
Adding a Service

Purpose: For contributors, shows how to add a new platform service to gitops-base.

Prerequisites

  • A working Kubernetes cluster with FluxCD bootstrapped
  • kubectl, flux, and kustomize CLI tools installed
  • Familiarity with HelmRelease and Kustomize overlay patterns (see Kustomize Patterns)

Steps

1. Create the base service directory

All platform services live under applications/base/services/ in the openCenter-gitops-base repo.

applications/base/services/my-service/
├── namespace.yaml
├── source.yaml          # HelmRepository
├── helmrelease.yaml     # HelmRelease
└── helm-values/
    └── hardened-values-v1.0.0.yaml

2. Define the namespace

# namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: my-service

3. Add the Helm source

# source.yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: my-service
  namespace: flux-system
spec:
  interval: 1h
  url: https://charts.example.com

4. Create the HelmRelease

# helmrelease.yaml
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: my-service
  namespace: my-service
spec:
  interval: 30m
  chart:
    spec:
      chart: my-service
      version: "1.0.0"
      sourceRef:
        kind: HelmRepository
        name: my-service
        namespace: flux-system
  # The referenced ConfigMap is looked up in the HelmRelease's own namespace
  valuesFrom:
    - kind: ConfigMap
      name: my-service-values
      valuesKey: values.yaml

5. Write hardened Helm values

Create helm-values/hardened-values-v1.0.0.yaml with security-focused defaults. Follow the patterns used by existing services (e.g., cert-manager, Kyverno):

  • Set securityContext.runAsNonRoot: true
  • Drop all capabilities, add only what's needed
  • Set resource requests and limits
  • Disable unnecessary features
  • Pin image tags (no latest)
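
An added example, not part of the gitops-base repo: value keys differ from chart to chart, so this script checks the rendered workload instead, testing every container against the checklist above. The function names and the sample Deployment are constructed for illustration; CronJobs are not unwrapped.

```python
import json
import sys

# Constructed sample (not from the repo): one hardened container, one sidecar that is not.
SAMPLE = {"kind": "Deployment", "metadata": {"name": "my-service"}, "spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [
        {"name": "app", "image": "registry.example.com/my-service:1.0.0",
         "securityContext": {"capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
         "resources": {"requests": {"cpu": "50m"}, "limits": {"memory": "128Mi"}}},
        {"name": "sidecar", "image": "registry.example.com:5000/sidecar",
         "securityContext": {"runAsNonRoot": False}},
    ]}}}}

def image_pinned(image):
    """True for a digest reference or an explicit tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    # Only look after the last '/', so a registry port is not mistaken for a tag.
    _, sep, tag = image.rsplit("/", 1)[-1].partition(":")
    return bool(sep) and tag not in ("", "latest")

def check(obj):
    """Findings for one Deployment/StatefulSet/DaemonSet/Job/Pod against the step 5 checklist."""
    spec = obj.get("spec", {})
    pod = spec.get("template", {}).get("spec") or spec  # a bare Pod has no template
    pod_sc = pod.get("securityContext") or {}
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        sc = c.get("securityContext") or {}
        # The container-level setting overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{c['name']}: runAsNonRoot is not true")
        drop = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in [d.upper() for d in drop]:
            findings.append(f"{c['name']}: capabilities.drop lacks ALL")
        res = c.get("resources") or {}
        if not res.get("requests") or not res.get("limits"):
            findings.append(f"{c['name']}: resource requests or limits missing")
        if not image_pinned(c.get("image", "")):
            findings.append(f"{c['name']}: image tag not pinned")
    return findings

if __name__ == "__main__":
    # Optional argument: a file saved from `kubectl get deployments -n my-service -o json`.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    results = [f for item in doc.get("items", [doc]) for f in check(item)]
    print("\n".join(results) or "all checks passed")
    sys.exit(1 if results and len(sys.argv) > 1 else 0)  # non-zero only for real input
```

Run without arguments it reports the four findings for the sample's sidecar container; given a saved JSON file it exits non-zero when any container fails a check.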

6. Add a Kustomization entry point

Create kustomization.yaml in the service directory:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- source.yaml
- helmrelease.yaml

7. Register in the CLI service catalog

If the service should be selectable during opencenter cluster init, add it to the service definitions in the CLI's internal/services/ package. This controls which services appear in the interactive editor and which GitRepository sources get generated.

8. Test with a local cluster

# Apply the base manifests directly
kustomize build applications/base/services/my-service/ | kubectl apply -f -

# Or test via FluxCD reconciliation
flux reconcile kustomization my-service --with-source

Verification

  • flux get helmreleases -n my-service shows the release as Ready
  • kubectl get pods -n my-service shows pods running
  • The service responds to health checks

Troubleshooting

| Symptom | Cause | Fix |
| --- | --- | --- |
| HelmRelease stuck in Not Ready | Values incompatible with chart version | Check flux logs --kind=HelmRelease --name=my-service -n my-service |
| Namespace not created | Missing from kustomization.yaml | Add namespace.yaml to the resources list |
| Kyverno blocks pods | Security context doesn't meet policy | Review Kyverno audit logs: kubectl get policyreport -n my-service |