Platform Lifecycle Model

Purpose: For platform engineers and architects, explains the boundary between Day-1 (provisioning, bootstrap, initial configuration) and Day-2 (upgrades, scaling, backup, drift management) in openCenter, including which tools own each phase and how handoffs work.

Concept Summary

openCenter splits cluster lifecycle into two distinct phases:

Day-1: Everything needed to go from zero to a running, GitOps-managed cluster.
Day-2: Everything needed to keep it running, healthy, and up-to-date.

The boundary between phases is the moment FluxCD starts reconciling from Git. Before that point, the CLI orchestrates. After it, Git + FluxCD own desired state.

Day-1: Provision and Bootstrap

Day-1 transforms a cluster configuration file into a running Kubernetes cluster with platform services.

Stages

Stage	Owner	Input	Output
1. Configure	`opencenter cluster init` / `configure`	User answers	`<cluster>-config.yaml`
2. Validate	`opencenter cluster validate`	Config file	Pass/fail + issues
3. Generate	`opencenter cluster generate`	Config file	GitOps repository (manifests, Terraform, Ansible)
4. Provision infrastructure	`opencenter cluster deploy` (OpenTofu)	`main.tf`	VMs, networks, LBs, volumes
5. Deploy Kubernetes	`opencenter cluster deploy` (Kubespray)	Ansible inventory	Running K8s cluster + kubeconfig
6. Bootstrap GitOps	`opencenter cluster deploy` (FluxCD)	GitRepository + Kustomizations	FluxCD reconciling platform services

Tools per Stage

Stage 1-3: opencenter CLI (Go binary)
  ↓
Stage 4:   OpenTofu (infrastructure provisioning)
  ↓
Stage 5:   Kubespray via Ansible (Kubernetes installation)
  ↓
Stage 6:   flux bootstrap (FluxCD installation + first reconciliation)

Day-1 Artifacts

After Day-1 completes, these artifacts exist:

Artifact	Location	Purpose
Cluster config	`clusters/state/<org>/<cluster>/<cluster>-config.yaml`	Source of truth for cluster parameters
GitOps repository	`clusters/gitops/<org>/`	FluxCD reconciliation source
SOPS Age key	`clusters/secrets/<org>/<cluster>/age/keys/`	Secret decryption in cluster
SSH key pair	`clusters/secrets/<org>/<cluster>/ssh/`	Node access
Kubeconfig	`clusters/state/<org>/<cluster>/kubeconfig.yaml`	Cluster admin access
Terraform state	`clusters/state/<org>/<cluster>/terraform.tfstate`	Infrastructure state

Day-2: Operate and Evolve

Day-2 starts once FluxCD is reconciling. The cluster is "alive" — changes flow through Git.

Operations

Operation	Tool	Trigger	Mechanism
Kubernetes upgrade	`opencenter cluster upgrade`	Operator decision	Kubespray rolling upgrade playbook
Service upgrade	Git PR (update gitops-base tag)	New release available	FluxCD reconciles new HelmRelease versions
Worker scaling	Git PR (add/remove worker pool)	Capacity need	OpenTofu + Kubespray for new nodes
Backup	Velero (scheduled)	CronJob	Snapshot to S3/Swift
Certificate rotation	cert-manager (automatic)	30 days before expiry	cert-manager renews via ACME
Drift detection	`opencenter cluster drift`	Operator or scheduled	Compares desired (config) vs actual (cloud API)
Drift reconciliation	`opencenter cluster drift --reconcile`	Operator approval	Cloud API calls to fix divergence
Secret rotation	`opencenter secrets rotate`	Security policy	Re-encrypt with new key, update cluster
Disaster recovery	`velero restore`	Incident	Restore from backup
Configuration change	`opencenter cluster configure --guided`	Operator decision	Regenerate manifests → Git PR → FluxCD reconciles

Day-2 Ownership Model

┌─────────────────────────────────────────────────────┐
│                   Git Repository                     │
│  (source of truth for cluster desired state)        │
└──────────────────────┬──────────────────────────────┘
                       │
          ┌────────────┼────────────┐
          ▼            ▼            ▼
┌─────────────┐ ┌───────────┐ ┌──────────────┐
│   FluxCD    │ │  Kyverno  │ │ cert-manager │
│ reconciles  │ │ enforces  │ │  rotates     │
│ manifests   │ │ policy    │ │  certs       │
└─────────────┘ └───────────┘ └──────────────┘

Concern	Owner	How
Manifest desired state	Git	PRs, reviews, merge
Manifest enforcement	FluxCD	Continuous reconciliation
Policy enforcement	Kyverno	Admission control
TLS lifecycle	cert-manager	ACME renewal
Backup schedule	Velero	CronJob
Infrastructure state	OpenTofu	Terraform state file
Node OS patches	Operator	SSH + package manager (outside openCenter scope)

Handoff Boundaries

CLI → FluxCD Handoff

The CLI generates and pushes manifests. FluxCD reconciles them. After Day-1, the CLI no longer directly applies resources to the cluster (except for upgrade playbooks and infrastructure changes).

CLI writes to Git → FluxCD reads from Git → Cluster state matches Git

If you need to change a service configuration:

Don't kubectl edit or kubectl apply.
Do update the manifest in Git. FluxCD will enforce it.

FluxCD → Operator Handoff

Some operations require human judgment:

Kubernetes version upgrades: FluxCD cannot upgrade kubelet on nodes. The CLI + Kubespray handles this.
Infrastructure scaling: Adding nodes requires OpenTofu to provision VMs first.
Disaster recovery: Deciding what to restore and validating post-restore state.

openCenter-gitops-base → Customer Repo Handoff

Base manifests provide hardened defaults. Customer overlays provide cluster-specific values.

Owned by gitops-base	Owned by customer overlay
HelmRelease spec (chart version, default values)	Value overrides (replicas, resources, domains)
Kyverno ClusterPolicy definitions	Namespace-scoped exceptions
Default NetworkPolicies for platform namespaces	Tenant NetworkPolicies

Lifecycle Diagram

         Day-1                          │             Day-2
                                        │
  ┌──────────┐   ┌──────────┐         │   ┌──────────┐   ┌──────────┐
  │Configure │──▶│ Validate │         │   │ Upgrade  │   │  Scale   │
  └──────────┘   └──────────┘         │   └──────────┘   └──────────┘
                       │                │
                       ▼                │   ┌──────────┐   ┌──────────┐
                 ┌──────────┐          │   │  Backup  │   │  Drift   │
                 │ Generate │          │   └──────────┘   └──────────┘
                 └──────────┘          │
                       │                │   ┌──────────┐   ┌──────────┐
                       ▼                │   │  Rotate  │   │ Recover  │
                 ┌──────────┐          │   │  Certs   │   │          │
                 │ Provision│          │   └──────────┘   └──────────┘
                 └──────────┘          │
                       │                │
                       ▼                │
                 ┌──────────┐          │
                 │Deploy K8s│          │
                 └──────────┘          │
                       │                │
                       ▼                │
                 ┌──────────┐          │
                 │Bootstrap │──────────┼──▶ FluxCD reconciling
                 │  GitOps  │          │    (continuous)
                 └──────────┘          │

When to Use Each Tool

Task	Tool	Phase
Create cluster from scratch	`opencenter cluster deploy`	Day-1
Change Helm values for a service	Git PR to overlay	Day-2
Add a new platform service	Git PR (add Kustomization + source)	Day-2
Upgrade Kubernetes version	`opencenter cluster upgrade`	Day-2
Add worker nodes	Update config → `opencenter cluster generate` → OpenTofu → Kubespray	Day-2
Rotate SOPS keys	`opencenter secrets rotate`	Day-2
Investigate drift	`opencenter cluster drift`	Day-2
Restore from backup	`velero restore create`	Day-2
Decommission cluster	`opencenter cluster deploy --destroy` or manual teardown	End of life

Concept Summary​

Day-1: Provision and Bootstrap​

Stages​

Tools per Stage​

Day-1 Artifacts​

Day-2: Operate and Evolve​

Operations​

Day-2 Ownership Model​

Handoff Boundaries​

CLI → FluxCD Handoff​

FluxCD → Operator Handoff​

openCenter-gitops-base → Customer Repo Handoff​

Lifecycle Diagram​

When to Use Each Tool​