Entity: TazLab K8s (GitOps Layer)

K8s v1.35.0 on Talos v1.12.0 (1 control-plane node + 1 worker). CNI: Flannel.

This page is the repository hub for the provider-agnostic Flux GitOps desired-state layer.

Overview

tazlab-k8s/ defines the entire desired state of the cluster after Talos bootstrap. It is managed by Flux CD, which continuously reconciles the cluster against the master branch of github.com/tazzo/tazlab-k8s.

Repository Structure

tazlab-k8s/
├── clusters/tazlab-k8s/             # 12 Flux Kustomization entrypoints (the DAG)
├── infrastructure/
│   ├── operators/                   # HelmReleases for cluster controllers
│   │   ├── core/                    # cert-manager, traefik, reloader, dex, auth, cloudflare-ddns, tailscale
│   │   ├── data/                    # postgres-operator (Crunchy PGO)
│   │   ├── monitoring/              # kube-prometheus-stack + dashboards
│   │   └── namespaces/              # Explicit namespace declarations (incl. tailscale/)
│   ├── configs/                     # ExternalSecrets + static ConfigMaps
│   │   ├── cert-manager/            # Cloudflare DNS01 issuer + API token
│   │   ├── tailscale/               # Tailscale Operator OAuth ExternalSecret
│   │   ├── wildcard-tls/            # Wildcard TLS (*.tazlab.net)
│   │   ├── hugo-wiki/               # Wiki-specific ExternalSecrets
│   │   ├── tazlab-db/               # S3 backup credentials
│   │   ├── dex/                     # Dex OIDC ExternalSecrets
│   │   ├── ai-agents/               # OpenClaw gateway/telegram secrets
│   │   └── github-external-secret.yaml
│   ├── instances/                   # Deployed workload instances (PostgresCluster, Services)
│   │   ├── tazlab-db/               # PostgresCluster CR (Crunchy PGO)
│   │   ├── traefik/                 # Traefik Service + Ingress
│   │   ├── longhorn/                # Longhorn Ingress
│   │   ├── dex/                     # Dex Deployment + Ingress + ConfigMap
│   │   ├── pgadmin/                 # PGAdmin Deployment + PVC
│   │   ├── homepage/                # Homepage dashboard
│   │   └── cloudflare-ddns/         # DDNS Deployment + ExternalSecret
│   ├── cluster-instances/           # Aggregator: instances + automation
│   ├── cluster-bridge/              # Aggregator: bridge
│   ├── bridge/                      # IngressClass + ClusterIssuer + DNSConfig (raw manifests)
│   ├── automation/                  # ImageRepository + ImagePolicy + ImageUpdateAutomation
│   │   ├── hugo-blog/
│   │   ├── hugo-wiki/
│   │   └── mnemosyne-mcp/
│   ├── auth/                        # OAuth2 Proxy (Deployment + Ingress + Middleware)
│   └── common/                      # Shared patches (wait-for-db-patch.yaml)
├── apps/
│   ├── base/                        # Cluster-agnostic app manifests
│   │   ├── hugo-blog/
│   │   ├── hugo-wiki/
│   │   └── mnemosyne-mcp/
│   └── cluster/                     # Thin Kustomize overlays (→ apps/base/)
│       ├── hugo-blog/
│       ├── hugo-wiki/
│       └── mnemosyne-mcp/
└── tests/
    └── verify_manifest_purity.sh

Quick Facts

Property         Value
Repository       tazlab-k8s/
Default branch   master
Git remote       github.com/tazzo/tazlab-k8s
Flux interval    1m (source), 1h (kustomizations)
Secret backend   Vault (tazlab-secrets-vault)
Kubeconfig       ../ephemeral-castle/clusters/tazlab-k8s/proxmox/configs/kubeconfig

Canonical Starting Pages for Agents

Architecture & Design

Operators & Infrastructure

Secrets & Delivery

Networking & Auth

Details (Implementation)

Known Issues

TD       Area                Summary
TD-020   Vault integration   Vault ClusterSecretStore + CoreDNS tailnet DNS forwarding pending (Phase 2 of 09-vault-k8s-integration-prep)
TD-025   TLS                 Wildcard *.tazlab.net cert has no automated renewal — an HTTP01-only ClusterIssuer can't issue wildcards. Expired 2026-05-01, causing a full TLS outage. Manual lego reload expires 2026-07-30.
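TD-025 turns on one cert-manager rule: the ACME HTTP-01 challenge validates a concrete hostname through an Ingress, so it can never satisfy a wildcard name; only DNS-01 can. The manifests below are an added illustration of the automated alternative and are not from the tazlab-k8s repository. All names are assumptions: the ClusterIssuer `letsencrypt-dns01`, the account-key Secret `letsencrypt-dns01-account-key`, the Cloudflare token Secret `cloudflare-api-token` (key `api-token`, the kind of object the repo's `configs/cert-manager/` ExternalSecret would deliver), the Certificate `wildcard-tazlab-net` in `default`, and the placeholder e-mail.

```yaml
# Added example, not tazlab-k8s code. A DNS-01 ClusterIssuer that can issue and
# renew *.tazlab.net; an HTTP01-only issuer cannot, because the ACME server has
# no single hostname to fetch a challenge from for a wildcard.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01                   # assumed name
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.invalid              # placeholder, not a real address
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key   # assumed; ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token    # assumed; Secret in the cert-manager namespace
              key: api-token                # scope the token to Zone:DNS:Edit on tazlab.net only
        selector:
          dnsZones:
            - tazlab.net                    # use this solver only for names in this zone
---
# Added example: the wildcard Certificate itself. cert-manager renews it on its
# own once the issuer can complete DNS-01, which removes the manual lego step.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-tazlab-net                 # assumed
  namespace: default                        # assumed; use the namespace that mounts the TLS Secret
spec:
  secretName: wildcard-tazlab-net-tls       # assumed; Secret the Ingress/IngressRoute references
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
    - "*.tazlab.net"
    - tazlab.net
  duration: 2160h                           # 90 days, the Let's Encrypt maximum
  renewBefore: 720h                         # begin renewal 30 days before expiry
```

After applying, `kubectl get certificate -A` should show the Certificate with READY=True; if it stays False, `kubectl describe challenge -A` shows whether the DNS-01 TXT record was created and whether the Cloudflare token was accepted. A token limited to DNS edit on the single zone keeps the blast radius small if the Secret is ever exposed.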

Relationships

See Also