Purpose: For platform engineers, shows how to enable, disable, and configure platform services, covering service selection through custom values.
openCenter deploys 20+ platform services by default. This guide shows you how to customize which services are deployed and how they’re configured.
Prerequisites
- openCenter CLI installed
- Cluster configuration created
- Understanding of Kubernetes services (helpful but not required)
List Available Services
See all available platform services:
opencenter cluster describe my-cluster
This shows services organized by category:
- Networking: Calico, Gateway API, Ingress
- Security: cert-manager, Keycloak, Kyverno
- Storage: Longhorn, OpenStack CSI, vSphere CSI
- Observability: Prometheus, Grafana, Loki, Tempo
- GitOps: FluxCD, Weave GitOps
- Backup: Velero, etcd-backup
- Management: Headlamp, OLM, RBAC Manager
Enable/Disable Services
Configure Service Settings
cert-manager Configuration
Configure Let’s Encrypt email and server:
opencenter:
  services:
    cert-manager:
      enabled: true
      email: "admin@example.com"
      letsencrypt_server: "https://acme-v02.api.letsencrypt.org/directory"
      region: "us-east-1"
For staging (testing):
opencenter:
  services:
    cert-manager:
      letsencrypt_server: "https://acme-staging-v02.api.letsencrypt.org/directory"
Keycloak Configuration
Configure identity and access management:
opencenter:
  services:
    keycloak:
      enabled: true
      hostname: "auth.my-org.my-cluster.sjc3.k8s.opencenter.cloud"
      realm: "opencenter"
      client_id: "kubernetes"
      frontend_url: "https://auth.my-org.my-cluster.sjc3.k8s.opencenter.cloud"
secrets:
  keycloak:
    client_secret: "your-client-secret"
    admin_password: "your-admin-password"
Prometheus Stack Configuration
Configure monitoring with custom storage:
opencenter:
  services:
    kube-prometheus-stack:
      enabled: true
      prometheus_volume_size: 100 # GB
      prometheus_storage_class: "csi-cinder-sc-delete"
      grafana_volume_size: 20 # GB
      grafana_storage_class: "csi-cinder-sc-delete"
      alertmanager_volume_size: 20 # GB
      alertmanager_storage_class: "csi-cinder-sc-delete"
secrets:
  grafana:
    admin_password: "your-grafana-password"
Loki Configuration
Configure log aggregation with S3 backend:
opencenter:
  services:
    loki:
      enabled: true
      volume_size: 50 # GB
      storage_class: "csi-cinder-sc-delete"
      bucket_name: "my-cluster-loki"
      swift_auth_url: "https://keystone.api.sjc3.rackspacecloud.com/v3/"
      swift_region: "SJC3"
      swift_domain_name: "Default"
secrets:
  loki:
    swift_password: "your-swift-password"
Tempo Configuration
Configure distributed tracing:
opencenter:
  services:
    tempo:
      enabled: true
      storage_type: "s3"
      bucket_name: "my-cluster-tempo"
      volume_size: 20 # GB
      storage_class: "csi-cinder-sc-delete"
      s3_endpoint: "https://swift.api.sjc3.rackspacecloud.com"
      s3_region: "SJC3"
      s3_force_path_style: false
      s3_insecure: false
secrets:
  tempo:
    access_key: "your-access-key"
    secret_key: "your-secret-key"
Headlamp Configuration
Configure Kubernetes dashboard:
opencenter:
  services:
    headlamp:
      enabled: true
      hostname: "dashboard.my-org.my-cluster.sjc3.k8s.opencenter.cloud"
      oidc_issuer_url: "https://auth.my-org.my-cluster.sjc3.k8s.opencenter.cloud/realms/opencenter"
      oidc_client_id: "kubernetes"
secrets:
  headlamp:
    oidc_client_secret: "your-oidc-secret"
Velero Configuration
Configure backup and disaster recovery:
opencenter:
  services:
    velero:
      enabled: true
      backup_bucket: "my-cluster-backups"
      region: "us-east-1"
vSphere CSI Configuration
For VMware environments only:
opencenter:
  services:
    vsphere-csi:
      enabled: true
      image_repository: "registry.k8s.io/csi-vsphere"
      image_tag: "v3.3.0"
secrets:
  vsphere_csi:
    vcenter_host: "vcenter.example.com"
    username: "administrator@vsphere.local"
    password: "your-vcenter-password"
    datacenters: "Datacenter1"
    insecure_flag: "false"
    port: "443"
Service Dependencies
Some services depend on others. Ensure dependencies are enabled:
Keycloak Dependencies
Keycloak requires:
- cert-manager (for TLS certificates)
- Gateway API (for ingress)
- postgres-operator (for database)

opencenter:
  services:
    cert-manager:
      enabled: true
    gateway-api:
      enabled: true
    postgres-operator:
      enabled: true
    keycloak:
      enabled: true
Provider-Specific Services
Minimal Service Configuration
For development or resource-constrained environments:
opencenter:
  services:
    # Core services only
    calico:
      enabled: true
    cert-manager:
      enabled: true
    fluxcd:
      enabled: true
    gateway-api:
      enabled: true
    gateway:
      enabled: true
    kyverno:
      enabled: true
    sources:
      enabled: true
    # Disable optional services
    keycloak:
      enabled: false
    headlamp:
      enabled: false
    kube-prometheus-stack:
      enabled: false
    loki:
      enabled: false
    tempo:
      enabled: false
    velero:
      enabled: false
    weave-gitops:
      enabled: false
Production Service Configuration
For production environments with full observability:
opencenter:
  services:
    # Core services
    calico:
      enabled: true
    cert-manager:
      enabled: true
    fluxcd:
      enabled: true
    gateway-api:
      enabled: true
    gateway:
      enabled: true
    kyverno:
      enabled: true
    # Security and access
    keycloak:
      enabled: true
    rbac-manager:
      enabled: true
    # Observability
    kube-prometheus-stack:
      enabled: true
      prometheus_volume_size: 100
    loki:
      enabled: true
      volume_size: 50
    tempo:
      enabled: true
    # Management
    headlamp:
      enabled: true
    olm:
      enabled: true
    # Backup
    velero:
      enabled: true
    etcd-backup:
      enabled: true
    # Storage
    external-snapshotter:
      enabled: true
Custom Service Images
Override default image repository and tag:
opencenter:
  services:
    vsphere-csi:
      enabled: true
      image_repository: "my-registry.example.com/csi-vsphere"
      image_tag: "v3.3.1"
GitOps Source Configuration
For managed services, configure GitOps source:
opencenter:
  managed_service:
    alert-proxy:
      enabled: true
      image_repository: "ghcr.io/opencenter-cloud/alert-proxy"
      image_tag: "latest"
      gitops_source_repo: "ssh://git@github.com/opencenter-cloud/opencenter-gitops-base.git"
      gitops_source_release: "v0.1.0"
      gitops_source_branch: "main"
      alertmanager_base_url: "http://alertmanager:9093"
      httproute_fqdn: "https://alerts.my-org.my-cluster.sjc3.k8s.opencenter.cloud"
Verify Service Configuration
After customizing services, validate configuration:
opencenter cluster validate
Check for:
- Missing required secrets
- Invalid service dependencies
- Configuration conflicts
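A local pre-commit lint in the same spirit, as an added example (it is not openCenter's own validation logic and does not replace `opencenter cluster validate`). It takes the configuration already parsed into a Python dict; the function names, the rule set, and the sample input are constructed for illustration, and the only dependency list it knows is the Keycloak one from this guide.

```python
# Added example: lint an already-parsed openCenter config (a dict) before commit.
# Rules and names are illustrative, not openCenter's own validation logic.
DEPENDENCIES = {"keycloak": ["cert-manager", "gateway-api", "postgres-operator"]}
INSECURE_KEYS = {"s3_insecure", "insecure_flag"}  # switches that relax TLS
STAGING_ACME = "acme-staging-v02.api.letsencrypt.org"

def walk(node, path=()):
    """Yield (path, value) for every leaf in nested dicts."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (key,))
    else:
        yield path, node

def lint_config(config, production=True):
    """Return a list of findings; an empty list means no rule fired."""
    findings = []
    services = config.get("opencenter", {}).get("services", {})
    # Rule 1: service enabled while a documented dependency is explicitly off.
    # Absent keys fall back to openCenter defaults, which this lint does not know.
    for name, deps in DEPENDENCIES.items():
        if services.get(name, {}).get("enabled") is True:
            for dep in deps:
                if services.get(dep, {}).get("enabled") is False:
                    findings.append(f"{name}: dependency {dep} is disabled")
    for path, value in walk(config):
        key, where, text = path[-1], ".".join(path), str(value).lower()
        # Rule 2: mutable tag; the running image can change without a commit.
        if key == "image_tag" and text == "latest":
            findings.append(f"{where}: mutable image tag")
        # Rule 3: TLS switched off (boolean or quoted-string form).
        elif key in INSECURE_KEYS and text == "true":
            findings.append(f"{where}: TLS protection disabled")
        # Rule 4: staging ACME issues untrusted certificates.
        elif key == "letsencrypt_server" and production and STAGING_ACME in text:
            findings.append(f"{where}: staging ACME server in production")
        # Rule 5: guide placeholder left in a secrets section.
        elif "secrets" in path and text.startswith("your-"):
            findings.append(f"{where}: placeholder secret not replaced")
    return findings

# Constructed sample input, not a real cluster configuration.
SAMPLE = {
    "opencenter": {
        "services": {"keycloak": {"enabled": True}, "postgres-operator": {"enabled": False},
                     "tempo": {"enabled": True, "s3_insecure": True}},
        "managed_service": {"alert-proxy": {"enabled": True, "image_tag": "latest"}}},
    "secrets": {"grafana": {"admin_password": "your-grafana-password"}},
}
```

`lint_config(SAMPLE)` returns four findings; pass `production=False` to allow the Let's Encrypt staging server on test clusters.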
Apply Service Changes
Regenerate GitOps repository with new service configuration:
opencenter cluster generate
This updates:
- Service manifests in applications/overlays/<cluster>/services/
- FluxCD Kustomization resources
- Service-specific configurations
Commit and push changes:
cd <git_dir>
git add .
git commit -m "Update service configuration"
git push
FluxCD will reconcile changes automatically (within 5-15 minutes).
Troubleshooting
Service Not Deploying
Problem: Service enabled but not deploying
Solution: Check FluxCD status:
kubectl get kustomizations -n flux-system
kubectl describe kustomization <service-name> -n flux-system
Common causes:
- Missing dependencies
- Invalid configuration
- SOPS decryption failure
Next Steps
- Configure Networking (configure-networking.md) - CNI and load balancer configuration
- Manage Secrets (manage-secrets.md) - Encrypt service secrets
- Backup and Restore (backup-and-restore.md) - Configure Velero backups
Evidence
This how-to guide is based on:
- Service configuration: internal/config/defaults.go:293-388
- Base service config: internal/config/services/base.go:1-35
- Service defaults: internal/config/defaults.go:295-388
- Platform services list: Session 2 B0 section 6
- Ecosystem services: Ecosystem.md infrastructure services
- Session 1 architecture: A2