Level 3 (Detail) — The 6 reusable Terraform modules for cluster provisioning.
Concept#
Each Terragrunt layer maps to a Terraform module under clusters/tazlab-k8s/modules/. Modules are reusable across clusters; cluster-specific configuration comes from live/env.hcl.
Module Inventory#
1. secrets-fetcher#
| Field | Value |
|---|---|
| Layer | secrets (Layer 1) |
| Purpose | Fetch bootstrap secrets from the operator's environment (env vars populated from Vault or from ~/secrets/) |
| Key inputs | PROXMOX_TOKEN_ID, PROXMOX_TOKEN_SECRET, TALOS_SECRETBOX_KEY (from env vars) |
| Key outputs | PROXMOX_TOKEN, TALOS_SECRETBOX_KEY |
2. proxmox-talos#
| Field | Value |
|---|---|
| Layer | platform (Layer 2) |
| Purpose | Create Proxmox VMs, bootstrap Talos cluster |
| Key inputs | Proxmox token, Talos config |
| Key outputs | Kubeconfig, talosconfig |
3. k8s-engine#
| Field | Value |
|---|---|
| Layer | engine (Layer 3) |
| Purpose | Install ESO v0.10.3 and user-managed CoreDNS; create the bootstrap Secrets ESO needs to reach Vault |
| Key inputs | vault_ca_cert, vault_eso_token, tailscale_client_id, tailscale_client_secret (literal strings from env vars, not file paths) |
| Key outputs | vault-ca-cert Secret, vault-eso-token Secret, tailscale-operator-oauth Secret, CoreDNS, ESO HelmRelease |
The module creates three Opaque K8s Secrets directly (no ExternalSecret and no VSO: these are the credentials ESO itself needs before it can read anything from Vault):
- vault-ca-cert (key ca.crt): CA certificate the ESO ClusterSecretStore uses to validate Vault's TLS certificate
- vault-eso-token (key token): token ESO uses to authenticate to Vault
- tailscale-operator-oauth (keys clientId and clientSecret): OAuth client the Tailscale Operator uses to join the tailnet
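The following is an added example of how an engine-layer module can create those three Opaque Secrets directly with the Terraform kubernetes provider; it is not the project's k8s-engine module. The variable names are the four the page lists; the `external-secrets` and `tailscale` namespaces, the extra namespace variables and the validation rules are assumptions. The validations exist for the point the page makes about inputs being literal strings: a path such as `~/secrets/ca.pem` passed by mistake is rejected at plan time instead of being stored in the cluster as the "certificate".

```hcl
# Added example, not the project's k8s-engine module. Namespaces and
# validation rules are assumptions; variable names follow the page.
terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.30"
    }
  }
}

# Inputs are the secret values themselves (from env vars), never file paths.
variable "vault_ca_cert" {
  type        = string
  description = "PEM CA bundle for the Vault endpoint (contents, not a path)"
  validation {
    condition     = can(regex("-----BEGIN CERTIFICATE-----", var.vault_ca_cert))
    error_message = "vault_ca_cert must be PEM certificate contents, not a file path."
  }
}

variable "vault_eso_token" {
  type      = string
  sensitive = true
  validation {
    # Non-empty and not something that looks like a local path
    condition     = length(var.vault_eso_token) > 0 && !can(regex("^[~./]", var.vault_eso_token))
    error_message = "vault_eso_token must be the token itself, not a path to a file."
  }
}

variable "tailscale_client_id" {
  type = string
}

variable "tailscale_client_secret" {
  type      = string
  sensitive = true
}

variable "eso_namespace" {
  type    = string
  default = "external-secrets" # assumed namespace of the ESO install
}

variable "tailscale_namespace" {
  type    = string
  default = "tailscale" # assumed namespace of the Tailscale Operator
}

# Referenced by the ClusterSecretStore as spec.provider.vault.caProvider
resource "kubernetes_secret" "vault_ca_cert" {
  metadata {
    name      = "vault-ca-cert"
    namespace = var.eso_namespace
  }
  type = "Opaque"
  data = {
    # The provider base64-encodes plain strings given in `data`
    "ca.crt" = var.vault_ca_cert
  }
}

# Referenced by the ClusterSecretStore as spec.provider.vault.auth.tokenSecretRef
resource "kubernetes_secret" "vault_eso_token" {
  metadata {
    name      = "vault-eso-token"
    namespace = var.eso_namespace
  }
  type = "Opaque"
  data = {
    token = var.vault_eso_token
  }
}

# Read by the Tailscale Operator to join the tailnet; key names follow the page
resource "kubernetes_secret" "tailscale_operator_oauth" {
  metadata {
    name      = "tailscale-operator-oauth"
    namespace = var.tailscale_namespace
  }
  type = "Opaque"
  data = {
    clientId     = var.tailscale_client_id
    clientSecret = var.tailscale_client_secret
  }
}

output "bootstrap_secret_names" {
  value = [
    kubernetes_secret.vault_ca_cert.metadata[0].name,
    kubernetes_secret.vault_eso_token.metadata[0].name,
    kubernetes_secret.tailscale_operator_oauth.metadata[0].name,
  ]
}
```

One caveat that applies to the real module as much as to this example: `sensitive = true` only masks values in plan and apply output. Every `data` value still lands unencrypted in the Terraform state of the engine layer, so the state backend needs the same access controls as the Vault token and the Tailscale OAuth secret themselves.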
4. k8s-networking#
| Field | Value |
|---|---|
| Layer | networking (Layer 4a) |
| Purpose | Install MetalLB v0.14.8, IPAddressPool, memberlist secret |
| Key inputs | MetalLB IP range (192.168.1.240-250) |
| Key outputs | LoadBalancer IP assignment |
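As an added example (not the project's k8s-networking module), here is a networking-layer module that installs the MetalLB chart, pre-creates the memberlist secret and declares the IPAddressPool for the range above. The chart repository, the `metallb-system` namespace, the memberlist Secret name and key, and the use of L2 mode (hence the L2Advertisement) are assumptions; the version and IP range are the ones the page lists.

```hcl
# Added example, not the project's k8s-networking module. Chart repo, namespace,
# memberlist Secret name/key and L2 mode are assumptions.
terraform {
  required_providers {
    helm       = { source = "hashicorp/helm", version = "~> 2.14" }
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.30" }
    random     = { source = "hashicorp/random", version = "~> 3.6" }
  }
}

variable "metallb_ip_range" {
  type    = string
  default = "192.168.1.240-192.168.1.250"
  validation {
    # A malformed range is accepted by the CRD only at apply time; fail earlier.
    condition     = can(regex("^(\\d{1,3}\\.){3}\\d{1,3}-(\\d{1,3}\\.){3}\\d{1,3}$", var.metallb_ip_range))
    error_message = "metallb_ip_range must be an IPv4 range like 192.168.1.240-192.168.1.250."
  }
}

resource "kubernetes_namespace" "metallb" {
  metadata { name = "metallb-system" } # assumed
}

# Shared key for the speakers' memberlist gossip. Without it any pod that can
# reach the gossip port can join the cluster of speakers. Generated once here,
# so it is also stored in Terraform state: treat the state backend accordingly.
resource "random_bytes" "memberlist" {
  length = 128
}

resource "kubernetes_secret" "memberlist" {
  metadata {
    name      = "metallb-memberlist" # assumed name expected by the chart
    namespace = kubernetes_namespace.metallb.metadata[0].name
  }
  type = "Opaque"
  data = {
    secretkey = random_bytes.memberlist.base64 # assumed key name
  }
}

resource "helm_release" "metallb" {
  name       = "metallb"
  repository = "https://metallb.github.io/metallb"
  chart      = "metallb"
  version    = "0.14.8"
  namespace  = kubernetes_namespace.metallb.metadata[0].name
  depends_on = [kubernetes_secret.memberlist]
}

# IPAddressPool and L2Advertisement are CRDs installed by the chart above.
# kubernetes_manifest validates against the cluster API at plan time, so the
# first plan on an empty cluster fails until the CRDs exist; apply the chart
# first (terraform apply -target=helm_release.metallb) or keep these CRs in a
# separate module/layer.
resource "kubernetes_manifest" "pool" {
  manifest = {
    apiVersion = "metallb.io/v1beta1"
    kind       = "IPAddressPool"
    metadata = {
      name      = "default"
      namespace = kubernetes_namespace.metallb.metadata[0].name
    }
    spec = {
      addresses = [var.metallb_ip_range]
    }
  }
  depends_on = [helm_release.metallb]
}

resource "kubernetes_manifest" "l2" {
  manifest = {
    apiVersion = "metallb.io/v1beta1"
    kind       = "L2Advertisement"
    metadata = {
      name      = "default"
      namespace = kubernetes_namespace.metallb.metadata[0].name
    }
    spec = {
      ipAddressPools = ["default"]
    }
  }
  depends_on = [kubernetes_manifest.pool]
}
```

The IPAddressPool alone only assigns addresses; an advertisement resource (L2Advertisement here, or a BGP equivalent) is what makes the LoadBalancer IP reachable from the LAN.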
5. k8s-flux#
| Field | Value |
|---|---|
| Layer | gitops (Layer 4b) |
| Purpose | Create cluster-vars ConfigMap, bootstrap Flux |
| Key inputs | GitHub token, Flux repo URL |
| Key outputs | Flux reconciliation of tazlab-k8s |
6. k8s-storage#
| Field | Value |
|---|---|
| Layer | storage (Layer 5) |
| Purpose | Install Longhorn v1.7.2, StorageClass, S3 backup |
| Key inputs | S3 bucket credentials (from Vault via ExternalSecret) |
| Key outputs | tazlab-storage StorageClass |
Build Order#
1. secrets ──► 2. platform ──► 3. engine ──► 4a. networking ──► 5. storage
└► 4b. gitops (parallel to networking)
6. gcp-services (standalone)
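The Concept section says each Terragrunt layer maps to a module and takes its cluster-specific values from live/env.hcl, and the build order above is what the layers' dependency blocks encode. The following is an added example of one such layer file (the engine layer consuming the platform layer) and not the project's own file. The live/ directory layout, the root terragrunt.hcl, the platform output name `kubeconfig_path`, the env.hcl local `cluster_name` and reading the four secrets with `get_env()` directly (rather than through the secrets layer's outputs) are assumptions; the module path and input names follow the page.

```hcl
# clusters/tazlab-k8s/live/engine/terragrunt.hcl   (layout is assumed)
# Added example of one Terragrunt layer, not the project's own file.

include "root" {
  path = find_in_parent_folders()
}

locals {
  # Cluster-specific values live in live/env.hcl; the module stays generic.
  env = read_terragrunt_config(find_in_parent_folders("env.hcl"))
}

terraform {
  # Reusable module under clusters/tazlab-k8s/modules/ ("//" marks the module root)
  source = "${get_parent_terragrunt_dir()}/../modules//k8s-engine"
}

# Layer 3 (engine) consumes Layer 2 (platform) output. This block is what
# makes `terragrunt run-all apply` provision platform before engine; the
# networking and gitops layers declare the same kind of dependency on engine.
dependency "platform" {
  config_path = "../platform"

  # Lets `run-all validate` / `run-all plan` work before platform was ever applied
  mock_outputs = {
    kubeconfig_path = "/dev/null"
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

inputs = {
  kubeconfig_path = dependency.platform.outputs.kubeconfig_path
  cluster_name    = local.env.locals.cluster_name # assumed env.hcl local

  # Literal strings from the operator's env vars, not file paths.
  # Single-argument get_env() makes Terragrunt fail when the variable is unset,
  # instead of creating a Secret with an empty value.
  vault_ca_cert           = get_env("VAULT_CA_CERT")
  vault_eso_token         = get_env("VAULT_ESO_TOKEN")
  tailscale_client_id     = get_env("TAILSCALE_CLIENT_ID")
  tailscale_client_secret = get_env("TAILSCALE_CLIENT_SECRET")
}
```

With one file like this per layer, `terragrunt run-all apply` from live/ derives the order shown above from the dependency graph, so two layers that depend only on engine (networking and gitops) run in parallel while storage waits for networking.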
See Also#