openCenter Platform Foundation
Purpose: For platform engineers, explains the services and capabilities every openCenter cluster receives regardless of which blueprint is layered on top.
Overview
The platform foundation is upstream Kubernetes with built-in observability, layered security, and GitOps operations. It deploys via a single CLI command and reconciles 20+ pre-hardened services through FluxCD.
Source: openCenter-gitops-base repository (applications/base/services/).
Core Pillars
Observability
| Component | Role |
|---|---|
| kube-prometheus-stack | Metrics collection, Alertmanager, pre-configured alerting rules |
| Grafana | Dashboards (deployed with pre-built dashboards) |
| Loki | Log aggregation (LogQL) |
| Tempo | Distributed tracing (TraceQL) |
| OpenTelemetry (kube-stack) | Auto-instrumentation, data processing pipelines, multi-backend export |
| Mimir | Long-term metrics storage (enterprise layer) |
Security
| Component | Role |
|---|---|
| Kyverno | Policy engine — 17 ClusterPolicies (disallow-privileged-containers, require-run-as-nonroot, restrict-seccomp, etc.) |
| Keycloak | IAM — OIDC provider with PostgreSQL backend |
| RBAC Manager | Declarative RBAC from RBACDefinition CRs |
| Pod Security Admission | Baseline enforcement, restricted audit/warn (configured via Kubespray) |
| SOPS (Age) | Secrets encryption in Git — 90-day Age key rotation, 180-day SSH key rotation, dual-key zero-downtime strategy |
| NetworkPolicies | Platform service isolation (FluxCD, OLM) |
| Sealed Secrets | Alternative sealed secrets controller |
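As an added illustration (not a file from the openCenter repositories), the `.sops.yaml` below shows the dual-key stage of the Age rotation named in the security table: both the outgoing and the incoming recipient are listed, so files re-encrypted during the overlap stay decryptable with the key FluxCD already holds. The recipient values, the path regex and the Secret name are placeholders and assumptions.

```yaml
# .sops.yaml at the repository root (assumed location; example only).
#
# Stage 1 of a dual-key Age rotation: list BOTH recipients so the SOPS data key
# is wrapped for the outgoing key (still in FluxCD's decryption Secret, assumed
# to be flux-system/sops-age) and for the incoming key being rolled out.
# Re-wrap the data key of every encrypted file without touching its plaintext:
#   sops updatekeys -y applications/base/services/<service>/<file>.enc.yaml
# Stage 2 (after the flux-system Secret carries the new key and a reconcile
# succeeds): remove the outgoing recipient and run updatekeys again.
creation_rules:
  # Placeholder regex; point it at where the encrypted manifests actually live.
  - path_regex: applications/.*\.enc\.yaml$
    # Encrypt only the Secret payload so Flux/Kustomize can still read metadata.
    encrypted_regex: ^(data|stringData)$
    age: >-
      age1placeholderoutgoingkey00000000000000000000000000000000000000,
      age1placeholderincomingkey00000000000000000000000000000000000000
```

Commit the re-encrypted files before swapping the key in the cluster; a file wrapped only for the new recipient while FluxCD still holds the old key is what breaks reconciliation.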
GitOps
| Component | Role |
|---|---|
| FluxCD | GitOps reconciliation with SOPS decryption |
| Kustomize | Base + overlay composition model |
| Headlamp | Cluster UI |
| Weave GitOps | GitOps dashboard |
| OLM | Operator Lifecycle Manager |
Platform Services (from gitops-base)
| Service | Category | Purpose |
|---|---|---|
| cert-manager | Security | TLS certificate automation |
| external-snapshotter | Storage | Volume snapshot support |
| gateway-api | Networking | Modern ingress (Gateway API CRDs) |
| harbor | Registry | Container registry with vulnerability scanning |
| headlamp | Management | Cluster UI |
| istio | Networking | Service mesh — mTLS, traffic management (optional) |
| keycloak | Security | IAM — Postgres + Operator + Keycloak + OIDC RBAC |
| kyverno | Security | Policy engine + default-ruleset (17 ClusterPolicies) |
| longhorn | Storage | Distributed block storage with PVC replication |
| metallb | Networking | Load balancer for bare-metal/on-prem |
| observability | Observability | kube-prometheus-stack, loki, mimir, opentelemetry-kube-stack, tempo |
| olm | Management | Operator Lifecycle Manager |
| openstack-ccm | Provider | OpenStack Cloud Controller Manager |
| openstack-csi | Provider | OpenStack Cinder CSI driver |
| postgres-operator | Data | PostgreSQL operator (internal platform use) |
| rbac-manager | Security | Declarative RBAC management |
| sealed-secrets | Security | Sealed secrets controller |
| strimzi-kafka-operator | Data | Apache Kafka operator |
| velero | Backup | Backup and disaster recovery |
| vsphere-csi | Provider | vSphere CSI driver |
Total: 20 service directories (observability alone contains 5 sub-services).
Cluster Lifecycle
| Phase | Tool | Action |
|---|---|---|
| Configure | opencenter cluster init | Single YAML defines provider, services, secrets |
| Provision | OpenTofu/Terraform | CLI generates IaC; Terraform provisions infrastructure |
| Deploy | Kubespray | Kubernetes installation with security hardening (k8s_hardening.yml) |
| Bootstrap | opencenter cluster bootstrap | FluxCD bootstraps GitOps; services reconcile from gitops-base |
| Operate | Git + FluxCD | Drift detection, upgrades, key rotation — all through Git |
Provider Support
| Provider | Status | Notes |
|---|---|---|
| OpenStack | GA | Full cloud integration, drift detection |
| VMware vSphere | GA | Full cloud integration, drift detection |
| Kind | GA | Local development clusters |
| Bare Metal | GA | Via Kubespray direct inventory |
| AWS | Available | Mentioned on the website; CLI supports the provider type |
Air-Gap Support
Every foundation service is packageable for disconnected deployment via openCenter-AirGap:
- Container images bundled into .tar.zst packages
- SHA-256 checksums + Cosign signatures + SBOMs
- Three-zone model: Factory (connected build) → Airlock (transfer) → Field (disconnected)
- Bastion serves as local registry and package repository
Enterprise Layer
openCenter-gitops-enterprise adds on top of the base:
- Private chart and image sources (enterprise-approved registries)
- Hardened values overlays
- Enterprise-only managed services (e.g., alert-proxy)
- Same base service structure preserved for cluster-level overrides
Further Reading
- Blueprints Overview — how blueprints extend this foundation
- Blueprint Catalog — all available blueprints
- Data Services — managed data infrastructure