Skip to content

[infra] infra-request dispatch handler + contabo-k3s-node module + consumer test-harness #33

Description

@izzywdev

@claude

Context: FuzeFront (and future consumer repos) now declare infra needs in git and dispatch to FuzeInfra to reconcile — FuzeFront PR #76 adds deploy/terraform/node-request.tf (referencing a FuzeInfra-owned module) + .github/workflows/infra-dispatch.yml that fires repository_dispatch (event_type: infra-request) at this repo. FuzeInfra is the sole credential holder. Build the handler side.

Please add to FuzeInfra:

  1. modules/contabo-k3s-node — a Terraform module using the official contabo/contabo provider's contabo_instance (+ contabo_private_network attach): creates the VPS, injects an SSH key, and via user_data cloud-init runs k3s agent join to the existing cluster (server URL + node-token from variables) and labels the node (node-role=<role>). Inputs: requests[] ({name, product_id, region, role, labels}); creds + k3s_server_url + k3s_node_token as variables (from secrets, never hardcoded).
  2. .github/workflows/infra-request-handler.ymlon: repository_dispatch: types: [infra-request]: check out the requesting repo's deploy/terraform/ + deploy/argocd/; validate each request against a whitelist (allowed product_id tier(s), region == EU, role ∈ {workload}, bounded node-count) → auto-apply (terraform apply with FuzeInfra's Contabo creds + k3s join token + a FuzeInfra-owned remote TF state backend), then k3s-join+label the node and kubectl apply/argocd-sync the changed Argo Applications. Non-whitelisted → open a gated PR with terraform plan (manual approval), do not auto-apply.
  3. Document the scoped token the consumer needs: a fine-grained PAT or GitHub App with permission ONLY to trigger repository_dispatch on FuzeInfra — the consumer stores it as FUZEINFRA_DISPATCH_TOKEN. (Izzy: create it + add to FuzeFront repo secrets.)

Also (separate, for CI parity): publish a consumer test-harness compose (docker-compose.consumer-test.yml or similar) — a trimmed set of the shared base services (Postgres/Redis/Kafka/ChromaDB/MailHog) pinned to the SAME image versions prod runs — so consumer repos' CI can stand up version-accurate ephemeral infra (via the FuzeInfra submodule) instead of hand-rolling and drifting. Expose the canonical image versions in one place.

Constraints: generic (works for any consumer repo, not FuzeFront-specific); secrets via FuzeInfra's CI secrets only; PR against main; whitelist auto-apply per above. On completion, open the PR(s) and post links.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions