TazLab Flux DAG

Scope

This page documents the actual Flux reconciliation DAG for the active tazlab-k8s cluster, including what depends on what and which Kubernetes objects each layer installs.

Current Synthesis

Flux bootstraps from clusters/tazlab-k8s/flux-system/gotk-sync.yaml, whose GitRepository points at github.com/tazzo/tazlab-k8s and whose root Kustomization targets ./clusters/tazlab-k8s.

The cluster then converges through a layered graph. Some layers are true DAG roots and can be applied in parallel after bootstrap; others wait for specific prerequisites such as namespaces, bridge objects, or config secrets.

Flux Root

Flux controllers installed by bootstrap:

  • source-controller
  • kustomize-controller
  • helm-controller
  • notification-controller
  • image-reflector-controller
  • image-automation-controller

Root reconciliation entrypoint:

  • flux-system GitRepository
  • flux-system Kustomization at ./clusters/tazlab-k8s

DAG Layers

Each layer is listed with what it depends on, what it installs, and its main runtime surface.

infrastructure-operators-namespaces
  Depends on: Flux root only
  Installs: Namespace ai-agents
  Runtime surface: ai-agents namespace for agent workloads

infrastructure-operators-core
  Depends on: Flux root only
  Installs: cert-manager, traefik, reloader, namespace scaffolding for dex, auth, cloudflare-ddns, tazlab-db, hugo-blog
  Runtime surface: cluster ingress, certificate management, reload automation, app namespace scaffolding

infrastructure-operators-data
  Depends on: Flux root only
  Installs: postgres-operator (Crunchy PGO)
  Runtime surface: Postgres operator and its CRDs/controllers

infrastructure-monitoring
  Depends on: infrastructure-operators-namespaces
  Installs: metrics-server, kube-prometheus-stack, Grafana ingress, Grafana bootstrap secret sync, dashboards
  Runtime surface: Prometheus, Grafana, node-exporter, kube-state-metrics, metrics-server

infrastructure-bridge
  Depends on: infrastructure-operators-core, infrastructure-operators-namespaces
  Installs: IngressClass, ClusterIssuer tazlab-issuer
  Runtime surface: Traefik ingress class and ACME issuer prerequisites

infrastructure-configs
  Depends on: infrastructure-bridge
  Installs: ExternalSecrets and static config for cert-manager, wildcard TLS, tazlab-db, Dex, ai-agents, GitHub automation
  Runtime surface: secret/config objects consumed by later layers

infrastructure-instances
  Depends on: infrastructure-configs, infrastructure-operators-data
  Installs: tazlab-db cluster, cloudflare-ddns, pgadmin, homepage, traefik service, longhorn service, dex deployment/service, tazlab-db-external service
  Runtime surface: database, dashboards, homepage, DNS updater, Dex, Longhorn UI, Traefik dashboard

infrastructure-auth
  Depends on: infrastructure-instances
  Installs: oauth2-proxy deployment/service/ingress/middleware plus secret/config wiring
  Runtime surface: forward-auth gate for protected services

apps-static
  Depends on: infrastructure-configs
  Installs: hugo-blog deployment/service, certificates, redirect middleware, ingress rules
  Runtime surface: public blog site

apps-data
  Depends on: infrastructure-configs
  Installs: mnemosyne-mcp deployment/service, ExternalSecret, RBAC
  Runtime surface: semantic memory service

Ordering Rules

Roots

These layers are DAG roots after Flux bootstrap:

  • infrastructure-operators-namespaces
  • infrastructure-operators-core
  • infrastructure-operators-data

Downstream Dependencies

  • infrastructure-monitoring waits for namespaces because it needs the monitoring namespace and the shared cluster baseline first.
  • infrastructure-bridge waits for core ingress/certificate prerequisites.
  • infrastructure-configs waits for bridge because the TLS and secret wiring it creates is consumed later by ingress-backed workloads.
  • infrastructure-instances waits for both configs and data, but it sets wait: false so Flux does not block on runtime readiness that Kubernetes already models through its own probes and initContainers.
  • infrastructure-auth waits for instances so the auth gateway can sit on top of already-created service targets.
  • apps-static and apps-data wait for configs because they both consume cluster variables and secret-backed configuration.
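The ordering rules above can be checked mechanically before a change to the Flux layout is pushed. The Python below is an added example written for this page, not code from the tazlab-k8s repository: it encodes the layers and dependsOn edges from the DAG table as constructed Flux Kustomization objects (the path and interval values are placeholders, not the repository's), rejects dangling dependsOn targets and cycles, groups the layers into reconciliation waves that can run in parallel, reports which layers set wait: false, and confirms that every layer the page says consumes secret-backed configuration sits transitively behind infrastructure-configs.

```python
"""Validate a Flux Kustomization dependency graph and derive its
reconciliation waves.

Added example for this wiki page; not code from the tazlab-k8s repo.
Layer names and dependsOn edges are transcribed from the DAG table on
the page. The object shape mirrors a kustomize.toolkit.fluxcd.io/v1
Kustomization, but the manifests are constructed here, and the path and
interval fields are placeholders rather than the repository's values.
"""
from collections import deque

FLUX_SOURCE = "flux-system"  # GitRepository name created by bootstrap


def kustomization(name, depends_on=(), wait=True):
    """Build a minimal Flux Kustomization object (constructed, not from the repo)."""
    return {
        "apiVersion": "kustomize.toolkit.fluxcd.io/v1",
        "kind": "Kustomization",
        "metadata": {"name": name, "namespace": "flux-system"},
        "spec": {
            "interval": "10m",                       # placeholder
            "sourceRef": {"kind": "GitRepository", "name": FLUX_SOURCE},
            "path": f"./{name}",                     # placeholder path
            "prune": True,
            "wait": wait,
            "dependsOn": [{"name": d} for d in depends_on],
        },
    }


# Constructed manifests mirroring the page's DAG table.
LAYERS = [
    kustomization("infrastructure-operators-namespaces"),
    kustomization("infrastructure-operators-core"),
    kustomization("infrastructure-operators-data"),
    kustomization("infrastructure-monitoring", ["infrastructure-operators-namespaces"]),
    kustomization("infrastructure-bridge",
                  ["infrastructure-operators-core", "infrastructure-operators-namespaces"]),
    kustomization("infrastructure-configs", ["infrastructure-bridge"]),
    kustomization("infrastructure-instances",
                  ["infrastructure-configs", "infrastructure-operators-data"], wait=False),
    kustomization("infrastructure-auth", ["infrastructure-instances"]),
    kustomization("apps-static", ["infrastructure-configs"]),
    kustomization("apps-data", ["infrastructure-configs"]),
]


def build_graph(manifests):
    """Return {name: set(dependsOn names)}. A dependsOn target that no
    Kustomization defines is an error: Flux would leave the dependent
    waiting forever, so catch it in review rather than in the cluster."""
    graph = {m["metadata"]["name"]: {d["name"] for d in m["spec"].get("dependsOn", [])}
             for m in manifests}
    for name, deps in graph.items():
        missing = deps - graph.keys()
        if missing:
            raise ValueError(f"{name} depends on undefined {sorted(missing)}")
    return graph


def reconciliation_waves(graph):
    """Kahn's algorithm grouped into waves: every layer in a wave has all
    its prerequisites in earlier waves, so a whole wave can reconcile in
    parallel. A cycle is an error because Flux could never resolve it."""
    remaining = {n: set(d) for n, d in graph.items()}
    waves = []
    while remaining:
        ready = sorted(n for n, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among {sorted(remaining)}")
        waves.append(ready)
        for n in ready:
            del remaining[n]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves


def roots(graph):
    """Layers with no dependsOn: they start right after Flux bootstrap."""
    return sorted(n for n, deps in graph.items() if not deps)


def depends_transitively(graph, layer, prerequisite):
    """True if `layer` cannot reconcile before `prerequisite` (BFS upstream)."""
    seen, queue = set(), deque([layer])
    while queue:
        for dep in graph[queue.popleft()]:
            if dep == prerequisite:
                return True
            if dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return False


def unwaited_layers(manifests):
    """Kustomizations with wait: false; their dependents may start before
    the installed workloads are actually Ready, so readiness must come
    from the workloads' own probes and initContainers instead."""
    return sorted(m["metadata"]["name"] for m in manifests if not m["spec"]["wait"])


if __name__ == "__main__":
    g = build_graph(LAYERS)
    for i, wave in enumerate(reconciliation_waves(g), 1):
        print(f"wave {i}: {', '.join(wave)}")
    print("roots:", roots(g))
    print("wait: false:", unwaited_layers(LAYERS))
    for consumer in ("apps-static", "apps-data", "infrastructure-auth"):
        print(consumer, "behind configs:", depends_transitively(g, consumer, "infrastructure-configs"))
```

Run as a script, it prints five waves: the three operator roots, then bridge and monitoring together, then configs, then instances alongside both app layers, and finally auth. The same functions can be pointed at manifests loaded from the real clusters/tazlab-k8s directory to catch a mistyped dependsOn name or an accidental cycle before Flux has to.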

Installed Pods And Services

Operator and Core Surfaces

  • cert-manager controller and CRDs
  • traefik Deployment plus LoadBalancer service on 192.168.1.240
  • reloader controller
  • namespace-only scaffolding for dex, auth, cloudflare-ddns, tazlab-db, hugo-blog

Data Surfaces

  • postgres-operator controller
  • tazlab-db Postgres cluster with primary, pgBouncer, backups, and users pgadmin, mnemosyne, tazlab-admin, grafana

Monitoring Surfaces

  • metrics-server
  • kube-prometheus-stack components, including Prometheus, Grafana, node-exporter, and kube-state-metrics
  • Grafana LoadBalancer service on 192.168.1.240:8005

Instance Surfaces

  • cloudflare-ddns deployment
  • pgadmin deployment and LoadBalancer service on 192.168.1.240:8001
  • homepage deployment and LoadBalancer service on 192.168.1.240:8000
  • traefik dashboard LoadBalancer service on 192.168.1.240:8003
  • longhorn dashboard LoadBalancer service on 192.168.1.240:8002
  • dex deployment and ClusterIP service on ports 5556 and 5558
  • tazlab-db-external LoadBalancer service on 192.168.1.241:5432

Auth Surface

  • oauth2-proxy deployment, ClusterIP service, ingress, and Traefik forward-auth middleware on auth.tazlab.net

Application Surfaces

  • hugo-blog deployment, service, ingress, certificate, and redirect middleware on blog.tazlab.net
  • mnemosyne-mcp deployment and LoadBalancer service on 192.168.1.240:8004

Scope Note

The repository also contains an apps-openclaw Flux branch, but this wiki pass intentionally excludes it because the user asked to leave OpenClaw out of the current documentation work.

Relationships

Source Basis

  • AGENTS.ctx/tazlab-k8s/CONTEXT.md
  • AGENTS.ctx/cluster/CONTEXT.md
  • tazlab-k8s/clusters/tazlab-k8s/flux-system/gotk-sync.yaml
  • tazlab-k8s/clusters/tazlab-k8s/*.yaml
  • tazlab-k8s/infrastructure/operators/*
  • tazlab-k8s/infrastructure/instances/*
  • tazlab-k8s/infrastructure/auth/oauth2-proxy/*
  • tazlab-k8s/apps/base/hugo-blog/*
  • tazlab-k8s/apps/base/mnemosyne-mcp/*