NOT APPLIED. Staged for a fresh-session finish (see memory runbook). Contains:
- stacks/goldmane-edge-aggregator/{main.tf,terragrunt.hcl}: namespace, TF-minted
mTLS client cert from tigera-ca-private, goldmane_edges PG DB-init Job, db +
slack ExternalSecrets, aggregate Deployment + digest CronJob.
- stacks/vault/main.tf: pg-goldmane-edges static rotation role (Tier-0).
- stacks/kyverno/.../ghcr-credentials.tf: ns added to the private-image allowlist.
KNOWN BLOCKER: the stack uses the hashicorp/tls provider (cert minting) but the
root terragrunt.hcl generate "k8s_providers" block doesn't declare it, and a
second required_providers (the removed versions.tf) is illegal. FIX = add tls to
that global block (mirrors proxmox/kubectl). Then apply order: db_init (creates
goldmane_edges role) -> kyverno -> vault (Tier-0, plan-review) -> stack
ExternalSecrets (targeted, first-apply) -> stack full -> verify mTLS to
goldmane:7443. Vault KV secret/goldmane-edge-aggregator already created.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
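The blocker described above, worked through as an added example (this is not the repository's code and was not part of the commit): the root `generate "k8s_providers"` block declares `hashicorp/tls` once, so the stack no longer needs a local `versions.tf`, and the stack's `main.tf` then uses the provider to mint the Goldmane client certificate. Assumptions, not taken from the page: the `path`/`if_exists` values of the generate block, the existing `kubernetes` and `kubectl` entries and their `source`/`version` strings, that `tigera-ca-private` lives in the `tigera-operator` namespace with `tls.crt`/`tls.key` keys, the `kubernetes_secret` data source being available through the same generated providers, and the names `goldmane-client-tls`, `goldmane_client` and the certificate subject.

```hcl
# --- root terragrunt.hcl (added example; shape of the existing block is assumed) ---
generate "k8s_providers" {
  path      = "providers.tf"
  if_exists = "overwrite_terragrunt"
  contents  = <<-EOF
    terraform {
      required_providers {
        kubernetes = {
          source  = "hashicorp/kubernetes"   # assumed existing entry
          version = "~> 2.30"
        }
        kubectl = {
          source  = "gavinbunney/kubectl"    # assumed existing entry (page names kubectl, not its source)
          version = "~> 1.14"
        }
        # Added here, once for every stack: Terraform rejects a module that carries a
        # second required_providers block ("Duplicate required providers configuration"),
        # so a stack-local versions.tf cannot supply it.
        tls = {
          source  = "hashicorp/tls"
          version = "~> 4.0"
        }
      }
    }
  EOF
}

# --- stacks/goldmane-edge-aggregator/main.tf (added example) ---
# Assumed: the Calico CA keypair is in tigera-operator/tigera-ca-private.
data "kubernetes_secret" "tigera_ca" {
  metadata {
    name      = "tigera-ca-private"
    namespace = "tigera-operator"
  }
}

# Client key generated by Terraform. Caveat: the PEM lands in the PG state backend,
# as does the CA private key read above; the state schema must be treated as Tier-0.
resource "tls_private_key" "client" {
  algorithm   = "ECDSA"
  ecdsa_curve = "P256"
}

resource "tls_cert_request" "client" {
  private_key_pem = tls_private_key.client.private_key_pem
  subject {
    common_name = "goldmane-edge-aggregator.goldmane-edge-aggregator.svc"  # assumed
  }
}

# Signed by the Tigera CA so goldmane:7443 accepts it as a client cert.
# client_auth is the only extended key usage; the cert cannot be replayed as a server cert.
resource "tls_locally_signed_cert" "client" {
  cert_request_pem      = tls_cert_request.client.cert_request_pem
  ca_private_key_pem    = data.kubernetes_secret.tigera_ca.data["tls.key"]
  ca_cert_pem           = data.kubernetes_secret.tigera_ca.data["tls.crt"]
  validity_period_hours = 24 * 90
  early_renewal_hours   = 24 * 14   # plan shows a replacement two weeks before expiry
  allowed_uses          = ["digital_signature", "key_encipherment", "client_auth"]
}

# Mounted by the aggregate Deployment and the digest CronJob; ca.crt lets the
# client verify Goldmane's serving cert chains to the same CA.
resource "kubernetes_secret_v1" "goldmane_client" {
  metadata {
    name      = "goldmane-client-tls"
    namespace = "goldmane-edge-aggregator"
  }
  type = "kubernetes.io/tls"
  data = {
    "tls.crt" = tls_locally_signed_cert.client.cert_pem
    "tls.key" = tls_private_key.client.private_key_pem
    "ca.crt"  = data.kubernetes_secret.tigera_ca.data["tls.crt"]
  }
}
```

With the provider declared in the root generate block, `terragrunt plan` in the stack should resolve `hashicorp/tls` without any stack-local `required_providers`; if it still errors on a duplicate declaration, a leftover `versions.tf` is the first thing to look for. The `early_renewal_hours` setting is what keeps the mTLS client from expiring silently: the next plan after that threshold replaces the certificate and the Secret together.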
24 lines
848 B
HCL
include "root" {
  path = find_in_parent_folders()
}

# Tier-1 stack (PG state backend). The root terragrunt.hcl generates backend.tf
# (pg backend, schema_name = "goldmane-edge-aggregator"), providers.tf,
# cloudflare_provider.tf and tiers.tf automatically — do NOT hand-write those.
# This stack also needs hashicorp/tls (client cert minting). Terraform rejects a
# second required_providers block, so the provider must be declared in the root
# generate "k8s_providers" block rather than in a stack-local versions.tf.

dependency "platform" {
  config_path  = "../platform"
  skip_outputs = true
}

dependency "vault" {
  config_path  = "../vault"
  skip_outputs = true
}

# The Vault DB static role pg-goldmane-edges (7-day rotation) and the CNPG
# connection allowlist entry live in the vault stack (stacks/vault/main.tf).
# The vault dependency above orders this stack after it so the ExternalSecret
# can materialize the rotated credential on first apply.