HetznerTerra/STABLE_BASELINE.md

Stable Private-Only Baseline

This document defines the current engineering target for this repository.

Topology

• 1 control plane
• 2 workers
• private Hetzner network
• Tailscale operator access

In Scope

• Terraform infrastructure bootstrap
• Ansible k3s bootstrap with external cloud provider
• Hetzner CCM deployed via Ansible (before workers join)
• Hetzner CSI for persistent volumes (via Flux)
• Flux core reconciliation
• External Secrets Operator with Doppler
• Tailscale private access
• Persistent volume provisioning validated

Deferred for Later Phases

• Observability stack (deferred - complex helm release needs separate debugging)

Out of Scope

• HA control plane
• public ingress or DNS
• public TLS
• app workloads
• DR / backup strategy
• upgrade strategy

Phase Gates

1. Terraform apply completes for the default topology.
2. k3s server bootstrap completes with external cloud provider enabled.
3. CCM deployed via Ansible before workers join (fixes uninitialized taint issue).
4. Workers join successfully and all nodes show proper providerID.
5. Flux source and infrastructure reconciliation are healthy.
6. CSI deploys and creates hcloud-volumes StorageClass.
7. PVC provisioning tested and working (validated with test pod).
8. External Secrets sync required secrets.
9. Tailscale private access works.
10. Terraform destroy succeeds cleanly or via workflow retry.

Success Criteria

✅ ACHIEVED - Two consecutive fresh rebuilds passed all phase gates with no manual fixes:

• Build 1: Initial CCM/CSI deployment and validation (2026-03-23)
• Build 2: Full destroy/rebuild cycle successful (2026-03-23)

The platform is now stable with cloud provider integration and persistent volume support.