syself · guettli · Nov 3, 2025 · Nov 3, 2025 · Nov 3, 2025 · Nov 4, 2025
diff --git a/api/v1beta1/types.go b/api/v1beta1/types.go
@@ -122,8 +122,11 @@ type HetznerSecretRef struct {
 // HetznerSecretKeyRef defines the key name of the HetznerSecret.
 // Need to specify either HCloudToken or both HetznerRobotUser and HetznerRobotPassword.
 type HetznerSecretKeyRef struct {
-	// HCloudToken defines the name of the key where the token for the Hetzner Cloud API is stored.
-	// We recommend to use "token", because this is the default of upstream hcloud-ccm.
+	// hcloudToken defines the name of the key where the token for the Hetzner Cloud API is stored.
+	// We recommend to use "token", because this is the default of upstream hcloud-ccm, while the
+	// legacy Syself ccm uses "hcloud". For maximal compatibility up to three keys get created in the
+	// secret for HCLOUD_TOKEN: "hcloud", "token" and the value of hcloudToken. This way we ensure
+	// that the ccm in the wl-cluster finds the secret.
 	//
 	// +optional
 	// +kubebuilder:default=token

diff --git a/controllers/hetznercluster_controller.go b/controllers/hetznercluster_controller.go
@@ -533,6 +533,10 @@ func reconcileWorkloadClusterSecrets(ctx context.Context, clusterScope *scope.Cl
 	return reconcile.Result{}, nil
 }
 
+// reconcileOneWorkloadClusterSecret creates/updates the secret in the wl-cluster. For maximal
+// compatibility up to three keys get created in the secret for HCLOUD_TOKEN: "hcloud", "token" and
+// the value of HetznerCluster.Spec.HetznerSecret.Key.HCloudToken. See docstring of
+// HetznerCluster.Spec.HetznerSecret.Key.HCloudToken.
 func reconcileOneWorkloadClusterSecret(ctx context.Context, clusterScope *scope.ClusterScope, wlClient client.Client, name string) error {
 	wlSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{