From 2bb986f80ffa465166ec252cb4338664eb15b906 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:31:07 +0100
Subject: [PATCH 01/32] make deprovisionK3sInfra idempotent

---
 .../provs/server/infrastructure/K3s.kt                      | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
index 615df3a..4ac8d13 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
@@ -52,7 +52,11 @@ fun Prov.deprovisionK3sInfra() = task {
     deleteFile(certManagerDeployment.path, sudo = true)
     deleteFile(certManagerIssuer.path, sudo = true)
     deleteFile(k3sKubeConfig.path, sudo = true)
-    cmd("k3s-uninstall.sh")
+
+    val k3sUninstallScript = "k3s-uninstall.sh"
+    if (chk("which $k3sUninstallScript")) {
+        cmd(k3sUninstallScript)
+    }
 }
 
 

From 80ae1710524b3614a3024078d80258d2e0e8b731 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:31:40 +0100
Subject: [PATCH 02/32] release: 0.31.1

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index acc5d1d..ec84fd8 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.31.1-SNAPSHOT"
+version = "0.31.1"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 4391093..aa79d09 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.31.1-SNAPSHOT"
+version = "0.31.1"
 
 
 @init

From bc38779b25e78937ec26db5a515b6b7f617b34a5 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:31:40 +0100
Subject: [PATCH 03/32] bump version to: 0.31.2-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index ec84fd8..12387b5 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.31.1"
+version = "0.31.2-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index aa79d09..c19faa4 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.31.1"
+version = "0.31.2-dev"
 
 
 @init

From d43057bf9d928b3536921d57a60e3e29c5451437 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:43:38 +0100
Subject: [PATCH 04/32] release: 0.32.0

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 12387b5..70231da 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.31.2-SNAPSHOT"
+version = "0.32.0"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index c19faa4..e289448 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.31.2-dev"
+version = "0.32.0"
 
 
 @init

From 1d64b4400eff1abe20c737f91a4bcd7912c917f2 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:43:38 +0100
Subject: [PATCH 05/32] bump version to: 0.32.1-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 70231da..daea1eb 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.32.0"
+version = "0.32.1-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index e289448..5478898 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.32.0"
+version = "0.32.1-dev"
 
 
 @init

From 8191096794be3089109b87c967632321b2a751f6 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:50:40 +0100
Subject: [PATCH 06/32] add release_main_branch to build.py

---
 build.py       | 1 +
 doc/Release.md | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/build.py b/build.py
index 5478898..81772d0 100644
--- a/build.py
+++ b/build.py
@@ -38,6 +38,7 @@ def initialize2(project):
         "project_root_path": PROJECT_ROOT_PATH,
         "build_types": [],
         "mixin_types": ["RELEASE"],
+        "release_main_branch": "main",
         "release_primary_build_file": "build.gradle",
         "release_secondary_build_files": ["build.py"],
         # release artifacts
diff --git a/doc/Release.md b/doc/Release.md
index ddc8049..98e2919 100644
--- a/doc/Release.md
+++ b/doc/Release.md
@@ -5,7 +5,7 @@ release-1.2 or release-1.2.3
 
 I.e.: release-X.X.Z where X, Y, Z are the major, minor resp. the patch level of the release. Z can be omitted.
 
-**Note:** Such kind of release tags should only be applied to commits in the master branch.
+**Note:** Such kind of release tags should only be applied to commits in the main branch.
 
 ```
 #adjust [version]

From f9c25a0e1ab1c8b056b65b29439b84e264854e67 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:51:08 +0100
Subject: [PATCH 07/32] release: 0.32.1

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index daea1eb..affca90 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.32.1-SNAPSHOT"
+version = "0.32.1"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 81772d0..7f6ca8b 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.32.1-dev"
+version = "0.32.1"
 
 
 @init

From d0e88c3bf48008725e2ebebbfc89ff26a67b3c8e Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:51:08 +0100
Subject: [PATCH 08/32] bump version to: 0.32.2-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index affca90..ff4ddf4 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.32.1"
+version = "0.32.2-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 7f6ca8b..6793c6e 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.32.1"
+version = "0.32.2-dev"
 
 
 @init

From 4cf3ab358cd609026572d704234578552bd69ac9 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:57:32 +0100
Subject: [PATCH 09/32] release: 0.32.2

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index ff4ddf4..3f8052d 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.32.2-SNAPSHOT"
+version = "0.32.2"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 6793c6e..8d43a5a 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.32.2-dev"
+version = "0.32.2"
 
 
 @init

From d4115992b0c8bcf408f84a38d2dd206e6c0afa40 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 18:57:32 +0100
Subject: [PATCH 10/32] bump version to: 0.32.3-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 3f8052d..adcb5a2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.32.2"
+version = "0.32.3-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 8d43a5a..32476cb 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.32.2"
+version = "0.32.3-dev"
 
 
 @init

From 8c6f25598d26bf6b0cafac189dc3c396b981de94 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 19:33:59 +0100
Subject: [PATCH 11/32] release: 0.33.0

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index adcb5a2..e60682a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.32.3-SNAPSHOT"
+version = "0.33.0"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 32476cb..58b688b 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.32.3-dev"
+version = "0.33.0"
 
 
 @init

From dd9e7b71b26187243dc34b584c96ec6208bdd75e Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 19:33:59 +0100
Subject: [PATCH 12/32] bump version to: 0.33.1-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index e60682a..57fec27 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.33.0"
+version = "0.33.1-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 58b688b..044bb3b 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.33.0"
+version = "0.33.1-dev"
 
 
 @init

From 028543df53ece1a28b5adec5ea83d0f38a9e48e2 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 20:28:39 +0100
Subject: [PATCH 13/32] update logback

---
 build.gradle | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 57fec27..ed4e7c6 100644
--- a/build.gradle
+++ b/build.gradle
@@ -76,8 +76,8 @@ dependencies {
     api('com.charleskorn.kaml:kaml:0.54.0')
 
     api("org.slf4j:slf4j-api:1.7.36")
-    api('ch.qos.logback:logback-classic:1.2.11')
-    api('ch.qos.logback:logback-core:1.2.11')
+    api('ch.qos.logback:logback-classic:1.4.14')
+    api('ch.qos.logback:logback-core:1.4.14')
 
     implementation("org.jetbrains.kotlin:kotlin-reflect:$kotlin_version_no")
     implementation("com.hierynomus:sshj:0.32.0")

From ba0f58b02d6a1167a9cc78f7ad00eacbfae57147 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 20:29:03 +0100
Subject: [PATCH 14/32] release: 0.33.1

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index ed4e7c6..38dae4f 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.33.1-SNAPSHOT"
+version = "0.33.1"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 044bb3b..087bda6 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.33.1-dev"
+version = "0.33.1"
 
 
 @init

From c0e64096a85a2f8893e443f629a3a558744b6843 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Sat, 24 Feb 2024 20:29:03 +0100
Subject: [PATCH 15/32] bump version to: 0.33.2-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 38dae4f..a93e17e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.33.1"
+version = "0.33.2-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 087bda6..64d9074 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.33.1"
+version = "0.33.2-dev"
 
 
 @init

From 497fd9a45dae53a3d3782621368e8857e213de2f Mon Sep 17 00:00:00 2001
From: Michael Jerger <michael.jerger@meissa-gmbh.de>
Date: Wed, 28 Feb 2024 10:11:58 +0100
Subject: [PATCH 16/32] fix scripts

---
 .../provs/desktop/infrastructure/k3s-connect.sh                | 2 +-
 .../provs/desktop/infrastructure/ssht.sh                       | 3 ++-
 .../provs/desktop/infrastructure/sshu.sh                       | 3 ++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/k3s-connect.sh b/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/k3s-connect.sh
index b1ab76f..a52df87 100644
--- a/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/k3s-connect.sh
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/k3s-connect.sh
@@ -8,7 +8,7 @@ function usage() {
 
 function main() {
   local cluster_name="${1}";
-  local domain_name="${2:-meissa-gmbh.de}";
+  local domain_name="${2:-meissa.de}";
 
   /usr/local/bin/k3s-create-context.sh ${cluster_name} ${domain_name}
   kubectl config use-context ${cluster_name}
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/ssht.sh b/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/ssht.sh
index a451e4d..8e930b8 100644
--- a/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/ssht.sh
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/ssht.sh
@@ -4,8 +4,9 @@ set -o noglob
 
 function main() {
     local cluster_name="${1}"; shift
+    local domain_name="${1:-meissa.de}"; shift
 
-    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${cluster_name}.meissa-gmbh.de -L 8002:localhost:8002 -L 6443:192.168.5.1:6443
+    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${cluster_name}.${domain_name} -L 8002:localhost:8002 -L 6443:192.168.5.1:6443
 }
 
 main $1
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/sshu.sh b/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/sshu.sh
index 9394548..2c88543 100644
--- a/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/sshu.sh
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/desktop/infrastructure/sshu.sh
@@ -4,8 +4,9 @@ set -o noglob
 
 function main() {
     local cluster_name="${1}"; shift
+    local domain_name="${1:-meissa.de}"; shift
 
-    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${cluster_name}.meissa-gmbh.de
+    ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no root@${cluster_name}.${domain_name}
 }
 
 main $1

From d187a8423ce187a29d35751c16024dda1401185c Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Tue, 5 Mar 2024 23:33:54 +0100
Subject: [PATCH 17/32] add kubeconform

---
 .../provs/desktop/domain/DesktopService.kt    |  2 ++
 .../desktop/infrastructure/Kubeconform.kt     | 26 +++++++++++++++++++
 .../infrastructure/KubeconformKtTest.kt       | 23 ++++++++++++++++
 3 files changed, 51 insertions(+)
 create mode 100644 src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt
 create mode 100644 src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt

diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/domain/DesktopService.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/domain/DesktopService.kt
index 26bd3c8..3435b08 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/domain/DesktopService.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/domain/DesktopService.kt
@@ -160,4 +160,6 @@ fun Prov.provisionIdeDesktop() {
     // IDEs
     installVSC("python", "clojure")
     installIntelliJ()
+
+    installKubeconform()
 }
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt
new file mode 100644
index 0000000..1810e3a
--- /dev/null
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt
@@ -0,0 +1,26 @@
+package org.domaindrivenarchitecture.provs.desktop.infrastructure
+
+import org.domaindrivenarchitecture.provs.framework.core.Prov
+import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.createDirs
+import org.domaindrivenarchitecture.provs.framework.ubuntu.web.base.downloadFromURL
+
+
+fun Prov.installKubeconform() = task {
+    // check for latest stable release on: https://github.com/yannh/kubeconform/releases
+    val version = "0.6.4"
+    val installationPath = "~/bin/"
+    val filename = "kubeconform-linux-amd64"
+    val packedFilename = "$filename.tar.gz"
+
+    createDirs(installationPath)
+
+    downloadFromURL(
+        "https://github.com/yannh/kubeconform/releases/download/v$version/$packedFilename",
+        path = installationPath,
+        sha256sum = "2b4ebeaa4d5ac4843cf8f7b7e66a8874252b6b71bc7cbfc4ef1cbf85acec7c07"
+    )
+    cmd("tar -xvf $packedFilename", installationPath)
+    cmd("chmod +x kubeconform", installationPath)
+}
+
+
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt
new file mode 100644
index 0000000..9366457
--- /dev/null
+++ b/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt
@@ -0,0 +1,23 @@
+package org.domaindrivenarchitecture.provs.desktop.infrastructure
+
+import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.checkFile
+import org.domaindrivenarchitecture.provs.test.defaultTestContainer
+import org.domaindrivenarchitecture.provs.test.tags.ContainerTest
+
+import org.junit.jupiter.api.Assertions.*
+
+class KubeconformKtTest {
+
+    @ContainerTest
+    fun installKubeconform() {
+        // given
+        val prov = defaultTestContainer()
+
+        // when
+        val res = prov.installKubeconform()
+
+        // then
+        assertTrue(res.success)
+        assertTrue(prov.checkFile("bin/kubeconform"))
+    }
+}
\ No newline at end of file

From 055d302022aad36dc29cb07cb1c689bbf691370f Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Tue, 5 Mar 2024 23:34:15 +0100
Subject: [PATCH 18/32] release: 0.34.0

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index a93e17e..00ad8fd 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.33.2-SNAPSHOT"
+version = "0.34.0"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 64d9074..5c02889 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.33.2-dev"
+version = "0.34.0"
 
 
 @init

From 771d7f7b89c14590731a76a04b95dfa1f293a227 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Tue, 5 Mar 2024 23:34:15 +0100
Subject: [PATCH 19/32] bump version to: 0.34.1-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 00ad8fd..2255617 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.34.0"
+version = "0.34.1-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 5c02889..8bf3dc4 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.34.0"
+version = "0.34.1-dev"
 
 
 @init

From a20b1a9144914817e484ebe0e966a0e9e1d320ec Mon Sep 17 00:00:00 2001
From: Mirco <mirco.zachmann@meissa.de>
Date: Fri, 8 Mar 2024 11:12:02 +0100
Subject: [PATCH 20/32] refactor kubeconform, installpath, check, test

---
 .../provs/desktop/infrastructure/DevOps.kt    | 24 +++++++++++++++++
 .../desktop/infrastructure/Kubeconform.kt     | 26 -------------------
 .../desktop/infrastructure/DevOpsKtTest.kt    | 14 ++++++++++
 .../infrastructure/KubeconformKtTest.kt       | 23 ----------------
 4 files changed, 38 insertions(+), 49 deletions(-)
 delete mode 100644 src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt
 delete mode 100644 src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt

diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOps.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOps.kt
index d485fd6..cee8b10 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOps.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOps.kt
@@ -49,9 +49,33 @@ fun Prov.installKubectlAndTools(): ProvResult = task {
         }
     }
 
+    task("installKubeconform") {
+
+        installKubeconform()
+    }
     installDevopsScripts()
 }
 
+fun Prov.installKubeconform() = task {
+    // check for latest stable release on: https://github.com/yannh/kubeconform/releases
+    val version = "0.6.4"
+    val installationPath = "/usr/local/bin/"
+    val tmpDir = "~/tmp"
+    val filename = "kubeconform-linux-amd64"
+    val packedFilename = "$filename.tar.gz"
+
+    if ( !chk("kubeconform -v") || "v$version" != cmd("kubeconform -v").out?.trim() ) {
+        downloadFromURL(
+            "https://github.com/yannh/kubeconform/releases/download/v$version/$packedFilename",
+            path = tmpDir,
+            sha256sum = "2b4ebeaa4d5ac4843cf8f7b7e66a8874252b6b71bc7cbfc4ef1cbf85acec7c07"
+        )
+        cmd("sudo tar -xzf $packedFilename -C $installationPath", tmpDir)
+    } else {
+        ProvResult(true, out = "Kubeconform $version already installed")
+    }
+}
+
 fun Prov.installKubectl(): ProvResult = task {
 
     // see https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt
deleted file mode 100644
index 1810e3a..0000000
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/Kubeconform.kt
+++ /dev/null
@@ -1,26 +0,0 @@
-package org.domaindrivenarchitecture.provs.desktop.infrastructure
-
-import org.domaindrivenarchitecture.provs.framework.core.Prov
-import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.createDirs
-import org.domaindrivenarchitecture.provs.framework.ubuntu.web.base.downloadFromURL
-
-
-fun Prov.installKubeconform() = task {
-    // check for latest stable release on: https://github.com/yannh/kubeconform/releases
-    val version = "0.6.4"
-    val installationPath = "~/bin/"
-    val filename = "kubeconform-linux-amd64"
-    val packedFilename = "$filename.tar.gz"
-
-    createDirs(installationPath)
-
-    downloadFromURL(
-        "https://github.com/yannh/kubeconform/releases/download/v$version/$packedFilename",
-        path = installationPath,
-        sha256sum = "2b4ebeaa4d5ac4843cf8f7b7e66a8874252b6b71bc7cbfc4ef1cbf85acec7c07"
-    )
-    cmd("tar -xvf $packedFilename", installationPath)
-    cmd("chmod +x kubeconform", installationPath)
-}
-
-
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOpsKtTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOpsKtTest.kt
index 12ffb16..b18acfe 100644
--- a/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOpsKtTest.kt
+++ b/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/DevOpsKtTest.kt
@@ -6,6 +6,7 @@ import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.creat
 import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.createDirs
 import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.fileContainsText
 import org.domaindrivenarchitecture.provs.test.defaultTestContainer
+import org.domaindrivenarchitecture.provs.test.tags.ContainerTest
 import org.domaindrivenarchitecture.provs.test.tags.ExtensiveContainerTest
 import org.junit.jupiter.api.Assertions.assertTrue
 import org.junit.jupiter.api.Disabled
@@ -48,4 +49,17 @@ internal class DevOpsKtTest {
         // then
         assertTrue(res.success)
     }
+
+    @ContainerTest
+    fun installKubeconform() {
+        // given
+        val prov = defaultTestContainer()
+
+        // when
+        val res = prov.installKubeconform()
+
+        // then
+        assertTrue(res.success)
+        assertTrue(prov.checkFile("/usr/local/bin/kubeconform"))
+    }
 }
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt
deleted file mode 100644
index 9366457..0000000
--- a/src/test/kotlin/org/domaindrivenarchitecture/provs/desktop/infrastructure/KubeconformKtTest.kt
+++ /dev/null
@@ -1,23 +0,0 @@
-package org.domaindrivenarchitecture.provs.desktop.infrastructure
-
-import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.checkFile
-import org.domaindrivenarchitecture.provs.test.defaultTestContainer
-import org.domaindrivenarchitecture.provs.test.tags.ContainerTest
-
-import org.junit.jupiter.api.Assertions.*
-
-class KubeconformKtTest {
-
-    @ContainerTest
-    fun installKubeconform() {
-        // given
-        val prov = defaultTestContainer()
-
-        // when
-        val res = prov.installKubeconform()
-
-        // then
-        assertTrue(res.success)
-        assertTrue(prov.checkFile("bin/kubeconform"))
-    }
-}
\ No newline at end of file

From 965f2e31017b37c583592f50bf469d1263f5984e Mon Sep 17 00:00:00 2001
From: Mirco <mirco.zachmann@meissa.de>
Date: Fri, 8 Mar 2024 11:14:14 +0100
Subject: [PATCH 21/32] release: 0.35.0

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index 2255617..cd11b07 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.34.1-SNAPSHOT"
+version = "0.35.0"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index 8bf3dc4..b4dea5f 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.34.1-dev"
+version = "0.35.0"
 
 
 @init

From 989f80c41fc7a4e802afa4d562c3e95ab195160b Mon Sep 17 00:00:00 2001
From: Mirco <mirco.zachmann@meissa.de>
Date: Fri, 8 Mar 2024 11:14:14 +0100
Subject: [PATCH 22/32] bump version to: 0.35.1-SNAPSHOT

---
 build.gradle | 2 +-
 build.py     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/build.gradle b/build.gradle
index cd11b07..99cb8ca 100644
--- a/build.gradle
+++ b/build.gradle
@@ -16,7 +16,7 @@ plugins {
 apply plugin: "maven-publish"
 
 
-version = "0.35.0"
+version = "0.35.1-SNAPSHOT"
 group = "org.domaindrivenarchitecture.provs"
 
 
diff --git a/build.py b/build.py
index b4dea5f..a9e4338 100644
--- a/build.py
+++ b/build.py
@@ -8,7 +8,7 @@ name = "provs"
 PROJECT_ROOT_PATH = "."
 
 
-version = "0.35.0"
+version = "0.35.1-dev"
 
 
 @init

From 9d3f43975b977d9cdcaf5a0a6494698e65abc93b Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Fri, 8 Mar 2024 23:02:15 +0100
Subject: [PATCH 23/32] update Kotlin version

---
 build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/build.gradle b/build.gradle
index 99cb8ca..795dc8c 100644
--- a/build.gradle
+++ b/build.gradle
@@ -1,5 +1,5 @@
 buildscript {
-    ext.kotlin_version_no = "1.7.20"
+    ext.kotlin_version_no = "1.8.20"
     ext.CI_PROJECT_ID = System.env.CI_PROJECT_ID
 
     repositories {

From f0fa8d5ca562e80a9949fade6cfed2d345c77b97 Mon Sep 17 00:00:00 2001
From: Mirco <mirco.zachmann@meissa.de>
Date: Fri, 8 Mar 2024 15:58:03 +0100
Subject: [PATCH 24/32] [Skip-CI] Added doc, "Howto update gradle wrapper"

---
 doc/dev/upgradingGradleWrapper.md | 10 ++++++++++
 1 file changed, 10 insertions(+)
 create mode 100644 doc/dev/upgradingGradleWrapper.md

diff --git a/doc/dev/upgradingGradleWrapper.md b/doc/dev/upgradingGradleWrapper.md
new file mode 100644
index 0000000..3214165
--- /dev/null
+++ b/doc/dev/upgradingGradleWrapper.md
@@ -0,0 +1,10 @@
+### Howto update gradle wrapper
+
+1. To *latest* version (be aware for deprecated parts in future versions):
+    ```shell
+    ./gradlew wrapper --gradle-version latest
+    ```
+2. To *specific version:
+    ```shell
+    ./gradlew wrapper --gradle-version 8.6
+    ```
\ No newline at end of file

From 5bd824dee56c94b15e4cc5adf2bf45509418efa3 Mon Sep 17 00:00:00 2001
From: bom <mattis.boeckle@meissa-gmbh.de>
Date: Fri, 10 May 2024 13:44:20 +0200
Subject: [PATCH 25/32] Server: Add support for hetzner csi with encryption

---
 README.md                                     |  18 +
 .../server/domain/hetzner_csi/HetznerCSI.kt   |   7 +
 .../domain/hetzner_csi/HetznerCSIConfig.kt    |  23 +
 .../provs/server/domain/k3s/K3sService.kt     |  26 +-
 .../server/domain/k3s/ServerSubModule.kt      |   3 +-
 .../provs/server/infrastructure/HetznerCSI.kt |  53 +++
 .../infrastructure/HetznerCSIRepository.kt    |  31 ++
 .../provs/server/infrastructure/K3s.kt        |   7 +-
 .../hcloud-api-token-secret.template.yaml     |   7 +
 .../infrastructure/hetznerCSI/hcloud-csi.yaml | 401 ++++++++++++++++++
 .../hcloud-encrypted-storage-class.yaml       |  11 +
 .../hcloud-encryption-secret.template.yaml    |   7 +
 .../HetznerCSIRepositoryKtTest.kt             |  35 ++
 .../k3s-server-config-with-hetzner.yaml       |  18 +
 14 files changed, 644 insertions(+), 3 deletions(-)
 create mode 100644 src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSI.kt
 create mode 100644 src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSIConfig.kt
 create mode 100644 src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt
 create mode 100644 src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepository.kt
 create mode 100644 src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-api-token-secret.template.yaml
 create mode 100644 src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-csi.yaml
 create mode 100644 src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encrypted-storage-class.yaml
 create mode 100644 src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encryption-secret.template.yaml
 create mode 100644 src/test/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepositoryKtTest.kt
 create mode 100644 src/test/resources/k3s-server-config-with-hetzner.yaml

diff --git a/README.md b/README.md
index 03c0cb9..78ac719 100644
--- a/README.md
+++ b/README.md
@@ -106,6 +106,24 @@ To provision the grafana agent only to an existing k8s system, ensure that the c
 provs-server.jar k3s myuser@myhost.com -o grafana
 ```
 
+To add the hetzner csi driver and encrypted volumes to your k3s installation add the following to the config:
+
+```yaml
+hetzner:
+  hcloudApiToken:
+    source: "PLAIN"           # PLAIN, GOPASS or PROMPT
+    parameter: "mypassword"   # the api key for the hetzner cloud
+  encryptionPassphrase:
+    source: "PLAIN"           # PLAIN, GOPASS or PROMPT
+    parameter: "mypassword"   # the encryption passphrase for created volumes
+```
+
+To provision the grafana agent only to an existing k8s system, ensure that the config (as above) is available and execute:
+
+```bash
+provs-server.jar k3s myuser@myhost.com -o grafana
+```
+
 Reprovisioning the server can easily be done using the -r or --reprovision option.
 
 ```bash
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSI.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSI.kt
new file mode 100644
index 0000000..2d5df8b
--- /dev/null
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSI.kt
@@ -0,0 +1,7 @@
+package org.domaindrivenarchitecture.provs.server.domain.hetzner_csi
+
+import org.domaindrivenarchitecture.provs.framework.core.Prov
+import org.domaindrivenarchitecture.provs.server.infrastructure.provisionHetznerCSIForK8s
+
+fun Prov.provisionHetznerCSI(configResolved: HetznerCSIConfigResolved) =
+    provisionHetznerCSIForK8s(configResolved.hcloudApiToken, configResolved.encryptionPassphrase)
\ No newline at end of file
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSIConfig.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSIConfig.kt
new file mode 100644
index 0000000..acb991c
--- /dev/null
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/hetzner_csi/HetznerCSIConfig.kt
@@ -0,0 +1,23 @@
+package org.domaindrivenarchitecture.provs.server.domain.hetzner_csi
+
+import kotlinx.serialization.Serializable
+import org.domaindrivenarchitecture.provs.framework.core.Secret
+import org.domaindrivenarchitecture.provs.framework.ubuntu.secret.SecretSupplier
+
+@Serializable
+data class HetznerCSIConfig (
+    val hcloudApiToken: SecretSupplier,
+    val encryptionPassphrase: SecretSupplier,
+) {
+    fun resolveSecret(): HetznerCSIConfigResolved = HetznerCSIConfigResolved(this)
+}
+
+data class HetznerCSIConfigResolved(val configUnresolved: HetznerCSIConfig) {
+    val hcloudApiToken: Secret = configUnresolved.hcloudApiToken.secret()
+    val encryptionPassphrase: Secret = configUnresolved.encryptionPassphrase.secret()
+}
+
+@Serializable
+data class HetznerCSIConfigHolder(
+    val hetzner: HetznerCSIConfig
+)
\ No newline at end of file
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/K3sService.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/K3sService.kt
index 6f8af87..bcee2a7 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/K3sService.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/K3sService.kt
@@ -2,6 +2,8 @@ package org.domaindrivenarchitecture.provs.server.domain.k3s
 
 import org.domaindrivenarchitecture.provs.configuration.infrastructure.DefaultConfigFileRepository
 import org.domaindrivenarchitecture.provs.framework.core.Prov
+import org.domaindrivenarchitecture.provs.server.domain.hetzner_csi.HetznerCSIConfigResolved
+import org.domaindrivenarchitecture.provs.server.domain.hetzner_csi.provisionHetznerCSI
 import org.domaindrivenarchitecture.provs.server.domain.k8s_grafana_agent.GrafanaAgentConfigResolved
 import org.domaindrivenarchitecture.provs.server.domain.k8s_grafana_agent.provisionGrafanaAgent
 import org.domaindrivenarchitecture.provs.server.infrastructure.*
@@ -11,6 +13,7 @@ import kotlin.system.exitProcess
 fun Prov.provisionK3sCommand(cli: K3sCliCommand) = task {
 
     val grafanaConfigResolved: GrafanaAgentConfigResolved? = findK8sGrafanaConfig(cli.configFileName)?.resolveSecret()
+    val hcloudConfigResolved: HetznerCSIConfigResolved? = findHetznerCSIConfig(cli.configFileName)?.resolveSecret()
 
     if (cli.onlyModules == null) {
         val k3sConfig: K3sConfig = getK3sConfig(cli.configFileName)
@@ -18,9 +21,10 @@ fun Prov.provisionK3sCommand(cli: K3sCliCommand) = task {
         val k3sConfigReprovision = k3sConfig.copy(reprovision = cli.reprovision || k3sConfig.reprovision)
 
         val applicationFile = cli.applicationFileName?.let { DefaultApplicationFileRepository(cli.applicationFileName).getFile() }
-        provisionK3s(k3sConfigReprovision, grafanaConfigResolved, applicationFile)
+        provisionK3s(k3sConfigReprovision, grafanaConfigResolved, hcloudConfigResolved, applicationFile)
     } else {
         provisionGrafana(cli.onlyModules, grafanaConfigResolved)
+        provisionHetznerCSI(cli.onlyModules, hcloudConfigResolved)
     }
 }
 
@@ -30,6 +34,7 @@ fun Prov.provisionK3sCommand(cli: K3sCliCommand) = task {
 fun Prov.provisionK3s(
     k3sConfig: K3sConfig,
     grafanaConfigResolved: GrafanaAgentConfigResolved? = null,
+    hetznerCSIConfigResolved: HetznerCSIConfigResolved? = null,
     applicationFile: ApplicationFile? = null
 ) = task {
 
@@ -53,6 +58,10 @@ fun Prov.provisionK3s(
         provisionGrafanaAgent(grafanaConfigResolved)
     }
 
+    if (hetznerCSIConfigResolved != null) {
+        provisionHetznerCSI(hetznerCSIConfigResolved)
+    }
+
     if (applicationFile != null) {
         provisionK3sApplication(applicationFile)
     }
@@ -75,3 +84,18 @@ private fun Prov.provisionGrafana(
         provisionGrafanaAgent(grafanaConfigResolved)
     }
 }
+
+private fun Prov.provisionHetznerCSI(
+    onlyModules: List<String>?,
+    hetznerCSIConfigResolved: HetznerCSIConfigResolved?
+) = task {
+
+    if (onlyModules != null && onlyModules.contains(ServerOnlyModule.HETZNER_CSI.name.lowercase())) {
+        if (hetznerCSIConfigResolved == null) {
+            println("ERROR: Could not find grafana config.")
+            exitProcess(7)
+        }
+        provisionHetznerCSI(hetznerCSIConfigResolved)
+    }
+
+}
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/ServerSubModule.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/ServerSubModule.kt
index eccc637..07613f2 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/ServerSubModule.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/domain/k3s/ServerSubModule.kt
@@ -1,5 +1,6 @@
 package org.domaindrivenarchitecture.provs.server.domain.k3s
 
 enum class ServerOnlyModule {
-    GRAFANA
+    GRAFANA,
+    HETZNER_CSI
 }
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt
new file mode 100644
index 0000000..32f59f2
--- /dev/null
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt
@@ -0,0 +1,53 @@
+package org.domaindrivenarchitecture.provs.server.infrastructure
+
+import org.domaindrivenarchitecture.provs.framework.core.Prov
+import org.domaindrivenarchitecture.provs.framework.core.Secret
+import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.createFileFromResource
+import org.domaindrivenarchitecture.provs.framework.ubuntu.filesystem.base.createFileFromResourceTemplate
+import org.domaindrivenarchitecture.provs.server.domain.k3s.FileMode
+import java.io.File
+
+private const val hetznerCSIResourceDir = "org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/"
+fun Prov.provisionHetznerCSIForK8s(hetznerApiToken: Secret, encryptionPassphrase: Secret) {
+    // CSI Driver
+    createFileFromResourceTemplate(
+        k3sManualManifestsDir + "hcloud-api-token-secret.yaml",
+        "hcloud-api-token-secret.template.yaml",
+        resourcePath = hetznerCSIResourceDir,
+        posixFilePermission = "644",
+        values = mapOf(
+            "HETZNER_API_TOKEN" to hetznerApiToken.plain()
+        ))
+    applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-api-token-secret.yaml"))
+    applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-csi.yaml"))
+
+    // Encryption
+    createFileFromResourceTemplate(
+        k3sManualManifestsDir + "hcloud-encryption-secret.yaml",
+        "hcloud-encryption-secret.template.yaml",
+        resourcePath = hetznerCSIResourceDir,
+        posixFilePermission = "644",
+        values = mapOf(
+            "HETZNER_ENCRYPTION_PASSPHRASE" to encryptionPassphrase.plain()
+        ))
+    applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-encryption-secret.yaml"))
+    applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-encrypted-storage-class.yaml"))
+}
+
+private fun Prov.createHetznerCSIFileFromResource(
+    file: File,
+    posixFilePermission: FileMode? = "644"
+) = task {
+    createFileFromResource(
+        file.path,
+        file.name,
+        hetznerCSIResourceDir,
+        posixFilePermission,
+        sudo = true
+    )
+}
+
+private fun Prov.applyHetznerCSIFileFromResource(file: File, posixFilePermission: FileMode? = "644") = task {
+    createHetznerCSIFileFromResource(file, posixFilePermission)
+    cmd("kubectl apply -f ${file.path}", sudo = true)
+}
\ No newline at end of file
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepository.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepository.kt
new file mode 100644
index 0000000..7049f4a
--- /dev/null
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepository.kt
@@ -0,0 +1,31 @@
+package org.domaindrivenarchitecture.provs.server.infrastructure
+
+import com.charleskorn.kaml.MissingRequiredPropertyException
+import org.domaindrivenarchitecture.provs.configuration.domain.ConfigFileName
+import org.domaindrivenarchitecture.provs.framework.core.readFromFile
+import org.domaindrivenarchitecture.provs.framework.core.toYaml
+import org.domaindrivenarchitecture.provs.framework.core.yamlToType
+import org.domaindrivenarchitecture.provs.server.domain.hetzner_csi.HetznerCSIConfig
+import org.domaindrivenarchitecture.provs.server.domain.hetzner_csi.HetznerCSIConfigHolder
+import java.io.File
+import java.io.FileWriter
+
+private const val DEFAULT_CONFIG_FILE = "server-config.yaml"
+
+fun findHetznerCSIConfig(fileName: ConfigFileName? = null): HetznerCSIConfig? {
+    val filePath = fileName?.fileName ?: DEFAULT_CONFIG_FILE
+
+    return if(File(filePath).exists()) {
+        try {
+            readFromFile(filePath).yamlToType<HetznerCSIConfigHolder>().hetzner
+        } catch (e: MissingRequiredPropertyException) {
+            if (e.message.contains("Property 'hetzner'")) null else throw e
+        }
+    } else {
+        null
+    }
+}
+
+@Suppress("unused")
+internal fun writeConfig(config: HetznerCSIConfigHolder, fileName: String = "hetzner-config.yaml") =
+    FileWriter(fileName).use { it.write(config.toYaml()) }
\ No newline at end of file
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
index 4ac8d13..cb77751 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
@@ -37,8 +37,9 @@ private val k3sEchoWithTls = File(k3sManualManifestsDir, "echo-tls.yaml")
 private val k3sEchoNoTls = File(k3sManualManifestsDir, "echo-no-tls.yaml")
 private val selfSignedCertificate = File(k3sManualManifestsDir, "selfsigned-certificate.yaml")
 
-private val localPathProvisionerConfig = File(k3sManualManifestsDir, "local-path-provisioner-config.yaml")
+private val hetznerCSIDriver = File(k3sManualManifestsDir, "hcloud-csi.yaml")
 
+private val localPathProvisionerConfig = File(k3sManualManifestsDir, "local-path-provisioner-config.yaml")
 
 // -----------------------------------  public functions  --------------------------------
 
@@ -124,6 +125,10 @@ fun Prov.installK3s(k3sConfig: K3sConfig): ProvResult {
             applyK3sFileFromResource(k3sMiddleWareHttpsRedirect)
         }
 
+        // hetzner csi-driver
+        applyK3sFileFromResource(hetznerCSIDriver)
+
+        // other
         applyK3sFileFromResource(localPathProvisionerConfig)
 
         cmd("kubectl set env deployment -n kube-system local-path-provisioner DEPLOY_DATE=\"$(date)\"", sudo = true)
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-api-token-secret.template.yaml b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-api-token-secret.template.yaml
new file mode 100644
index 0000000..997a7dd
--- /dev/null
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-api-token-secret.template.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hcloud
+  namespace: kube-system
+stringData:
+  token: $HETZNER_API_TOKEN
\ No newline at end of file
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-csi.yaml b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-csi.yaml
new file mode 100644
index 0000000..d988dca
--- /dev/null
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-csi.yaml
@@ -0,0 +1,401 @@
+# Version 2.6.0
+# Source: hcloud-csi/templates/controller/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hcloud-csi-controller
+  namespace: "kube-system"
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: controller
+automountServiceAccountToken: true
+---
+# Source: hcloud-csi/templates/core/storageclass.yaml
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: hcloud-volumes
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+provisioner: csi.hetzner.cloud
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+reclaimPolicy: "Delete"
+---
+# Source: hcloud-csi/templates/controller/clusterrole.yaml
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hcloud-csi-controller
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: controller
+rules:
+  # attacher
+  - apiGroups: [""]
+    resources: [persistentvolumes]
+    verbs: [get, list, watch, update, patch]
+  - apiGroups: [""]
+    resources: [nodes]
+    verbs: [get, list, watch]
+  - apiGroups: [csi.storage.k8s.io]
+    resources: [csinodeinfos]
+    verbs: [get, list, watch]
+  - apiGroups: [storage.k8s.io]
+    resources: [csinodes]
+    verbs: [get, list, watch]
+  - apiGroups: [storage.k8s.io]
+    resources: [volumeattachments]
+    verbs: [get, list, watch, update, patch]
+  - apiGroups: [storage.k8s.io]
+    resources: [volumeattachments/status]
+    verbs: [patch]
+  # provisioner
+  - apiGroups: [""]
+    resources: [secrets]
+    verbs: [get, list]
+  - apiGroups: [""]
+    resources: [persistentvolumes]
+    verbs: [get, list, watch, create, delete, patch]
+  - apiGroups: [""]
+    resources: [persistentvolumeclaims, persistentvolumeclaims/status]
+    verbs: [get, list, watch, update, patch]
+  - apiGroups: [storage.k8s.io]
+    resources: [storageclasses]
+    verbs: [get, list, watch]
+  - apiGroups: [""]
+    resources: [events]
+    verbs: [list, watch, create, update, patch]
+  - apiGroups: [snapshot.storage.k8s.io]
+    resources: [volumesnapshots]
+    verbs: [get, list]
+  - apiGroups: [snapshot.storage.k8s.io]
+    resources: [volumesnapshotcontents]
+    verbs: [get, list]
+  # resizer
+  - apiGroups: [""]
+    resources: [pods]
+    verbs: [get, list, watch]
+  # node
+  - apiGroups: [""]
+    resources: [events]
+    verbs: [get, list, watch, create, update, patch]
+---
+# Source: hcloud-csi/templates/controller/clusterrolebinding.yaml
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: hcloud-csi-controller
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: controller
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: hcloud-csi-controller
+subjects:
+  - kind: ServiceAccount
+    name: hcloud-csi-controller
+    namespace: "kube-system"
+---
+# Source: hcloud-csi/templates/controller/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: hcloud-csi-controller-metrics
+  namespace: "kube-system"
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: controller
+spec:
+  ports:
+    - name: metrics
+      port: 9189
+  selector:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: controller
+---
+# Source: hcloud-csi/templates/node/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: hcloud-csi-node-metrics
+  namespace: "kube-system"
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: node
+spec:
+  ports:
+    - name: metrics
+      port: 9189
+  selector:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: node
+---
+# Source: hcloud-csi/templates/node/daemonset.yaml
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: hcloud-csi-node
+  namespace: "kube-system"
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: node
+    app: hcloud-csi
+spec:
+  updateStrategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: hcloud-csi
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hcloud-csi
+        app.kubernetes.io/instance: hcloud-csi
+        app.kubernetes.io/component: node
+        app: hcloud-csi
+    spec:
+
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: instance.hetzner.cloud/is-root-server
+                    operator: NotIn
+                    values:
+                      - "true"
+      tolerations:
+        - effect: NoExecute
+          operator: Exists
+        - effect: NoSchedule
+          operator: Exists
+        - key: CriticalAddonsOnly
+          operator: Exists
+      securityContext:
+        fsGroup: 1001
+      initContainers:
+      containers:
+        - name: csi-node-driver-registrar
+          image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.7.0
+          imagePullPolicy: IfNotPresent
+          args:
+            - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/socket
+          volumeMounts:
+            - name: plugin-dir
+              mountPath: /run/csi
+            - name: registration-dir
+              mountPath: /registration
+          resources:
+            limits: {}
+            requests: {}
+        - name: liveness-probe
+          image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - mountPath: /run/csi
+              name: plugin-dir
+          resources:
+            limits: {}
+            requests: {}
+        - name: hcloud-csi-driver
+          image: docker.io/hetznercloud/hcloud-csi-driver:v2.6.0 # x-release-please-version
+          imagePullPolicy: IfNotPresent
+          command: [/bin/hcloud-csi-driver-node]
+          volumeMounts:
+            - name: kubelet-dir
+              mountPath: /var/lib/kubelet
+              mountPropagation: "Bidirectional"
+            - name: plugin-dir
+              mountPath: /run/csi
+            - name: device-dir
+              mountPath: /dev
+          securityContext:
+            privileged: true
+          env:
+            - name: CSI_ENDPOINT
+              value: unix:///run/csi/socket
+            - name: METRICS_ENDPOINT
+              value: "0.0.0.0:9189"
+            - name: ENABLE_METRICS
+              value: "true"
+          ports:
+            - containerPort: 9189
+              name: metrics
+            - name: healthz
+              protocol: TCP
+              containerPort: 9808
+          resources:
+            limits: {}
+            requests: {}
+          livenessProbe:
+            failureThreshold: 5
+            initialDelaySeconds: 10
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 3
+            httpGet:
+              path: /healthz
+              port: healthz
+      volumes:
+        - name: kubelet-dir
+          hostPath:
+            path: /var/lib/kubelet
+            type: Directory
+        - name: plugin-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins/csi.hetzner.cloud/
+            type: DirectoryOrCreate
+        - name: registration-dir
+          hostPath:
+            path: /var/lib/kubelet/plugins_registry/
+            type: Directory
+        - name: device-dir
+          hostPath:
+            path: /dev
+            type: Directory
+---
+# Source: hcloud-csi/templates/controller/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hcloud-csi-controller
+  namespace: "kube-system"
+  labels:
+    app.kubernetes.io/name: hcloud-csi
+    app.kubernetes.io/instance: hcloud-csi
+    app.kubernetes.io/component: controller
+    app: hcloud-csi-controller
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app: hcloud-csi-controller
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: hcloud-csi
+        app.kubernetes.io/instance: hcloud-csi
+        app.kubernetes.io/component: controller
+        app: hcloud-csi-controller
+    spec:
+      serviceAccountName: hcloud-csi-controller
+
+      securityContext:
+        fsGroup: 1001
+      initContainers:
+      containers:
+        - name: csi-attacher
+          image: registry.k8s.io/sig-storage/csi-attacher:v4.1.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits: {}
+            requests: {}
+          args:
+            - --default-fstype=ext4
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /run/csi
+
+        - name: csi-resizer
+          image: registry.k8s.io/sig-storage/csi-resizer:v1.7.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits: {}
+            requests: {}
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /run/csi
+
+        - name: csi-provisioner
+          image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits: {}
+            requests: {}
+          args:
+            - --feature-gates=Topology=true
+            - --default-fstype=ext4
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /run/csi
+
+        - name: liveness-probe
+          image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0
+          imagePullPolicy: IfNotPresent
+          resources:
+            limits: {}
+            requests: {}
+          volumeMounts:
+            - mountPath: /run/csi
+              name: socket-dir
+
+        - name: hcloud-csi-driver
+          image: docker.io/hetznercloud/hcloud-csi-driver:v2.6.0 # x-release-please-version
+          imagePullPolicy: IfNotPresent
+          command: [/bin/hcloud-csi-driver-controller]
+          env:
+            - name: CSI_ENDPOINT
+              value: unix:///run/csi/socket
+            - name: METRICS_ENDPOINT
+              value: "0.0.0.0:9189"
+            - name: ENABLE_METRICS
+              value: "true"
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: spec.nodeName
+            - name: HCLOUD_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: hcloud
+                  key: token
+          resources:
+            limits: {}
+            requests: {}
+          ports:
+            - name: metrics
+              containerPort: 9189
+            - name: healthz
+              protocol: TCP
+              containerPort: 9808
+          livenessProbe:
+            failureThreshold: 5
+            initialDelaySeconds: 10
+            periodSeconds: 2
+            successThreshold: 1
+            timeoutSeconds: 3
+            httpGet:
+              path: /healthz
+              port: healthz
+          volumeMounts:
+            - name: socket-dir
+              mountPath: /run/csi
+
+      volumes:
+        - name: socket-dir
+          emptyDir: {}
+---
+# Source: hcloud-csi/templates/core/csidriver.yaml
+apiVersion: storage.k8s.io/v1
+kind: CSIDriver
+metadata:
+  name: csi.hetzner.cloud
+spec:
+  attachRequired: true
+  fsGroupPolicy: File
+  podInfoOnMount: true
+  volumeLifecycleModes:
+    - Persistent
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encrypted-storage-class.yaml b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encrypted-storage-class.yaml
new file mode 100644
index 0000000..3eb0b85
--- /dev/null
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encrypted-storage-class.yaml
@@ -0,0 +1,11 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: hcloud-volumes-encrypted
+provisioner: csi.hetzner.cloud
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  csi.storage.k8s.io/node-publish-secret-name: encryption-secret
+  csi.storage.k8s.io/node-publish-secret-namespace: kube-system
\ No newline at end of file
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encryption-secret.template.yaml b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encryption-secret.template.yaml
new file mode 100644
index 0000000..ef94802
--- /dev/null
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/hetznerCSI/hcloud-encryption-secret.template.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: encryption-secret
+  namespace: kube-system
+stringData:
+  encryption-passphrase: $HETZNER_ENCRYPTION_PASSPHRASE
\ No newline at end of file
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepositoryKtTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepositoryKtTest.kt
new file mode 100644
index 0000000..43cf44e
--- /dev/null
+++ b/src/test/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSIRepositoryKtTest.kt
@@ -0,0 +1,35 @@
+package org.domaindrivenarchitecture.provs.server.infrastructure
+
+import org.domaindrivenarchitecture.provs.configuration.domain.ConfigFileName
+import org.domaindrivenarchitecture.provs.framework.ubuntu.secret.SecretSourceType
+import org.domaindrivenarchitecture.provs.framework.ubuntu.secret.SecretSupplier
+import org.domaindrivenarchitecture.provs.server.domain.hetzner_csi.HetznerCSIConfig
+import org.domaindrivenarchitecture.provs.server.domain.k8s_grafana_agent.GrafanaAgentConfig
+import org.junit.jupiter.api.Assertions.assertEquals
+import org.junit.jupiter.api.Test
+
+internal class HetznerCSIRepositoryKtTest {
+
+    @Test
+    fun findHetznerCSIConfig_returns_config() {
+        // when
+        val config = findHetznerCSIConfig(ConfigFileName("src/test/resources/k3s-server-config-with-hetzner.yaml"))
+
+        // then
+        assertEquals(
+            HetznerCSIConfig(
+                hcloudApiToken = SecretSupplier(SecretSourceType.GOPASS, "path/to/apitoken"),
+                encryptionPassphrase = SecretSupplier(SecretSourceType.GOPASS, "path/to/encryption"),
+            ), config
+        )
+    }
+
+    @Test
+    fun findHetznerCSIConfig_returns_null_if_no_hetzner_data_available() {
+        // when
+        val config = findHetznerCSIConfig(ConfigFileName("src/test/resources/k3s-server-config.yaml"))
+
+        // then
+        assertEquals(null, config)
+    }
+}
\ No newline at end of file
diff --git a/src/test/resources/k3s-server-config-with-hetzner.yaml b/src/test/resources/k3s-server-config-with-hetzner.yaml
new file mode 100644
index 0000000..3fbe1e5
--- /dev/null
+++ b/src/test/resources/k3s-server-config-with-hetzner.yaml
@@ -0,0 +1,18 @@
+fqdn: statistics.test.meissa-gmbh.de
+node:
+  ipv4: 162.55.164.138
+  ipv6: 2a01:4f8:c010:672f::1
+certmanager:
+  email: admin@meissa-gmbh.de
+  letsencryptEndpoint: prod
+echo: true
+reprovision: true
+
+
+hetzner:
+  hcloudApiToken:
+    source: "GOPASS"           # PLAIN, GOPASS or PROMPT
+    parameter: "path/to/apitoken"     # the api key for the hetzner cloud
+  encryptionPassphrase:
+    source: "GOPASS"           # PLAIN, GOPASS or PROMPT
+    parameter: "path/to/encryption"   # the encryption passphrase for created volumes
\ No newline at end of file

From 80476532d73c7319a32f276155d4792397f7c712 Mon Sep 17 00:00:00 2001
From: bom <mattis.boeckle@meissa-gmbh.de>
Date: Fri, 10 May 2024 14:15:59 +0200
Subject: [PATCH 26/32] Server: Remove obsolete resources

---
 .../provs/server/infrastructure/K3s.kt                       | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
index cb77751..cd2ff12 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/K3s.kt
@@ -37,8 +37,6 @@ private val k3sEchoWithTls = File(k3sManualManifestsDir, "echo-tls.yaml")
 private val k3sEchoNoTls = File(k3sManualManifestsDir, "echo-no-tls.yaml")
 private val selfSignedCertificate = File(k3sManualManifestsDir, "selfsigned-certificate.yaml")
 
-private val hetznerCSIDriver = File(k3sManualManifestsDir, "hcloud-csi.yaml")
-
 private val localPathProvisionerConfig = File(k3sManualManifestsDir, "local-path-provisioner-config.yaml")
 
 // -----------------------------------  public functions  --------------------------------
@@ -125,9 +123,6 @@ fun Prov.installK3s(k3sConfig: K3sConfig): ProvResult {
             applyK3sFileFromResource(k3sMiddleWareHttpsRedirect)
         }
 
-        // hetzner csi-driver
-        applyK3sFileFromResource(hetznerCSIDriver)
-
         // other
         applyK3sFileFromResource(localPathProvisionerConfig)
 

From e568b5aa824e6e31cc6824056ab5b804f4a594e0 Mon Sep 17 00:00:00 2001
From: bom <mattis.boeckle@meissa-gmbh.de>
Date: Fri, 10 May 2024 14:46:29 +0200
Subject: [PATCH 27/32] Server: Fix hetzner csi resource paths

---
 .../provs/server/infrastructure/HetznerCSI.kt                 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt
index 32f59f2..5bc04d8 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/server/infrastructure/HetznerCSI.kt
@@ -18,7 +18,7 @@ fun Prov.provisionHetznerCSIForK8s(hetznerApiToken: Secret, encryptionPassphrase
         values = mapOf(
             "HETZNER_API_TOKEN" to hetznerApiToken.plain()
         ))
-    applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-api-token-secret.yaml"))
+    cmd("kubectl apply -f hcloud-api-token-secret.yaml", k3sManualManifestsDir)
     applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-csi.yaml"))
 
     // Encryption
@@ -30,7 +30,7 @@ fun Prov.provisionHetznerCSIForK8s(hetznerApiToken: Secret, encryptionPassphrase
         values = mapOf(
             "HETZNER_ENCRYPTION_PASSPHRASE" to encryptionPassphrase.plain()
         ))
-    applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-encryption-secret.yaml"))
+    cmd("kubectl apply -f hcloud-encryption-secret.yaml", k3sManualManifestsDir)
     applyHetznerCSIFileFromResource(File(k3sManualManifestsDir, "hcloud-encrypted-storage-class.yaml"))
 }
 

From b8b7091ec262c0aec6b261972965aeaf490983dc Mon Sep 17 00:00:00 2001
From: bom <mattis.boeckle@meissa-gmbh.de>
Date: Fri, 17 May 2024 13:15:34 +0200
Subject: [PATCH 28/32] Update deprecated ingress.class

---
 .../provs/server/infrastructure/k3s/echo-no-tls.yaml           | 3 +--
 .../provs/server/infrastructure/k3s/echo-tls.template.yaml     | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-no-tls.yaml b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-no-tls.yaml
index 538adaf..9e237fd 100644
--- a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-no-tls.yaml
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-no-tls.yaml
@@ -2,9 +2,8 @@ kind: Ingress
 apiVersion: networking.k8s.io/v1
 metadata:
   name: echo-ingress
-  annotations:
-    kubernetes.io/ingress.class: "traefik"
 spec:
+  ingressClassName: traefik
   rules:
   - http:
       paths:
diff --git a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-tls.template.yaml b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-tls.template.yaml
index 944d329..4aa358e 100644
--- a/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-tls.template.yaml
+++ b/src/main/resources/org/domaindrivenarchitecture/provs/server/infrastructure/k3s/echo-tls.template.yaml
@@ -3,9 +3,9 @@ apiVersion: networking.k8s.io/v1
 metadata:
   name: echo-ingress
   annotations:
-    kubernetes.io/ingress.class: "traefik"
     cert-manager.io/cluster-issuer: ${issuer_name}
 spec:
+  ingressClassName: traefik
   rules:
     - host: ${fqdn}
       http:

From e2b7732a5e0f2a1a50cb67f54cc13bc13d2bd5e3 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Fri, 24 May 2024 10:49:13 +0200
Subject: [PATCH 29/32] add installation of adduser for integration tests

---
 .run/test_incl_containtertests.run.xml                        | 2 +-
 Dockerfile                                                    | 2 +-
 .../provs/framework/core/docker/dockerimages/DockerImages.kt  | 2 +-
 .../provs/framework/core/platformTest/UbuntuProvTest.kt       | 2 +-
 .../org/domaindrivenarchitecture/provs/test/TestSetup.kt      | 4 +++-
 5 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/.run/test_incl_containtertests.run.xml b/.run/test_incl_containtertests.run.xml
index 37fcb0e..af66d1a 100644
--- a/.run/test_incl_containtertests.run.xml
+++ b/.run/test_incl_containtertests.run.xml
@@ -1,6 +1,6 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="test_incl_containtertests" type="JUnit" factoryName="JUnit">
-    <module name="provs.test" />
+    <module name="org.domaindrivenarchitecture.provs.provs.test" />
     <option name="PACKAGE_NAME" value="org" />
     <option name="MAIN_CLASS_NAME" value="" />
     <option name="METHOD_NAME" value="" />
diff --git a/Dockerfile b/Dockerfile
index 2181d03..347a5a1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM ubuntu:latest
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get -y install apt-utils sudo
+RUN apt-get update && apt-get -y install apt-utils adduser sudo
 
 RUN useradd -m testuser && echo "testuser:testuserpw" | chpasswd && adduser testuser sudo
 RUN echo "testuser ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/testuser
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
index 6261b6a..208ea36 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
@@ -21,7 +21,7 @@ FROM ubuntu:20.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get -y install sudo
+RUN apt-get update && apt-get -y install adduser sudo
 RUN useradd -m $userName && echo "$userName:$userName" | chpasswd && adduser $userName sudo
 RUN echo "$userName ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/$userName
 
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
index 644afe0..3c0af1e 100644
--- a/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
+++ b/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
@@ -123,7 +123,7 @@ FROM ubuntu:18.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get -y install sudo
+RUN apt-get update && apt-get -y install adduser sudo
 RUN useradd -m $userName && echo "$userName:$userName" | chpasswd && adduser $userName sudo
 
 USER $userName
diff --git a/src/testFixtures/kotlin/org/domaindrivenarchitecture/provs/test/TestSetup.kt b/src/testFixtures/kotlin/org/domaindrivenarchitecture/provs/test/TestSetup.kt
index 3e9468f..522e0d5 100644
--- a/src/testFixtures/kotlin/org/domaindrivenarchitecture/provs/test/TestSetup.kt
+++ b/src/testFixtures/kotlin/org/domaindrivenarchitecture/provs/test/TestSetup.kt
@@ -16,7 +16,9 @@ const val defaultTestContainerName = "provs_test"
 private lateinit var prov: Prov
 
 fun defaultTestContainer(startMode: ContainerStartMode = ContainerStartMode.USE_RUNNING_ELSE_CREATE): Prov {
-    if (!::prov.isInitialized || !testLocal().containerRuns(defaultTestContainerName) || (startMode == ContainerStartMode.CREATE_NEW_KILL_EXISTING)) { prov = initDefaultTestContainer(startMode) }
+    if (!::prov.isInitialized || !testLocal().containerRuns(defaultTestContainerName) || (startMode == ContainerStartMode.CREATE_NEW_KILL_EXISTING)) {
+        prov = initDefaultTestContainer(startMode)
+    }
     return prov
 }
 

From 726cd5c01a0a6be58ecee220c13a12ebae7358db Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Fri, 24 May 2024 11:04:21 +0200
Subject: [PATCH 30/32] [skip ci] adjust module names for tests

---
 .run/test_incl_extensive_container_tests.run.xml | 2 +-
 .run/testquick.run.xml                           | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.run/test_incl_extensive_container_tests.run.xml b/.run/test_incl_extensive_container_tests.run.xml
index 69dd95e..459ccfc 100644
--- a/.run/test_incl_extensive_container_tests.run.xml
+++ b/.run/test_incl_extensive_container_tests.run.xml
@@ -1,6 +1,6 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="test_incl_extensive_container_tests" type="JUnit" factoryName="JUnit">
-    <module name="provs.test" />
+    <module name="org.domaindrivenarchitecture.provs.provs.test" />
     <option name="PACKAGE_NAME" value="org" />
     <option name="MAIN_CLASS_NAME" value="" />
     <option name="METHOD_NAME" value="" />
diff --git a/.run/testquick.run.xml b/.run/testquick.run.xml
index 9fcbb78..d4f2854 100644
--- a/.run/testquick.run.xml
+++ b/.run/testquick.run.xml
@@ -1,6 +1,6 @@
 <component name="ProjectRunConfigurationManager">
   <configuration default="false" name="testquick" type="JUnit" factoryName="JUnit">
-    <module name="provs.test" />
+    <module name="org.domaindrivenarchitecture.provs.provs.test" />
     <option name="PACKAGE_NAME" value="org" />
     <option name="MAIN_CLASS_NAME" value="" />
     <option name="METHOD_NAME" value="" />

From 8f90fa9d86e4eb57b9695264f81ee8c2f6b6847e Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Fri, 24 May 2024 11:23:47 +0200
Subject: [PATCH 31/32] update images for integration tests to ubuntu 22.04

---
 Dockerfile                                           | 12 ------------
 .../core/docker/dockerimages/DockerImages.kt         |  2 +-
 .../framework/core/platformTest/UbuntuProvTest.kt    |  5 +++--
 3 files changed, 4 insertions(+), 15 deletions(-)
 delete mode 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index 347a5a1..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1,12 +0,0 @@
-FROM ubuntu:latest
-
-ARG DEBIAN_FRONTEND=noninteractive
-
-RUN apt-get update && apt-get -y install apt-utils adduser sudo
-
-RUN useradd -m testuser && echo "testuser:testuserpw" | chpasswd && adduser testuser sudo
-RUN echo "testuser ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/testuser
-
-USER testuser
-CMD /bin/bash
-WORKDIR /home/testuser
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
index 208ea36..94c69a2 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
@@ -17,7 +17,7 @@ class UbuntuPlusUser(private val userName: String = "testuser") : DockerImage {
 
     override fun imageText(): String {
         return """
-FROM ubuntu:20.04
+FROM ubuntu:22.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
index 3c0af1e..0ce8d9c 100644
--- a/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
+++ b/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
@@ -103,7 +103,8 @@ internal class UbuntuProvTest {
 
         // then
         assertFalse(result.success)
-        assertEquals("sudo: no tty present and no askpass program specified\n", result.err)
+        val expectedMsg = "a password is required"
+        assertTrue(result.err?.contains(expectedMsg) ?: false, "Error: [$expectedMsg] is not found in [${result.err}]")
     }
 
 }
@@ -119,7 +120,7 @@ class UbuntuUserNeedsPasswordForSudo(private val userName: String = "testuser")
 
     override fun imageText(): String {
         return """
-FROM ubuntu:18.04
+FROM ubuntu:22.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 

From 7307e39ff6203d66024b552995f8028b88e772d2 Mon Sep 17 00:00:00 2001
From: ansgarz <ansgar.zwick@meissa.de>
Date: Fri, 24 May 2024 11:34:45 +0200
Subject: [PATCH 32/32] update images for integration tests to ubuntu 22.04

---
 Dockerfile                                          | 13 +++++++++++++
 .../core/docker/dockerimages/DockerImages.kt        |  4 ++--
 .../framework/core/platformTest/UbuntuProvTest.kt   |  4 ++--
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..fc166f1
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,13 @@
+# image for usage in ci pipeline
+FROM ubuntu:22.04
+
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get update && apt-get -y install apt-utils sudo
+
+RUN useradd -m testuser && echo "testuser:testuserpw" | chpasswd && usermod -aG sudo testuser
+RUN echo "testuser ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/testuser
+
+USER testuser
+CMD /bin/bash
+WORKDIR /home/testuser
diff --git a/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt b/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
index 94c69a2..1a62a1b 100644
--- a/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
+++ b/src/main/kotlin/org/domaindrivenarchitecture/provs/framework/core/docker/dockerimages/DockerImages.kt
@@ -21,8 +21,8 @@ FROM ubuntu:22.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get -y install adduser sudo
-RUN useradd -m $userName && echo "$userName:$userName" | chpasswd && adduser $userName sudo
+RUN apt-get update && apt-get -y install sudo
+RUN useradd -m $userName && echo "$userName:$userName" | chpasswd && usermod -aG sudo $userName
 RUN echo "$userName ALL=(ALL:ALL) NOPASSWD: ALL" | sudo tee /etc/sudoers.d/$userName
 
 USER $userName
diff --git a/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt b/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
index 0ce8d9c..7128485 100644
--- a/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
+++ b/src/test/kotlin/org/domaindrivenarchitecture/provs/framework/core/platformTest/UbuntuProvTest.kt
@@ -124,8 +124,8 @@ FROM ubuntu:22.04
 
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get update && apt-get -y install adduser sudo
-RUN useradd -m $userName && echo "$userName:$userName" | chpasswd && adduser $userName sudo
+RUN apt-get update && apt-get -y install sudo
+RUN useradd -m $userName && echo "$userName:$userName" | chpasswd && usermod -aG sudo $userName
 
 USER $userName
 CMD /bin/bash