HetznerTerra/SECRETS_SETUP.md
micqdf b1dae28aa5
feat: migrate cluster baseline from Hetzner to Proxmox
Replace Hetzner infrastructure and cloud-provider assumptions with Proxmox
VM clones, kube-vip API HA, and NFS-backed storage. Update bootstrap,
Flux addons, CI workflows, and docs to target the new private Proxmox
baseline while preserving the existing Tailscale, Doppler, Flux, Rancher,
and B2 backup flows.
2026-04-22 03:02:13 +00:00


# Gitea Secrets Setup
This document describes the secrets required for the Proxmox-based deployment workflow.
## Required Secrets
Add these secrets in your Gitea repository settings:
**Settings → Secrets → Actions**
### Infrastructure Secrets
#### `PROXMOX_ENDPOINT`
- Proxmox VE API endpoint
- Example: `https://100.105.0.115:8006/`
#### `PROXMOX_API_TOKEN_ID`
- Proxmox API token ID
- Example: `terraform-prov@pve!k8s-cluster`
#### `PROXMOX_API_TOKEN_SECRET`
- Proxmox API token secret
- Create the token with `pveum user token add terraform-prov@pve k8s-cluster`; the secret value is printed once at creation time, so copy it into the Gitea secret immediately
#### `S3_ACCESS_KEY` & `S3_SECRET_KEY`
- Backblaze B2 credentials for Terraform state storage
- Get from: https://secure.backblaze.com/b2_buckets.htm
- Create application key with access to your terraform state bucket
#### `S3_ENDPOINT`
- Backblaze B2 S3 endpoint
- Example: `https://s3.eu-central-003.backblazeb2.com`
#### `S3_BUCKET`
- Backblaze B2 bucket name for Terraform state
- Example: `k8s-terraform-state`
### SSH Secrets
#### `SSH_PRIVATE_KEY` & `SSH_PUBLIC_KEY`
- SSH key pair for cluster access
- Generate with: `ssh-keygen -t ed25519 -C "k8s@proxmox" -f ~/.ssh/infra`
- `SSH_PRIVATE_KEY`: the full private key file content, including the `BEGIN`/`END` lines
- `SSH_PUBLIC_KEY`: the full public key line, starting with `ssh-ed25519`
### Tailscale Secrets
#### `TAILSCALE_AUTH_KEY`
- Tailscale auth key for node registration
- Get from: https://login.tailscale.com/admin/settings/keys
- Type: Reusable, Ephemeral
- Scope: `devices:core:write`
#### `TAILSCALE_TAILNET`
- Your Tailscale network name
- Example: `tail7ec33.ts.net` or your custom domain
#### `TAILSCALE_OAUTH_CLIENT_ID` & `TAILSCALE_OAUTH_CLIENT_SECRET`
- OAuth credentials for Tailscale Kubernetes Operator
- Get from: https://login.tailscale.com/admin/settings/oauth
- Create OAuth client with scope: `devices:core:write`
### Application Secrets
#### `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
- Doppler service token for the `hetznerterra` project runtime secrets
- Used by External Secrets Operator bootstrap
- Recommended scope: `hetznerterra` project, `prod` config only
#### `GRAFANA_ADMIN_PASSWORD`
- Transitional fallback only while migrating observability secrets to Doppler
- In steady state, store this in Doppler as `GRAFANA_ADMIN_PASSWORD`
## Setting Up Secrets
1. Go to your Gitea repository
2. Navigate to **Settings → Secrets → Actions**
3. Click **Add Secret**
4. Enter the secret name (exact match from above)
5. Paste the secret value
6. Click **Add Secret**
7. Repeat for all secrets
## Verification
After adding all secrets, trigger a workflow run:
```bash
git commit --allow-empty -m "ci: trigger workflow with new secrets"
git push
```
Check the workflow logs to verify all secrets are being used correctly.
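A preflight step that checks every secret listed above is present and plausibly shaped before Terraform or Ansible touch anything, added here as an example and not part of the repository's own workflow. It assumes the workflow passes each secret to the step as an environment variable of the same name; the format checks (Proxmox token secret as a UUID, `tskey-auth-`/`tskey-client-`/`dp.st.` prefixes, `[[:graph:]]` length floors for the B2 keys) are assumptions about current vendor formats, and values are never printed.

```shell
#!/bin/sh
# Preflight check for the secrets listed in this document, meant as the first
# step of the Gitea Actions workflow. Each secret is checked for presence and
# basic shape; values are never echoed, so the job log cannot leak them.
# Assumes the workflow exposes each secret as an env var of the same name
# (e.g. `PROXMOX_ENDPOINT: ${{ secrets.PROXMOX_ENDPOINT }}`).

# check_secret NAME REGEX... : succeeds when $NAME is non-empty and every REGEX
# matches at least one line of its value; on failure prints only the name.
check_secret() {
  name="$1"; shift
  eval "value=\${$name:-}"   # indirect lookup; NAME comes from this script only
  if [ -z "$value" ]; then
    echo "MISSING   $name" >&2; FAILURES=$((FAILURES + 1)); return 1
  fi
  for regex in "$@"; do
    if ! printf '%s\n' "$value" | grep -Eq -e "$regex"; then
      echo "MALFORMED $name (value withheld)" >&2; FAILURES=$((FAILURES + 1)); return 1
    fi
  done
  echo "ok        $name"
}

# validate_secrets : runs every check; returns the number of failed secrets.
validate_secrets() {
  FAILURES=0
  # Proxmox: API over TLS only; token id is user@realm!tokenname; secret is a UUID (assumed format)
  check_secret PROXMOX_ENDPOINT '^https://[^/ ]+(:[0-9]+)?/?$'
  check_secret PROXMOX_API_TOKEN_ID '^[^@! ]+@[^@! ]+![A-Za-z0-9._-]+$'
  check_secret PROXMOX_API_TOKEN_SECRET '^[0-9a-fA-F-]{36}$'
  # Backblaze B2 state backend
  check_secret S3_ACCESS_KEY '^[[:graph:]]{16,}$'
  check_secret S3_SECRET_KEY '^[[:graph:]]{16,}$'
  check_secret S3_ENDPOINT '^https://s3\.[a-z0-9-]+\.backblazeb2\.com$'
  check_secret S3_BUCKET '^[A-Za-z0-9-]{6,63}$'
  # SSH: private key needs both armour lines, public key one ssh-ed25519 line
  check_secret SSH_PRIVATE_KEY '^-----BEGIN OPENSSH PRIVATE KEY-----$' \
                               '^-----END OPENSSH PRIVATE KEY-----$'
  check_secret SSH_PUBLIC_KEY '^ssh-ed25519 AAAA[0-9A-Za-z+/]+=*( .*)?$'
  # Tailscale and Doppler: key prefixes (assumed) catch an auth key pasted into the OAuth slot
  check_secret TAILSCALE_AUTH_KEY '^tskey-auth-'
  check_secret TAILSCALE_TAILNET '^[a-z0-9-]+(\.[a-z0-9-]+)+$'
  check_secret TAILSCALE_OAUTH_CLIENT_ID '^[[:graph:]]+$'
  check_secret TAILSCALE_OAUTH_CLIENT_SECRET '^tskey-client-'
  check_secret DOPPLER_HETZNERTERRA_SERVICE_TOKEN '^dp\.st\.'
  # Transitional only: checked when present, since steady state lives in Doppler
  [ -z "${GRAFANA_ADMIN_PASSWORD:-}" ] || check_secret GRAFANA_ADMIN_PASSWORD '^.{12,}$'
  return "$FAILURES"
}
```

Call `validate_secrets || exit 1` from the first workflow step so a missing or mistyped secret fails the job before any infrastructure call is made.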
## Security Notes
- Never commit secrets to the repository
- Use strong, unique passwords for Grafana and other services
- Prefer Doppler for runtime app/platform secrets after cluster bootstrap
- Rotate Tailscale auth keys periodically
- Review OAuth client permissions regularly
- The CI runner needs direct SSH access to the Proxmox VMs and direct network access to the Proxmox API; the workflows do not tunnel through any bastion