b1dae28aa5
Replace Hetzner infrastructure and cloud-provider assumptions with Proxmox VM clones, kube-vip API HA, and NFS-backed storage. Update bootstrap, Flux addons, CI workflows, and docs to target the new private Proxmox baseline while preserving the existing Tailscale, Doppler, Flux, Rancher, and B2 backup flows.
3.0 KiB
# Gitea Secrets Setup

This document describes the secrets required for the Proxmox-based deployment workflow.

## Required Secrets

Add these secrets in your Gitea repository settings: Settings → Secrets → Actions

### Infrastructure Secrets

#### `PROXMOX_ENDPOINT`
- Proxmox VE API endpoint
- Example: `https://100.105.0.115:8006/`

#### `PROXMOX_API_TOKEN_ID`
- Proxmox API token ID
- Example: `terraform-prov@pve!k8s-cluster`

#### `PROXMOX_API_TOKEN_SECRET`
- Proxmox API token secret
- Create with: `pveum user token add terraform-prov@pve k8s-cluster`

#### `S3_ACCESS_KEY` & `S3_SECRET_KEY`
- Backblaze B2 credentials for Terraform state storage
- Get from: https://secure.backblaze.com/b2_buckets.htm
- Create an application key with access to your Terraform state bucket

#### `S3_ENDPOINT`
- Backblaze B2 S3 endpoint
- Example: `https://s3.eu-central-003.backblazeb2.com`

#### `S3_BUCKET`
- Backblaze B2 bucket name for Terraform state
- Example: `k8s-terraform-state`
### SSH Secrets

#### `SSH_PRIVATE_KEY` & `SSH_PUBLIC_KEY`
- SSH key pair for cluster access
- Generate with: `ssh-keygen -t ed25519 -C "k8s@proxmox" -f ~/.ssh/infra`
- Private key content (include the BEGIN/END lines)
- Public key content (the full line starting with `ssh-ed25519`)
### Tailscale Secrets

#### `TAILSCALE_AUTH_KEY`
- Tailscale auth key for node registration
- Get from: https://login.tailscale.com/admin/settings/keys
- Type: Reusable, Ephemeral
- Scope: `devices:core:write`

#### `TAILSCALE_TAILNET`
- Your Tailscale network name
- Example: `tail7ec33.ts.net` or your custom domain

#### `TAILSCALE_OAUTH_CLIENT_ID` & `TAILSCALE_OAUTH_CLIENT_SECRET`
- OAuth credentials for the Tailscale Kubernetes Operator
- Get from: https://login.tailscale.com/admin/settings/oauth
- Create an OAuth client with scope: `devices:core:write`
### Application Secrets

#### `DOPPLER_HETZNERTERRA_SERVICE_TOKEN`
- Doppler service token for the `hetznerterra` project runtime secrets
- Used by the External Secrets Operator bootstrap
- Recommended scope: `hetznerterra` project, `prod` config only

#### `GRAFANA_ADMIN_PASSWORD`
- Transitional fallback only while migrating observability secrets to Doppler
- In steady state, store this in Doppler as `GRAFANA_ADMIN_PASSWORD`
## Setting Up Secrets

1. Go to your Gitea repository
2. Navigate to Settings → Secrets → Actions
3. Click Add Secret
4. Enter the secret name (exact match from above)
5. Paste the secret value
6. Click Add Secret
7. Repeat for all secrets

## Verification

After adding all secrets, trigger a workflow run:

```sh
git commit --allow-empty -m "ci: trigger workflow with new secrets"
git push
```

Check the workflow logs to verify all secrets are being used correctly.
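A workflow run only tells you a secret is wrong after Terraform has already failed against the Proxmox API. The script below is an added example, not part of this repository's tooling, that sanity-checks the shape of the values before they are pasted into Gitea. It reads the same secret names listed above from environment variables, checks formats only (Proxmox endpoint URL, `user@realm!tokenname` token ID, BEGIN/END lines on the private key, the `ssh-ed25519` public key line, a tailnet name without stray spaces), and never contacts Proxmox, B2 or Tailscale. The `tskey-auth-` prefix check for the auth key is an assumption about current Tailscale key formats, not something this document states.

```shell
#!/bin/sh
# Added example (not the repository's own code): offline shape checks for the
# Gitea secrets listed above. Export the values, then run: sh check-secrets.sh --check

# Proxmox VE API endpoint: https scheme, host, explicit port, optional trailing slash.
check_proxmox_endpoint() {
  printf '%s' "$1" | grep -Eq '^https://[^/[:space:]]+:[0-9]+/?$'
}

# Proxmox API token IDs have the form user@realm!tokenname.
check_proxmox_token_id() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+@[A-Za-z0-9_.-]+![A-Za-z0-9_.-]+$'
}

# The private key must be pasted whole, including the BEGIN and END lines.
check_ssh_private_key() {
  printf '%s\n' "$1" | grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----$' &&
  printf '%s\n' "$1" | grep -q '^-----END OPENSSH PRIVATE KEY-----$'
}

# The public key is the single line starting with ssh-ed25519 (comment optional).
check_ssh_public_key() {
  printf '%s' "$1" | grep -Eq '^ssh-ed25519 [A-Za-z0-9+/=]+( .*)?$'
}

# Tailnet names look like tail7ec33.ts.net or a custom DNS name; reject spaces and text.
check_tailnet() {
  printf '%s' "$1" | grep -Eq '^[a-z0-9-]+(\.[a-z0-9-]+)+$'
}

# Assumption: current Tailscale auth keys carry a tskey-auth- prefix.
check_tailscale_auth_key() {
  case "$1" in tskey-auth-*) return 0 ;; *) return 1 ;; esac
}

# Runs every check against the environment variable of the same name and prints
# one line per secret (ok / MISSING / MALFORMED); returns 1 if any check failed.
check_all() {
  fail=0
  for pair in \
    "PROXMOX_ENDPOINT:check_proxmox_endpoint" \
    "PROXMOX_API_TOKEN_ID:check_proxmox_token_id" \
    "SSH_PRIVATE_KEY:check_ssh_private_key" \
    "SSH_PUBLIC_KEY:check_ssh_public_key" \
    "TAILSCALE_TAILNET:check_tailnet" \
    "TAILSCALE_AUTH_KEY:check_tailscale_auth_key"; do
    name=${pair%%:*}
    fn=${pair#*:}
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "MISSING   $name"; fail=1
    elif ! "$fn" "$value"; then
      echo "MALFORMED $name"; fail=1
    else
      echo "ok        $name"
    fi
  done
  return $fail
}

# Only run the checks when invoked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
  check_all
fi
```

The checks are deliberately loose (they validate shape, not validity), so a passing run does not prove a token is live or scoped correctly; it only catches the common paste errors, such as a public key pasted into the private-key secret or a tailnet value that still contains the example text.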
## Security Notes

- Never commit secrets to the repository
- Use strong, unique passwords for Grafana and other services
- Prefer Doppler for runtime app/platform secrets after cluster bootstrap
- Rotate Tailscale auth keys periodically
- Review OAuth client permissions regularly
- CI expects direct SSH access to the Proxmox VMs and direct Proxmox API access