refactor: simplify stable cluster baseline

2026-03-20 02:24:37 +00:00
parent 5bd4c41c2d
commit 522626a52b
4 changed files with 77 additions and 6 deletions
--- a/STABLE_BASELINE.md
+++ b/STABLE_BASELINE.md
@@ -0,0 +1,47 @@
+# Stable Private-Only Baseline
+
+This document defines the current engineering target for this repository.
+
+## Topology
+
+- 1 control plane
+- 2 workers
+- private Hetzner network
+- Tailscale operator access
+
+## In Scope
+
+- Terraform infrastructure bootstrap
+- Ansible k3s bootstrap
+- Flux core reconciliation
+- Hetzner CCM
+- Hetzner CSI
+- External Secrets Operator with Doppler
+- Tailscale private access
+- Observability stack
+
+## Out of Scope
+
+- HA control plane
+- public ingress or DNS
+- public TLS
+- app workloads
+- DR / backup strategy
+- upgrade strategy
+
+## Phase Gates
+
+1. Terraform apply completes for the default topology.
+2. k3s server bootstrap completes and kubeconfig works.
+3. Workers join and all nodes are Ready.
+4. Flux source and infrastructure reconciliation are healthy.
+5. CCM is Ready.
+6. CSI is Ready and a PVC can bind.
+7. External Secrets sync required secrets.
+8. Tailscale private access works.
+9. Observability is healthy and reachable privately.
+10. Terraform destroy succeeds cleanly or via workflow retry.
+
+## Success Criteria
+
+The baseline is considered stable only after two consecutive fresh rebuilds pass all phase gates with no manual fixes.