openova/clusters/otech.omani.works
e3mrah 7622cf626d
fix(bp-crossplane): align ProviderConfig secretRef with cloud-init seam (Refs #1947) (#1963)
ProviderConfig in clusters/_template/infrastructure/ referenced
`crossplane-system/hcloud-credentials/token`, a Secret that nothing
in OpenTofu's cloud-init plants. Cloud-init writes the canonical
cloud-credentials Secret to `flux-system/cloud-credentials/hcloud-token`
(infra/hetzner/cloudinit-control-plane.tftpl line ~440), and the
cloud-init-applied ProviderConfig points at that.

Once bootstrap-kit reaches Ready, Flux's infrastructure-config
Kustomization reconciles `_template/infrastructure/` and overwrites
the cloud-init-applied ProviderConfig with the broken secretRef.
The Provider package itself still rolls out fine (the install path
doesn't consume ProviderConfig), but every managed-resource
reconcile (Server / LoadBalancer / Network / Volume) fails to
authenticate — silently de-credentialing the entire Crossplane Day-2
seam.

Refs #1947 — T3 walk on t34 (2026-05-19) flagged
`kubectl api-resources --api-group=hcloud.crossplane.io` empty. The
package availability is a separate concern (xpkg.upbound.io serves
404 for `crossplane-contrib/provider-hcloud` at all versions — the
upstream `crossplane-contrib/provider-hcloud` GitHub repo is also
404'd). That's a follow-up issue. THIS fix ensures the ProviderConfig
is correct so when the package is restored / mirrored, no second
chart-bump is needed.

Per docs/INVIOLABLE-PRINCIPLES.md #3: Crossplane is the only Day-2
cloud-resource mutation seam. The ProviderConfig MUST stay aligned
with the seam the OpenTofu module establishes — drift here silently
breaks every XRC-based mutation.

Also fixes the two legacy per-cluster overlays
(`omantel.omani.works/`, `otech.omani.works/`) so future operators
don't copy the broken reference forward — those overlays are
currently inert (cloud-init's Flux Kustomization points at
`_template/infrastructure`, not the per-cluster path), but
consistency matters per principle #11.

No chart bump needed: this is a pure Kustomize seam fix in
`clusters/_template/infrastructure/` — Flux reconciles directly
without going through bp-crossplane / bp-crossplane-claims.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 19:23:04 +04:00
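The drift the commit describes is easy to reintroduce because nothing fails loudly: the Provider package installs and reports Healthy whether or not its ProviderConfig can resolve a Secret, and only the managed-resource reconciles fail. The following is an added example, not code from the OpenOva repository, of a check that walks ProviderConfigs and Secrets together and reports any secretRef whose namespace/name/key triplet does not resolve. It assumes the Hetzner ProviderConfig uses the common Crossplane shape `spec.credentials.source: Secret` with `spec.credentials.secretRef: {namespace, name, key}` (an assumption; the provider package is unavailable per the message, so the schema is not verified here), and the `hcloud.crossplane.io/v1beta1` version string is likewise assumed. The manifests embedded below are constructed to mirror the misaligned and aligned references named in the commit message.

```python
"""Drift check: does every Crossplane ProviderConfig's secretRef resolve to a
Secret that actually exists (namespace + name + key)?

Added example for this commit page; not code from the OpenOva repository.
Assumes the Hetzner ProviderConfig uses spec.credentials.source=Secret with
spec.credentials.secretRef{namespace,name,key} (assumption: the provider
package is unavailable, so the schema is not verified here). The manifests
below are constructed to mirror the mismatch the commit message describes.
"""
import json
import sys

# Constructed sample: a Kubernetes List as `kubectl ... -o json` would return,
# reduced to the fields the check needs.
SAMPLE_ITEMS = [
    {   # what cloud-init plants (per the commit message)
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"namespace": "flux-system", "name": "cloud-credentials"},
        "data": {"hcloud-token": "cmVkYWN0ZWQ="},  # base64("redacted"), constructed
    },
    {   # the broken reference that Flux reconciled over the cloud-init one
        "apiVersion": "hcloud.crossplane.io/v1beta1",  # version is an assumption
        "kind": "ProviderConfig",
        "metadata": {"name": "default"},
        "spec": {"credentials": {"source": "Secret", "secretRef": {
            "namespace": "crossplane-system", "name": "hcloud-credentials", "key": "token"}}},
    },
    {   # the aligned reference after the fix
        "apiVersion": "hcloud.crossplane.io/v1beta1",
        "kind": "ProviderConfig",
        "metadata": {"name": "fixed"},
        "spec": {"credentials": {"source": "Secret", "secretRef": {
            "namespace": "flux-system", "name": "cloud-credentials", "key": "hcloud-token"}}},
    },
]


def index_secrets(items):
    """Map (namespace, name) -> set of keys present in data/stringData."""
    secrets = {}
    for obj in items:
        if obj.get("kind") != "Secret":
            continue
        meta = obj["metadata"]
        keys = set(obj.get("data", {})) | set(obj.get("stringData", {}))
        secrets[(meta["namespace"], meta["name"])] = keys
    return secrets


def check_provider_configs(items):
    """Return {providerconfig-name: error-or-None}.

    A ProviderConfig naming a missing Secret or key is the silent failure the
    commit describes: the Provider package install does not consume the
    ProviderConfig, so only managed-resource reconciles fail to authenticate.
    """
    secrets = index_secrets(items)
    results = {}
    for obj in items:
        if obj.get("kind") != "ProviderConfig":
            continue
        name = obj["metadata"]["name"]
        creds = obj.get("spec", {}).get("credentials", {})
        if creds.get("source") != "Secret":
            results[name] = None  # other credential sources are out of scope here
            continue
        ref = creds.get("secretRef", {})
        ns, sname, key = ref.get("namespace"), ref.get("name"), ref.get("key")
        if None in (ns, sname, key):
            results[name] = "secretRef incomplete: %r" % ref
            continue
        keys = secrets.get((ns, sname))
        if keys is None:
            results[name] = f"Secret {ns}/{sname} does not exist (ref key {key!r})"
        elif key not in keys:
            results[name] = f"Secret {ns}/{sname} exists but has no key {key!r}; has {sorted(keys)}"
        else:
            results[name] = None
    return results


if __name__ == "__main__":
    # Live use (hypothetical invocation):
    #   kubectl get providerconfigs.hcloud.crossplane.io,secrets -A -o json | python3 check.py
    # With no piped input, the constructed sample above is checked instead.
    items = SAMPLE_ITEMS if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    report = check_provider_configs(items)
    for name, err in report.items():
        print(f"{name}: {'OK' if err is None else 'DRIFT: ' + err}")
    sys.exit(1 if any(report.values()) else 0)
```

Run against the sample, the `default` ProviderConfig is reported as drift (its Secret does not exist in `crossplane-system`) while `fixed` passes. Running it after every Flux reconcile of `_template/infrastructure/` would have caught this overwrite before the first managed-resource reconcile failed.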
bootstrap-kit fix(bp-cert-manager): add CRD-establishment gate to close ClusterIssuer race (#149) (#1355) 2026-05-11 08:28:06 +04:00
flux-system fix(clusters): seed otech.omani.works tree (temp diag — canonical fix in #216) (#217) 2026-04-30 06:10:37 +02:00
infrastructure fix(bp-crossplane): align ProviderConfig secretRef with cloud-init seam (Refs #1947) (#1963) 2026-05-19 19:23:04 +04:00
kustomization.yaml fix(clusters): seed otech.omani.works tree (temp diag — canonical fix in #216) (#217) 2026-04-30 06:10:37 +02:00