d-bis/Sankofa
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Proxmox provider configuration examples for improved clarity and security
Some checks failed
CD Pipeline / Deploy to Staging (push) Has been cancelled
Details
CD Pipeline / Deploy to Production (push) Has been cancelled
Details
CI Pipeline / Lint and Type Check (push) Has been cancelled
Details
CI Pipeline / Test Backend (push) Has been cancelled
Details
CI Pipeline / Test Frontend (push) Has been cancelled
Details
CI Pipeline / Build (push) Has been cancelled
Details
CI Pipeline / Security Scan (push) Has been cancelled
Details
Deploy to Staging / Deploy to Staging (push) Has been cancelled
Details
Test Suite / frontend-tests (push) Has been cancelled
Details
Test Suite / api-tests (push) Has been cancelled
Details
Test Suite / blockchain-tests (push) Has been cancelled
Details
Type Check / type-check (map[directory:. name:root]) (push) Has been cancelled
Details
Type Check / type-check (map[directory:api name:api]) (push) Has been cancelled
Details
Type Check / type-check (map[directory:portal name:portal]) (push) Has been cancelled
Details
Build Crossplane Provider / build (push) Has been cancelled
Details
Crossplane Provider CI / Go Test (push) Has been cancelled
Details
Crossplane Provider CI / Go Lint (push) Has been cancelled
Details
Crossplane Provider CI / Go Build (push) Has been cancelled
Details
Validate Configuration Files / validate (push) Has been cancelled
Details

Browse Source 
- Revised provider-config-template.yaml and provider-config.yaml to reflect updated site names and endpoints for better alignment with VM specifications.
- Enhanced documentation regarding authentication methods, emphasizing the use of token-based authentication for production environments.
- Updated namespace references to ensure consistency across configuration files.
This commit is contained in:
defiQUG
2025-12-13 05:10:55 -08:00
parent c9f6690285
commit 4880a9d6c3
5 changed files with 838 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

313
docs/proxmox/PROXMOX_BASE_CONFIGURATION_REVIEW.md Normal file
View File

@@ -0,0 +1,313 @@
# Proxmox Base Configuration Review
**Date**: 2025-01-XX
**Status**: ⚠️ **CONFIGURATION MISMATCH DETECTED**
---
## Executive Summary
Review of Proxmox base configurations reveals a **critical mismatch** between site names used in VM specifications and the provider configuration. This must be fixed before deployment.
---
## Configuration Issues Found
### ⚠️ Issue 1: Site Name Mismatch
**Problem**: VM specifications use `site-1` and `site-2`, but provider config uses `us-sfvalley`.
**Current State**:
- **VM Files**: Use `site: "site-1"` and `site: "site-2"`
- **Provider Config**: Uses `name: us-sfvalley` (only site-1 configured)
- **Impact**: VMs referencing `site-2` will fail to deploy
**Files Affected**:
- `crossplane-provider-proxmox/examples/provider-config.yaml`
- All VM files in `examples/production/` (30 files)
---
## Current Provider Configuration
### File: `crossplane-provider-proxmox/examples/provider-config.yaml`
**Current Configuration**:
```yaml
sites:
- name: us-sfvalley
endpoint: "https://192.168.11.10:8006"
node: "ml110-01"
insecureSkipTLSVerify: true
# Site 2 is commented out!
# - name: us-sfvalley-2
# endpoint: "https://192.168.11.11:8006"
# node: "r630-01"
# insecureSkipTLSVerify: true
```
**Issues**:
1. ❌ Site name `us-sfvalley` doesn't match VM specs (`site-1`)
2. ❌ Site 2 is commented out (22 VMs need this!)
3. ❌ Site 2 name `us-sfvalley-2` doesn't match VM specs (`site-2`)
---
## Required Configuration
### Corrected Provider Configuration
The provider config must define both sites with names matching the VM specifications:
```yaml
sites:
- name: site-1
endpoint: "https://192.168.11.10:8006"
node: "ml110-01"
insecureSkipTLSVerify: true
- name: site-2
endpoint: "https://192.168.11.11:8006"
node: "r630-01"
insecureSkipTLSVerify: true
```
---
## Site Configuration Details
### Site-1 (ML110-01)
**Configuration**:
- **Name**: `site-1` (must match VM specs)
- **Endpoint**: `https://192.168.11.10:8006`
- **Node**: `ml110-01`
- **IP Address**: 192.168.11.10
- **Hardware**: 6 CPU cores, 256 GB RAM
- **VMs**: 4 production VMs (8 CPU cores total)
**VMs on Site-1**:
- nginx-proxy-vm
- phoenix-dns-primary
- smom-sentry-01
- smom-sentry-02
### Site-2 (R630-01)
**Configuration**:
- **Name**: `site-2` (must match VM specs)
- **Endpoint**: `https://192.168.11.11:8006`
- **Node**: `r630-01`
- **IP Address**: 192.168.11.11
- **Hardware**: 52 CPU cores, 768 GB RAM
- **VMs**: 22 production VMs (54 CPU cores total)
**VMs on Site-2**:
- cloudflare-tunnel-vm
- All Phoenix Infrastructure VMs (7 VMs)
- All Blockchain Validators (4 VMs)
- Blockchain Sentries (2 VMs)
- Blockchain RPC Nodes (4 VMs)
- Blockchain Services (4 VMs)
---
## Provider Configuration Files
### 1. Main Provider Config
**File**: `crossplane-provider-proxmox/examples/provider-config.yaml`
**Status**: ⚠️ **NEEDS UPDATE**
**Required Changes**:
1. Change site name from `us-sfvalley` to `site-1`
2. Uncomment and configure site-2
3. Change site-2 name from `us-sfvalley-2` to `site-2`
4. Update namespace to `crossplane-system` (recommended)
### 2. Provider Config Template
**File**: `crossplane-provider-proxmox/examples/provider-config-template.yaml`
**Status**: ⚠️ **NEEDS UPDATE**
**Current State**:
- Uses `us-sfvalley` and `us-sfvalley-2`
- Has more detailed structure with nodes/storage/networks
- Uses different endpoint format (hostnames vs IPs)
**Required Changes**:
1. Update site names to `site-1` and `site-2`
2. Ensure endpoints match actual Proxmox nodes
3. Verify node names match (ml110-01, r630-01)
---
## Network Configuration
### Proxmox API Endpoints
**Site-1 (ML110-01)**:
- **IP**: 192.168.11.10
- **Port**: 8006 (HTTPS)
- **Endpoint**: `https://192.168.11.10:8006`
- **Alternative**: `https://ml110-01.sankofa.nexus:8006` (if DNS configured)
**Site-2 (R630-01)**:
- **IP**: 192.168.11.11
- **Port**: 8006 (HTTPS)
- **Endpoint**: `https://192.168.11.11:8006`
- **Alternative**: `https://r630-01.sankofa.nexus:8006` (if DNS configured)
### Network Bridge
**Both Sites**:
- **Bridge**: `vmbr0`
- **Network**: 192.168.11.0/24
- **Gateway**: Configured per site
---
## Storage Configuration
### Site-1 (ML110-01)
**Storage Pools**:
- **local-lvm**: 794.3 GB available
- **ceph-fs**: 384 GB available
**Usage**:
- All VMs on ML110-01 use `local-lvm` (small disks)
### Site-2 (R630-01)
**Storage Pools**:
- **local-lvm**: 171.3 GB available
- **Ceph OSD**: Configured
- **ceph-fs**: Available (distributed storage)
**Usage**:
- Small disks (Cloudflare Tunnel): `local-lvm`
- Large disks (all other VMs): `ceph-fs`
---
## Credentials Configuration
### Secret Configuration
**File**: `crossplane-provider-proxmox/examples/provider-config.yaml`
**Current**:
```yaml
apiVersion: v1
kind: Secret
metadata:
name: proxmox-credentials
namespace: default
type: Opaque
stringData:
username: "root@pam"
password: "YOUR_PROXMOX_PASSWORD_HERE"
```
**Recommendations**:
1. ✅ Use `crossplane-system` namespace (more secure)
2. ✅ Use API tokens instead of passwords (recommended)
3. ✅ Store credentials securely (not in git)
4. ⚠️ Update password before deployment
### Token-Based Authentication (Recommended)
```yaml
stringData:
tokenid: "root@pam!api-token-name"
token: "your-api-token-secret"
```
---
## TLS Configuration
### Current Setting
**Both Sites**: `insecureSkipTLSVerify: true`
**Security Considerations**:
- ⚠️ **Development/Testing**: Acceptable
-**Production**: Should be `false` with proper certificates
-**Recommendation**: Use proper TLS certificates in production
---
## Provider Deployment Configuration
### File: `crossplane-provider-proxmox/config/provider.yaml`
**Status**: ✅ **CORRECT**
**Configuration**:
- Namespace: `crossplane-system`
- ServiceAccount: `crossplane-provider-proxmox`
- RBAC: Properly configured
- Resource limits: 500m CPU, 512Mi memory
- Health probes: Configured
---
## Action Items
### Critical (Must Fix Before Deployment)
1. ⚠️ **Update Provider Config Site Names**
- Change `us-sfvalley``site-1`
- Add `site-2` configuration
- Ensure endpoints are correct
2. ⚠️ **Update Provider Config Template**
- Align site names with VM specifications
- Verify endpoint formats
3. ⚠️ **Update Credentials**
- Replace placeholder password
- Consider using API tokens
- Move to `crossplane-system` namespace
### Recommended (Before Production)
4.**TLS Configuration**
- Set `insecureSkipTLSVerify: false` for production
- Configure proper TLS certificates
5.**Documentation**
- Document credential management process
- Create deployment checklist
---
## Verification Checklist
### Before Deployment
- [ ] Provider config has `site-1` defined
- [ ] Provider config has `site-2` defined
- [ ] Site names match VM specifications exactly
- [ ] Endpoints are correct (IP addresses or hostnames)
- [ ] Node names match (`ml110-01`, `r630-01`)
- [ ] Credentials are configured (not placeholders)
- [ ] Secret namespace is appropriate
- [ ] TLS settings are appropriate for environment
---
## Related Documentation
- [VM Deployment Plan](../vm/VM_DEPLOYMENT_PLAN.md) - Deployment strategy
- [VM Configuration Status](../vm/VM_CONFIGURATION_STATUS.md) - VM configuration status
- [Provider README](../../crossplane-provider-proxmox/README.md) - Provider documentation
---
**Last Updated**: 2025-01-XX
**Status**: ⚠️ **REQUIRES UPDATES BEFORE DEPLOYMENT**