openCenter LogoopenCenter
Back to Home

How It Actually Works

The openCenter platform architecture — from Git commit to production-ready cluster.

We're not just another managed Kubernetes. openCenter is a complete platform that goes beyond Day 1 deployment with GitOps automation, security hardening, observability, backup, and lifecycle management built in. These components are deployed and managed across the openCenter platform repositories, not this marketing site.

Phase 1 — Configure & Generate

openCenter CLI

Single YAML → full cluster

  • Declarative config for infra, K8s, services, and secrets
  • Multi-provider: OpenStack, VMware, AWS, Kind
  • Schema validation and business-rule checks
  • SOPS Age encryption with key lifecycle (90/180-day rotation)

GitOps Repository

Generated by CLI

  • Infrastructure-as-Code (OpenTofu / Terraform)
  • Kubespray inventory with security hardening
  • FluxCD manifests with Kustomize overlays
  • Encrypted secrets safe for version control

Air-Gap Packaging

openCenter AirGap

  • All images, charts, binaries in one Zarf artifact
  • Cryptographic signing and SBOM generation
  • Three-zone model: Factory → Airlock → Field
  • Bastion serves local registry and package repos
generates & provisions

Phase 2 — Platform Services (GitOps Base)

20+ Pre-Hardened Services

cert-managerKyvernoKeycloakHarborVeleroMetalLBLonghornGateway APICalicoHeadlampRBAC ManagerSealed SecretsPostgreSQL OperatorvSphere CSIOpenStack CSIOLM

Observability

Full-stack telemetry

  • Prometheus + Grafana + Alertmanager
  • Loki log aggregation
  • Tempo distributed tracing
  • OpenTelemetry collection

Security Layers

Defense in depth

  • 17 Kyverno ClusterPolicies
  • Pod Security Admission (baseline + restricted)
  • NetworkPolicies for platform services
  • RBAC via Keycloak OIDC groups
FluxCD reconciles

Phase 3 — Production Kubernetes Cluster

Infrastructure

Multi-provider

  • HA control plane (3 nodes)
  • Scalable worker pools
  • OpenStack / VMware / AWS / Bare Metal

GitOps Lifecycle

FluxCD continuous reconciliation

  • Drift detection and auto-remediation
  • Kustomize base + overlay composition
  • SOPS decryption at reconciliation time

Secrets Management

Dual encryption

  • SOPS Age encryption in Git
  • Kubernetes encryption at rest
  • Zero-downtime key rotation

Day-2 Operations

Ongoing management

  • Backup and disaster recovery (Velero)
  • Kubernetes version upgrades
  • Configuration drift detection
Runs on:OpenStack|VMware vSphere|AWS|Bare Metal|Air-Gapped Sites