# Stable Private-Only Baseline

This document defines the current engineering target for this repository.

## Topology

- 1 control plane
- 2 workers
- private Hetzner network
- Tailscale operator access

## In Scope

- Terraform infrastructure bootstrap
- Ansible k3s bootstrap with external cloud provider
- **Hetzner CCM deployed via Ansible (before workers join)**
- **Hetzner CSI for persistent volumes (via Flux)**
- Flux core reconciliation
- External Secrets Operator with Doppler
- Tailscale private access
- Persistent volume provisioning validated

## Deferred for Later Phases

- Observability stack (deferred: the complex Helm release needs separate debugging)

## Out of Scope

- HA control plane
- public ingress or DNS
- public TLS
- app workloads
- DR / backup strategy
- upgrade strategy

## Phase Gates

1. Terraform apply completes for the default topology.
2. k3s server bootstrap completes with external cloud provider enabled.
3. **CCM deployed via Ansible before workers join** (fixes the uninitialized-taint issue).
4. Workers join successfully and all nodes show a proper `providerID`.
5. Flux source and infrastructure reconciliation are healthy.
6. **CSI deploys and creates the `hcloud-volumes` StorageClass**.
7. **PVC provisioning tested and working** (validated with a test pod).
8. External Secrets syncs the required secrets.
9. Tailscale private access works.
10. Terraform destroy succeeds cleanly or via workflow retry.

## Success Criteria

✅ **ACHIEVED**: Two consecutive fresh rebuilds passed all phase gates with no manual fixes:

- Build 1: Initial CCM/CSI deployment and validation (2026-03-23)
- Build 2: Full destroy/rebuild cycle successful (2026-03-23)

The platform is now stable with cloud provider integration and persistent volume support.
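The phase gates above are checked by hand today. The script below is an added example, not part of this repository, that automates gates 3, 4 and 6 by reading the JSON that `kubectl get nodes -o json` and `kubectl get storageclass -o json` emit. It assumes the standard markers the Hetzner integration leaves behind: the `node.cloudprovider.kubernetes.io/uninitialized` taint that the kubelet sets when `--cloud-provider=external` is in effect and that the CCM removes once it has initialized the node, a `providerID` of the form `hcloud://<server-id>`, and the `hcloud-volumes` StorageClass backed by the `csi.hetzner.cloud` provisioner. The node names, server ids and the failing-worker scenario in the sample data are constructed; with `--live` it queries the real cluster instead.

```python
from __future__ import annotations

import json
import subprocess
from typing import Any

# What the Hetzner CCM is expected to have done before a node is usable (gates 3 and 4).
UNINITIALIZED_TAINT = "node.cloudprovider.kubernetes.io/uninitialized"
PROVIDER_ID_PREFIX = "hcloud://"
# What the Hetzner CSI driver installs (gate 6).
EXPECTED_SC = "hcloud-volumes"
EXPECTED_PROVISIONER = "csi.hetzner.cloud"


def check_nodes(node_list: dict[str, Any]) -> dict[str, list[str]]:
    """Per-node findings for gates 3 and 4; an empty list means the node passes."""
    findings: dict[str, list[str]] = {}
    for node in node_list.get("items", []):
        name = node["metadata"]["name"]
        spec = node.get("spec", {})
        problems: list[str] = []
        provider_id = spec.get("providerID", "")
        if not provider_id.startswith(PROVIDER_ID_PREFIX):
            problems.append(f"providerID missing or not hcloud: {provider_id!r}")
        if any(t.get("key") == UNINITIALIZED_TAINT for t in spec.get("taints") or []):
            problems.append("uninitialized taint still present (CCM never initialized this node)")
        conditions = {c["type"]: c["status"] for c in node.get("status", {}).get("conditions", [])}
        if conditions.get("Ready") != "True":
            problems.append("node not Ready")
        findings[name] = problems
    return findings


def check_storage_class(sc_list: dict[str, Any]) -> list[str]:
    """Findings for gate 6: the CSI StorageClass exists and uses the Hetzner provisioner."""
    for sc in sc_list.get("items", []):
        if sc["metadata"]["name"] == EXPECTED_SC:
            prov = sc.get("provisioner")
            return [] if prov == EXPECTED_PROVISIONER else [f"unexpected provisioner {prov!r}"]
    return [f"StorageClass {EXPECTED_SC!r} not found"]


def run_gates(node_list: dict[str, Any], sc_list: dict[str, Any]) -> dict[str, bool]:
    """Collapse the findings into pass/fail per phase gate."""
    nodes = check_nodes(node_list)
    return {
        "gate3_ccm_initialized": not any("uninitialized" in p for ps in nodes.values() for p in ps),
        "gate4_provider_ids": not any("providerID" in p for ps in nodes.values() for p in ps),
        "gate6_storage_class": check_storage_class(sc_list) == [],
    }


def kubectl_json(*args: str) -> dict[str, Any]:
    """Fetch live objects from the cluster; only used with --live."""
    cmd = ["kubectl", "get", *args, "-o", "json"]
    return json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)


def _node(name: str, provider_id: str | None = None, tainted: bool = False, ready: bool = True) -> dict:
    """Build a minimal constructed Node object in kubectl's JSON shape."""
    spec: dict[str, Any] = {}
    if provider_id:
        spec["providerID"] = provider_id
    if tainted:
        spec["taints"] = [{"key": UNINITIALIZED_TAINT, "value": "true", "effect": "NoSchedule"}]
    status = {"conditions": [{"type": "Ready", "status": "True" if ready else "False"}]}
    return {"metadata": {"name": name}, "spec": spec, "status": status}


# Constructed sample: k3s-worker-2 joined before the CCM was running, so it kept the
# uninitialized taint and never received a providerID (the failure gate 3 exists to prevent).
SAMPLE_NODES = {"kind": "List", "items": [
    _node("k3s-cp-1", "hcloud://1001"),
    _node("k3s-worker-1", "hcloud://1002"),
    _node("k3s-worker-2", tainted=True),
]}
SAMPLE_STORAGE_CLASSES = {"kind": "List", "items": [
    {"metadata": {"name": EXPECTED_SC}, "provisioner": EXPECTED_PROVISIONER},
]}

if __name__ == "__main__":
    import sys
    live = "--live" in sys.argv
    nodes = kubectl_json("nodes") if live else SAMPLE_NODES
    scs = kubectl_json("storageclass") if live else SAMPLE_STORAGE_CLASSES
    for node_name, problems in check_nodes(nodes).items():
        print(node_name, "OK" if not problems else "; ".join(problems))
    for gate, ok in run_gates(nodes, scs).items():
        print(gate, "PASS" if ok else "FAIL")
```

Run without arguments it reports against the constructed sample (gates 3 and 4 fail because of `k3s-worker-2`, gate 6 passes); run with `--live` after `kubectl` is pointed at the cluster it evaluates the real nodes and StorageClasses. Gate 7 (an actual PVC bound by a test pod) is deliberately left to a manifest, since it requires creating objects rather than reading them.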