cloudijs/platform

Cloudijs Platform

Hosting platform based on Kubernetes. This repository contains the Terraform code used to set up this platform on Hetzner. The platform relies heavily on the amazing terraform-hcloud-kubernetes Tofu/Terraform module.

Pre-requisites

Deployment

To deploy the platform you need a Hetzner account, and you must create an S3 bucket and an API token. Make sure to gather the values for the S3 bucket configuration. These can be specified as environment variables or in an .env file:

export HCLOUD_TOKEN="<your-token>"

export STATE_BUCKET_NAME="<your-object-storage-bucket-name>"
export STATE_BUCKET_KEY="<your-object-storage-bucket-key>"

export STATE_BUCKET_ACCESS_KEY="<your-s3-credentials-access-key>"
export STATE_BUCKET_SECRET_KEY="<your-s3-credentials-secret-key>"

# .env

HCLOUD_TOKEN="<your-token>"

STATE_BUCKET_NAME="<your-object-storage-bucket-name>"
STATE_BUCKET_KEY="<your-object-storage-bucket-key>"

STATE_BUCKET_ACCESS_KEY="<your-s3-credentials-access-key>"
STATE_BUCKET_SECRET_KEY="<your-s3-credentials-secret-key>"

Run Tofu after setting the required variables to set up the platform:

task create

Other available tasks like destroying the environment can be found using the task command.

Operations

  • Suspend and resume reconciliation in Flux:
flux suspend source git cloudijs-system -n cloudijs-system
flux resume source git cloudijs-system -n cloudijs-system

Secrets

Sensitive data such as passwords and API keys is stored in secrets. The tool kubeseal is used so that secrets can be stored encrypted in the repository. For example, start from a plain Secret manifest:

apiVersion: v1
kind: Secret
metadata:
  name: secret-basic-auth
  namespace: mynamespace
stringData:
  username: admin
  password: t0p-Secret

Then encrypt this secret file with the kubeseal command:

kubeseal -f secret-unc.yaml -w secret.yaml --controller-namespace=cloudijs-system

Don't forget to set the namespace in the original Secret object before encrypting; kubeseal requires it to be included.
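The two checks this workflow depends on, as an added example that is not part of this repository: one to run before kubeseal (the input is a Secret and names its namespace) and one to run before committing (no manifest is still a plaintext Secret, such as secret-unc.yaml). The function names and the sample manifests are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: guards around the kubeseal workflow. Function names are hypothetical.

# True if the file contains a plaintext Secret ("kind: SealedSecret" does not match).
is_plain_secret() {
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$1"
}

# True if the top-level metadata block sets a non-empty namespace.
has_namespace() {
  awk '
    /^metadata:/ { in_meta = 1; next }
    /^[^ \t#]/   { in_meta = 0 }
    in_meta && /^  namespace:[ \t]*[^ \t]/ { found = 1 }
    END { exit !found }
  ' "$1"
}

# Run before kubeseal: the input must be a Secret that names its namespace.
check_before_seal() {
  is_plain_secret "$1" || { echo "$1: not a plaintext Secret" >&2; return 2; }
  has_namespace "$1"   || { echo "$1: metadata.namespace is missing" >&2; return 3; }
}

# Run before git commit: no listed manifest may still be a plaintext Secret.
check_before_commit() {
  rc=0
  for f in "$@"; do
    if is_plain_secret "$f"; then
      echo "$f: plaintext Secret, seal it first" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample manifests for trying the checks offline.
write_samples() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: demo\n  namespace: mynamespace\nstringData:\n  password: example\n' > "$1/secret-unc.yaml"
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: demo\nstringData:\n  password: example\n' > "$1/no-namespace.yaml"
  printf 'apiVersion: bitnami.com/v1alpha1\nkind: SealedSecret\nmetadata:\n  name: demo\n  namespace: mynamespace\nspec:\n  encryptedData:\n    password: AgB-constructed-placeholder\n' > "$1/secret.yaml"
}
```

After sourcing the file, `check_before_seal secret-unc.yaml && kubeseal -f secret-unc.yaml -w secret.yaml --controller-namespace=cloudijs-system` seals only a manifest that passes the first check.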

Sources

License

MIT license
