# Bootstrap OneLab on this cluster

## 1. Private registry (`hub.andrewalliance.com`)

Pods need an image pull secret in namespace `onelab`:

```bash
kubectl create secret docker-registry hub-andrewalliance -n onelab \
  --docker-server=hub.andrewalliance.com \
  --docker-username='YOUR_USER' \
  --docker-password='YOUR_PASSWORD'
```

Then set in `gitops/values/k3s-example.yaml`:

```yaml
imagePullSecrets:
  - name: hub-andrewalliance
```

Commit, push, and either `helm upgrade` or let Argo CD sync.

## 2. Argo CD + private Git (`git.luneski.fr`)

If the Application shows `authentication required: Unauthorized`, register the repo in Argo CD (CLI or UI):

```bash
# Example; use a deploy token or PAT with repo read access
argocd repo add https://git.luneski.fr/luneski/onelab-k8s.git \
  --username git \
  --password YOUR_TOKEN
```

Then apply the Application:

```bash
kubectl apply -f gitops/argocd/application.yaml
```

**Helm vs Argo:** If you already installed with `helm upgrade --install onelab ...`, either delete that Helm release before letting Argo manage the same resources, or keep Helm-only and do not apply the Application until you choose one controller.

## 3. RabbitMQ TLS

Secret `onelab-rabbit-tls` must exist before RabbitMQ starts (created once from `app/rabbit/ssl/` or your own PEMs).
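
A preflight check for the two secrets this page requires, as an added example that is not part of the original README. It assumes `kubectl` points at the target cluster; the function names `secret_type` and `check_bootstrap_secrets` are hypothetical, and `onelab-rabbit-tls` is checked for existence only because the page does not state its type or keys.

```bash
#!/usr/bin/env bash
# Added example (not from the original README): verify the bootstrap secrets
# exist in namespace onelab before running helm upgrade or an Argo CD sync.
# Usage: source this file, then run: check_bootstrap_secrets
NS=onelab

# Print the .type of a secret; exits non-zero when the secret does not exist.
secret_type() {
  kubectl get secret "$1" -n "$NS" -o jsonpath='{.type}' 2>/dev/null
}

# Return 0 only if both secrets exist and the pull secret has the type that
# `kubectl create secret docker-registry` produces.
check_bootstrap_secrets() {
  local rc=0 t
  if t=$(secret_type hub-andrewalliance); then
    if [ "$t" != "kubernetes.io/dockerconfigjson" ]; then
      echo "FAIL hub-andrewalliance: type '$t', expected kubernetes.io/dockerconfigjson" >&2
      rc=1
    fi
  else
    echo "FAIL hub-andrewalliance: missing in namespace $NS" >&2
    rc=1
  fi
  # Existence check only: must be present before RabbitMQ starts.
  if ! secret_type onelab-rabbit-tls >/dev/null; then
    echo "FAIL onelab-rabbit-tls: missing in namespace $NS" >&2
    rc=1
  fi
  return "$rc"
}
```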