---
id: foundation
title: "openCenter Platform Foundation"
sidebar_label: Foundation
description: Technical documentation for the openCenter platform foundation — upstream Kubernetes with built-in observability, layered security, GitOps operations, and pre-hardened platform services.
doc_type: explanation
audience: "platform engineers, operators"
tags: [platform-foundation, kubernetes, platform-services, gitops]
---
Purpose: For platform engineers and operators, describes the openCenter platform foundation, how its core pillars work together, and what every higher-level blueprint builds on.
## Overview
openCenter is the Kubernetes foundation. It is not a blueprint layered on top of something else. It is the base platform every higher-level blueprint builds on: upstream Kubernetes, built-in observability, layered security, GitOps operations, and a path to data governance. One CLI, one config, every environment.
Blueprints extend or specialize this foundation for a workload, an industry, or a data-services use case. The foundation is the thing you always have. A blueprint is the thing you add when you need a more opinionated operating model on top of it.
- Upstream Kubernetes — no proprietary runtime, no vendor lock-in, no fork tax.
- Multi-provider: OpenStack, VMware vSphere, AWS, Kind, and bare metal. Same ops everywhere.
- 10 minutes to configure, under an hour to a production cluster with security and observability.
- 20+ pre-hardened platform services deployed via FluxCD. Not installed — operated.
- Air-gap ready with signed Zarf artifacts. Government and defense deployments covered.
## Core Pillars

### Observability
Every cluster ships with a pre-wired observability stack. Prometheus and Grafana handle metrics and dashboards. Loki aggregates logs with LogQL querying. Tempo provides distributed tracing with TraceQL. OpenTelemetry ties it all together with auto-instrumentation, data processing pipelines, and multi-backend export. Pre-configured alerting rules and Grafana dashboards deploy automatically.
Services: Prometheus, Grafana, Alertmanager, Loki, Tempo, OpenTelemetry.
See Observability Stack Overview for configuration details.
### Security

Security is layered across the stack. Kubespray configures Pod Security Admission at the cluster level (the `baseline` profile is enforced; the `restricted` profile is applied in audit and warn mode). Kyverno enforces 17 ClusterPolicies covering privileged containers, host namespaces, non-root requirements, seccomp profiles, and volume restrictions. NetworkPolicies isolate platform services. Keycloak provides OIDC authentication with group-based RBAC via RBAC Manager. SOPS Age encryption protects secrets in Git, with automated key rotation (90-day Age keys, 180-day SSH keys) and a zero-downtime dual-key strategy.
Services: Kyverno, Keycloak, RBAC Manager, SOPS, Pod Security Admission, NetworkPolicies.
See Defense-in-Depth Model for the full security architecture.
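The dual-key rotation described above, as an added example (not openCenter's own configuration): a `.sops.yaml` that lists both the outgoing and the incoming Age recipient for the overlap window, so files re-wrapped with `sops updatekeys` decrypt with either private key. The path layout and the `age1...` values are placeholders.

```yaml
# .sops.yaml at the root of the GitOps repository (constructed example;
# the path layout and the age1... recipients are placeholders, not real keys).
#
# Zero-downtime rotation keeps two recipients on every file for the overlap
# window, so either private key can decrypt it:
#   1. age-keygen -o new.agekey ; add its public key to the list below
#   2. find . -name '*.enc.yaml' -exec sops updatekeys --yes {} \;
#      (re-wraps the data key for the new recipient; the payload is untouched)
#   3. add the new private key to each cluster's SOPS decryption Secret
#   4. once every cluster holds the new key, delete the old recipient here
#      and run step 2 again so the retired key can no longer decrypt anything
creation_rules:
  # Kubernetes Secret manifests under each cluster overlay
  - path_regex: clusters/.*/secrets/.*\.enc\.yaml$
    # Encrypt only the payload; metadata stays readable for kustomize and git diff
    encrypted_regex: ^(data|stringData)$
    key_groups:
      - age:
          - age1PLACEHOLDER_OLD_KEY_ROTATING_OUT   # current key, 90-day lifetime
          - age1PLACEHOLDER_NEW_KEY_ROTATING_IN    # replacement key
```

With a single key group, SOPS treats the recipients as alternatives, so removing the old one in step 4 is what actually revokes it; until then, a leaked old key still decrypts every file.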
### GitOps
The openCenter CLI generates a complete FluxCD-ready repository from a single YAML config. Infrastructure-as-code (OpenTofu/Terraform) provisions compute. Kubespray deploys Kubernetes with security hardening. FluxCD bootstraps and continuously reconciles platform services from the gitops-base repository using Kustomize base + overlay composition. Cluster-specific overrides stay in the overlay directory. Drift detection, auto-remediation, and SOPS decryption happen at reconciliation time.
Services: FluxCD, Kustomize, OpenTofu, Kubespray, Weave GitOps, Headlamp.
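The base + overlay reconciliation described above, as an added example (constructed, not openCenter's gitops-base repository): a Flux `Kustomization` pointing at one cluster's overlay directory, followed by the overlay's `kustomization.yaml`, which imports the shared base and carries only that cluster's overrides. Repository layout, resource names, and the Longhorn override are assumptions.

```yaml
# Flux Kustomization for one cluster's overlay (constructed example; names
# and paths are assumptions, not openCenter's own).
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: platform-services
  namespace: flux-system
spec:
  interval: 10m              # reconcile loop: drift is detected and re-applied each run
  retryInterval: 2m
  timeout: 5m
  sourceRef:
    kind: GitRepository
    name: gitops-base
  path: ./clusters/prod-vsphere   # this cluster's overlay directory
  prune: true                # resources deleted from Git are deleted from the cluster
  wait: true
  decryption:
    provider: sops
    secretRef:
      name: sops-age         # Secret holding the Age private key(s); decrypted at reconcile time
---
# clusters/prod-vsphere/kustomization.yaml: the overlay imports the shared
# base and applies cluster-specific overrides only.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base/platform-services
  - secrets/harbor-admin.enc.yaml     # SOPS-encrypted; Flux decrypts it before applying
patches:
  # Example override: this cluster uses the vSphere CSI, so the Longhorn
  # HelmRelease from the base is left in place but suspended here.
  - patch: |
      apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      metadata:
        name: longhorn
        namespace: longhorn-system
      spec:
        suspend: true
```

Because the overlay only references the base, a change to a shared service lands in every cluster on its next interval, while anything under `clusters/<name>/` stays local to that cluster.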
### Data Governance (Roadmap)
openCenter will integrate OpenMetadata to bring data governance into the platform layer: automated data discovery and cataloging, lineage tracking, classification and tagging for sensitive data, and policy-driven access controls for data assets. This capability is on the roadmap and not yet available.
## Platform Services Included
Pre-hardened Helm releases managed via FluxCD. Enable or disable per cluster through config.
| Category | Services |
|---|---|
| Security & Policy | cert-manager, Kyverno, Sealed Secrets |
| Identity & Access | Keycloak, RBAC Manager |
| Networking | Calico, MetalLB, Gateway API |
| Storage | Longhorn, vSphere CSI, OpenStack CSI |
| Observability | Prometheus, Grafana, Loki, Tempo, OpenTelemetry |
| Registry | Harbor |
| Backup | Velero |
| UI | Headlamp |
| Database Operators | PostgreSQL Operator |
See Service Catalog for versions, namespaces, and dependencies.
## Config-to-Cluster Workflow

| Step | Action | What Happens |
|---|---|---|
| 1. Configure | Define cluster, provider, services, and secrets in one YAML file. | `opencenter cluster init` + `opencenter cluster edit` |
| 2. Provision | CLI generates IaC and Kubespray inventory. Terraform provisions infrastructure. | `opencenter cluster setup` + `terraform apply` |
| 3. Bootstrap | FluxCD bootstraps GitOps. Services reconcile from the gitops-base repo. | `opencenter cluster bootstrap` |
| 4. Operate | Drift detection, upgrades, backup, key rotation — all through Git. | Day-2 operations via GitOps |
See Infrastructure Provisioning and FluxCD Bootstrap for step-by-step procedures.
## Provider Support
| Provider | Status | Notes |
|---|---|---|
| OpenStack | GA | Full support including Cinder CSI and CCM. |
| VMware vSphere | GA | Full support including vSphere CSI. |
| AWS | GA | EBS CSI and cloud controller manager. |
| Kind | GA | Local development and testing. Not for production. |
| Bare Metal | GA | Via Kubespray direct provisioning. |
See Provider Comparison for trade-offs and capabilities matrix.