TazLab Secret And Identity Flow

Scope

This page explains how operator identity, secret custody, and secret delivery currently move across the main TazLab layers.

Current Synthesis

TazLab uses a layered secret model rather than a single monolithic secret store. Operator-side custody is centered on TazPod and its encrypted vault, infrastructure bootstrap consumes selected secrets from the operator environment, and cluster workloads consume secrets through external secret delivery rather than inline manifest values.

The concrete deployment points for these flows are documented in TazLab Flux DAG.

Main Flows

Operator Secret Custody

  • tazpod unlocks the working secret set into RAM
  • the durable operator recovery artifact is the encrypted vault stored in S3
  • common operator credentials include GitHub, AWS, Proxmox, and Infisical or runtime-specific credentials

Infrastructure Bootstrap Consumption

  • ephemeral-castle consumes selected credentials from ~/secrets/ for bootstrap and destroy flows
  • examples include Proxmox API credentials, Infisical machine identity, GitHub token, and Tailscale bootstrap material

Cluster Secret Delivery

  • tazlab-k8s does not keep plaintext secrets in git
  • workloads consume secrets through ExternalSecret resources and the logical ClusterSecretStore tazlab-secrets
  • the current live backend remains Infisical-backed, but the declared architectural direction is migration toward the lushycorp-vault / Vault-backed delivery track
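The following manifest pair is an added example, not a TazLab manifest, showing the consumption pattern the list above describes: a workload references only a Kubernetes Secret by name, that Secret is materialized by an ExternalSecret pointing at the logical ClusterSecretStore tazlab-secrets, and no secret value appears in git. The namespace demo, the Secret name demo-app-creds, the remote key demo-app and its property DB_PASSWORD are assumed placeholders. The ExternalSecret API fields are those of the External Secrets Operator (external-secrets.io); the ClusterSecretStore itself is not shown because its provider block is the one piece that changes when the backend behind tazlab-secrets moves from Infisical to Vault.

```yaml
# Added example (not from the tazlab-k8s repository).
# Assumed names: namespace "demo", Secret "demo-app-creds",
# backend entry "demo-app" with a field "DB_PASSWORD".

# The inline alternative this replaces would be a "kind: Secret" with
# stringData/data committed to git; base64 is encoding, not encryption,
# so anyone with repository read access would hold the value.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: demo-app-creds
  namespace: demo
spec:
  refreshInterval: 1h               # re-sync cadence from the backend
  secretStoreRef:
    kind: ClusterSecretStore
    name: tazlab-secrets            # logical store named on this page
  target:
    name: demo-app-creds            # Kubernetes Secret the operator creates
    creationPolicy: Owner           # operator owns and garbage-collects it
  data:
    - secretKey: DB_PASSWORD        # key inside the generated Secret
      remoteRef:
        key: demo-app               # assumed entry name in the backend
        property: DB_PASSWORD       # assumed field within that entry
---
# The workload consumes the generated Secret by name only. Swapping the
# provider behind tazlab-secrets requires no change to this Deployment.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
    spec:
      containers:
        - name: app
          image: registry.example/demo-app:latest   # assumed image
          env:
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: demo-app-creds              # created by the ExternalSecret
                  key: DB_PASSWORD
```

After applying, `kubectl -n demo get externalsecret demo-app-creds` reports a Ready condition; if tazlab-secrets cannot reach its backend, the condition stays false and the target Secret is never created, so the pod fails to start rather than running with a stale or empty credential. That behaviour is what to watch for when the store is re-pointed from Infisical to the Vault-backed track: the ExternalSecret objects are unchanged, so a sync failure after the cutover points at the ClusterSecretStore provider configuration, not at the workloads.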

Runtime-Specific Secret Custody

  • the Hetzner Vault runtime under ephemeral-castle keeps host-side material deliberately minimal
  • operator recovery artifacts remain primarily in TazPod while runtime-local artifacts are constrained to what is needed for operation and local recovery behavior

Architectural Tension

The current system is intentionally transitional. The cluster secret-consumption pattern already abstracts through tazlab-secrets, but the live backend is still Infisical-backed today; the intended direction is to move to the lushycorp-vault / Vault runtime as the long-term controlled replacement, with workloads unaffected because they reference only the logical store.

Relationships

Source Basis

  • AGENTS.ctx/tazpod/CONTEXT.md
  • AGENTS.ctx/ephemeral-castle/CONTEXT.md
  • AGENTS.ctx/tazlab-k8s/CONTEXT.md
  • AGENTS.ctx/memory/system-state.md