Ephemeral Castle Rebirth Protocol

The Rebirth Protocol (create.sh V11.1) is a high-level orchestrator that moves the cluster from “Nothing” to “Blog Online” in approximately 12 minutes.

The `create.sh` Logic (Step-by-Step)

1. Secret Resolution

Uses the resolve() bash function to extract credentials from the TazPod Vault (/home/tazpod/secrets/).

If a file exists in the vault, it’s exported as an env var.

2. Tailscale AuthKey Minting

The script executes mint_tailscale_authkey():

Authenticates with Tailscale OAuth (client_id + client_secret).
Requests a short-lived (3600s), reusable, ephemeral key with tag:tazlab-k8s.
The key is kept in memory and never committed to Terraform state.

3. Terragrunt Execution

Applies secrets and platform sequentially.
Talos Patching: Injects the TS_AUTHKEY into nodes via talosctl apply-config using a Python inline patcher.
Applies engine.
Launches networking, gitops, and storage in the background (&).

4. GitOps Harmonization

Forces a Flux reconcile for the entire stack.
Waits for Kustomizations to reach Ready state.
Grafana Secret Sync: A Python helper synchronizes the dynamic Postgres credentials from the tazlab-db namespace to the monitoring namespace to avoid a bootstrap circular dependency.

Log Locations

Logs are stored in clusters/tazlab-k8s/proxmox/logs/ with a timestamped directory structure.

Ephemeral Castle Rebirth Protocol#

The create.sh Logic (Step-by-Step)#

1. Secret Resolution#

2. Tailscale AuthKey Minting#

3. Terragrunt Execution#

4. GitOps Harmonization#

Log Locations#

See Also#