TazLab K8s Operators Inventory

The TazLab cluster is an operator-driven ecosystem. This page lists all controllers, their manifests, and their responsibilities.

Core Services Stack

1. cert-manager (Trust Engine)

  • Manifests: infrastructure/operators/cert-manager/
  • Controller: HelmRelease (cert-manager v1.16.2)
  • Issuer: infrastructure/configs/cert-manager/issuer.yaml — ClusterIssuer tazlab-issuer (Let’s Encrypt prod, HTTP01)
  • Auth: infrastructure/configs/cert-manager/cloudflare-external-secret.yaml — Cloudflare API token for DNS01

2. Traefik (Edge Router)

  • Manifests: infrastructure/operators/traefik/
  • Controller: HelmRelease (traefik v34.0.0)
  • Instance: infrastructure/instances/traefik/service.yaml — LoadBalancer Service, IP 192.168.1.240
  • IngressClass: infrastructure/bridge/ingress-class.yaml

3. External Secrets Operator (ESO)

  • Manifests: infrastructure/operators/core/ (part of core bundle)
  • ClusterSecretStore: tazlab-secrets-vault → HashiCorp Vault (Hetzner).
  • Consumer pattern: ExternalSecret CRDs in infrastructure/configs/

4. Stakater Reloader

  • Manifests: infrastructure/operators/reloader/
  • Function: Automatically rolls Deployments when ConfigMaps/Secrets change
  • Annotations: secret.reloader.stakater.com/reload or configmap.reloader.stakater.com/reload

5. Dex (OIDC Provider)

  • Manifests: infrastructure/operators/dex/
  • Instance: infrastructure/instances/dex/ — Deployment + Ingress + ConfigMap
  • Backend: Google OAuth
  • Config: infrastructure/configs/dex/ — OIDC client ExternalSecrets

6. OAuth2 Proxy

  • Manifests: infrastructure/operators/auth/
  • Instance: infrastructure/auth/oauth2-proxy/ — Deployment + Ingress + ForwardAuth middleware
  • Integration: Works with Dex for Google OAuth authentication
  • Protected services: Grafana, PGAdmin

7. Cloudflare DDNS

  • Manifests: infrastructure/operators/cloudflare-ddns/
  • Instance: infrastructure/instances/cloudflare-ddns/ — Deployment + ExternalSecret
  • Function: Keeps DNS records updated for Traefik LoadBalancer IP

Data & Persistence Stack

8. Crunchy PostgreSQL Operator (PGO)

  • Manifests: infrastructure/operators/postgres-operator/
  • Controller: HelmRelease (PGO v5.7.2)
  • Instance: infrastructure/instances/tazlab-db/cluster.yaml — PostgresCluster tazlab-db
  • Topology: 1 replica, 4Gi RWO (tazlab-storage), pgBouncer enabled
  • Backup: PGBackrest → S3 (tazlab-storage, eu-central-1)

9. Longhorn (Block Storage)

  • Manifests: infrastructure/instances/longhorn/ — Ingress + Service
  • Namespace: longhorn-system
  • StorageClass: tazlab-storage (default, 1 replica, ext4)

Monitoring & Observability

10. kube-prometheus-stack

  • Manifests: infrastructure/operators/monitoring/
  • Components: Prometheus + Grafana + Alertmanager
  • Grafana backend: PostgreSQL (tazlab-db, database grafana)
  • Dashboards: infrastructure/operators/monitoring/dashboards/ — ConfigMap, loaded via sidecar

11. metrics-server

  • Manifests: infrastructure/operators/monitoring/metrics-server.yaml
  • Function: Resource metrics (used by kubectl top, HPA)

Management & Auxiliary

12. pgadmin

  • Manifests: infrastructure/instances/pgadmin/
  • Function: Web UI for PostgreSQL administration
  • Auth: Protected by Dex/OAuth2 ForwardAuth

13. Homepage

  • Manifests: infrastructure/instances/homepage/
  • Function: TazLab service dashboard

14. Tailscale Operator (Deployed 2026-05-08 — CRISP 10-operator-dns-resolution)

  • Manifests: infrastructure/tailscale/ (Layer 1: namespace + ESO secret), infrastructure/operators/tailscale/ (Layer 2: HelmRelease), infrastructure/tailscale-dns/ (Layer 3: DNS relay)
  • Controller: HelmRelease (tailscale-operator v1.96.5, repo https://pkgs.tailscale.com/helmcharts)
  • Flux Kustomizations: infrastructure-tailscale (Layer 1), infrastructure-operators-tailscale (Layer 2), infrastructure-tailscale-dns (Layer 3)
  • OAuth: ExternalSecret in infrastructure/tailscale/ → dedicated client k8s_operator (tag tag:k8s-operator, scopes devices:core, auth_keys, services), credentials in Vault at tazlab-k8s/static/infra/tailscale/TAILSCALE_OPERATOR_CLIENT_*
  • Namespace: tailscale
  • DNS resolution: Enables MagicDNS resolution (magellanic-gondola.ts.net) via a hostNetwork CoreDNS relay DaemonSet with a static hosts mapping. The Operator’s own DNSConfig CR resolves only operator-managed proxy names, not arbitrary tailnet nodes such as lushycorp-vault.
  • Notes: The 3-layer Flux dependency chain (DAG) prevents transient reconciliation errors: the Layer 2 HelmRelease installs only after the Layer 1 Secret exists, and the Layer 3 DNS resources apply only after the Layer 2 CRDs are ready.
  • Pending: Postgres tailnet exposure, admin dashboard migration — CRISP 20-tailscale-service-exposure (deferred)

Namespace Inventory

Explicit namespaces declared in the repository:

Namespace          Declared in                         Purpose
cert-manager       operators/cert-manager/             TLS certificates
traefik            operators/traefik/                  Edge routing
reloader           operators/reloader/                 Secret reload
dex                operators/dex/                      OIDC provider
auth               operators/auth/                     OAuth2 proxy
cloudflare-ddns    operators/cloudflare-ddns/          DynDNS
tazlab-db          operators/tazlab-db/                PostgreSQL
hugo-blog          operators/hugo-blog/                Blog
hugo-wiki          operators/hugo-wiki/                Wiki
monitoring         operators/monitoring/               Observability
ai-agents          operators/namespaces/ai-agents/     AI workloads
tailscale          operators/namespaces/tailscale/     Tailscale Operator
longhorn-system    (installed by Helm)                 Block storage
flux-system        (bootstrap)                         Flux controllers
kube-system        (Talos)                             Kubernetes system
external-secrets   (installed by ephemeral-castle)     ESO controllers

See Also