Customer Repository Structure

Purpose: For platform engineers, provides the standard directory layout for customer GitOps repositories.

Directory Layout

opencenter cluster setup generates this structure:

customers/<customer-id>-<customer-name>/
├── .opencenter                          # Organization metadata
├── .sops.yaml                           # SOPS encryption rules
├── README.md
│
├── infrastructure/
│   └── clusters/
│       └── <cluster-name>/
│           ├── main.tf                  # OpenTofu/Terraform entry point
│           ├── provider.tf              # Provider configuration
│           ├── variables.tf             # Input variables
│           ├── kubeconfig.yaml          # Cluster access (post-provision)
│           ├── .sops.yaml               # Cluster-level encryption rules
│           └── inventory/
│               ├── inventory.yaml       # Kubespray host inventory
│               ├── group_vars/          # Ansible group variables
│               │   ├── all/
│               │   │   ├── all.yml
│               │   │   └── k8s_hardening.yml
│               │   └── k8s_cluster/
│               └── credentials/         # Encrypted provider credentials
│
├── applications/
│   └── overlays/
│       └── <cluster-name>/
│           ├── .sops.yaml               # Application secrets encryption
│           ├── kustomization.yaml       # Root kustomization
│           │
│           ├── flux-system/             # FluxCD bootstrap manifests
│           │   ├── gotk-components.yaml
│           │   └── gotk-sync.yaml
│           │
│           ├── services/                # Platform services
│           │   ├── sources/             # GitRepository CRDs
│           │   │   ├── opencenter-cert-manager.yaml
│           │   │   ├── opencenter-kyverno.yaml
│           │   │   └── ...
│           │   ├── fluxcd/              # Kustomization CRDs
│           │   │   ├── cert-manager.yaml
│           │   │   ├── kyverno.yaml
│           │   │   └── ...
│           │   └── <service-name>/      # Per-service overrides
│           │       ├── kustomization.yaml
│           │       └── override-values.yaml
│           │
│           └── managed-services/        # Customer applications
│               ├── sources/
│               ├── fluxcd/
│               └── <app-name>/
│
└── secrets/
    ├── age/                             # SOPS Age key files
    └── ssh/                             # SSH key pairs

Key Directories

infrastructure/clusters/<cluster>/

Contains Terraform files for provisioning VMs, networks, and storage. The inventory/ subdirectory holds Kubespray configuration including security hardening settings in group_vars/all/k8s_hardening.yml.

applications/overlays/<cluster>/services/sources/

Each YAML file defines a FluxCD GitRepository pointing to openCenter-gitops-base at a pinned tag. The SSH deploy key is referenced via secretRef.

applications/overlays/<cluster>/services/fluxcd/

Each YAML file defines a FluxCD Kustomization that pulls base manifests from the corresponding GitRepository source and applies cluster-specific variable substitution via postBuild.substituteFrom.
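As an added example of the source/Kustomization pair described in the two sections above (this is illustrative YAML, not a file generated by opencenter), the repository URL, tag, Secret names, base path and ConfigMap name are all assumptions:

```yaml
# applications/overlays/<cluster-name>/services/sources/opencenter-cert-manager.yaml
# Added example; URL, tag and Secret name are assumptions, not opencenter-generated values.
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: opencenter-cert-manager
  namespace: flux-system
spec:
  interval: 10m
  url: ssh://git@git.example.com/opencenter/openCenter-gitops-base.git   # assumed URL
  ref:
    tag: v1.2.3        # pinned tag: the cluster only picks up base changes when this line changes
  secretRef:
    name: opencenter-gitops-base-ssh   # assumed name of the Secret holding the read-only deploy key
---
# applications/overlays/<cluster-name>/services/fluxcd/cert-manager.yaml
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: cert-manager
  namespace: flux-system
spec:
  interval: 10m
  path: ./services/cert-manager        # assumed path inside openCenter-gitops-base
  prune: true
  sourceRef:
    kind: GitRepository
    name: opencenter-cert-manager      # must match metadata.name of the source above
  decryption:
    provider: sops
    secretRef:
      name: sops-age                   # assumed name of the Secret carrying the Age key from secrets/age/
  postBuild:
    substituteFrom:
      - kind: ConfigMap
        name: cluster-vars             # assumed: cluster-specific values substituted into base manifests
      - kind: Secret
        name: cluster-secrets          # assumed: SOPS-decrypted values; optional so a missing Secret is not fatal
        optional: true
```

The point of `ref.tag` over `ref.branch` is that a change in the base repository cannot reach a customer cluster without a reviewed commit in the customer repository that moves the tag. After changing the tag, `flux reconcile source git opencenter-cert-manager -n flux-system` fetches it immediately instead of waiting for the next `interval`.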

applications/overlays/<cluster>/services/<service>/

Per-service override directory. Contains a kustomization.yaml referencing the base path and an override-values.yaml with cluster-specific Helm values.

managed-services/

Follows the same sources/ + fluxcd/ + <app>/ pattern as services/, but for customer-owned applications rather than platform services.

secrets/

Age keys and SSH keys used by SOPS encryption and Git authentication. These files are not committed to Git; they are managed locally by the CLI and synced to the cluster as Kubernetes secrets.
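As an added example of how the overlay-level `.sops.yaml` ties the committed manifests to the key material kept in `secrets/age/` (illustrative, not a file generated by opencenter; the Age recipient is a placeholder):

```yaml
# applications/overlays/<cluster-name>/.sops.yaml
# Added example. Only the *public* recipient goes here; the private key stays in
# secrets/age/ (outside Git) and is synced to the cluster as a Kubernetes Secret.
creation_rules:
  # Kubernetes Secret manifests in this overlay: encrypt only the data/stringData
  # values so that kind, metadata and labels remain readable for review and kustomize.
  - path_regex: .*\.yaml$
    encrypted_regex: ^(data|stringData)$
    age: age1<cluster-public-key-placeholder>   # placeholder, replace with the cluster's Age recipient
```

With `SOPS_AGE_KEY_FILE` pointing at the private key file under `secrets/age/`, `sops --encrypt --in-place <file>` applies the matching rule and `sops --decrypt <file>` confirms the file round-trips. A `.gitignore` entry for `secrets/` (assumed; the page states only that these files are not committed) is the simplest guard against the private key being added by accident.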

Naming Conventions

  • Customer directory: <customer-id>-<customer-name> (e.g., 1861184-Metro-Bank-PLC)
  • Cluster names: lowercase with hyphens (e.g., k8s-sandbox)
  • Source files: opencenter-<service-name>.yaml
  • Override files: override-values.yaml