ProviderConfig in clusters/_template/infrastructure/ referenced `crossplane-system/hcloud-credentials/token`, a Secret that nothing in OpenTofu's cloud-init plants. Cloud-init writes the canonical cloud-credentials Secret to `flux-system/cloud-credentials/hcloud-token` (infra/hetzner/cloudinit-control-plane.tftpl line ~440), and the cloud-init-applied ProviderConfig points at that.

Once bootstrap-kit reaches Ready, Flux's infrastructure-config Kustomization reconciles `_template/infrastructure/` and overwrites the cloud-init-applied ProviderConfig with the broken secretRef. The Provider package itself still rolls out fine (the install path doesn't consume ProviderConfig), but every managed-resource reconcile (Server / LoadBalancer / Network / Volume) fails to authenticate — silently de-credentialing the entire Crossplane Day-2 seam.

Refs #1947 — T3 walk on t34 (2026-05-19) flagged `kubectl api-resources --api-group=hcloud.crossplane.io` empty.

The package availability is a separate concern (xpkg.upbound.io serves 404 for `crossplane-contrib/provider-hcloud` at all versions — the upstream `crossplane-contrib/provider-hcloud` GitHub repo is also 404'd). That's a follow-up issue. THIS fix ensures the ProviderConfig is correct so when the package is restored / mirrored, no second chart-bump is needed.

Per docs/INVIOLABLE-PRINCIPLES.md #3: Crossplane is the only Day-2 cloud-resource mutation seam. The ProviderConfig MUST stay aligned with the seam the OpenTofu module establishes — drift here silently breaks every XRC-based mutation.

Also fixes the two legacy per-cluster overlays (`omantel.omani.works/`, `otech.omani.works/`) so future operators don't copy the broken reference forward — those overlays are currently inert (cloud-init's Flux Kustomization points at `_template/infrastructure`, not the per-cluster path), but consistency matters per principle #11.

No chart bump needed: this is a pure Kustomize seam fix in `clusters/_template/infrastructure/` — Flux reconciles directly without going through bp-crossplane / bp-crossplane-claims.

Co-authored-by: hatiyildiz <hatice.yildiz@openova.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
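A preflight check for the secretRef drift this commit describes, written as an added example (it is not code from the repository): it takes a ProviderConfig and the cluster's Secrets as plain dicts and reports whether the reference resolves. The Secret and the two ProviderConfig variants are constructed from the values in the commit message.

```python
"""Drift check: does a Crossplane ProviderConfig secretRef resolve to a Secret
key that really exists? Added example, not from the commit. Inputs are plain
dicts shaped like `kubectl get ... -o json`, so it runs offline on rendered
manifests or a cluster dump."""
from typing import Iterable

def provider_config_ref(pc: dict) -> tuple:
    """(namespace, name, key) of the Secret a ProviderConfig points at."""
    creds = pc["spec"]["credentials"]
    if creds.get("source") != "Secret":
        raise ValueError(f"unsupported credentials source: {creds.get('source')}")
    ref = creds["secretRef"]
    return ref["namespace"], ref["name"], ref["key"]

def secret_keys(secrets: Iterable) -> dict:
    """Index Secrets by (namespace, name) -> set of data keys."""
    index = {}
    for s in secrets:
        md = s["metadata"]
        index[(md["namespace"], md["name"])] = set(s.get("data", {})) | set(s.get("stringData", {}))
    return index

def check_alignment(pc: dict, secrets: Iterable) -> list:
    """Return problems found; an empty list means the secretRef resolves."""
    ns, name, key = provider_config_ref(pc)
    index = secret_keys(secrets)
    if (ns, name) not in index:
        return [f"Secret {ns}/{name} not found (ProviderConfig {pc['metadata']['name']})"]
    if key not in index[(ns, name)]:
        return [f"Secret {ns}/{name} has no key {key!r}; present: {sorted(index[(ns, name)])}"]
    return []

def provider_config(namespace: str, name: str, key: str) -> dict:
    """Build a ProviderConfig pointing at the given Secret coordinates."""
    return {"apiVersion": "hcloud.crossplane.io/v1beta1", "kind": "ProviderConfig",
            "metadata": {"name": "default"},
            "spec": {"credentials": {"source": "Secret", "secretRef":
                     {"namespace": namespace, "name": name, "key": key}}}}

# Constructed sample: the Secret cloud-init plants, per the commit message.
CLOUDINIT_SECRET = {"apiVersion": "v1", "kind": "Secret",
                    "metadata": {"namespace": "flux-system", "name": "cloud-credentials"},
                    "data": {"hcloud-token": "PLACEHOLDER-base64"}}
BROKEN = provider_config("crossplane-system", "hcloud-credentials", "token")
FIXED = provider_config("flux-system", "cloud-credentials", "hcloud-token")

if __name__ == "__main__":
    for label, pc in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_alignment(pc, [CLOUDINIT_SECRET]) or "OK")
```

Run it against `kubectl get providerconfig,secret -A -o json` output (or rendered Kustomize manifests) in CI to catch a ProviderConfig that points at a Secret the bootstrap path never creates.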
23 lines
776 B
YAML
# ProviderConfig for provider-hcloud (Refs #1947).
#
# Stays in lockstep with clusters/_template/infrastructure/provider-config-hcloud.yaml —
# Flux's infrastructure-config Kustomization (planted by
# infra/hetzner/cloudinit-control-plane.tftpl) points at `_template/`,
# so this per-cluster overlay is legacy/inert. Kept correct so future
# operators don't copy a broken reference forward.
#
# Secret seam (matches cloudinit-control-plane.tftpl line ~440 + ~527):
# - name `cloud-credentials` in `flux-system` namespace
# - key `hcloud-token`
apiVersion: hcloud.crossplane.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: Secret
    secretRef:
      namespace: flux-system
      name: cloud-credentials
      key: hcloud-token
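Review bot: while the provider package is unavailable (the commit message records `kubectl api-resources --api-group=hcloud.crossplane.io` as empty), the CRD behind `hcloud.crossplane.io/v1beta1` `ProviderConfig` does not exist, so this manifest cannot be applied until the package is restored or mirrored; confirm how the infrastructure-config Kustomization behaves on the unknown kind and, if it fails the whole reconcile rather than just this object, say so in the header comment. Separately, the header's `line ~440 + ~527` reference into the tftpl goes stale on the next edit to that template; naming the cloud-init step that writes the Secret would keep this file self-describing.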