Ephemeral Castle: Terragrunt Layers Detail

Level 3 (Detail) — Terragrunt dependency chain and env.hcl variables.

Concept

Each Terragrunt layer under clusters/tazlab-k8s/live/ corresponds to one Terraform module. Layers are ordered by dependencies, with gitops and networking running in parallel after engine.

Dependency Chain

         ┌─────────────────────────────────────────────┐
         │                                             │
secrets ──► platform ──► engine ──┬──► networking ──► storage
                                  │         ▲
                                  └──► gitops ┘
                                          │
                                          └──► (Flux reconciled from tazlab-k8s)

Layer Inventory

secrets/ (Layer 1)

Dependencies: none
Module: secrets-fetcher
Purpose: Fetch PROXMOX_TOKEN, TALOS_SECRETBOX_KEY from operator env vars (set by create.sh from ~/secrets/ files)
Wait: true

platform/ (Layer 2)

Dependencies: secrets
Module: proxmox-talos
Purpose: Proxmox VMs → Talos cluster → kubeconfig
Wait: true

engine/ (Layer 3)

Dependencies: platform
Module: k8s-engine
Purpose: ESO + ClusterSecretStore → Vault (tazlab-secrets-vault)
Wait: true

networking/ (Layer 4a, parallel to gitops)

Dependencies: engine
Module: k8s-networking
Purpose: MetalLB, IP pool
Wait: true

gitops/ (Layer 4b, parallel to networking)

Dependencies: engine
Module: k8s-flux
Purpose: cluster-vars ConfigMap, Flux bootstrap → tazlab-k8s
Wait: true

storage/ (Layer 5)

Dependencies: networking (waits for MetalLB)
Module: k8s-storage
Purpose: Longhorn, S3 backup config
Wait: true

gcp-services/ (standalone)

Dependencies: none (independent of cluster)
Purpose: AlloyDB on GCP
Wait: true

env.hcl

File: live/env.hcl

Key variables:

Variable              Value                                 Purpose
--------------------  ------------------------------------  ----------------------
cluster_name          tazlab-k8s                            Cluster identity
base_domain           tazlab.net                            Cluster DNS domain
acme_email            admin@tazlab.net                      Let's Encrypt contact
proxmox_endpoint      https://192.168.1.200:8006            Proxmox API
vip_address           192.168.1.210                         Talos API VIP
metallb_ip_range      192.168.1.240-192.168.1.250           MetalLB pool
talos_version         v1.12.0                               Talos OS version
control_plane_nodes   { "01" = "192.168.1.211" }            CP node map
worker_nodes          { "01" = "192.168.1.214" }            Worker node map
git_repository_url    https://github.com/tazzo/tazlab-k8s   Flux repo

Secret Injection

Secrets are injected into Terragrunt via environment variables, sourced by create.sh:

  1. Primary source: Vault (Hetzner) — create.sh Step 0 fetches them using the bootstrap token (~/secrets/bootstrap-token.txt):
    • PROXMOX_TOKEN_ID, PROXMOX_TOKEN_SECRET, GITHUB_TOKEN, TALOS_SECRETBOX_KEY
    • TAILSCALE_OPERATOR_CLIENT_ID, TAILSCALE_OPERATOR_CLIENT_SECRET
    • VAULT_CA_CRT, ESO_READER_TOKEN
  2. Fallback: ~/secrets/ files (immutable recovery anchor, never modified)

env.hcl reads them via get_env() and passes them to the Terraform modules.

Vault bootstrap secrets path: secret/data/tazlab-k8s/bootstrap (KV v2, 8 fields in a single secret). Bootstrap token policy: read-only on that path.

For details: Bootstrap Secret Vault Migration
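As an added illustration (not the repository's own files), a minimal live/env.hcl and live/storage/terragrunt.hcl showing how get_env() pulls the injected secrets with no silent default and how a dependency block enforces the networking → storage ordering; the module source path and the output name metallb_ready are assumptions, not taken from the k8s-networking module.

```hcl
# live/env.hcl (added illustration; variable names from this page, secret lookups assumed)
locals {
  cluster_name     = "tazlab-k8s"
  proxmox_endpoint = "https://192.168.1.200:8006"
  metallb_ip_range = "192.168.1.240-192.168.1.250"

  # Secrets come only from the environment that create.sh exported.
  # No second argument to get_env(): a missing variable aborts the run
  # instead of silently planning with an empty string.
  proxmox_token_id     = get_env("PROXMOX_TOKEN_ID")
  proxmox_token_secret = get_env("PROXMOX_TOKEN_SECRET")
}

# live/storage/terragrunt.hcl (added illustration, Layer 5)
include "root" {
  path = find_in_parent_folders()
}

locals {
  env = read_terragrunt_config(find_in_parent_folders("env.hcl"))
}

# Layer 5 waits for Layer 4a: `terragrunt run-all apply` orders layers by
# these blocks, so storage is never applied before networking succeeds.
dependency "networking" {
  config_path = "../networking"

  # Allows validate/plan before networking has ever been applied.
  # `metallb_ready` is an assumed output name for the k8s-networking module.
  mock_outputs = {
    metallb_ready = false
  }
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

terraform {
  source = "../../../../modules//k8s-storage" # assumed module path
}

inputs = {
  cluster_name  = local.env.locals.cluster_name
  metallb_ready = dependency.networking.outputs.metallb_ready
  # Any secret forwarded here should be declared `sensitive = true` in the
  # module's variables so plan/apply output redacts it.
}
```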

See Also