per-Deployment ytt overlay remaps volume key paths (tls.crt -> ldap-ca.crt, tls.key -> private-key.pem, etc.) since the ocis chart mounts Secrets raw without items support. Old multi-secret s3-secret-job replaced with a slim external-secret precheck Job that only validates pre-created Hetzner S3/Storage Box credentials. - Application sync-wave -10 on cert-manager and kubernetes-secret- generator so they install before consumers. ArgoCD selfHeal handles any residual races. CLAUDE.md: remove the "all namespaces use privileged PodSecurity" convention. Existing namespaces still carry the label and will be audited separately. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> |
||
|---|---|---|
| docs | ||
| envs | ||
| prototypes | ||
| rendered | ||
| talos | ||
| .envrc | ||
| .gitattributes | ||
| .gitignore | ||
| .myks.yaml | ||
| .sops.yaml | ||
| CLAUDE.md | ||
| flake.lock | ||
| flake.nix | ||
| README.md | ||
k8s-and-chill
Private Kubernetes cluster running on 3x Hetzner CAX11 (ARM64) instances with Talos Linux, managed by myks.
Cluster Setup
Prerequisites
Enter the dev shell (via direnv or nix develop), which provides:
talosctlkubectlhelmmykshcloud
Infrastructure
| Node | Public IP | Private IP | Location |
|---|---|---|---|
| ubuntu-4gb-nbg1-1 | 195.201.219.17 | 10.0.0.3 | nbg1 |
| ubuntu-4gb-nbg1-2 | 195.201.140.75 | 10.0.0.4 | nbg1 |
| ubuntu-4gb-nbg1-3 | 195.201.219.111 | 10.0.0.2 | nbg1 |
All nodes are control plane nodes (3-node HA etcd). The Kubernetes API endpoint is https://195.201.219.111:6443.
The nodes are connected via a Hetzner private network (thalos-k8s), which is used for inter-node communication.
Installing Talos on Hetzner Cloud
The servers were originally provisioned with Ubuntu. Talos was installed by writing the Talos disk image via Hetzner rescue mode.
1. Get the Talos image URL
Talos images for Hetzner Cloud are generated via the Talos Image Factory. For vanilla Talos (no extensions), get the schematic ID:
curl -sX POST https://factory.talos.dev/schematics \
-H 'Content-Type: application/json' \
-d '{"customization":{"systemExtensions":{"officialExtensions":[]}}}'
# Returns: {"id":"376567988ad370138ad8b2698212367b8edcb69b5fd68c80be1f2ec7d603b4ba"}
The image URL follows this pattern:
https://factory.talos.dev/image/<schematic-id>/<talos-version>/hcloud-arm64.raw.xz
2. Enable rescue mode and reboot
For each server:
hcloud server enable-rescue <server-name> --ssh-key "<ssh-key-name>"
hcloud server reboot <server-name>
3. Write Talos to disk
SSH into each server's rescue system and write the image:
ssh root@<server-ip> "curl -fsSL '<image-url>' | xz -d | dd of=/dev/sda bs=4M status=progress && sync"
4. Reboot into Talos
hcloud server reboot <server-name>
Bootstrapping the Cluster
1. Generate machine configs
mkdir -p talos
talosctl gen config k8s-and-chill https://195.201.219.111:6443 --output talos/
This creates controlplane.yaml, worker.yaml, and talosconfig.
2. Configure talosctl
export TALOSCONFIG=talos/talosconfig
talosctl config endpoint 195.201.219.111 195.201.140.75 195.201.219.17
talosctl config node 195.201.219.111 195.201.140.75 195.201.219.17
3. Apply configs
Apply the controlplane config to each node (use --insecure on first apply since the nodes don't have matching certs yet):
talosctl apply-config --insecure --nodes 195.201.219.111 --file talos/controlplane.yaml
talosctl apply-config --insecure --nodes 195.201.140.75 --file talos/controlplane.yaml
talosctl apply-config --insecure --nodes 195.201.219.17 --file talos/controlplane.yaml
4. Bootstrap etcd
Run this on exactly one node:
talosctl bootstrap --nodes 195.201.219.111
5. Get kubeconfig
talosctl kubeconfig talos/kubeconfig --nodes 195.201.219.111
6. Verify
export KUBECONFIG=talos/kubeconfig
kubectl get nodes -o wide
kubectl get pods -A