Platform Services
Flux CD GitOps manifests for all platform services deployed on the RKE2 cluster. This is Layer 2 of the SRE architecture: everything here is reconciled automatically by Flux from this Git repository.
Structure
platform/
├── flux-system/          # Flux toolkit components and root sync configuration
├── core/                 # Required platform services (installed on every cluster)
│   ├── istio/            # Service mesh with mTLS
│   ├── kyverno/          # Policy enforcement engine
│   ├── monitoring/       # Prometheus + Grafana + AlertManager
│   ├── logging/          # Loki + Alloy log collection
│   ├── runtime-security/ # NeuVector runtime protection
│   ├── cert-manager/     # TLS certificate automation
│   ├── openbao/          # Secrets management (OpenBao + External Secrets Operator)
│   └── backup/           # Velero backup and disaster recovery
└── addons/               # Optional services (enabled per-deployment)
    ├── argocd/           # ArgoCD for app teams who prefer its UI
    ├── backstage/        # Developer portal
    ├── harbor/           # Container registry with Trivy scanning
    └── keycloak/         # SSO/OIDC identity provider
Reconciliation Order
Flux deploys components in dependency order via dependsOn:
istio → cert-manager → kyverno → monitoring → logging → openbao → harbor → neuvector → keycloak → tempo → velero
Each Component Contains
- namespace.yaml: Namespace with istio-injection: enabled
- helmrepository.yaml: Upstream Helm chart source
- helmrelease.yaml: Flux HelmRelease with pinned version, health checks, remediation
- kustomization.yaml: Flux Kustomization for orchestration
- network-policies/: Default deny + explicit allows
- README.md: Configuration and troubleshooting docs
See adding a platform component for the full pattern.
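As an added illustration of the per-component pattern and the dependsOn ordering above (example manifests written for this README, not copied from the repository), here is what the kyverno component's helmrelease.yaml, kustomization.yaml and default-deny network policy look like; the chart version is a placeholder, and the GitRepository name flux-system and the HelmRepository name kyverno are assumed.

```yaml
# helmrelease.yaml: pinned chart version plus install/upgrade remediation
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: kyverno
  namespace: kyverno
spec:
  interval: 10m
  chart:
    spec:
      chart: kyverno
      version: "<pinned-chart-version>"  # placeholder: pin the exact version, never a range
      sourceRef:
        kind: HelmRepository
        name: kyverno                    # assumed: defined in helmrepository.yaml alongside
  install:
    remediation:
      retries: 3                         # retry a failed install before giving up
  upgrade:
    remediation:
      retries: 3
      remediateLastFailure: true         # roll back if the final retry still fails
---
# kustomization.yaml: orders kyverno after cert-manager and gates on health
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kyverno
  namespace: flux-system
spec:
  interval: 10m
  path: ./platform/core/kyverno
  prune: true                            # remove resources deleted from Git
  wait: true                             # mark Ready only once applied objects are healthy
  sourceRef:
    kind: GitRepository
    name: flux-system                    # assumed: the bootstrap GitRepository
  dependsOn:
    - name: cert-manager                 # reconciles only after cert-manager is Ready
---
# network-policies/default-deny.yaml: deny all traffic, then add explicit allows beside it
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: kyverno
spec:
  podSelector: {}                        # empty selector matches every pod in the namespace
  policyTypes: ["Ingress", "Egress"]
```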