openCenter Deployed Cluster Logical Diagram
Purpose: gives platform engineers the logical layout of a fully deployed openCenter Kubernetes cluster: namespaces, service placement, and inter-component communication.
Simplified Overview
Namespace Layout
| Namespace | Services | Purpose |
|---|---|---|
| flux-system | Source, Kustomize, Helm, Notification controllers | GitOps reconciliation engine |
| olm | Operator Lifecycle Manager, OLM Catalog | Installs and manages operators (Kafka, Keycloak, etc.) |
| cert-manager | cert-manager, ClusterIssuers | Automated TLS certificate lifecycle |
| kyverno | Kyverno engine, admission webhook | Policy enforcement (17 baseline policies) |
| keycloak | Keycloak, PostgreSQL | Identity and access management via OIDC |
| rbac-manager | RBAC Manager | Declarative RBAC from Keycloak group claims |
| metallb-system | MetalLB speakers, controller | Bare-metal load balancer (L2/BGP) |
| kube-system | kube-vip | Virtual IP for control-plane HA (stable API server endpoint) |
| gateway-system | Gateway API controller, HTTPRoutes | L7 traffic routing |
| observability | Prometheus, Grafana, Alertmanager, Loki, Promtail, Tempo, OTel Collector, Kafka | Metrics, logs, traces, event streaming, and alerting |
| longhorn-system | Longhorn Manager, CSI driver | Distributed block storage |
| csi-driver | vSphere CSI / Cinder CSI | Cloud-provider storage integration |
| harbor | Harbor Core, Registry, Trivy | Private container registry with vulnerability scanning |
| headlamp | Headlamp UI, branding plugin | Kubernetes web dashboard with OIDC authentication |
| velero | Velero server | Cluster backup and disaster recovery |
| customer-apps | Customer deployments | Application workloads routed via Gateway API |
Data Flow Summary
- Ingress path: External traffic → MetalLB → Gateway API → HTTPRoute → Application Service → Pod
- Control-plane HA path: kube-vip elects leader on control-plane nodes → advertises virtual IP → all clients/nodes reach Kubernetes API via stable VIP
- GitOps path: Git push → FluxCD Source Controller → Kustomize/Helm Controller → Kubernetes API → Resources deployed
- Secrets path: SOPS-encrypted YAML in Git → FluxCD decrypts with Age key → Kubernetes Secret created
- Observability path: Pods emit metrics/logs/traces → OpenTelemetry Collector → Kafka → Prometheus + Loki + Tempo → Grafana dashboards
- Policy path: Resource admission → Kyverno webhook → validate against 17 ClusterPolicies → admit or reject
- Auth path: User login → Keycloak OIDC → JWT with group claims → RBAC Manager → RoleBindings → API Server authorization
- Headlamp path: Operator browser → MetalLB → Gateway API → Headlamp UI → Keycloak OIDC login → Kubernetes API (scoped by RBAC)
- OLM path: FluxCD deploys OLM → OLM installs operators from catalog → operators provision Kafka, Keycloak, and other stateful services
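The Secrets path above (SOPS-encrypted YAML in Git, decrypted by FluxCD with an Age key), as an added configuration example that is not part of this page or the openCenter project: the `.sops.yaml` creation rule that encrypts only Secret payloads, and the Flux Kustomization that decrypts them at reconcile time. The names `sops-age`, `opencenter-secrets`, the repository path and the `age1...` recipient are assumed placeholders.

```yaml
# --- .sops.yaml at the repository root (constructed example) ---
# Only the data/stringData fields of a Secret are encrypted; metadata
# (name, namespace, labels) stays in clear text so kustomize can still
# match and patch the object. Every file under the secrets path must be
# encrypted to this Age recipient before it is committed.
creation_rules:
  - path_regex: clusters/.*/secrets/.*\.yaml
    encrypted_regex: ^(data|stringData)$
    age: age1PLACEHOLDER_PUBLIC_RECIPIENT
---
# --- Flux Kustomization in flux-system (constructed example) ---
# The Age private key is never committed; it is loaded into the cluster
# out of band, and the Secret data key must end with ".agekey":
#   kubectl create secret generic sops-age -n flux-system \
#     --from-file=age.agekey=./age.agekey
# The kustomize-controller decrypts the manifests in memory with that key
# and applies the resulting Kubernetes Secrets; Git only ever holds
# ciphertext.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: opencenter-secrets
  namespace: flux-system
spec:
  interval: 10m
  path: ./clusters/production/secrets
  prune: true
  sourceRef:
    kind: GitRepository
    name: flux-system
  decryption:
    provider: sops
    secretRef:
      name: sops-age
```

Before committing, confirm each file under the secrets path carries a `sops:` metadata block and that its `data`/`stringData` values start with `ENC[AES256_GCM,`; if the `sops-age` Secret is missing from the cluster, `flux get kustomizations` reports the reconciliation as failed with a decryption error rather than applying plaintext.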