fix: Use Doppler-backed Rancher bootstrap password

infrastructure/addons/kustomization-rancher.yaml

@@ -16,4 +16,5 @@ spec:
   dependsOn:
     - name: addon-tailscale-operator
     - name: addon-tailscale-proxyclass
+    - name: addon-external-secrets
     - name: addon-cnpg

infrastructure/addons/rancher/helmrelease-rancher.yaml

@@ -55,3 +55,8 @@ spec:
             - matchExpressions:
                 - key: node-role.kubernetes.io/control-plane
                   operator: DoesNotExist
+  valuesFrom:
+    - kind: Secret
+      name: rancher-bootstrap-password
+      valuesKey: bootstrapPassword
+      targetPath: bootstrapPassword

infrastructure/addons/rancher/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   - namespace.yaml
   - helmrepository-rancher.yaml
   - helmrelease-rancher.yaml
+  - rancher-bootstrap-password-flux-externalsecret.yaml
   - rancher-bootstrap-password-externalsecret.yaml
   - rancher-db-password-externalsecret.yaml
   - rancher-tailscale-service.yaml

infrastructure/addons/rancher/rancher-bootstrap-password-flux-externalsecret.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: rancher-bootstrap-password
+  namespace: flux-system
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: doppler-hetznerterra
+    kind: ClusterSecretStore
+  target:
+    name: rancher-bootstrap-password
+    creationPolicy: Owner
+    template:
+      type: Opaque
+      data:
+        bootstrapPassword: "{{ .RANCHER_BOOTSTRAP_PASSWORD }}"
+  data:
+    - secretKey: RANCHER_BOOTSTRAP_PASSWORD
+      remoteRef:
+        key: RANCHER_BOOTSTRAP_PASSWORD