Ephemeral Castle: Terragrunt Layers Detail
Level 3 (Detail) — Terragrunt dependency chain and env.hcl variables.
Concept
Each Terragrunt layer under clusters/tazlab-k8s/live/ corresponds to one Terraform module. Layers are ordered by dependencies, with gitops and networking running in parallel after engine.
Dependency Chain
```
secrets ──► platform ──► engine ──┬──► networking ──► storage
                                  │
                                  └──► gitops ──► (Flux reconciled from tazlab-k8s)
```
Layer Inventory
secrets/ (Layer 1)
Dependencies: none
Module: secrets-fetcher
Purpose: Fetch PROXMOX_TOKEN, TALOS_SECRETBOX_KEY from operator env vars (set by create.sh from ~/secrets/ files)
Wait: true
platform/ (Layer 2)
Dependencies: secrets
Module: proxmox-talos
Purpose: Proxmox VMs → Talos cluster → kubeconfig
Wait: true
engine/ (Layer 3)
Dependencies: platform
Module: k8s-engine
Purpose: ESO + ClusterSecretStore → Vault (tazlab-secrets-vault)
Wait: true
networking/ (Layer 4a, parallel to gitops)
Dependencies: engine
Module: k8s-networking
Purpose: MetalLB, IP pool
Wait: true
gitops/ (Layer 4b, parallel to networking)
Dependencies: engine
Module: k8s-flux
Purpose: cluster-vars ConfigMap, Flux bootstrap → tazlab-k8s
Wait: true
storage/ (Layer 5)
Dependencies: networking (waits for MetalLB)
Module: k8s-storage
Purpose: Longhorn, S3 backup config
Wait: true
gcp-services/ (standalone)
Dependencies: none (independent of cluster)
Purpose: AlloyDB on GCP
Wait: true
env.hcl
File: live/env.hcl
Key variables:
| Variable | Value | Purpose |
|---|---|---|
| cluster_name | tazlab-k8s | Cluster identity |
| base_domain | tazlab.net | Cluster DNS domain |
| acme_email | admin@tazlab.net | Let's Encrypt contact |
| proxmox_endpoint | https://192.168.1.200:8006 | Proxmox API |
| vip_address | 192.168.1.210 | Talos API VIP |
| metallb_ip_range | 192.168.1.240-192.168.1.250 | MetalLB pool |
| talos_version | v1.12.0 | Talos OS version |
| control_plane_nodes | { "01" = "192.168.1.211" } | CP node map |
| worker_nodes | { "01" = "192.168.1.214" } | Worker node map |
| git_repository_url | https://github.com/tazzo/tazlab-k8s | Flux repo |
Secret Injection
Secrets are injected into Terragrunt via environment variables, sourced by create.sh:
- Primary source: Vault (Hetzner). create.sh Step 0 fetches them via the bootstrap token (~/secrets/bootstrap-token.txt): PROXMOX_TOKEN_ID, PROXMOX_TOKEN_SECRET, GITHUB_TOKEN, TALOS_SECRETBOX_KEY, TAILSCALE_OPERATOR_CLIENT_ID, TAILSCALE_OPERATOR_CLIENT_SECRET, VAULT_CA_CRT, ESO_READER_TOKEN
- Fallback: ~/secrets/ files (immutable recovery anchor, never modified)
env.hcl reads them via get_env() and passes them to the Terraform modules.
Vault bootstrap secrets path: secret/data/tazlab-k8s/bootstrap (KV v2, 8 fields in a single secret)
Bootstrap token policy: read-only on that path.
For details: Bootstrap Secret Vault Migration
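As an added illustration (not a file from the project), this is how the Layer 5 → networking dependency from the inventory and the get_env() secret injection described above translate into Terragrunt configuration; the module source path, the `metallb_ip_range` output name and the input names are assumptions:

```hcl
# ---- live/env.hcl (excerpt, illustrative) ----
# Non-secret cluster variables are literals; secrets are read from the
# environment that create.sh populated (Vault, falling back to ~/secrets/).
# get_env() without a default makes Terragrunt abort when a variable is
# missing, rather than handing the module an empty credential.
locals {
  cluster_name         = "tazlab-k8s"
  proxmox_endpoint     = "https://192.168.1.200:8006"
  metallb_ip_range     = "192.168.1.240-192.168.1.250"
  proxmox_token_secret = get_env("PROXMOX_TOKEN_SECRET")
  talos_secretbox_key  = get_env("TALOS_SECRETBOX_KEY")
}

# ---- live/storage/terragrunt.hcl (Layer 5, illustrative) ----
include "root" {
  path = find_in_parent_folders()
}

locals {
  env = read_terragrunt_config(find_in_parent_folders("env.hcl"))
}

terraform {
  source = "../../../../modules//k8s-storage" # assumed module location
}

# "Dependencies: networking" becomes a dependency block: Terragrunt applies
# ../networking first and only then runs this unit, so Longhorn is
# configured after MetalLB's pool exists.
dependency "networking" {
  config_path = "../networking"
  # Placeholder outputs let `terragrunt run-all plan` succeed before
  # networking has ever been applied; they are never used on apply.
  mock_outputs                            = { metallb_ip_range = "" } # assumed output name
  mock_outputs_allowed_terraform_commands = ["validate", "plan"]
}

inputs = {
  cluster_name     = local.env.locals.cluster_name
  metallb_ip_range = dependency.networking.outputs.metallb_ip_range
}
```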
See Also
- Detail: Terraform Modules Detail
- Topic: Terragrunt Layers
- Reference: env.hcl
- Hub: Ephemeral Castle