NEVER modify cluster resources directly. All changes must be made through Infrastructure as Code:
- Terraform/Terragrunt for infrastructure (Hetzner servers, DNS, Talos images)
- ArgoCD Applications for Kubernetes resources
- Git commits to persist all changes
If we cannot replicate everything with IaC, the mission has failed.
- `kubectl delete`/`apply`/`patch` directly
- `talosctl` commands that modify state (upgrade is acceptable only if not automatable via Terraform)
- Manual helm installs
- Any imperative commands that change cluster state
- Modify ArgoCD manifests in `argocd/base/` or `argocd/overlays/`
- Update Terraform/Terragrunt configurations
- Commit changes to git
- Let ArgoCD sync automatically or trigger sync via ArgoCD CLI
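The workflow above only holds if the cluster really matches git, so a drift check belongs beside it. The following script is an added example, not part of this repository: it parses the JSON that `kubectl get applications.argoproj.io -n argocd -o json` emits (the `status.sync.status` and `status.resources[]` fields are standard ArgoCD Application fields) and lists every Application whose live state has diverged, down to the individual out-of-sync resource. The application names and resources in the sample are constructed.

```python
"""Drift check for the GitOps-only rule (added example, not repository code):
any Application that is not 'Synced' means something reached the cluster
without going through git, which is exactly what the rule forbids."""
import json

# Constructed sample in the shape of `kubectl get applications -n argocd -o json`.
SAMPLE_APPS = json.dumps({"items": [
    {"metadata": {"name": "ingress-nginx"},
     "status": {"sync": {"status": "Synced"}, "health": {"status": "Healthy"},
                "resources": [
                    {"kind": "Deployment", "namespace": "ingress",
                     "name": "ingress-nginx", "status": "Synced"}]}},
    {"metadata": {"name": "cert-manager"},
     "status": {"sync": {"status": "OutOfSync"}, "health": {"status": "Healthy"},
                "resources": [
                    {"kind": "Deployment", "namespace": "cert-manager",
                     "name": "cert-manager", "status": "OutOfSync"},
                    # Cluster-scoped resource: no namespace field.
                    {"kind": "ClusterIssuer", "name": "letsencrypt",
                     "status": "Synced"}]}},
    {"metadata": {"name": "monitoring"},
     "status": {"sync": {"status": "Unknown"}, "health": {"status": "Degraded"},
                "resources": []}},
]})


def find_drift(apps_json: str) -> dict[str, list[str]]:
    """Return {application: ["Kind/namespace/name", ...]} for every Application
    whose sync status is anything other than 'Synced'.  Resources that are still
    reported Synced are omitted; an Application that reports no per-resource
    detail (e.g. sync status Unknown) maps to an empty list so it is still flagged."""
    drift: dict[str, list[str]] = {}
    for app in json.loads(apps_json).get("items", []):
        name = app["metadata"]["name"]
        status = app.get("status", {})
        if status.get("sync", {}).get("status") == "Synced":
            continue
        drift[name] = [
            # Join only the parts that exist, so cluster-scoped kinds render as Kind/name.
            "/".join(p for p in (r.get("kind"), r.get("namespace"), r.get("name")) if p)
            for r in status.get("resources", [])
            if r.get("status") != "Synced"
        ]
    return drift


if __name__ == "__main__":
    for app, resources in find_drift(SAMPLE_APPS).items():
        print(f"{app}: {', '.join(resources) or 'no resource detail'}")
```

Pipe the real `kubectl get applications.argoproj.io -n argocd -o json` output into `find_drift` from a CI job and fail the job on a non-empty result; the fix for anything it reports is a git commit, never a kubectl command.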
- `terraform/live/` - Per-cluster Terragrunt stacks
- `terraform/modules/` - Reusable Terraform modules (cluster, dns, firewall)
- `argocd/base/` - Shared manifests with placeholders
- `argocd/overlays/` - Per-cluster config (secrets, domains, patches)
- `tasks/` - Taskfile automation scripts