@claude
Context: FuzeFront (and future consumer repos) now declare infra needs in git and dispatch to FuzeInfra to reconcile — FuzeFront PR #76 adds deploy/terraform/node-request.tf (referencing a FuzeInfra-owned module) + .github/workflows/infra-dispatch.yml that fires repository_dispatch (event_type: infra-request) at this repo. FuzeInfra is the sole credential holder. Build the handler side.
Please add to FuzeInfra:
modules/contabo-k3s-node — a Terraform module using the official contabo/contabo provider's contabo_instance (+ contabo_private_network attach): creates the VPS, injects an SSH key, and via user_data cloud-init runs k3s agent join to the existing cluster (server URL + node-token from variables) and labels the node (node-role=<role>). Inputs: requests[] ({name, product_id, region, role, labels}); creds + k3s_server_url + k3s_node_token as variables (from secrets, never hardcoded).
.github/workflows/infra-request-handler.yml — on: repository_dispatch: types: [infra-request]: check out the requesting repo's deploy/terraform/ + deploy/argocd/; validate each request against a whitelist (allowed product_id tier(s), region == EU, role ∈ {workload}, bounded node-count) → auto-apply (terraform apply with FuzeInfra's Contabo creds + k3s join token + a FuzeInfra-owned remote TF state backend), then k3s-join+label the node and kubectl apply/argocd-sync the changed Argo Applications. Non-whitelisted → open a gated PR with terraform plan (manual approval), do not auto-apply.
- Document the scoped token the consumer needs: a fine-grained PAT or GitHub App with permission ONLY to trigger
repository_dispatch on FuzeInfra — the consumer stores it as FUZEINFRA_DISPATCH_TOKEN. (Izzy: create it + add to FuzeFront repo secrets.)
Also (separate, for CI parity): publish a consumer test-harness compose (docker-compose.consumer-test.yml or similar) — a trimmed set of the shared base services (Postgres/Redis/Kafka/ChromaDB/MailHog) pinned to the SAME image versions prod runs — so consumer repos' CI can stand up version-accurate ephemeral infra (via the FuzeInfra submodule) instead of hand-rolling and drifting. Expose the canonical image versions in one place.
Constraints: generic (works for any consumer repo, not FuzeFront-specific); secrets via FuzeInfra's CI secrets only; PR against main; whitelist auto-apply per above. On completion, open the PR(s) and post links.
@claude
Context: FuzeFront (and future consumer repos) now declare infra needs in git and dispatch to FuzeInfra to reconcile — FuzeFront PR #76 adds
deploy/terraform/node-request.tf(referencing a FuzeInfra-owned module) +.github/workflows/infra-dispatch.ymlthat firesrepository_dispatch (event_type: infra-request)at this repo. FuzeInfra is the sole credential holder. Build the handler side.Please add to FuzeInfra:
modules/contabo-k3s-node— a Terraform module using the officialcontabo/contaboprovider'scontabo_instance(+contabo_private_networkattach): creates the VPS, injects an SSH key, and viauser_datacloud-init runsk3s agentjoin to the existing cluster (server URL + node-token from variables) and labels the node (node-role=<role>). Inputs:requests[]({name, product_id, region, role, labels}); creds +k3s_server_url+k3s_node_tokenas variables (from secrets, never hardcoded)..github/workflows/infra-request-handler.yml—on: repository_dispatch: types: [infra-request]: check out the requesting repo'sdeploy/terraform/+deploy/argocd/; validate each request against a whitelist (allowedproduct_idtier(s),region == EU,role ∈ {workload}, bounded node-count) → auto-apply (terraform applywith FuzeInfra's Contabo creds + k3s join token + a FuzeInfra-owned remote TF state backend), thenk3s-join+label the node andkubectl apply/argocd-sync the changed Argo Applications. Non-whitelisted → open a gated PR withterraform plan(manual approval), do not auto-apply.repository_dispatchon FuzeInfra — the consumer stores it asFUZEINFRA_DISPATCH_TOKEN. (Izzy: create it + add to FuzeFront repo secrets.)Also (separate, for CI parity): publish a consumer test-harness compose (
docker-compose.consumer-test.ymlor similar) — a trimmed set of the shared base services (Postgres/Redis/Kafka/ChromaDB/MailHog) pinned to the SAME image versions prod runs — so consumer repos' CI can stand up version-accurate ephemeral infra (via the FuzeInfra submodule) instead of hand-rolling and drifting. Expose the canonical image versions in one place.Constraints: generic (works for any consumer repo, not FuzeFront-specific); secrets via FuzeInfra's CI secrets only; PR against
main; whitelist auto-apply per above. On completion, open the PR(s) and post links.