An opinionated, production-ready Kubernetes platform using GitOps principles.
This repository demonstrates how to build and operate a secure, scalable cloud-native platform. It showcases modern cloud-native technologies, GitOps workflows, and platform engineering best practices.
This is a reference implementation of a complete cloud-native platform that includes:
- 🔧 Infrastructure as Code: OpenTofu for AWS resources, Crossplane for application infrastructure
- 🚀 GitOps: Flux for continuous delivery and reconciliation
- 🔒 Security-First: Private PKI (OpenBao), zero-trust networking (Cilium), secrets management
- 📊 Observability: Metrics (VictoriaMetrics), logs (VictoriaLogs), dashboards (Grafana)
- 🎯 Developer Experience: Simple abstractions for complex infrastructure (Crossplane compositions)
- 💰 Cost-Optimized: SPOT instances, efficient monitoring, right-sized resources
The platform is organized in three layers:
- AWS Managed Services (left): Route53, ELB, KMS, IAM, S3 (Could be any other cloud provider that has these basic managed services)
- Platform Services (center): EKS cluster with Flux, Crossplane, security, networking, observability
- Applications (right): Harbor, Grafana, VictoriaMetrics, demo apps
Private Access: Tailscale VPN provides secure access to platform tools.
Secrets Management: OpenBao (open-source Vault fork) provides PKI and secret storage.
Get a complete platform running in under 30 minutes.
Ensure you have these tools and accounts ready:
- ✅ AWS Account with admin permissions
- ✅ Tools: OpenTofu, Terramate, kubectl, jq
- ✅ GitHub Account for GitOps (personal access token or GitHub App)
- ✅ Tailscale Account for VPN access
- ✅ Domain: Registered domain for Route53 DNS
Detailed prerequisites: OpenTofu Deployment Guide
1. Configure Global Variables
Edit opentofu/config.tm.hcl with your environment:
```hcl
globals {
  region           = "eu-west-3"
  eks_cluster_name = "mycluster-0"

  # Helm versions for EKS bootstrap
  cilium_version        = "1.18.5"
  flux_operator_version = "0.38.1"
  flux_instance_version = "0.38.1"

  # Flux sync and OpenBao configuration
  flux_sync_repository_url = "https://github.com/YOUR_ORG/cloud-native-ref.git"
  openbao_url              = "https://bao.priv.cloud.example.com:8200"
}
```

2. Set Secrets
```shell
export TF_VAR_tailscale_api_key=<YOUR_TAILSCALE_API_KEY>
```

3. Deploy Infrastructure
```shell
# Deploy network and OpenBao
cd opentofu
terramate script run deploy

# Deploy EKS (two-stage: cluster + Cilium/Flux)
cd eks/init && terramate script run deploy
```

This deploys in order:
- Network: VPC, subnets, Route53, Tailscale VPN (~5 min)
- OpenBao: 5-node HA cluster for secrets/PKI (~10 min)
- EKS: Kubernetes with Cilium CNI and Flux (~15 min)
4. Verify Deployment
```shell
# Network access
tailscale status

# OpenBao
export VAULT_ADDR=https://bao.priv.cloud.example.com:8200
# Only while your workstation does not yet trust the OpenBao private CA;
# drop this once the root CA is installed locally.
export VAULT_SKIP_VERIFY=true
bao status

# Kubernetes
aws eks update-kubeconfig --region eu-west-3 --name mycluster-0
kubectl get nodes
flux get all
```

Flux automatically deploys: Security (External Secrets, cert-manager), Infrastructure (Cilium, Gateway API), Observability (VictoriaMetrics, Grafana), and Tooling (Harbor, Headlamp, Homepage).
Full deployment guide: OpenTofu Documentation
Once deployed, access the Homepage dashboard for a unified view of all platform services:
Homepage provides:
- Quick links to all platform tools (Grafana, Harbor, Headlamp)
- Kubernetes cluster metrics
- Service health status
- Documentation bookmarks
This platform embraces progressive complexity: start simple, grow sophisticated without platform migrations.
Example: Deploy an application with just a container image:
```yaml
apiVersion: cloud.ogenki.io/v1alpha1
kind: App
metadata:
  name: xplane-myapp
  namespace: apps
spec:
  image:
    repository: ghcr.io/myorg/myapp
    tag: v1.0.0
```

As needs grow, add databases, caching, autoscaling, HA—all through the same interface. No rewriting, no migration.
Learn more: Crossplane App Composition
Git is the source of truth for infrastructure and applications:
- Commit to Git → Flux detects change → Reconciles to cluster
- No manual `kubectl apply`
- Complete audit trail
- Easy rollback (revert Git commit)
Learn more: GitOps with Flux
Security is built-in, not bolted-on:
- 🔐 Private PKI: OpenBao three-tier CA for TLS certificates
- 🛡️ Zero-Trust: Cilium Network Policies for micro-segmentation
- 🔑 Secrets Management: External Secrets syncs from AWS Secrets Manager/OpenBao
- 🚪 Private Access: Platform tools only via Tailscale VPN
- 👤 Identity: ZITADEL for authentication, EKS Pod Identity for AWS access
Learn more: Ingress and Network Access
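What the "Zero-Trust" bullet above looks like in practice, as an added example that is not from this repository: two CiliumNetworkPolicy objects (cilium.io/v2) for the `apps` namespace. The first puts every pod in the namespace into default-deny for both ingress and egress and allows only DNS to kube-dns; the second grants one workload exactly the flows it needs. Assumptions, all placeholders: the workload carries the label `app.kubernetes.io/name: myapp` and listens on 8080, the gateway data plane runs in a namespace named `gateway`, and its database is a CloudNativePG cluster named `myapp-db` (CloudNativePG labels its pods `cnpg.io/cluster: <name>`). The `enableDefaultDeny` field needs Cilium 1.16 or newer, which the pinned 1.18.5 satisfies.

```yaml
# Added example, not part of the repository. Placeholders: gateway namespace,
# app label, CloudNativePG cluster name.
---
# 1. Default-deny for every pod in "apps", both directions, with DNS as the
#    single exception so service names still resolve.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: default-deny-allow-dns
  namespace: apps
spec:
  description: "Default deny ingress and egress in apps; allow DNS to kube-dns only"
  endpointSelector: {}            # every endpoint in the namespace
  enableDefaultDeny:
    ingress: true
    egress: true
  egress:
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            "k8s:k8s-app": kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"   # DNS proxy sees every query; narrow to the domains you need
---
# 2. Explicit allow-list for myapp: HTTP from the gateway, PostgreSQL to its
#    CloudNativePG cluster. Everything else stays denied by policy 1.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: myapp
  namespace: apps
spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: myapp          # placeholder app label
  ingress:
    - fromEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": gateway   # placeholder gateway namespace
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
  egress:
    - toEndpoints:
        - matchLabels:
            cnpg.io/cluster: myapp-db        # placeholder CloudNativePG cluster name
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
```

Apply the default-deny policy first in a namespace that already carries explicit allow rules for its workloads, then confirm with `cilium policy get` or Hubble flow logs that only the expected flows are forwarded before rolling the pattern out to other namespaces; a missing allow rule shows up as dropped flows rather than as a silent failure.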
- 📖 OpenTofu Deployment - Infrastructure deployment guide
- 🔄 GitOps with Flux - How continuous delivery works
- 🏗️ Crossplane - Infrastructure compositions
- 🔐 Ingress and Network Access - Gateway API, TLS, Tailscale
- 👁️ Observability - Metrics, logs, tracing, alerting, dashboards
- 🧪 CI/CD Workflows - GitHub Actions, security scanning, validation
- 🛠️ Technology Choices - Why we chose each technology
- App Composition Detailed Guide - Complete reference (507 lines!)
- OpenBao PKI Setup - Certificate authority configuration
- cert-manager Integration - Automated TLS certificates
- ✅ High availability (multi-AZ, HA databases, Raft consensus)
- ✅ Disaster recovery (S3 backups, snapshot automation)
- ✅ Security hardening (private endpoints, least privilege IAM)
- ✅ Cost optimization (SPOT instances, efficient monitoring)
- ✅ Operational excellence (alerting, runbooks, observability)
```text
.
├── docs/                    # 📚 Documentation (you are here)
├── opentofu/                # 🔧 Infrastructure as Code
│   ├── network/             # VPC, Tailscale VPN
│   ├── openbao/             # Secrets management
│   └── eks/                 # Kubernetes cluster (two-stage)
│       ├── init/            # Stage 1: EKS + bootstrap addons
│       └── configure/       # Stage 2: Cilium + Flux
├── flux/                    # 🚀 Flux operator and configuration
├── clusters/mycluster-0/    # Cluster-specific Kustomizations
├── infrastructure/          # 🏗️ Platform infrastructure
│   └── base/crossplane/     # Crossplane compositions
├── security/                # 🔒 Security components
├── observability/           # 👁️ Monitoring and logging
├── tooling/                 # 🛠️ Platform tools
├── crds/                    # Custom Resource Definitions
└── scripts/                 # Automation scripts
```
| Technology | Purpose |
|---|---|
| Kubernetes (EKS) | Container orchestration platform |
| Crossplane | Infrastructure composition and abstraction |
| OpenTofu | Infrastructure as Code (Terraform alternative) |
| Terramate | OpenTofu orchestration and stack management |
| Flux | GitOps continuous delivery |
| Cilium | eBPF-based networking and security |
| Gateway API | Modern ingress and traffic routing |
| OpenBao | Secrets management and private PKI |
| VictoriaMetrics | High-performance metrics and monitoring |
| VictoriaLogs | Log aggregation and search |
| Grafana | Dashboards and visualization |
| CloudNativePG | PostgreSQL operator with HA |
| Harbor | Container and Helm registry |
| Tailscale | Zero-config VPN for private access |
| ZITADEL | Identity and access management |
| Karpenter | Kubernetes node autoscaling |
Full stack with rationale: Technology Choices
This repository is documented through a series of blog posts:
- Crossplane: Compositions and Functions
- TLS with Gateway API and Private PKI
- Tailscale: Simplifying Cloud Access
- VictoriaMetrics and Grafana Operators
- Effective Alerting with VictoriaMetrics
- Dagger: The Missing Piece of Developer Experience
- Crossplane Documentation
- Flux Documentation
- Gateway API
- Cilium Documentation
- VictoriaMetrics Documentation
We welcome contributions, feedback, and questions!
- 🗨️ Slack Channel: Chat with the community
- 💬 Discussions: Ideas, questions, roadmap
- 🐛 Issues: Bug reports and feature requests
- 📅 Project Board: Task tracking and priorities
Before contributing: Review SECURITY.md for security policy and CLAUDE.md for development guidelines.
This project is provided as a reference implementation. Please review individual component licenses.
This platform builds on the excellent work of many open-source projects:
- Crossplane team and community
- Flux maintainers and CNCF
- Cilium and eBPF ecosystem
- VictoriaMetrics developers
- OpenBao and Linux Foundation
- All the maintainers of the tools in this stack
Ready to get started? → OpenTofu Deployment Guide
Questions? → Join our Slack
Exploring? → Technology Choices

