# OpenStack Deployed Cluster Logical Diagram
Purpose: For platform engineers, shows the logical layout of a fully deployed openCenter Kubernetes cluster on OpenStack — namespaces, service placement, and inter-component communication.
## Simplified Overview

## Namespace Layout

| Namespace | Services | Purpose |
|---|---|---|
| flux-system | Source, Kustomize, Helm, Notification controllers | GitOps reconciliation engine |
| olm | Operator Lifecycle Manager, OLM Catalog | Installs and manages operators (Kafka, Keycloak, etc.) |
| cert-manager | cert-manager, ClusterIssuers | Automated TLS certificate lifecycle |
| kyverno | Kyverno engine, admission webhook | Policy enforcement (17 baseline policies) |
| keycloak | Keycloak, PostgreSQL | Identity and access management via OIDC |
| rbac-manager | RBAC Manager | Declarative RBAC from Keycloak group claims |
| metallb-system | MetalLB speakers, controller | Bare-metal load balancer (L2/BGP) |
| kube-system | kube-vip, OpenStack Cloud Controller Manager | Control-plane HA VIP and cloud-provider integration |
| gateway-system | Gateway API controller, HTTPRoutes | L7 traffic routing |
| observability | Prometheus, Grafana, Alertmanager, Loki, Promtail, Tempo, OTel Collector, Kafka | Metrics, logs, traces, event streaming, and alerting |
| cinder-csi | Cinder CSI driver, external-snapshotter | Block volume provisioning via OpenStack Cinder |
| harbor | Harbor Core, Registry, Trivy | Private container registry with vulnerability scanning |
| headlamp | Headlamp UI, branding plugin | Kubernetes web dashboard with OIDC authentication |
| velero | Velero server | Cluster backup and disaster recovery |
| customer-apps | Customer deployments | Application workloads routed via Gateway API |
## Data Flow Summary
- Ingress path: External traffic → MetalLB → Gateway API → HTTPRoute → Application Service → Pod
- Control-plane HA path: kube-vip elects leader on control-plane nodes → advertises virtual IP → all clients/nodes reach Kubernetes API via stable VIP
- GitOps path: Git push → FluxCD Source Controller → Kustomize/Helm Controller → Kubernetes API → Resources deployed
- Secrets path: SOPS-encrypted YAML in Git → FluxCD decrypts with Age key → Kubernetes Secret created
- Observability path: Pods emit metrics/logs/traces → OpenTelemetry Collector → Kafka → Prometheus + Loki + Tempo → Grafana dashboards
- Policy path: Resource admission → Kyverno webhook → validate against 17 ClusterPolicies → admit or reject
- Auth path: User login → Keycloak OIDC → JWT with group claims → RBAC Manager → RoleBindings → API Server authorization
- Headlamp path: Operator browser → MetalLB → Gateway API → Headlamp UI → Keycloak OIDC login → Kubernetes API (scoped by RBAC)
- OLM path: FluxCD deploys OLM → OLM installs operators from catalog → operators provision Prometheus, Keycloak, and other stateful services
- Storage path: PVC created → Cinder CSI driver → OpenStack Cinder API → block volume provisioned → attached to Nova instance
- Cloud controller path: OpenStack CCM → syncs node metadata, manages Neutron LBaaS, handles node lifecycle events
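The auth path above is the chain most worth seeing in concrete terms, because a mistake anywhere in it (API server trusting the wrong issuer, a group claim that never reaches the token, a binding to a group name that does not match the claim) silently breaks least privilege. The manifests below are an added example, not openCenter's own configuration: they show the two ends of that chain, the kube-apiserver OIDC settings that make the API server trust Keycloak and read the group claim, and an RBAC Manager `RBACDefinition` that turns Keycloak groups into role bindings. The Keycloak realm URL, client ID and group names are hypothetical.

```yaml
# Added example (not openCenter's own manifests). Auth path:
# Keycloak OIDC -> JWT group claim -> RBAC Manager -> RoleBinding -> API server authz.
# Hypothetical values: the Keycloak issuer URL, the client ID, and the group names.
#
# 1. kube-apiserver OIDC flags, expressed as a kubeadm ClusterConfiguration.
#    The API server validates tokens from this issuer only and reads the
#    "groups" claim for group membership.
apiVersion: kubeadm.k8s.io/v1beta3
kind: ClusterConfiguration
apiServer:
  extraArgs:
    oidc-issuer-url: https://keycloak.example.internal/realms/opencenter   # hypothetical realm
    oidc-client-id: kubernetes                                              # hypothetical client
    oidc-username-claim: preferred_username
    oidc-groups-claim: groups
    # Prefixes keep OIDC identities from colliding with ServiceAccounts or
    # built-in groups such as system:masters.
    oidc-username-prefix: "oidc:"
    oidc-groups-prefix: "oidc:"
---
# 2. RBAC Manager definition. RBAC Manager reconciles this into
#    ClusterRoleBindings / RoleBindings; no one hand-edits bindings.
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: keycloak-groups
rbacBindings:
  - name: platform-admins
    subjects:
      - kind: Group
        name: "oidc:platform-admins"      # must carry the oidc-groups-prefix above
    clusterRoleBindings:
      - clusterRole: cluster-admin
  - name: customer-app-developers
    subjects:
      - kind: Group
        name: "oidc:customer-app-developers"
    roleBindings:
      - clusterRole: edit
        namespace: customer-apps          # namespace from the layout table
  - name: auditors
    subjects:
      - kind: Group
        name: "oidc:auditors"
    clusterRoleBindings:
      - clusterRole: view
```

Two checks a platform engineer should run against this: first, Keycloak does not emit a `groups` claim unless the client (or a client scope it uses) has a Group Membership mapper, and with the mapper's "Full group path" option enabled the claim values are `/platform-admins` rather than `platform-admins`, so the subject names in the `RBACDefinition` must match exactly what appears in the token; second, `kubectl auth can-i --as=oidc:someuser --as-group=oidc:auditors create pods -n customer-apps` should answer `no`, which confirms the `view` binding is not wider than intended. Headlamp sits on this same path, so whatever a group can do through the dashboard is exactly what these bindings allow.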
## OpenStack-Specific Differences
| Concern | Generic Cluster | OpenStack Cluster |
|---|---|---|
| Storage backend | Longhorn (distributed block storage) | Cinder CSI (OpenStack block storage) |
| Storage namespace | longhorn-system | cinder-csi |
| Volume provisioner | driver.longhorn.io | cinder.csi.openstack.org |
| Cloud Controller Manager | None | OpenStack CCM (node lifecycle, LB integration) |
| Infrastructure provisioning | Manual / pre-provisioned | Terraform/OpenTofu (Nova instances, Neutron networks) |
| External dependency | None (self-contained) | OpenStack API (Keystone, Nova, Cinder, Neutron) |
| API call serialization | N/A | Enabled by default to prevent LB race conditions |
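The storage rows above (namespace `cinder-csi`, provisioner `cinder.csi.openstack.org`) are what a workload manifest actually has to reference, so here is an added example of the storage path from the data-flow list, PVC to Cinder CSI to Cinder block volume. These manifests are not openCenter's own; the Cinder volume type name `ssd` and the claim name are hypothetical, and the `VolumeSnapshotClass` assumes the external-snapshotter CRDs listed in the namespace table are installed.

```yaml
# Added example (not openCenter's own manifests). Storage path:
# PVC -> Cinder CSI driver -> OpenStack Cinder API -> volume attached to a Nova instance.
# Hypothetical values: the Cinder volume type "ssd" and the claim name.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: cinder-ssd
provisioner: cinder.csi.openstack.org       # provisioner from the differences table
parameters:
  type: ssd                                  # Cinder volume type (hypothetical name)
  csi.storage.k8s.io/fstype: ext4
allowVolumeExpansion: true
reclaimPolicy: Delete
# Defer volume creation until the pod is scheduled so the Cinder volume is
# created in the availability zone of the Nova instance it must attach to.
volumeBindingMode: WaitForFirstConsumer
---
# Snapshot class for the same driver; needs the external-snapshotter CRDs and
# controller that the namespace table lists alongside the Cinder CSI driver.
apiVersion: snapshot.storage.k8s.io/v1
kind: VolumeSnapshotClass
metadata:
  name: cinder-snapshots
driver: cinder.csi.openstack.org
deletionPolicy: Delete
---
# Workload claim in the customer-apps namespace from the layout table.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: app-data
  namespace: customer-apps
spec:
  accessModes:
    - ReadWriteOnce      # a Cinder volume ordinarily attaches to one Nova instance
  storageClassName: cinder-ssd
  resources:
    requests:
      storage: 20Gi
```

On the generic cluster the only line that changes is `provisioner: driver.longhorn.io` (and the matching snapshot `driver`), which is why keeping the StorageClass name stable across both variants lets application manifests stay identical. `volumeBindingMode: WaitForFirstConsumer` is the setting to check first when a PVC stays `Pending` on OpenStack: with `Immediate` binding the volume can be created in a zone no schedulable node can reach.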
## Related
- Logical Diagram — generic cluster architecture
- OpenStack Setup — step-by-step provider configuration
- OpenStack Cinder CSI — StorageClass and volume provisioning
- Infrastructure Provisioning — Terraform/OpenTofu workflow