These principles shaped every architectural decision:

Most openCenter deployments should start with:

| Component | Recommendation | | --- | --- | | Control plane nodes | 3 (HA with VRRP or load balancer) | | Worker nodes | 2 minimum, 3+ for production | | Bastion host | 1 (SSH jump host, required) | | CNI | Calico with VXLAN encapsulation | | Load balancer | MetalLB (bare metal/VMware) or Octavia (OpenStack) | | Ingress | Gateway API with Envoy | | Identity | Keycloak with OIDC | | Secrets | SOPS Age encryption + Kubernetes encryption at rest | | Monitoring | kube-prometheus-stack + Loki + Tempo | | Backup | Velero + etcd snapshots | | Policy | Kyverno (17 default ClusterPolicies) | | Storage | Provider CSI driver + Longhorn (optional) | | Certificate management | cert-manager with Let’s Encrypt |

Evidence: internal/config/defaults.go, docs/reference/platform-services.md

Every openCenter cluster operates on three non-overlapping IP networks:

| Network | Default CIDR | Purpose | Typical Size | | --- | --- | --- | --- | | Node network | 10.2.128.0/22 | Physical/virtual node IPs, bastion, VIP | /22 (1,024 IPs) | | Pod network | 10.42.0.0/16 | Pod-to-pod communication (CNI-managed) | /16 (65,536 IPs) | | Service network | 10.43.0.0/16 | ClusterIP services (kube-proxy/eBPF) | /16 (65,536 IPs) |

These three networks must not overlap with each other or with any existing infrastructure networks (VPNs, corporate LANs, other clusters).

The Kubernetes API server is exposed through one of these mechanisms (provider-dependent):

| Provider | API HA Mechanism | Configuration | | --- | --- | --- | | OpenStack (with Octavia) | Octavia load balancer | use_octavia: true | | OpenStack (without Octavia) | VRRP virtual IP | vrrp_enabled: true, vrrp_ip: <IP> | | VMware | VRRP or kube-vip | vrrp_enabled: true or kube_vip_enabled: true | | Bare metal | VRRP | vrrp_enabled: true, vrrp_ip: <IP> | | Kind | localhost port mapping | api_server_port: <port> |

Evidence: internal/config/types_cluster.go ClusterNetworkingConfig

For a /22 node network (10.2.128.0/22, 1,024 addresses):

| Range | Purpose | Example | | --- | --- | --- | | .1 | Network gateway | 10.2.128.1 | | .2–.9 | Infrastructure (DNS, NTP, bastion) | 10.2.128.2 (bastion) | | .10 | Kubernetes API VIP (VRRP) | 10.2.128.10 | | .20–.22 | Control plane nodes | 10.2.128.20–22 | | .23–.25 | Worker nodes (initial pool) | 10.2.128.23–25 | | .26–.99 | Additional worker pools / future growth | Reserved | | .100–.200 | MetalLB address pool (LoadBalancer services) | 10.2.128.100–200 | | .201–.254 | Reserved | Future use |

Configure the allocation pool to match:

Keep defaults unless they conflict with existing infrastructure:

If your corporate network uses 10.42.x.x or 10.43.x.x, shift to non-conflicting ranges:

Every cluster requires at least one DNS nameserver and one NTP server:

Use internal DNS and NTP servers when available. Public servers are acceptable for development but introduce an external dependency in production.

Evidence: docs/operations/configure-networking.md, internal/config/types_cluster.go

These services are production-supported and enabled by default:

| Service | Category | Purpose | | --- | --- | --- | | cert-manager | Security | Automated TLS certificate lifecycle | | Keycloak | Identity | OIDC provider, user federation, MFA | | Kyverno | Policy | 17 ClusterPolicies for baseline security | | RBAC Manager | Access | Declarative RBAC from Keycloak groups | | kube-prometheus-stack | Observability | Prometheus, Grafana, Alertmanager | | Loki | Observability | Log aggregation with LogQL | | Tempo | Observability | Distributed tracing | | Gateway API + Envoy | Networking | Modern ingress with HTTPRoute | | Calico | Networking | CNI with network policy support | | MetalLB | Networking | Bare metal load balancer | | Velero | Backup | Application backup and restore | | etcd-backup | Backup | Cluster state snapshots to S3 | | FluxCD | GitOps | Continuous reconciliation engine | | Headlamp | Management | Kubernetes dashboard with OIDC | | OLM | Management | Operator lifecycle management | | PostgreSQL Operator | Management | Database for Keycloak and other services |

| Service | Status | Notes | | --- | --- | --- | | Cilium CNI | Preview | eBPF-based networking, kube-proxy replacement | | Kube-OVN | Preview | Software-defined networking with Cilium integration | | Istio | Optional | Service mesh with mTLS (for zero-trust requirements) | | Weave GitOps | Optional | Web UI for FluxCD | | Windows workers | Informational | Not a supported deployment target at GA | | Talos Linux | Preview | Immutable OS with disk encryption, WireGuard, vTPM |

Evidence: docs/reference/platform-services.md, docs/concepts/provider-comparison.md

| Registry | Services | | --- | --- | | registry.k8s.io | Kubernetes components, vSphere CSI | | ghcr.io | FluxCD, openCenter services, alert-proxy | | docker.io | Calico, Longhorn, various Helm charts | | quay.io | cert-manager, Prometheus, OLM |

Service versions are pinned in openCenter-gitops-base via Git tags. Clusters reference a specific tag:

Individual service images can be overridden per-cluster:

For disconnected environments, the bastion host serves as a local registry on port 5000. All images are rewritten to pull from bastion:5000/ instead of public registries.

Evidence: internal/config/types_services.go ServiceCfg, Ecosystem.md air-gap section

openCenter uses "flavors" (instance types) to define compute resources. The minimum recommended sizes:

| Role | vCPUs | RAM | Disk | Config Field | | --- | --- | --- | --- | --- | | Control plane | 4 | 8 GB | 40 GB | flavor_master | | Worker | 4 | 16 GB | 100 GB | flavor_worker | | Bastion | 2 | 4 GB | 20 GB | flavor_bastion |

Production clusters should use larger flavors for workers depending on workload density.

| Role | Minimum | Recommended | Maximum | | --- | --- | --- | --- | | Control plane | 1 (dev) | 3 (HA) | 100 | | Workers | 1 | 2—​3 | 1,000 | | Windows workers | 0 | 0 | 100 |

For heterogeneous workloads, define additional worker pools with different flavors, images, or affinity rules:

Each pool gets its own naming convention, flavor, and optional subnet placement.

For HA, use anti-affinity to spread nodes across physical hosts:

Evidence: internal/config/types_kubernetes.go KubernetesConfig, AdditionalServerPool

This configures the API server flags:

RBAC Manager converts Keycloak groups to Kubernetes RoleBindings:

| Keycloak Group | Kubernetes Role | Scope | | --- | --- | --- | | cluster-admins | cluster-admin | Cluster-wide | | viewers | view | Cluster-wide |

Custom groups can be added via RBACDefinition CRDs in the GitOps repository.

Evidence: internal/config/types_kubernetes.go OIDCConfig, docs/reference/platform-services.md keycloak/rbac-manager

| Service | OIDC Config Location | Purpose | | --- | --- | --- | | Headlamp | services.headlamp.oidc_* | Kubernetes dashboard SSO | | Grafana | kube-prometheus-stack values | Monitoring dashboard SSO | | Weave GitOps | services.weave-gitops | GitOps UI SSO |

A global OIDC block configures shared settings for all services:

Individual services reference this global configuration. The Gateway API can enforce OIDC authentication at the ingress layer, so services behind the gateway inherit authentication without implementing it themselves.

Evidence: internal/config/types_opencenter.go GlobalOIDCConfig, GatewayGlobalConfig

openCenter supports three CNI plugins. Only one can be active per cluster.

| CNI | Encapsulation | kube-proxy | Best For | | --- | --- | --- | --- | | Calico (default) | VXLAN, IPIP, or None (BGP) | Standard | Most deployments. Mature, well-understood, strong network policy support. | | Cilium (preview) | VXLAN or native | Replaceable (eBPF) | Teams wanting eBPF observability and kube-proxy replacement. | | Kube-OVN (preview) | Geneve | Standard | Software-defined networking with subnet isolation. Optional Cilium integration. |

| Mode | Overhead | Requirements | Use When | | --- | --- | --- | --- | | VXLAN | ~50 bytes/packet | None | Default. Works everywhere. | | IPIP | ~20 bytes/packet | IP-in-IP protocol allowed | Lower overhead than VXLAN, but some clouds block it. | | None (BGP) | Zero | BGP-capable network fabric | Bare metal with ToR switches that peer BGP. Best performance. |

| Provider | Type | Use When | | --- | --- | --- | | MetalLB | L2 ARP or BGP | Bare metal, VMware, any environment without cloud LB | | Octavia | Cloud LB | OpenStack with Octavia service available | | OVN | Cloud LB | OpenStack with OVN networking | | cloud-native | Provider LB | AWS (not GA for cluster provisioning, but usable for services) |

Evidence: internal/config/types_kubernetes.go NetworkPlugin, docs/operations/configure-networking.md

openCenter uses Gateway API as the standard ingress model. It replaces the older Ingress resource with a more expressive, role-oriented API.

Services follow a predictable hostname pattern:

Example: auth.my-org.production.sjc3.k8s.opencenter.cloud

Configure the base domain and cluster FQDN:

cert-manager automatically provisions TLS certificates for HTTPRoute hostnames using Let’s Encrypt (or a custom ACME server):

For internal CAs, provide a custom CA certificate:

Evidence: docs/reference/platform-services.md gateway-api/gateway/cert-manager

Kubespray configures the API server with Pod Security Admission:

| Level | Mode | Effect | | --- | --- | --- | | Baseline | Enforce | Blocks known privilege escalations (no privileged containers, no host namespaces) | | Restricted | Audit | Logs violations of restricted policy | | Restricted | Warn | Warns users about restricted violations |

Specific namespaces can be exempted:

17 ClusterPolicies enforce baseline security across all namespaces:

Kyverno operates independently of Pod Security Admission, providing a second enforcement layer.

Platform services (FluxCD, OLM) ship with NetworkPolicies that restrict traffic to known peers. Application teams should add their own NetworkPolicies following the patterns in openCenter-customer-app-example.

When os_hardening: true, Kubespray applies kernel-level security:

For zero-trust or multi-tenant environments, Istio provides mTLS between all pods. This is not enabled by default because it adds operational complexity.

Evidence: internal/config/types_security.go, docs/concepts/security-model.md

openCenter uses a dual-encryption strategy:

| Key Type | Rotation Period | Storage | | --- | --- | --- | | Age encryption key | 90 days | secrets/age/<cluster>_keys.txt | | SSH deploy key | 180 days | secrets/ssh/ |

Rotation uses a dual-key strategy: the new key encrypts new secrets while the old key remains valid for decryption, ensuring zero-downtime rotation.

Evidence: internal/sops/manager.go, docs/concepts/security-model.md

The storage driver depends on the infrastructure provider:

| Provider | CSI Driver | Default Storage Class | Dynamic Provisioning | | --- | --- | --- | --- | | OpenStack | Cinder CSI | csi-cinder-sc-delete | Yes | | VMware | vSphere CSI | vsphere-sc | Yes | | Bare metal | Longhorn | longhorn | Yes | | Kind | Local path | standard | Yes (host path) |

Longhorn provides replicated block storage for environments without a cloud storage backend. It runs on worker nodes and replicates data across them.

Enable Longhorn:

Longhorn is recommended for bare metal and can supplement cloud CSI drivers for workloads that need cross-node replication.

The external-snapshotter service provides VolumeSnapshot CRDs. It works with any CSI driver that supports snapshots (Cinder, vSphere, Longhorn).

Node boot volumes are configurable per provider:

Evidence: internal/config/types_storage.go, internal/config/types_kubernetes.go StoragePlugin

openCenter enforces policy at two independent layers:

| Layer | Engine | Scope | Action | | --- | --- | --- | --- | | Cluster | Pod Security Admission | Namespace-level | Enforce/Audit/Warn | | Resource | Kyverno | Resource-level | Validate/Mutate/Generate |

The 17 default ClusterPolicies cover the Kubernetes Pod Security Standards baseline:

These policies are deployed via FluxCD from openCenter-gitops-base and apply to all namespaces except those explicitly exempted.

Add custom Kyverno policies in the cluster overlay:

Namespaces that need elevated privileges (e.g., kube-system, flux-system) are exempted at the Pod Security Admission level via pod_security_exemptions in the cluster configuration.

Evidence: docs/concepts/security-model.md, docs/reference/platform-services.md kyverno

Add workers by updating the configuration and re-running setup:

For OpenStack, new VMs are provisioned automatically. For VMware and bare metal, pre-provision the hosts and add their IPs to the worker_nodes array.

Separate pools allow different instance types for different workloads:

| Dimension | Validated Maximum | | --- | --- | | Control plane nodes | 100 | | Worker nodes (per pool) | 1,000 | | Windows workers (per pool) | 100 | | Additional worker pools | No hard limit (validated per pool) |

Pod density depends on the CNI and node size. Calico and Cilium both support the Kubernetes default of 110 pods per node. Adjust via Kubespray if needed.

Evidence: internal/config/types_kubernetes.go KubernetesConfig validation tags

openCenter provides two complementary backup mechanisms:

| Mechanism | What It Backs Up | Schedule | Retention | | --- | --- | --- | --- | | etcd snapshots | Cluster state (all API objects) | Every 6h (prod) | 30 days | | Velero | Application resources + persistent volumes | Daily (prod) | 90 days |

| Scenario | Recovery Method | RTO | | --- | --- | --- | | Single pod failure | Kubernetes self-healing | Seconds | | Node failure | Kubernetes reschedules pods | Minutes | | etcd corruption | Restore from etcd snapshot | 30—​60 minutes | | Application deletion | Velero restore | 15—​30 minutes | | Full cluster loss | Rebuild from GitOps repo + restore data | 1—​2 hours | | Cross-cluster migration | Velero backup/restore to new cluster | 1—​2 hours |

Because all cluster configuration lives in Git, a full cluster rebuild is deterministic:

The Git repository is the recovery artifact. Protect it accordingly.

For multi-region deployments, each region gets its own cluster with its own GitOps overlay. Shared configuration lives in openCenter-gitops-base. Region-specific overrides live in the cluster overlay.

Evidence: docs/operations/backup-and-restore.md, docs/reference/platform-services.md velero/etcd-backup

openCenter deploys a complete observability pipeline:

Components: Prometheus, Grafana, Alertmanager, node-exporter, kube-state-metrics.

Configure storage:

Alertmanager supports webhook integration for external alerting systems:

Loki supports two storage backends:

| Backend | Use When | Configuration | | --- | --- | --- | | Swift (OpenStack) | OpenStack deployments | loki_storage_type: "swift" | | S3 | AWS or S3-compatible storage | loki_storage_type: "s3" |

Tempo receives OpenTelemetry (OTLP) spans and stores them in S3-compatible storage. Grafana queries Tempo for trace visualization.

The OpenTelemetry Collector can be enabled to receive, process, and export telemetry data (metrics, logs, traces) in a vendor-neutral format.

Evidence: docs/reference/platform-services.md kube-prometheus-stack/loki/tempo

| Stage | Command | What It Does | | --- | --- | --- | | Initialize | opencenter cluster init | Creates configuration file with defaults | | Edit | opencenter cluster edit | Opens configuration in editor | | Validate | opencenter cluster validate | Schema + business rules + provider checks | | Setup | opencenter cluster generate | Generates GitOps repository | | Bootstrap | opencenter cluster deploy | Deploys FluxCD, starts reconciliation | | Status | opencenter cluster status | Shows cluster and service health | | Destroy | opencenter cluster destroy | Tears down infrastructure |

openCenter can detect configuration drift between the desired state (Git) and actual state (cluster/infrastructure):

| Provider | Drift Detection | Auto-Reconcile | | --- | --- | --- | | OpenStack | Yes | Limited | | VMware | Yes | No | | Bare metal | No | No | | Kind | No | No |

FluxCD handles application-level drift automatically by continuously reconciling Git state to the cluster.

| Operation | Method | | --- | --- | | Upgrade Kubernetes | Update version in config, re-run setup, Kubespray handles rolling upgrade | | Add workers | Update worker_count, re-run setup | | Enable/disable services | Toggle enabled flag, commit, FluxCD reconciles | | Rotate secrets | opencenter secrets keys rotate --cluster <cluster> --type age | | Backup | Automated via etcd-backup and Velero schedules | | Restore | velero restore create --from-backup <name> |

Evidence: docs/reference/cli-commands.md, docs/concepts/drift-detection.md

| Provider | Cost Lever | Approach | | --- | --- | --- | | OpenStack | Instance flavors | Right-size flavors for workload. Use smaller flavors for dev/staging. | | OpenStack | Storage | Use HA-Standard volumes for non-critical workloads, HA-Performance for databases. | | VMware | VM sizing | Align VM resources with actual utilization. Monitor via Prometheus. | | Bare metal | Hardware utilization | Maximize pod density per node. Use additional worker pools for burst capacity. | | All | Observability storage | Set appropriate retention periods for Prometheus (15d default), Loki, and Tempo. | | All | Backup retention | Match retention to compliance requirements, not "just in case." |

Use the deployed kube-prometheus-stack to monitor resource utilization:

Right-size nodes and storage based on observed utilization, not initial estimates.