This directory contains GitOps application manifests that are deployed as part of the openCenter cluster provisioning workflow. All applications are managed using Flux CD and follow GitOps principles for declarative, version-controlled deployments.
```
applications/
├── base/                       # Base application configurations
│   ├── managed-services/       # Rackspace-managed services
│   └── services/               # Core cluster services
│       └── observability/      # Observability stack components
└── policies/                   # Security and network policies
    ├── network-policies/       # Kubernetes network policies
    ├── pod-security-policies/  # Pod security standards
    └── rbac/                   # Role-based access controls
```
| Service | Namespace | Purpose | Documentation |
|---|---|---|---|
| cert-manager | cert-manager | Automated TLS certificate management | README |
| external-snapshotter | kube-system | Volume snapshot management | README |
| gateway-api | gateway-system | Next-generation ingress API | README |
| harbor | harbor | Container registry with security scanning | README |
| headlamp | headlamp | Modern Kubernetes dashboard | README |
| keycloak | keycloak | Identity and access management | README |
| kyverno | kyverno | Kubernetes-native policy engine | README |
| longhorn | longhorn-system | Distributed block storage | README |
| metallb | metallb-system | Load balancer for bare-metal clusters | README |
| olm | olm | Operator Lifecycle Manager | README |
| openstack-ccm | kube-system | OpenStack Cloud Controller Manager | README |
| openstack-csi | kube-system | OpenStack Cinder CSI driver | README |
| postgres-operator | postgres-operator | PostgreSQL cluster management | README |
| rbac-manager | rbac-manager | RBAC management automation | README |
| sealed-secrets | kube-system | GitOps-friendly secret management | README |
| velero | velero | Backup and disaster recovery | README |
| vsphere-csi | vmware-system-csi | vSphere storage integration | README |
| weave-gitops | flux-system | GitOps dashboard for Flux | README |

| Component | Namespace | Purpose | Documentation |
|---|---|---|---|
| observability | observability | Complete observability stack | README |
| kube-prometheus-stack | observability | Prometheus, Grafana, Alertmanager | README |
| loki | observability | Log aggregation and storage | README |
| tempo | observability | Distributed tracing backend | README |
| opentelemetry-kube-stack | observability | OpenTelemetry collection framework | README |

| Service | Namespace | Purpose | Documentation |
|---|---|---|---|
| alert-proxy | rackspace | Rackspace alert aggregation | README |

| Policy | Scope | Purpose |
|---|---|---|
| network-policies | Various | Kubernetes network segmentation |
| pod-security-policies | Various | Pod security standards enforcement |
| rbac | Various | Role-based access control |
All applications follow these patterns:
- HelmRepository: Defines Helm chart sources
- HelmRelease: Manages application deployments
- Kustomization: Handles plain Kubernetes manifests
- GitRepository: References external Git sources
- Interval: 5-minute reconciliation cycles
- Timeout: 10-minute installation/upgrade timeouts
- Drift Detection: Enabled for configuration consistency
- Remediation: 3-retry policy with last-failure remediation
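The settings listed above map onto concrete Flux fields. The following HelmRepository/HelmRelease pair is an added illustration written for this README, not a manifest taken from the repository: the namespace, chart source URL, chart name and version are placeholders, and the API versions assume a current Flux CD release (`source.toolkit.fluxcd.io/v1`, `helm.toolkit.fluxcd.io/v2`).

```yaml
# Added illustration (not a manifest from this repository): a HelmRepository
# plus a HelmRelease carrying the reconciliation, timeout, drift-detection and
# remediation settings described above. Names, URL and version are placeholders.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: example-charts
  namespace: example-app
spec:
  interval: 5m                          # re-fetch the repository index every 5 minutes
  url: https://charts.example.invalid   # HTTPS source, as the security practices require
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: example-app
  namespace: example-app
spec:
  interval: 5m          # reconcile the release against Git state every 5 minutes
  timeout: 10m          # allow Helm install/upgrade operations up to 10 minutes
  driftDetection:
    mode: enabled       # correct in-cluster changes that diverge from the rendered manifests
  chart:
    spec:
      chart: example-app
      version: "1.0.0"  # placeholder; pin the real chart version in Git
      sourceRef:
        kind: HelmRepository
        name: example-charts
  install:
    remediation:
      retries: 3                  # retry a failed install up to 3 times
      remediateLastFailure: true  # uninstall after the final failed attempt so the next sync starts clean
  upgrade:
    remediation:
      retries: 3                  # retry a failed upgrade up to 3 times
      remediateLastFailure: true  # after the final failed attempt, apply the strategy below
      strategy: rollback          # roll back to the last successful release
  values: {}                      # cluster-specific overrides go here
```

With `driftDetection.mode: enabled`, a manual `kubectl edit` of a managed resource is reverted on the next 5-minute reconciliation, which is what keeps the cluster state equal to the committed state; `flux reconcile helmrelease example-app -n example-app` triggers the same check on demand.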
- cert-manager: TLS certificate management
- gateway-system: Gateway API controllers
- harbor: Container registry and security scanning
- headlamp: Kubernetes dashboard
- keycloak: Identity and access management
- kyverno: Policy engine and governance
- longhorn-system: Distributed storage
- metallb-system: Load balancing for bare-metal
- observability: Complete monitoring, logging, and tracing stack
- olm: Operator lifecycle management
- postgres-operator: PostgreSQL database management
- rbac-manager: RBAC automation
- velero: Backup and disaster recovery
- vmware-system-csi: vSphere storage integration
- flux-system: GitOps controllers and dashboards
- rackspace: Managed services
Applications are automatically deployed during cluster provisioning via the openCenter workflow:
- Cluster Bootstrap: Infrastructure provisioning
- Flux Installation: GitOps controller setup
- Application Deployment: Flux processes application manifests
- Configuration Sync: Continuous reconciliation with Git state
```bash
# Check application status
kubectl get helmreleases -A

# View application logs
kubectl logs -n flux-system deploy/helm-controller

# Force reconciliation
flux reconcile helmrelease <app-name> -n <namespace>
```

Applications can be customized through:
- Helm Values: Override default chart values
- Kustomizations: Patch base configurations
- Overlays: Environment-specific modifications
- ConfigMaps/Secrets: Runtime configuration
- All Helm repositories use HTTPS
- Applications follow least-privilege access patterns
- Network policies enforce traffic segmentation
- Pod security standards prevent privilege escalation
- Secrets are encrypted using sealed-secrets or SOPS
The observability stack provides comprehensive monitoring, logging, and tracing:
- Kube-Prometheus-Stack: Prometheus, Grafana, and Alertmanager
  - Metrics Collection: Application and infrastructure metrics
  - Dashboards: Pre-configured Grafana dashboards for Kubernetes and applications
  - Alerting: Production-ready alerting rules with notification routing
- Loki: Cost-effective log aggregation and storage
  - Log Collection: Kubernetes and application logs via OpenTelemetry
  - Log Querying: LogQL for powerful log filtering and analysis
  - Retention: Configurable log retention policies
- Tempo: Distributed tracing backend
  - Trace Collection: OpenTelemetry-based trace ingestion
  - Trace Analysis: TraceQL for trace querying and analysis
  - Integration: Unified view with metrics and logs in Grafana
- OpenTelemetry: Unified observability framework
  - Auto-instrumentation: Automatic telemetry collection for applications
  - Data Processing: Transformation, filtering, and enrichment pipelines
  - Multi-backend Export: Support for multiple observability backends
- Updates: Managed through GitOps workflow with Flux CD
- Backup: Velero provides application and persistent volume backup/restore
- Security: Regular security updates via Flux automation and Kyverno policies
- Monitoring: Health checks via Prometheus/Grafana
- Storage: Longhorn for distributed block storage or vSphere CSI/OpenStack CSI for cloud storage
- Secrets Management: Sealed Secrets for GitOps-friendly secret encryption
- Identity Management: Keycloak for OIDC authentication and authorization
For detailed configuration and troubleshooting information, see the individual service documentation:
- Service Templates: docs/templates/ - Templates for creating new service documentation
- Configuration Guides: Each service directory contains comprehensive README files with:
  - Configuration options and examples
  - Cluster-specific override guidance
  - Verification and troubleshooting steps
  - References to upstream documentation
- Review Service Documentation: Check individual service README files for configuration requirements
- Customize Overrides: Create cluster-specific configuration overrides as needed
- Deploy via GitOps: Commit changes to trigger Flux reconciliation
- Monitor Deployment: Use Weave GitOps or Headlamp dashboards to monitor deployment status
- Verify Services: Follow verification steps in each service's documentation
For application-specific documentation, see individual application directories and their respective upstream documentation.