Entity: TazLab K8s (GitOps Layer)
K8s v1.35.0 on Talos v1.12.0 (1 control plane + 1 worker). CNI: Flannel.
This page is the repository hub for the provider-agnostic Flux GitOps desired-state layer.
Overview
tazlab-k8s/ defines the entire desired state of the cluster after Talos bootstrap. It is managed by Flux CD, which continuously reconciles the cluster against the master branch of github.com/tazzo/tazlab-k8s.
Repository Structure
```text
tazlab-k8s/
├── clusters/tazlab-k8s/        # 12 Flux Kustomization entrypoints (the DAG)
├── infrastructure/
│   ├── operators/              # HelmReleases for cluster controllers
│   │   ├── core/               # cert-manager, traefik, reloader, dex, auth, cloudflare-ddns, tailscale
│   │   ├── data/               # postgres-operator (Crunchy PGO)
│   │   ├── monitoring/         # kube-prometheus-stack + dashboards
│   │   └── namespaces/         # Explicit namespace declarations (incl. tailscale/)
│   ├── configs/                # ExternalSecrets + static ConfigMaps
│   │   ├── cert-manager/       # Cloudflare DNS01 issuer + API token
│   │   ├── tailscale/          # Tailscale Operator OAuth ExternalSecret
│   │   ├── wildcard-tls/       # Wildcard TLS (*.tazlab.net)
│   │   ├── hugo-wiki/          # Wiki-specific ExternalSecrets
│   │   ├── tazlab-db/          # S3 backup credentials
│   │   ├── dex/                # Dex OIDC ExternalSecrets
│   │   ├── ai-agents/          # OpenClaw gateway/telegram secrets
│   │   └── github-external-secret.yaml
│   ├── instances/              # Deployed workload instances (PostgresCluster, Services)
│   │   ├── tazlab-db/          # PostgresCluster CR (Crunchy PGO)
│   │   ├── traefik/            # Traefik Service + Ingress
│   │   ├── longhorn/           # Longhorn Ingress
│   │   ├── dex/                # Dex Deployment + Ingress + ConfigMap
│   │   ├── pgadmin/            # PGAdmin Deployment + PVC
│   │   ├── homepage/           # Homepage dashboard
│   │   ├── cloudflare-ddns/    # DDNS Deployment + ExternalSecret
│   ├── cluster-instances/      # Aggregator: instances + automation
│   ├── cluster-bridge/         # Aggregator: bridge
│   ├── bridge/                 # IngressClass + ClusterIssuer + DNSConfig (raw manifests)
│   ├── automation/             # ImageRepository + ImagePolicy + ImageUpdateAutomation
│   │   ├── hugo-blog/
│   │   ├── hugo-wiki/
│   │   ├── mnemosyne-mcp/
│   ├── auth/                   # OAuth2 Proxy (Deployment + Ingress + Middleware)
│   └── common/                 # Shared patches (wait-for-db-patch.yaml)
├── apps/
│   ├── base/                   # Cluster-agnostic app manifests
│   │   ├── hugo-blog/
│   │   ├── hugo-wiki/
│   │   └── mnemosyne-mcp/
│   └── cluster/                # Thin Kustomize overlays (→ apps/base/)
│       ├── hugo-blog/
│       ├── hugo-wiki/
│       └── mnemosyne-mcp/
└── tests/
    └── verify_manifest_purity.sh
```
Quick Facts
| Property | Value |
|---|---|
| Repository | tazlab-k8s/ |
| Default branch | master |
| Git remote | github.com/tazzo/tazlab-k8s |
| Flux interval | 1m (source), 1h (kustomizations) |
| Secret backend | Vault (tazlab-secrets-vault) |
| Kubeconfig | ../ephemeral-castle/clusters/tazlab-k8s/proxmox/configs/kubeconfig |
Canonical Starting Pages for Agents
Architecture & Design
- Flux DAG — Reconciliation order and dependency graph
- Kustomize Structure — Base vs cluster layering
- Bootstrap Logic — Handoff from ephemeral-castle
Operators & Infrastructure
- Operators Inventory — All cluster controllers
- Repository Mapping — File-by-file responsibility map
- Conventions — Naming, purity, resource standards
Secrets & Delivery
- Secrets Mapping — ExternalSecret → Vault (primary), Infisical (legacy)
- Image Automation — Flux image update pipeline
Networking & Auth
- Ingress & Auth — Traefik, MetalLB, Dex/OAuth2
- Monitoring & Dashboards — Prometheus, Grafana, dashboards as code
Details (Implementation)
- Flux Kustomizations Detail — All 12 Kustomizations with exact spec
- Image Automation Detail — 4 pipeline specs with tags
Known Issues
| TD | Area | Summary |
|---|---|---|
| TD-020 | Vault integration | Vault ClusterSecretStore + CoreDNS tailnet DNS forwarding pending (Phase 2 of 09-vault-k8s-integration-prep) |
| TD-025 | TLS | Wildcard *.tazlab.net cert has no automated renewal: the HTTP01-only ClusterIssuer cannot issue wildcard certificates. It expired on 2026-05-01, causing a full TLS outage. The manually reloaded lego certificate expires on 2026-07-30. |
Relationships
- Base infrastructure: ephemeral-castle — provisions VMs, Talos, Flux bootstrap
- Semantic memory: mnemosyne-mcp-server — deployed as apps-data
- Static sites: blog-src, wiki.tazlab.net — deployed as apps-static/apps-static-wiki
- Context governance: AGENTS.ctx — operational memory and rules