Make External Secrets Operator installation optional

Only install the External Secrets Operator with 1Password Connect when
onepassword_credentials_json variable is set. Also fix hardcoded SSH key
paths in outputs.tf.

Author: Robin Lenz

hetzner-setup/ProcessCube.Cloud/ansible/inventory/hosts.tpl

@@ -25,5 +25,7 @@ letsencrypt_email=${letsencrypt_email}
 tailscale_auth_key=${tailscale_auth_key}
 tailscale_tags=${tailscale_tags}
 %{ endif ~}
+%{ if onepassword_credentials_json != "" ~}
 onepassword_credentials_json=${onepassword_credentials_json}
+%{ endif ~}
 ansible_python_interpreter=/usr/bin/python3

hetzner-setup/ProcessCube.Cloud/ansible/site.yml

@@ -79,7 +79,8 @@
   gather_facts: no
   become: yes
   roles:
-    - external_secrets
+    - role: external_secrets
+      when: onepassword_credentials_json is defined and onepassword_credentials_json != ""
 
 - name: Install ArgoCD
   hosts: k3s_master

hetzner-setup/ProcessCube.Cloud/outputs.tf

@@ -26,7 +26,7 @@ output "k3s_token" {
 
 output "kubeconfig_command" {
   description = "Command to get kubeconfig from master node"
-  value       = "ssh -i ~/.ssh/id_ed25519_tes root@${hcloud_server.k3s_master.ipv4_address} 'cat /etc/rancher/k3s/k3s.yaml' > kubeconfig.yaml"
+  value       = "ssh root@${hcloud_server.k3s_master.ipv4_address} 'cat /etc/rancher/k3s/k3s.yaml' > kubeconfig.yaml"
 }
 
 output "network_id" {
@@ -47,7 +47,7 @@ output "load_balancer_info" {
 output "ssh_commands" {
   description = "SSH commands to access nodes"
   value = {
-    master  = "ssh -i ~/.ssh/id_ed25519_tes root@${hcloud_server.k3s_master.ipv4_address}"
-    workers = [for worker in hcloud_server.k3s_worker : "ssh -i ~/.ssh/id_ed25519_tes root@${worker.ipv4_address}"]
+    master  = "ssh root@${hcloud_server.k3s_master.ipv4_address}"
+    workers = [for worker in hcloud_server.k3s_worker : "ssh root@${worker.ipv4_address}"]
   }
 }

hetzner-setup/ProcessCube.Cloud/terraform.tfvars.example

@@ -24,6 +24,7 @@ letsencrypt_email = "info@processcube.io"
 tailscale_auth_key = "YOUR_TAILSCALE_AUTH_KEY_HERE"
 # tailscale_tags     = "tag:k3s"  # Optional: Uncomment to use tags
 
-# 1Password Connect Configuration for External Secrets Operator
-onepassword_credentials_json = "/path/to/1password-credentials.json"
+# 1Password Connect Configuration for External Secrets Operator (Optional)
+# onepassword_credentials_json = "/path/to/1password-credentials.json"
+# Note: External Secrets Operator will only be installed if this is set
 # Note: onepassword-connect-token must be created per application namespace

hetzner-setup/ProcessCube.Cloud/variables.tf

@@ -86,7 +86,8 @@ variable "tailscale_tags" {
 }
 
 variable "onepassword_credentials_json" {
-  description = "Path to 1Password Connect credentials JSON file"
+  description = "Path to 1Password Connect credentials JSON file (optional - External Secrets Operator will only be installed if this is set)"
   type        = string
   sensitive   = true
+  default     = ""
 }