2026-03-20 02:24:37 +00:00
|
|
|
# Stable Private-Only Baseline
|
|
|
|
|
|
|
|
|
|
This document defines the current engineering target for this repository.
|
|
|
|
|
|
|
|
|
|
## Topology
|
|
|
|
|
|
|
|
|
|
- 1 control plane
|
|
|
|
|
- 2 workers
|
|
|
|
|
- private Hetzner network
|
|
|
|
|
- Tailscale operator access
|
|
|
|
|
|
|
|
|
|
## In Scope
|
|
|
|
|
|
|
|
|
|
- Terraform infrastructure bootstrap
|
2026-03-21 18:41:36 +00:00
|
|
|
- Ansible k3s bootstrap (using k3s embedded cloud provider)
|
2026-03-20 02:24:37 +00:00
|
|
|
- Flux core reconciliation
|
|
|
|
|
- External Secrets Operator with Doppler
|
|
|
|
|
- Tailscale private access
|
|
|
|
|
- Observability stack
|
|
|
|
|
|
2026-03-21 18:41:36 +00:00
|
|
|
## Deferred for Later Phases
|
|
|
|
|
|
|
|
|
|
- Hetzner CCM (using k3s embedded for now)
|
|
|
|
|
- Hetzner CSI (deferred - local storage sufficient for baseline)
|
|
|
|
|
|
2026-03-20 02:24:37 +00:00
|
|
|
## Out of Scope
|
|
|
|
|
|
|
|
|
|
- HA control plane
|
|
|
|
|
- public ingress or DNS
|
|
|
|
|
- public TLS
|
|
|
|
|
- app workloads
|
|
|
|
|
- DR / backup strategy
|
|
|
|
|
- upgrade strategy
|
|
|
|
|
|
|
|
|
|
## Phase Gates
|
|
|
|
|
|
|
|
|
|
1. Terraform apply completes for the default topology.
|
|
|
|
|
2. k3s server bootstrap completes and kubeconfig works.
|
|
|
|
|
3. Workers join and all nodes are Ready.
|
|
|
|
|
4. Flux source and infrastructure reconciliation are healthy.
|
2026-03-21 18:41:36 +00:00
|
|
|
5. External Secrets sync required secrets.
|
|
|
|
|
6. Tailscale private access works.
|
|
|
|
|
7. Observability is healthy and reachable privately.
|
|
|
|
|
8. Terraform destroy succeeds cleanly or via workflow retry.
|
|
|
|
|
|
|
|
|
|
_Note: Hetzner CCM and CSI are suspended for the stable baseline phase. Using k3s embedded cloud provider._
|
2026-03-20 02:24:37 +00:00
|
|
|
|
|
|
|
|
## Success Criteria
|
|
|
|
|
|
|
|
|
|
The baseline is considered stable only after two consecutive fresh rebuilds pass all phase gates with no manual fixes.
|
