Cloud Providers

Teabar can provision infrastructure on multiple cloud providers and virtualization platforms. Configure your credentials to get started.

Supported Providers

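| Provider | Status | Type | Regions/Scope |
| --- | --- | --- | --- |
| Hetzner Cloud | ✅ Recommended | Cloud | EU, US |
| Proxmox VE | ✅ Available | Virtualization | Self-hosted |
| AWS | ✅ Available | Cloud | All regions |
| Azure | ✅ Available | Cloud | All regions |
| GCP | 🔜 Coming soon | Cloud | - |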

Hetzner Cloud

Getting Credentials

  1. Log in to Hetzner Cloud Console
  2. Select your project (or create one)
  3. Go to Security → API Tokens
  4. Click Generate API Token
  5. Select Read & Write permissions
  6. Copy the token

Configure in Teabar

Option 1: Web Dashboard

Go to Settings → Providers and add your Hetzner token.

Option 2: CLI

teactl provider add hetzner \
  --token "your-hetzner-api-token" \
  --default

Option 3: Environment Variable

export HCLOUD_TOKEN="your-hetzner-api-token"

Available Regions

| Region | Location | Code |
| --- | --- | --- |
| Nuremberg | Germany | eu-central |
| Falkenstein | Germany | eu-central |
| Helsinki | Finland | eu-central |
| Ashburn | US East | us-east |
| Hillsboro | US West | us-west |

Proxmox VE

Run environments on your own Proxmox VE infrastructure. Perfect for:

  • Local development - Test blueprints on your own hardware
  • Home labs - Run workshops without cloud costs
  • Air-gapped environments - No internet required after setup
  • Custom hardware - Use specialized GPUs or high-memory machines

Prerequisites

  • Proxmox VE 7.0+ installed and accessible
  • API token with appropriate permissions
  • Network connectivity from Teabar operator to Proxmox API

Getting Credentials

  1. Log in to the Proxmox VE web interface (https://your-pve:8006)
  2. Go to Datacenter → Permissions → API Tokens
  3. Click Add
  4. Select a user (e.g., root@pam)
  5. Give it a name (e.g., teabar)
  6. Uncheck “Privilege Separation” (or add required permissions)
  7. Copy the Token ID and Secret

Configure in Teabar

Option 1: Local Operator (Recommended for Development)

For local development, run the operator on your machine:

# Set Proxmox credentials
export TEABAR_PROXMOX_URL=https://pve.local:8006
# Single quotes keep interactive bash from history-expanding the "!"
export TEABAR_PROXMOX_TOKEN_ID='root@pam!teabar'
export TEABAR_PROXMOX_SECRET="your-token-secret"

# For self-signed certificates (common in local Proxmox)
export TEABAR_PROXMOX_TLS_INSECURE=true

# Start local operator
teactl local start --provider=proxmox

# Create environment
teactl env create --blueprint proxmox-vm --name my-local-env

Option 2: Cloud Operator

For production deployments, configure the operator with Proxmox credentials:

# Operator environment variables
export TEABAR_PROXMOX_URL=https://pve.company.com:8006
export TEABAR_PROXMOX_TOKEN_ID="api-token-id"
export TEABAR_PROXMOX_TOKEN_SECRET="api-token-secret"
export TEABAR_PROXMOX_TLS_INSECURE=false

# Start operator
teabar-operator

Option 3: Blueprint-Level Configuration

Specify Proxmox connection per environment:

# blueprint.yaml
spec:
  provider: proxmox
  proxmox:
    url: https://pve.local:8006
    token_id: root@pam!teabar
    token_secret: ${PROXMOX_SECRET}  # From environment
    tls_insecure: true
    node: pve  # Target node
    template: ubuntu-22.04-template  # VM template to clone

Available Resources

| Resource | Description |
| --- | --- |
| VMs | QEMU/KVM virtual machines |
| Templates | Base images for cloning |
| Networks | Virtual networks (bridges) |
| Storage | Local or shared storage (LVM, ZFS) |

Proxmox-Specific Blueprint Syntax

spec:
  provider: proxmox
  resources:
    vms:
      - name: web-server
        provider: proxmox
        # Format: cores,memory(MB),disk
        type: "4,8192,64G"
        image: "ubuntu-22.04-template"  # Template to clone
        # Cloud-init configuration
        user_data: |
          #cloud-config
          users:
            - name: teabar
              sudo: ALL=(ALL) NOPASSWD:ALL
              ssh_authorized_keys:
                - ssh-rsa AAAAB3...

Authentication Methods

Proxmox supports two authentication methods:

API Token (Recommended):

  • More secure (can be revoked independently)
  • No password in configuration
  • Fine-grained permissions

Username/Password:

spec:
  proxmox:
    url: https://pve.local:8006
    username: root
    password: ${PROXMOX_PASSWORD}
    realm: pam  # or 'pve' for PVE realm

Local Operator vs Cloud Operator

| Feature | Local Operator | Cloud Operator |
| --- | --- | --- |
| Use Case | Development, testing | Production, CI/CD |
| Location | Your machine | Kubernetes/cloud |
| Connectivity | Direct to Proxmox | Through daemon |
| Persistence | Stops when you exit | Runs 24/7 |
| Best For | Home labs, testing | Team environments |

See Local Execution for detailed teactl local commands.

Troubleshooting

“Certificate signed by unknown authority”

For self-signed certificates (default in Proxmox), set:

export TEABAR_PROXMOX_TLS_INSECURE=true

For production, use valid certificates or add the CA to the system trust store.
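
A pre-flight audit of the Proxmox settings used on this page, as an added example that is not part of Teabar. It reads the variable names shown above; the accepted truthy values, the severity levels and the rule that treats `.local`/`.lan` hosts as lab machines are assumptions made for illustration.

```python
from urllib.parse import urlsplit

TRUTHY = {"1", "true", "yes", "on"}  # assumption: how the flag is interpreted

def audit_proxmox_env(env):
    """Return (severity, message) findings for TEABAR_PROXMOX_* settings."""
    findings = []
    url = urlsplit(env.get("TEABAR_PROXMOX_URL", ""))
    host = url.hostname or ""
    if url.scheme != "https":
        findings.append(("high", "URL is not https: the token would travel in clear text"))
    if env.get("TEABAR_PROXMOX_TLS_INSECURE", "").strip().lower() in TRUTHY:
        # Heuristic (assumption): .local/.lan/localhost are lab hosts.
        lab = host == "localhost" or host.endswith((".local", ".lan"))
        findings.append(("medium" if lab else "high",
                         "certificate verification is off: trust the PVE CA instead"))
    user, _, token_name = env.get("TEABAR_PROXMOX_TOKEN_ID", "").partition("!")
    if not token_name or "@" not in user:
        findings.append(("high", "token ID is not of the form user@realm!tokenname"))
    elif user.split("@")[0] == "root":
        # With Privilege Separation unchecked, a token has its user's full rights.
        findings.append(("medium", "token belongs to root: prefer a dedicated user"))
    # The page shows both variable names for the secret, so accept either.
    if not (env.get("TEABAR_PROXMOX_SECRET") or env.get("TEABAR_PROXMOX_TOKEN_SECRET")):
        findings.append(("high", "no token secret is set"))
    return findings

# The local-development settings from this page.
LOCAL_DEV = {
    "TEABAR_PROXMOX_URL": "https://pve.local:8006",
    "TEABAR_PROXMOX_TOKEN_ID": "root@pam!teabar",
    "TEABAR_PROXMOX_SECRET": "your-token-secret",
    "TEABAR_PROXMOX_TLS_INSECURE": "true",
}
# Constructed production settings: dedicated user, verification left on.
PRODUCTION = {
    "TEABAR_PROXMOX_URL": "https://pve.company.com:8006",
    "TEABAR_PROXMOX_TOKEN_ID": "teabar@pve!provision",
    "TEABAR_PROXMOX_TOKEN_SECRET": "constructed-placeholder",
    "TEABAR_PROXMOX_TLS_INSECURE": "false",
}

if __name__ == "__main__":
    import os
    for severity, message in audit_proxmox_env(os.environ):
        print(f"[{severity}] {message}")
```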

“Permission denied”

Check the API token has the required permissions listed above. You can test with:

curl -H 'Authorization: PVEAPIToken=root@pam!teabar=secret' \
  https://pve.local:8006/api2/json/nodes

“Cannot connect to Proxmox”

Verify network connectivity and firewall rules:

telnet pve.local 8006
# Should connect successfully

AWS

Getting Credentials

  1. Go to AWS IAM Console
  2. Create a new user or use an existing one
  3. Attach the TeabarProviderPolicy (see below)
  4. Generate access keys

Required IAM Policy

Create this policy and attach it to your IAM user:

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"ec2:*",
				"eks:*",
				"elasticloadbalancing:*",
				"autoscaling:*",
				"iam:CreateServiceLinkedRole",
				"iam:PassRole"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:RequestTag/teabar": "true"
				}
			}
		}
	]
}
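
As an added example (not part of Teabar or its documentation), this Python sketch models how the single statement above is evaluated against constructed sample requests. It is a simplified model covering only action wildcards and `StringEquals`; it shows that the statement grants a request only when the request itself carries the tag `teabar=true`, so untagged requests, including calls that pass no tags such as describe operations, end in an implicit deny.

```python
import fnmatch

# The Allow statement from the policy above.
STATEMENT = {
    "Effect": "Allow",
    "Action": ["ec2:*", "eks:*", "elasticloadbalancing:*", "autoscaling:*",
               "iam:CreateServiceLinkedRole", "iam:PassRole"],
    "Resource": "*",
    "Condition": {"StringEquals": {"aws:RequestTag/teabar": "true"}},
}

def action_matches(patterns, action):
    """IAM action names are case-insensitive and may use * wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def condition_holds(condition, context):
    """Model StringEquals only: exact, case-sensitive value match.
    A key absent from the request context makes the condition false."""
    if set(condition) - {"StringEquals"}:
        raise NotImplementedError("only StringEquals is modelled")
    for key, expected in condition.get("StringEquals", {}).items():
        allowed = expected if isinstance(expected, list) else [expected]
        if context.get(key) not in allowed:
            return False
    return True

def evaluate(statement, action, request_tags):
    """Decision for one statement; Resource is "*" here, so it always matches."""
    context = {f"aws:RequestTag/{k}": v for k, v in request_tags.items()}
    if (statement["Effect"] == "Allow"
            and action_matches(statement["Action"], action)
            and condition_holds(statement.get("Condition", {}), context)):
        return "Allow"
    return "ImplicitDeny"

# Constructed sample requests: (action, tags supplied in the request).
SAMPLES = [
    ("ec2:RunInstances", {"teabar": "true"}),   # tagged create
    ("ec2:RunInstances", {}),                   # create without the tag
    ("ec2:RunInstances", {"teabar": "True"}),   # wrong case in the value
    ("ec2:DescribeInstances", {}),              # read call, carries no tags
    ("s3:PutObject", {"teabar": "true"}),       # action not in the policy
]

def run_samples():
    return [(a, t, evaluate(STATEMENT, a, t)) for a, t in SAMPLES]

if __name__ == "__main__":
    for action, tags, decision in run_samples():
        print(f"{action:24} tags={tags!s:22} -> {decision}")
```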

Configure in Teabar

Option 1: Web Dashboard

Go to Settings → Providers and add your AWS credentials.

Option 2: CLI

teactl provider add aws \
  --access-key-id "AKIAIOSFODNN7EXAMPLE" \
  --secret-access-key "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" \
  --region us-east-1

Option 3: Environment Variables

export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"
export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
export AWS_DEFAULT_REGION="us-east-1"

Using IAM Roles (Recommended for EC2)

If running teactl on an EC2 instance, use IAM roles instead of access keys:

  1. Create an IAM role with the policy above
  2. Attach the role to your EC2 instance
  3. Teabar will automatically use the instance credentials

Azure

Getting Credentials

  1. Go to Azure Portal
  2. Navigate to Azure Active Directory → App registrations
  3. Create a new registration
  4. Generate a client secret
  5. Assign the Contributor role to your subscription

Required Permissions

Assign these roles at the subscription level:

  • Contributor - For creating resources
  • User Access Administrator - For managing RBAC (optional)

Configure in Teabar

Option 1: Web Dashboard

Go to Settings → Providers and add your Azure credentials.

Option 2: CLI

teactl provider add azure \
  --subscription-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --tenant-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --client-id "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" \
  --client-secret "your-client-secret"

Option 3: Environment Variables

export AZURE_SUBSCRIPTION_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export AZURE_TENANT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export AZURE_CLIENT_ID="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
export AZURE_CLIENT_SECRET="your-client-secret"

Using Multiple Providers

You can configure multiple providers and specify which to use per blueprint:

# blueprint.yaml
spec:
  provider: aws
  region: eu-west-1
  # ...

Or at runtime:

teactl env create -f blueprint.yaml --provider aws --region eu-west-1

Setting Default Provider

# Set default provider
teactl config set defaults.provider hetzner
teactl config set defaults.region eu-central

Verifying Credentials

Test your provider configuration:

teactl provider verify hetzner
✓ Hetzner Cloud credentials valid
✓ Can create servers in eu-central
✓ Can create networks
✓ Can create load balancers

Account:
  Organization: My Company
  Servers limit: 100
  Current usage: 3 servers

Troubleshooting

“Invalid credentials”

Verify your credentials are correct:

# Hetzner
curl -H "Authorization: Bearer $HCLOUD_TOKEN" \
  https://api.hetzner.cloud/v1/servers

# AWS
aws sts get-caller-identity

“Permission denied”

Check that your credentials have the required permissions. See the IAM policies above.

“Region not available”

Some regions may not be available for your account. Check provider documentation for region availability.
