Sankofa/docs/proxmox/PROXMOX_BASE_CONFIGURATION_REVIEW.md
defiQUG 4880a9d6c3
Update Proxmox provider configuration examples for improved clarity and security
- Revised provider-config-template.yaml and provider-config.yaml to reflect updated site names and endpoints for better alignment with VM specifications.
- Enhanced documentation regarding authentication methods, emphasizing the use of token-based authentication for production environments.
- Updated namespace references to ensure consistency across configuration files.
2025-12-13 05:10:55 -08:00
# Proxmox Base Configuration Review
**Date**: 2025-01-XX
**Status**: ⚠️ **CONFIGURATION MISMATCH DETECTED**
---
## Executive Summary
Review of Proxmox base configurations reveals a **critical mismatch** between site names used in VM specifications and the provider configuration. This must be fixed before deployment.
---
## Configuration Issues Found
### ⚠️ Issue 1: Site Name Mismatch
**Problem**: VM specifications use `site-1` and `site-2`, but provider config uses `us-sfvalley`.
**Current State**:
- **VM Files**: Use `site: "site-1"` and `site: "site-2"`
- **Provider Config**: Uses `name: us-sfvalley` (only site-1 configured)
- **Impact**: VMs referencing `site-2` will fail to deploy
**Files Affected**:
- `crossplane-provider-proxmox/examples/provider-config.yaml`
- All VM files in `examples/production/` (30 files)
---
## Current Provider Configuration
### File: `crossplane-provider-proxmox/examples/provider-config.yaml`
**Current Configuration**:
```yaml
sites:
  - name: us-sfvalley
    endpoint: "https://192.168.11.10:8006"
    node: "ml110-01"
    insecureSkipTLSVerify: true
  # Site 2 is commented out!
  # - name: us-sfvalley-2
  #   endpoint: "https://192.168.11.11:8006"
  #   node: "r630-01"
  #   insecureSkipTLSVerify: true
```
**Issues**:
1. ❌ Site name `us-sfvalley` doesn't match VM specs (`site-1`)
2. ❌ Site 2 is commented out (22 VMs need this!)
3. ❌ Site 2 name `us-sfvalley-2` doesn't match VM specs (`site-2`)
---
## Required Configuration
### Corrected Provider Configuration
The provider config must define both sites with names matching the VM specifications:
```yaml
sites:
  - name: site-1
    endpoint: "https://192.168.11.10:8006"
    node: "ml110-01"
    insecureSkipTLSVerify: true
  - name: site-2
    endpoint: "https://192.168.11.11:8006"
    node: "r630-01"
    insecureSkipTLSVerify: true
```
---
## Site Configuration Details
### Site-1 (ML110-01)
**Configuration**:
- **Name**: `site-1` (must match VM specs)
- **Endpoint**: `https://192.168.11.10:8006`
- **Node**: `ml110-01`
- **IP Address**: 192.168.11.10
- **Hardware**: 6 CPU cores, 256 GB RAM
- **VMs**: 4 production VMs (8 CPU cores total)
**VMs on Site-1**:
- nginx-proxy-vm
- phoenix-dns-primary
- smom-sentry-01
- smom-sentry-02
### Site-2 (R630-01)
**Configuration**:
- **Name**: `site-2` (must match VM specs)
- **Endpoint**: `https://192.168.11.11:8006`
- **Node**: `r630-01`
- **IP Address**: 192.168.11.11
- **Hardware**: 52 CPU cores, 768 GB RAM
- **VMs**: 22 production VMs (54 CPU cores total)
**VMs on Site-2**:
- cloudflare-tunnel-vm
- All Phoenix Infrastructure VMs (7 VMs)
- All Blockchain Validators (4 VMs)
- Blockchain Sentries (2 VMs)
- Blockchain RPC Nodes (4 VMs)
- Blockchain Services (4 VMs)
---
## Provider Configuration Files
### 1. Main Provider Config
**File**: `crossplane-provider-proxmox/examples/provider-config.yaml`
**Status**: ⚠️ **NEEDS UPDATE**
**Required Changes**:
1. Change site name from `us-sfvalley` to `site-1`
2. Uncomment and configure site-2
3. Change site-2 name from `us-sfvalley-2` to `site-2`
4. Update namespace to `crossplane-system` (recommended)
### 2. Provider Config Template
**File**: `crossplane-provider-proxmox/examples/provider-config-template.yaml`
**Status**: ⚠️ **NEEDS UPDATE**
**Current State**:
- Uses `us-sfvalley` and `us-sfvalley-2`
- Has more detailed structure with nodes/storage/networks
- Uses different endpoint format (hostnames vs IPs)
**Required Changes**:
1. Update site names to `site-1` and `site-2`
2. Ensure endpoints match actual Proxmox nodes
3. Verify node names match (ml110-01, r630-01)
---
## Network Configuration
### Proxmox API Endpoints
**Site-1 (ML110-01)**:
- **IP**: 192.168.11.10
- **Port**: 8006 (HTTPS)
- **Endpoint**: `https://192.168.11.10:8006`
- **Alternative**: `https://ml110-01.sankofa.nexus:8006` (if DNS configured)
**Site-2 (R630-01)**:
- **IP**: 192.168.11.11
- **Port**: 8006 (HTTPS)
- **Endpoint**: `https://192.168.11.11:8006`
- **Alternative**: `https://r630-01.sankofa.nexus:8006` (if DNS configured)
### Network Bridge
**Both Sites**:
- **Bridge**: `vmbr0`
- **Network**: 192.168.11.0/24
- **Gateway**: Configured per site
---
## Storage Configuration
### Site-1 (ML110-01)
**Storage Pools**:
- **local-lvm**: 794.3 GB available
- **ceph-fs**: 384 GB available
**Usage**:
- All VMs on ML110-01 use `local-lvm` (small disks)
### Site-2 (R630-01)
**Storage Pools**:
- **local-lvm**: 171.3 GB available
- **Ceph OSD**: Configured
- **ceph-fs**: Available (distributed storage)
**Usage**:
- Small disks (Cloudflare Tunnel): `local-lvm`
- Large disks (all other VMs): `ceph-fs`
---
## Credentials Configuration
### Secret Configuration
**File**: `crossplane-provider-proxmox/examples/provider-config.yaml`
**Current**:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: proxmox-credentials
  namespace: default
type: Opaque
stringData:
  username: "root@pam"
  password: "YOUR_PROXMOX_PASSWORD_HERE"
```
**Recommendations**:
1. ✅ Use `crossplane-system` namespace (more secure)
2. ✅ Use API tokens instead of passwords (recommended)
3. ✅ Store credentials securely (not in git)
4. ⚠️ Update password before deployment
### Token-Based Authentication (Recommended)
```yaml
stringData:
  tokenid: "root@pam!api-token-name"
  token: "your-api-token-secret"
```
---
## TLS Configuration
### Current Setting
**Both Sites**: `insecureSkipTLSVerify: true`
**Security Considerations**:
- ⚠️ **Development/Testing**: Acceptable
- **Production**: Should be `false` with proper certificates
- **Recommendation**: Use proper TLS certificates in production
---
## Provider Deployment Configuration
### File: `crossplane-provider-proxmox/config/provider.yaml`
**Status**: ✅ **CORRECT**
**Configuration**:
- Namespace: `crossplane-system`
- ServiceAccount: `crossplane-provider-proxmox`
- RBAC: Properly configured
- Resource limits: 500m CPU, 512Mi memory
- Health probes: Configured
---
## Action Items
### Critical (Must Fix Before Deployment)
1. ⚠️ **Update Provider Config Site Names**
- Change `us-sfvalley` to `site-1`
- Add `site-2` configuration
- Ensure endpoints are correct
2. ⚠️ **Update Provider Config Template**
- Align site names with VM specifications
- Verify endpoint formats
3. ⚠️ **Update Credentials**
- Replace placeholder password
- Consider using API tokens
- Move to `crossplane-system` namespace
### Recommended (Before Production)
4. **TLS Configuration**
- Set `insecureSkipTLSVerify: false` for production
- Configure proper TLS certificates
5. **Documentation**
- Document credential management process
- Create deployment checklist
---
## Verification Checklist
### Before Deployment
- [ ] Provider config has `site-1` defined
- [ ] Provider config has `site-2` defined
- [ ] Site names match VM specifications exactly
- [ ] Endpoints are correct (IP addresses or hostnames)
- [ ] Node names match (`ml110-01`, `r630-01`)
- [ ] Credentials are configured (not placeholders)
- [ ] Secret namespace is appropriate
- [ ] TLS settings are appropriate for environment
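A pre-deployment lint that mechanizes this checklist, added here as an example and not code from the Sankofa repository or the Crossplane Proxmox provider. It takes the already-parsed YAML documents (what `yaml.safe_load` would return) and uses constructed inputs mirroring the current state described above; `lint`, `PLACEHOLDER_MARKERS` and the `production` flag are assumptions, not provider features.

```python
# Added example, not code from the Sankofa repository or the Proxmox provider:
# a pre-deployment lint for provider-config.yaml against the VM specs it serves.
# It takes already-parsed YAML (what yaml.safe_load would return); the dicts
# below are constructed to mirror the "current" state described on this page.

# Assumed markers for unreplaced placeholder credentials.
PLACEHOLDER_MARKERS = ("YOUR_", "your-", "CHANGE_ME")

# Constructed: provider-config.yaml with only us-sfvalley active.
PROVIDER_CONFIG = {
    "sites": [
        {"name": "us-sfvalley", "endpoint": "https://192.168.11.10:8006",
         "node": "ml110-01", "insecureSkipTLSVerify": True},
    ]
}

# Constructed: three of the VM specs (name and the site each references).
VM_SPECS = [
    {"name": "nginx-proxy-vm", "site": "site-1"},
    {"name": "phoenix-dns-primary", "site": "site-1"},
    {"name": "cloudflare-tunnel-vm", "site": "site-2"},
]

# Constructed: the credentials Secret as it currently stands.
SECRET = {"metadata": {"namespace": "default"},
          "stringData": {"username": "root@pam",
                         "password": "YOUR_PROXMOX_PASSWORD_HERE"}}


def lint(provider_config, vm_specs, secret, production=False):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    sites = {s["name"]: s for s in provider_config.get("sites", [])}
    # Every site a VM references must be defined, with exactly that name.
    for site in sorted({vm["site"] for vm in vm_specs}):
        if site not in sites:
            count = sum(1 for vm in vm_specs if vm["site"] == site)
            findings.append(f"site {site!r} used by {count} VM(s) is not defined")
    # Credentials must not be left at placeholder values.
    for key, value in secret.get("stringData", {}).items():
        if any(m in str(value) for m in PLACEHOLDER_MARKERS):
            findings.append(f"secret field {key!r} still holds a placeholder")
    if secret.get("metadata", {}).get("namespace") == "default":
        findings.append("secret is in 'default' instead of the provider namespace")
    # Skipping TLS verification is tolerated only outside production.
    if production:
        for name, s in sites.items():
            if s.get("insecureSkipTLSVerify"):
                findings.append(f"site {name!r} skips TLS verification")
    return findings
```

Run against the current state it reports both undefined sites, the placeholder password and the `default` namespace; with `production=True` it also flags `insecureSkipTLSVerify`, and the corrected two-site config with a token Secret in `crossplane-system` returns no findings.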
---
## Related Documentation
- [VM Deployment Plan](../vm/VM_DEPLOYMENT_PLAN.md) - Deployment strategy
- [VM Configuration Status](../vm/VM_CONFIGURATION_STATUS.md) - VM configuration status
- [Provider README](../../crossplane-provider-proxmox/README.md) - Provider documentation
---
**Last Updated**: 2025-01-XX
**Status**: ⚠️ **REQUIRES UPDATES BEFORE DEPLOYMENT**