This directory contains GitOps application manifests that are deployed as part of the openCenter cluster provisioning workflow. All applications are managed using Flux CD and follow GitOps principles for declarative, version-controlled deployments.
## Directory Structure

```
applications/
├── base/                      # Base application configurations
│   ├── genestack-sources/     # Genestack GitOps repository sources
│   ├── managed-services/      # Rackspace-managed services
│   └── services/              # Core cluster services
└── policies/                  # Security and network policies
    ├── network-policies/      # Kubernetes network policies
    ├── pod-security-policies/ # Pod security standards
    └── rbac/                  # Role-based access controls
```
## Application Inventory

| Application | Category | Namespace | Purpose |
|---|---|---|---|
| cert-manager | Core Service | cert-manager | Automated certificate management |
| gateway-api | Core Service | gateway-api | Kubernetes Gateway API implementation |
| ingress-nginx | Core Service | ingress-nginx | NGINX-based ingress controller |
| keycloak | Core Service | keycloak | Identity and access management |
| kube-prometheus-stack | Core Service | observability | Complete monitoring and alerting stack |
| metallb | Core Service | metallb-system | Bare metal load balancer |
| olm | Core Service | olm | Operator Lifecycle Manager |
| opentelemetry-kube-stack | Core Service | observability | Complete OpenTelemetry observability stack |
| sealed-secrets | Core Service | sealed-secrets | Encrypted secrets management |
| velero | Core Service | velero | Cluster backup and disaster recovery |
| alert-proxy | Managed Service | rackspace | Rackspace alert aggregation |
| genestack-repo | Source Repository | flux-system | Genestack OpenStack deployment |
| openstack-helm | Source Repository | flux-system | OpenStack Helm charts |
| network-policies | Security Policy | Various | Kubernetes network segmentation |
| pod-security-policies | Security Policy | Various | Pod security standards enforcement |
| rbac | Security Policy | Various | Role-based access control |
## Core Services

### cert-manager

- Purpose: Automated certificate management for Kubernetes
- Source: Jetstack Helm repository (https://charts.jetstack.io)
- Namespace: cert-manager
- Features:
  - Let's Encrypt integration
  - Automatic certificate renewal
  - TLS certificate provisioning for ingress
### gateway-api

- Purpose: Kubernetes Gateway API implementation
- Namespace: gateway-api
- Features:
  - Next-generation ingress and traffic management
  - Advanced routing capabilities
  - Service mesh integration ready
### ingress-nginx

- Purpose: NGINX-based ingress controller
- Namespace: ingress-nginx
- Features:
  - HTTP/HTTPS load balancing
  - SSL termination
  - Path-based and host-based routing
### keycloak

- Purpose: Identity and access management
- Namespace: keycloak
- Features:
  - Single sign-on (SSO)
  - OAuth 2.0 and OpenID Connect
  - Multi-realm support
  - LDAP/Active Directory integration
### kube-prometheus-stack

- Purpose: Complete monitoring and alerting stack
- Namespace: observability
- Components:
  - Prometheus for metrics collection
  - Grafana for visualization
  - Alertmanager for alert handling
  - Node Exporter for node metrics
- Features:
  - Pre-configured dashboards
  - Alert rules for common scenarios
  - ServiceMonitor auto-discovery
### metallb

- Purpose: Bare metal load balancer for Kubernetes
- Namespace: metallb-system
- Features:
  - Layer 2 and BGP load balancing
  - IP address pool management
  - Service type LoadBalancer support
### olm

- Purpose: Operator Lifecycle Manager
- Namespace: olm
- Features:
  - Operator installation and management
  - Dependency resolution
  - Automatic updates
### opentelemetry-kube-stack

- Purpose: Complete OpenTelemetry observability stack for Kubernetes
- Source: OpenTelemetry Kube Stack Helm repository (https://charts.opentelemetry.io)
- Namespace: observability
- Features:
  - OpenTelemetry Operator for auto-instrumentation and collector management
  - Pre-configured OpenTelemetry Collector for metrics, traces, and logs
  - Automatic service discovery and monitoring
  - Multi-language auto-instrumentation support (Java, Node.js, Python, .NET, Go)
  - Integration with Prometheus and Jaeger for complete observability
  - Custom resource definitions for OpenTelemetry configuration
### sealed-secrets

- Purpose: Encrypted secrets management
- Namespace: sealed-secrets
- Features:
  - GitOps-friendly secret encryption
  - Public/private key encryption
  - Automatic secret decryption in cluster
### velero

- Purpose: Cluster backup and disaster recovery
- Namespace: velero
- Features:
  - Backup and restore Kubernetes resources
  - Persistent volume snapshots
  - Scheduled backups
  - Cross-cluster migration
## Managed Services

### alert-proxy

- Purpose: Rackspace alert aggregation and forwarding
- Namespace: rackspace
- Features:
  - Alert collection from monitoring systems
  - Integration with Rackspace support systems
  - Alert routing and escalation
## Source Repositories

### genestack-repo

- Purpose: GitOps source for Genestack OpenStack deployment
- Source: https://github.com/rackerlabs/genestack.git
- Version: release-2025.2.6
- Features:
  - OpenStack deployment automation
  - Helm chart aggregation
  - GitOps workflow integration
### openstack-helm

- Purpose: OpenStack Helm charts repository
- Features:
  - Production-ready OpenStack charts
  - Multi-node deployment support
  - HA configuration templates
## Security Policies

### network-policies

- Purpose: Kubernetes network segmentation
- Status: Template directory (placeholder.txt)
- Planned Features:
  - Namespace isolation
  - Ingress/egress traffic control
  - Zero-trust networking
### pod-security-policies

- Purpose: Pod security standards enforcement
- Status: Template directory (placeholder.txt)
- Planned Features:
  - Security context enforcement
  - Privilege escalation prevention
  - Container security standards
### rbac

- Purpose: Role-based access control
- Features:
  - Service account management
  - Role and ClusterRole definitions
  - Principle of least privilege
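The three policy areas above (network segmentation, pod security standards and least-privilege RBAC) are easiest to reason about as a single set of manifests for one application namespace. The following is an example written for this README, not the contents of the `policies/` directory: the namespace `example-app`, the role and service account names, and the `k8s-app: kube-dns` label used to reach cluster DNS are assumptions, and the `kubernetes.io/metadata.name` namespace label relies on Kubernetes 1.21 or later setting it automatically.

```yaml
# Example manifests added for this README; not the contents of policies/.
# "example-app" and the role/service-account names are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: example-app
  labels:
    # Pod Security Standards: the admission controller rejects pods that
    # violate the "restricted" profile (no privilege escalation, non-root, etc.)
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: restricted
---
# Default deny: nothing in the namespace may send or receive traffic
# unless a further NetworkPolicy explicitly allows it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: example-app
spec:
  podSelector: {}
  policyTypes: ["Ingress", "Egress"]
---
# Re-allow DNS egress to kube-dns, otherwise default-deny breaks name resolution.
# Assumes CoreDNS pods carry the label k8s-app=kube-dns in kube-system.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: example-app
spec:
  podSelector: {}
  policyTypes: ["Egress"]
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
---
# Ingress is only accepted from the ingress-nginx namespace listed in the inventory.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-ingress-nginx
  namespace: example-app
spec:
  podSelector: {}
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
---
# Least privilege: a dedicated ServiceAccount whose token is not mounted by
# default, bound to a namespaced Role that grants only read access to ConfigMaps.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-app
  namespace: example-app
automountServiceAccountToken: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: example-app-reader
  namespace: example-app
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-app-reader
  namespace: example-app
subjects:
  - kind: ServiceAccount
    name: example-app
    namespace: example-app
roleRef:
  kind: Role
  name: example-app-reader
  apiGroup: rbac.authorization.k8s.io
```

The ordering matters in practice: applying `default-deny-all` without the DNS and ingress allowances will silently break an application, so the allow rules belong in the same Kustomization as the deny rule. A Role rather than a ClusterRole keeps the grant scoped to the namespace, which is what the "principle of least privilege" bullet above asks for.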
## Configuration Patterns

All applications follow these patterns:

### Flux Resources

- HelmRepository: Defines Helm chart sources
- HelmRelease: Manages application deployments
- Kustomization: Handles plain Kubernetes manifests
- GitRepository: References external Git sources

### Common Settings

- Interval: 5-minute reconciliation cycles
- Timeout: 10-minute installation/upgrade timeouts
- Drift Detection: Enabled for configuration consistency
- Remediation: 3-retry policy with last-failure remediation
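To make the settings above concrete, here is a HelmRepository and HelmRelease pair for cert-manager written as an example for this README (it is not one of the manifests in `base/services/`): the repository object name `jetstack`, the chart version range `1.x` and the `createNamespace` choice are assumptions, and the interval, timeout, drift detection and remediation fields mirror the common settings listed above.

```yaml
# Example added for this README; not a manifest from this directory.
# The HelmRepository name and the chart version range are placeholders.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: jetstack
  namespace: flux-system
spec:
  interval: 5m                     # 5-minute reconciliation cycle
  url: https://charts.jetstack.io  # HTTPS only, as required by Security Considerations
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  interval: 5m                     # 5-minute reconciliation cycle
  timeout: 10m                     # 10-minute install/upgrade timeout
  chart:
    spec:
      chart: cert-manager
      version: "1.x"               # placeholder range; pin an exact version in a real manifest
      sourceRef:
        kind: HelmRepository
        name: jetstack
        namespace: flux-system
  driftDetection:
    mode: enabled                  # revert out-of-band edits to managed resources
  install:
    createNamespace: true          # assumption: the namespace is not created elsewhere
    crds: CreateReplace
    remediation:
      retries: 3                   # 3-retry policy
  upgrade:
    crds: CreateReplace
    remediation:
      retries: 3
      remediateLastFailure: true   # roll back if the last retry still fails
```

With `driftDetection.mode: enabled`, helm-controller compares the live resources against the rendered chart on every interval and corrects manual changes, which is what keeps `kubectl edit` from becoming a persistent configuration path. `remediateLastFailure: true` means a failed upgrade ends in a rollback rather than a half-applied release, so `kubectl get helmreleases -A` reports the release as not ready instead of leaving the cluster in an undefined state.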
## Namespaces

- cert-manager: Certificate management
- ingress-nginx: Ingress controllers
- observability: Monitoring and alerting
- metallb-system: Load balancing
- velero: Backup and recovery
- keycloak: Identity and access management
- rackspace: Managed services
- gateway-api: Next-gen traffic management
## Deployment Workflow

Applications are automatically deployed during cluster provisioning via the openCenter workflow:

1. Cluster Bootstrap: Infrastructure provisioning
2. Flux Installation: GitOps controller setup
3. Application Deployment: Flux processes application manifests
4. Configuration Sync: Continuous reconciliation with Git state
## Operations

```bash
# Check application status
kubectl get helmreleases -A

# View application logs
kubectl logs -n flux-system deploy/helm-controller

# Force reconciliation
flux reconcile helmrelease <app-name> -n <namespace>
```

## Customization

Applications can be customized through:
- Helm Values: Override default chart values
- Kustomizations: Patch base configurations
- Overlays: Environment-specific modifications
- ConfigMaps/Secrets: Runtime configuration
## Security Considerations

- All Helm repositories use HTTPS
- Applications follow least-privilege access patterns
- Network policies enforce traffic segmentation
- Pod security standards prevent privilege escalation
- Secrets are encrypted using sealed-secrets or SOPS
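The last bullet covers two mechanisms, and they are wired into Flux differently. The following example, added for this README and not taken from this repository, shows both: a Flux Kustomization that decrypts SOPS-encrypted manifests with an age key held in a cluster Secret, and a SealedSecret that can be committed to Git because only the sealed-secrets controller holds the private key. The path, the `flux-system` GitRepository name, the Secret names and the `encryptedData` value are placeholders.

```yaml
# Example added for this README; not a manifest from this repository.
# Path, names and the encryptedData value are placeholders.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: example-app-secrets
  namespace: flux-system
spec:
  interval: 5m
  sourceRef:
    kind: GitRepository
    name: flux-system              # assumption: the bootstrap GitRepository
  path: ./applications/base/services/example-app   # placeholder path
  prune: true
  decryption:
    provider: sops
    secretRef:
      name: sops-age               # Secret in flux-system holding the age private key;
                                   # it is never committed to Git
---
# A SealedSecret is safe to commit: encryptedData was produced with the
# controller's public key and only the controller in the cluster can decrypt it.
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: example-app-db
  namespace: example-app
spec:
  encryptedData:
    password: AgB...PLACEHOLDER...   # output of kubeseal, never a plaintext value
  template:
    metadata:
      name: example-app-db
      namespace: example-app
    type: Opaque
```

The practical check for either mechanism is the same: a plaintext `kind: Secret` with populated `data` or `stringData` should never appear in this directory, and a pre-commit or CI grep for those keys is a cheap way to enforce the bullet above.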
## Monitoring

The kube-prometheus-stack provides comprehensive monitoring:

- Metrics: Application and infrastructure metrics via Prometheus
- Dashboards: Pre-configured Grafana dashboards
- Alerts: Production-ready alerting rules
- Logs: Integration with cluster logging stack
## Maintenance

- Updates: Managed through GitOps workflow
- Backup: Velero provides application backup/restore
- Security: Regular security updates via Flux automation
- Monitoring: Health checks via Prometheus/Grafana
For application-specific documentation, see individual application directories and their respective upstream documentation.