TazLab K8s Operators Inventory
The TazLab cluster is an operator-driven ecosystem. This page lists all controllers, their manifests, and their responsibilities.
Core Services Stack
1. cert-manager (Trust Engine)
- Manifests: `infrastructure/operators/cert-manager/`
- Controller: HelmRelease (cert-manager v1.16.2)
- Issuer: `infrastructure/configs/cert-manager/issuer.yaml`, ClusterIssuer `tazlab-issuer` (Let's Encrypt prod, HTTP01)
- Auth: `infrastructure/configs/cert-manager/cloudflare-external-secret.yaml`, Cloudflare API token for DNS01
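The issuer above is listed as HTTP01 while the Cloudflare token is provisioned for DNS01. The following ClusterIssuer is an added example, not the repository's `issuer.yaml`, showing how the two solver types coexist on one issuer and how the token Secret is referenced. The issuer name, contact email, DNS zone and the Secret key name are hypothetical; the ingress class `traefik` and the Cloudflare token Secret name `cloudflare-api-token` are assumptions.

```yaml
# Added example (hypothetical names), not the cluster's tazlab-issuer.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-example            # hypothetical
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory   # Let's Encrypt production
    email: admin@example.test           # hypothetical ACME contact
    privateKeySecretRef:
      # ACME account key; for a ClusterIssuer this Secret is looked up in the
      # cluster resource namespace (cert-manager by default), not in the
      # namespace of the Certificate being issued
      name: letsencrypt-example-account-key
    solvers:
      # Most specific solver wins: DNS01 for the listed zones. Needed for hosts
      # that are not reachable from the internet (for example tailnet-only
      # services), where an HTTP01 challenge can never be served.
      - selector:
          dnsZones:
            - example.test              # hypothetical zone
        dns01:
          cloudflare:
            apiTokenSecretRef:
              # Secret written by the Cloudflare ExternalSecret; must also live in
              # the cluster resource namespace for a ClusterIssuer to read it
              name: cloudflare-api-token  # assumed Secret name
              key: api-token              # hypothetical key name
      # Solver without a selector is the fallback: HTTP01 via the traefik IngressClass
      - http01:
          ingress:
            ingressClassName: traefik
```

The Cloudflare token should be scoped to `Zone:DNS:Edit` on the single zone the issuer is allowed to solve for; a token with broader zone rights turns a compromise of the cert-manager namespace into control over all DNS under that account.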
2. Traefik (Edge Router)
- Manifests: `infrastructure/operators/traefik/`
- Controller: HelmRelease (traefik v34.0.0)
- Instance: `infrastructure/instances/traefik/service.yaml`, LoadBalancer Service, IP `192.168.1.240`
- IngressClass: `infrastructure/bridge/ingress-class.yaml`
3. External Secrets Operator (ESO)
- Manifests: `infrastructure/operators/core/` (part of the core bundle)
- ClusterSecretStore: `tazlab-secrets-vault` → HashiCorp Vault (Hetzner)
- Consumer pattern: `ExternalSecret` CRDs in `infrastructure/configs/`
4. Stakater Reloader
- Manifests: `infrastructure/operators/reloader/`
- Function: automatically rolls Deployments when a ConfigMap or Secret they consume changes (a container that read a Secret into environment variables at start never sees the new value otherwise)
- Annotations: `secret.reloader.stakater.com/reload` or `configmap.reloader.stakater.com/reload`
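The ESO consumer pattern (section 3) and the Reloader annotation (section 4) are normally used together: the ExternalSecret keeps a Kubernetes Secret in sync with Vault, and Reloader restarts the workload when that Secret changes, so a rotation in Vault reaches the running process. The manifests below are an added example, not files from `infrastructure/configs/`; the namespace, Secret name, Vault KV path, image and environment key are hypothetical, and the `ClusterSecretStore` name is the one listed on this page.

```yaml
# Added example (hypothetical names), not a manifest from the repository.
# ExternalSecret: read one property from Vault via the ClusterSecretStore
# and materialise it as a Kubernetes Secret in the consumer's namespace.
apiVersion: external-secrets.io/v1        # older ESO releases serve v1beta1
kind: ExternalSecret
metadata:
  name: example-db-credentials            # hypothetical
  namespace: example-app                  # hypothetical
spec:
  refreshInterval: 1h                     # re-read Vault hourly so rotated values propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: tazlab-secrets-vault            # store listed on this page
  target:
    name: example-db-credentials          # Secret to create
    creationPolicy: Owner                 # Secret is owned, and garbage-collected, by this ExternalSecret
  data:
    - secretKey: DB_PASSWORD              # key inside the Kubernetes Secret
      remoteRef:
        key: static/apps/example/db       # hypothetical KV path under the store's mount
        property: password                # field within that KV entry
---
# Deployment: consumes the Secret as environment variables and carries the
# Reloader annotation on the Deployment (not the pod template), naming the
# Secret(s) whose change should trigger a rollout.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
  namespace: example-app
  annotations:
    secret.reloader.stakater.com/reload: "example-db-credentials"   # comma-separated for several
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
        - name: app
          image: ghcr.io/example/app:1.0.0   # hypothetical image
          envFrom:
            - secretRef:
                name: example-db-credentials
```

With `creationPolicy: Owner`, deleting the ExternalSecret also removes the Secret it created; if a workload must keep running through an ESO outage, the ExternalSecret should not be deleted as part of routine reconciliation.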
5. Dex (OIDC Provider)
- Manifests: `infrastructure/operators/dex/`
- Instance: `infrastructure/instances/dex/`, Deployment + Ingress + ConfigMap
- Backend: Google OAuth
- Config: `infrastructure/configs/dex/`, OIDC client ExternalSecrets
6. OAuth2 Proxy
- Manifests: `infrastructure/operators/auth/`
- Instance: `infrastructure/auth/oauth2-proxy/`, Deployment + Ingress + ForwardAuth middleware
- Integration: authenticates against Dex, which in turn federates to Google OAuth
- Protected services: Grafana, PGAdmin
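The ForwardAuth wiring referred to above, as an added example rather than the manifests in `infrastructure/auth/oauth2-proxy/`: a Traefik `Middleware` that sends each request to oauth2-proxy's `/oauth2/auth` endpoint first, and an Ingress that attaches it. The oauth2-proxy Service address and port, the Grafana host and backend Service name are assumptions; the `auth` and `monitoring` namespaces are the ones listed on this page.

```yaml
# Added example (hypothetical names), not a manifest from the repository.
# Traefik ForwardAuth middleware: a request reaches the backend only if
# oauth2-proxy answers /oauth2/auth with 2xx; a 401/403 is returned to the client.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: oauth2-forwardauth
  namespace: auth
spec:
  forwardAuth:
    # assumed in-cluster address of the oauth2-proxy Service
    address: http://oauth2-proxy.auth.svc.cluster.local:4180/oauth2/auth
    # Keep false: Traefik always sets X-Forwarded-Method/Proto/Host/Uri/For
    # from the real request; true would let a client-supplied X-Forwarded-*
    # header pass through to oauth2-proxy, which uses Host/Proto/Uri to build
    # its sign-in redirect.
    trustForwardHeader: false
    # Headers copied from oauth2-proxy's 202 response into the request that
    # reaches the backend (oauth2-proxy needs --set-xauthrequest for these)
    authResponseHeaders:
      - X-Auth-Request-User
      - X-Auth-Request-Email
---
# Ingress for a protected service. The middleware reference has the form
# <namespace>-<name>@kubernetescrd.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: auth-oauth2-forwardauth@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: grafana.example.test          # hypothetical host
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana             # assumed Service name
                port:
                  number: 80
```

Two things must hold for the sign-in round trip to work: oauth2-proxy runs with `--reverse-proxy=true` so it reads the `X-Forwarded-*` headers Traefik sets, and the `/oauth2/` path on the protected host (or a dedicated auth host allowed through `--whitelist-domain` with a shared cookie domain) is routed to oauth2-proxy so the OIDC callback can land. A service that is not behind the middleware is not protected, regardless of this configuration, so every Ingress for Grafana and PGAdmin needs the annotation.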
7. Cloudflare DDNS
- Manifests: `infrastructure/operators/cloudflare-ddns/`
- Instance: `infrastructure/instances/cloudflare-ddns/`, Deployment + ExternalSecret
- Function: keeps DNS records updated for the Traefik LoadBalancer IP
Data & Persistence Stack
8. Crunchy PostgreSQL Operator (PGO)
- Manifests: `infrastructure/operators/postgres-operator/`
- Controller: HelmRelease (PGO v5.7.2)
- Instance: `infrastructure/instances/tazlab-db/cluster.yaml`, PostgresCluster `tazlab-db`
- Topology: 1 replica, 4Gi RWO (`tazlab-storage`), pgBouncer enabled
- Backup: pgBackRest → S3 (bucket `tazlab-storage`, region eu-central-1)
9. Longhorn (Block Storage)
- Manifests: `infrastructure/instances/longhorn/`, Ingress + Service
- Namespace: `longhorn-system`
- StorageClass: `tazlab-storage` (default; 1 replica, so volumes have no redundancy across nodes; ext4)
Monitoring & Observability
10. kube-prometheus-stack
- Manifests: `infrastructure/operators/monitoring/`
- Components: Prometheus + Grafana + Alertmanager
- Grafana backend: PostgreSQL (`tazlab-db`, database `grafana`)
- Dashboards: `infrastructure/operators/monitoring/dashboards/`, ConfigMaps loaded via the Grafana sidecar
11. metrics-server
- Manifests: `infrastructure/operators/monitoring/metrics-server.yaml`
- Function: resource metrics (used by `kubectl top` and HPA)
Management & Auxiliary
12. pgadmin
- Manifests: `infrastructure/instances/pgadmin/`
- Function: web UI for PostgreSQL administration
- Auth: protected by Dex/OAuth2 ForwardAuth
13. Homepage
- Manifests: `infrastructure/instances/homepage/`
- Function: TazLab service dashboard
14. Tailscale Operator (deployed 2026-05-08, CRISP `10-operator-dns-resolution`)
- Manifests: `infrastructure/tailscale/` (Layer 1: namespace + ESO secret), `infrastructure/operators/tailscale/` (Layer 2: HelmRelease), `infrastructure/tailscale-dns/` (Layer 3: DNS relay)
- Controller: HelmRelease (tailscale-operator v1.96.5, repo https://pkgs.tailscale.com/helmcharts)
- Flux Kustomizations: `infrastructure-tailscale` (Layer 1), `infrastructure-operators-tailscale` (Layer 2), `infrastructure-tailscale-dns` (Layer 3)
- OAuth: ExternalSecret in `infrastructure/tailscale/` → dedicated client `k8s_operator` (tag `tag:k8s-operator`, scopes `devices:core`, `auth_keys`, `services`); credentials in Vault at `tazlab-k8s/static/infra/tailscale/TAILSCALE_OPERATOR_CLIENT_*`
- Namespace: `tailscale`
- DNS resolution: MagicDNS names (`magellanic-gondola.ts.net`) resolve through a hostNetwork CoreDNS relay DaemonSet with a static hosts mapping. The Operator's own DNSConfig CR only resolves operator-managed proxy names, not arbitrary tailnet nodes such as `lushycorp-vault`.
- Notes: the 3-layer Flux DAG removes transient reconcile errors: the Layer 2 HelmRelease is applied only after the Layer 1 Secret exists, and the Layer 3 DNS resources are applied only after the Layer 2 CRDs are ready.
- Pending: Postgres tailnet exposure and admin dashboard migration (CRISP `20-tailscale-service-exposure`, deferred)
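The ordering described in the notes above depends on one detail of Flux that is easy to miss: `dependsOn` only waits for the dependency Kustomization to report `Ready`, and without `wait: true` (or explicit `healthChecks`) a Kustomization is `Ready` as soon as its objects are applied, not when they are healthy. A HelmRelease that has been created but is still installing would then let Layer 3 proceed before the operator's CRDs exist. The three Kustomizations below are an added example of the DAG, not the repository's Flux manifests; the Kustomization names and paths are the ones listed on this page, while the `flux-system` namespace, the `GitRepository` named `flux-system`, and the intervals and timeouts are assumptions.

```yaml
# Added example (assumed source and intervals), not the repository's Flux manifests.
# Layer 1: namespace + ExternalSecret that materialises the operator's OAuth client.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-tailscale
  namespace: flux-system
spec:
  interval: 10m
  sourceRef:
    kind: GitRepository
    name: flux-system                  # assumed source name
  path: ./infrastructure/tailscale
  prune: true
  wait: true                           # Ready only once the ExternalSecret reports Ready, i.e. the Secret exists
  timeout: 5m
---
# Layer 2: the operator HelmRelease. Applied only after Layer 1 is Ready, so the
# chart never starts with a missing OAuth Secret.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-operators-tailscale
  namespace: flux-system
spec:
  interval: 10m
  dependsOn:
    - name: infrastructure-tailscale
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./infrastructure/operators/tailscale
  prune: true
  wait: true                           # Ready only once the HelmRelease is Ready: chart installed, CRDs registered
  timeout: 10m
---
# Layer 3: DNS relay resources that reference objects owned by the operator.
# Without wait: true on Layer 2, this layer could be applied while the chart
# is still installing and fail on unknown CRDs.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: infrastructure-tailscale-dns
  namespace: flux-system
spec:
  interval: 10m
  dependsOn:
    - name: infrastructure-operators-tailscale
  sourceRef:
    kind: GitRepository
    name: flux-system
  path: ./infrastructure/tailscale-dns
  prune: true
  wait: true
  timeout: 5m
```

`wait: true` relies on Flux's kstatus health assessment, which reads the `Ready` condition that both ExternalSecret and HelmRelease expose; where a resource exposes no such condition, an explicit `healthChecks` entry on a resource that does is the alternative. `prune: true` on each layer means removing a manifest from Git deletes the object, so the operator Secret in Layer 1 is also subject to that lifecycle.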
Namespace Inventory
Explicit namespaces declared in the repository:
| Namespace | Declared in | Purpose |
|---|---|---|
| cert-manager | operators/cert-manager/ | TLS certificates |
| traefik | operators/traefik/ | Edge routing |
| reloader | operators/reloader/ | Secret reload |
| dex | operators/dex/ | OIDC provider |
| auth | operators/auth/ | OAuth2 proxy |
| cloudflare-ddns | operators/cloudflare-ddns/ | DynDNS |
| tazlab-db | operators/tazlab-db/ | PostgreSQL |
| hugo-blog | operators/hugo-blog/ | Blog |
| hugo-wiki | operators/hugo-wiki/ | Wiki |
| monitoring | operators/monitoring/ | Observability |
| ai-agents | operators/namespaces/ai-agents/ | AI workloads |
| tailscale | operators/namespaces/tailscale/ | Tailscale Operator |
| longhorn-system | (installed by Helm) | Block storage |
| flux-system | (bootstrap) | Flux controllers |
| kube-system | (Talos) | Kubernetes system |
| external-secrets | (installed by ephemeral-castle) | ESO controllers |
See Also
- Detail: Flux Kustomizations Detail — How these operators are orchestrated
- Mapping: Repository Mapping — Where to find files
- Hub: tazlab-k8s