TazLab K8s Flux DAG (Dependency Graph)
The cluster desired state is reconciled through a directed acyclic graph (DAG) of 15 Flux Kustomizations. This DAG ensures foundational resources (CNI, DNS, namespaces) are ready before higher-level operators or applications are applied.
The Build Chain
The following order is defined by the dependsOn property in clusters/tazlab-k8s/*.yaml.
Level 0 — Foundation (Parallel Roots)
These four Kustomizations have no dependencies and run in parallel:
infrastructure-operators-namespaces→ Createsai-agentsnamespace. HealthChecks onkube-flannel(DaemonSet) andcoredns(Deployment) to ensure the network is operational.infrastructure-operators-core→ Installs cert-manager, Traefik, reloader, dex, OAuth2 Proxy, cloudflare-ddns, and namespace declarations for tazlab-db, hugo-blog, hugo-wiki.infrastructure-operators-data→ Installs Crunchy PostgreSQL Operator (PGO).infrastructure-tailscale→ Createstailscalenamespace, ExternalSecret for Operator OAuth credentials (k8s_operatorclient), and HelmRepository for the Tailscale chart.
Level 1 — Bridge, Monitoring & Tailscale
infrastructure-bridge→ Configures IngressClass (traefik) and ClusterIssuer (tazlab-issuer, Let’s Encrypt prod). DependsOn:operators-core,operators-namespaces.infrastructure-monitoring→ Installs kube-prometheus-stack (Grafana + Prometheus). DependsOn:operators-namespaces.infrastructure-operators-tailscale→ Installs the Tailscale Operator HelmRelease (v1.96.5). DependsOn:infrastructure-tailscale.
Level 2 — Tailscale DNS
infrastructure-tailscale-dns→ Deploys hostNetwork CoreDNS relay DaemonSet (port 5353) formagellanic-gondola.ts.netresolution, static ClusterIP Service (10.96.0.101), and patches thecorednsConfigMap with a tailnet forwarding zone. Not needed for general pod DNS. DependsOn:infrastructure-operators-tailscale.
Level 3 — Secrets & Identity
infrastructure-configs→ Deploys all ExternalSecrets (Cloudflare token, wildcard TLS, S3, Dex OIDC, GitHub token, OpenClaw secrets). DependsOn:infrastructure-bridge.
Level 4 — Workloads (Parallel)
All five depend on infrastructure-configs. They apply in parallel with wait: false where appropriate:
infrastructure-instances→ Deploys PostgresCluster, Traefik Service/LoadBalancer, Longhorn, Dex, pgadmin, homepage, cloudflare-ddns, OpenClaw, plus all 4 image automation pipelines. DependsOn:infrastructure-configs,infrastructure-operators-data. Useswait: false— pods handle Pending/Init states naturally.apps-static→ Deployshugo-blog(nginx + static files). DependsOn:infrastructure-configs.apps-static-wiki→ Deployshugo-wiki(nginx + static wiki). DependsOn:infrastructure-configs.apps-data→ Deploysmnemosyne-mcp(Go MCP server). DependsOn:infrastructure-configs.
Level 5 — Access Management
infrastructure-auth→ Deploys OAuth2 Proxy + ForwardAuth middleware. DependsOn:infrastructure-instances.
Wait Policy
Not all Kustomizations use the same synchronization strategy:
| Kustomization | wait | Notes |
|---|---|---|
| operators-namespaces | true | Blocks until flannel + coredns ready |
| operators-core | true | |
| operators-data | true | |
| tailscale | true | |
| bridge | true | |
| monitoring | default (true) | |
| operators-tailscale | true | |
| tailscale-dns | true | |
| configs | true | Blocks until secrets available |
| instances | false | Non-blocking — init containers handle readiness |
| apps-static | default (true) | |
| apps-static-wiki | default (true) | |
| apps-data | default (true) | |
| auth | true | Blocks until Dex + OAuth2 healthy |
The key architectural insight: infrastructure-instances uses wait: false because it bundles database, storage, and workloads that take variable time to become ready. Flux applies the manifests quickly and lets Kubernetes handle the Pending/Init states through init containers (e.g., wait-for-db).
Health Checks
Only two Kustomizations use explicit health checks:
infrastructure-operators-namespaces: DaemonSetkube-flannel+ Deploymentcorednsinfrastructure-tailscale: Deploymenttailscale-operator(HelmRelease target)
This is deliberate: once the network is proven healthy, the rest of the DAG relies on dependsOn ordering and init containers rather than health check polling.
See Also
- Detail: Flux Kustomizations Detail — Full 15-table inventory with exact specs
- Logic: Bootstrap Logic — Hand-off from ephemeral-castle
- Mapping: Repository Mapping — Where files live
- Hub: tazlab-k8s