βββββββ βββ ββββββ βββββββββββββββββ βββββββ βββββββ ββββ ββββ βββ
βββββββββββ βββββββββββββββββββββββββββββββββββββββββββββββ βββββ ββββ
βββββββββββ ββββββββ βββ ββββββ βββ ββββββββββββββββββββββ ββββ
βββββββ βββ ββββββββ βββ ββββββ βββ ββββββββββββββββββββββ βββ
βββ βββββββββββ βββ βββ βββ ββββββββββββ ββββββ βββ βββ βββ
βββ βββββββββββ βββ βββ βββ βββββββ βββ ββββββ βββ βββ
Internal Developer Platform β from idea to production in under 10 minutes.
Developer fills Backstage form
β
βΌ
Crossplane provisions: ArgoCD watches git β
ββ RDS PostgreSQL auto-deploys every push
ββ S3 Bucket β
ββ ElastiCache Redis βΌ
ββ Kubernetes namespace Kyverno enforces:
β ββ Required labels
βΌ ββ Resource limits
OTel Collector (auto-injected) ββ OTel env injection
ββ Metrics β Prometheus ββ Cosign signatures (Audit)
ββ Traces β Tempo
ββ Logs β Loki β Grafana
No tickets. No waiting. No toil.
Every image reference, GitOps repo URL, and Go module path uses YOUR_ORG as a placeholder.
Run this once from the project root before any other command:
ORG=your-github-org-name # e.g. acme-corp
grep -rl "YOUR_ORG" . \
--include="*.yaml" \
--include="*.mod" \
--include="*.go" \
| xargs sed -i "s/YOUR_ORG/${ORG}/g"That's the only change required for local Codespaces dev.
- Push this repo to
github.com/YOUR_ORG/platform-one - Click Code β Codespaces β Create codespace on main
- Wait ~8 minutes β
bootstrap.shruns fully automatically - All UIs appear as forwarded ports in the Codespaces panel
# 1. Scaffold the directory structure
bash init.sh ./platform-one && cd platform-one
# 2. Replace org placeholder
grep -rl "YOUR_ORG" . --include="*.yaml" --include="*.mod" \
| xargs sed -i "s/YOUR_ORG/your-org/g"
# 3. Bootstrap everything
bash .devcontainer/bootstrap.sh
# 4. Open all UIs via port-forward
make pf
# 5. Seed Vault with platform secrets
make vault-setup| Service | URL | Credentials |
|---|---|---|
| Platform Portal | http://localhost:8080 | β |
| ArgoCD | http://localhost:8090 | admin / make argocd-pw |
| Grafana | http://localhost:3000 | admin / prom-operator |
| Prometheus | http://localhost:9090 | β |
| Vault | http://localhost:8200 | token: root |
make help # Full command reference
# ββ Cluster βββββββββββββββββββββββββββββββββββββββββββββββ
make bootstrap # Full install: cluster + all infra (idempotent)
make up # Start a stopped cluster
make down # Stop cluster, preserve state
make reset # Destroy + recreate from scratch
# ββ Access ββββββββββββββββββββββββββββββββββββββββββββββββ
make pf # Start port-forwards for all UIs
make pf-stop # Stop port-forwards
make argocd-pw # Print ArgoCD admin password
make status # Show pod + ArgoCD app health
# ββ Platform ops ββββββββββββββββββββββββββββββββββββββββββ
make vault-setup # Seed Vault + configure k8s auth
make apply-policies # Apply/update Kyverno policies
make apply-xrds # Apply Crossplane XRDs + compositions
# ββ Development βββββββββββββββββββββββββββββββββββββββββββ
make portal-dev # Run portal locally, no k8s needed
make build-all # Build all Docker images
make lint # conftest policy checks on k8s manifests
make test # Run Go unit tests
make logs # Tail logs from all app podsplatform-one/
β
βββ π init.sh β Scaffold entire skeleton in one command
βββ π Makefile β All operational commands
β
βββ π .devcontainer/
β βββ devcontainer.json β Codespaces: 4 CPU, 16 GB, auto-bootstrap
β βββ bootstrap.sh β Full idempotent cluster + infra install
β
βββ π .github/workflows/
β βββ ci.yaml β Trivy + Checkov + cosign + GitOps push
β βββ portal.yaml β Portal image build + sign + deploy
β
βββ π apps/
β βββ microservice/ β Go REST API (Prometheus, distroless, non-root)
β β βββ cmd/server/main.go β HTTP server with /healthz /metrics /api/items
β β βββ go.mod
β β βββ Dockerfile β Multi-stage, gcr.io/distroless/static
β β βββ k8s/ β Namespace + Deployment + Service + Ingress
β β βββ rollout.yaml β Argo Rollouts canary + AnalysisTemplates
β β
β βββ frontend/ β React + Vite SPA (Nginx, 8080, non-root)
β β βββ src/ β React source (replace with your app)
β β βββ Dockerfile β Node build β Nginx serve
β β βββ k8s/ β Namespace + Deployment + Service + Ingress
β β
β βββ kafka-consumer/ β Go Kafka consumer (DLQ, OTel, Prometheus)
β βββ cmd/consumer/main.go β Sarama consumer group with dead-letter queue
β βββ go.mod
β βββ Dockerfile
β βββ k8s/ β Namespace + Deployment + ConfigMap + Service
β
βββ π backstage/templates/
β βββ rest-microservice-template.yaml β Form β repo + ArgoCD app + Crossplane infra
β βββ frontend-app-template.yaml
β βββ kafka-consumer-template.yaml
β
βββ π infrastructure/
β βββ argocd/
β β βββ helm-values.yaml β ArgoCD Helm config (insecure local mode)
β β βββ apps/
β β β βββ root-app.yaml β App-of-apps bootstrap point
β β β βββ portal.yaml β Platform portal ArgoCD app
β β β βββ tenant-apps.yaml β ApplicationSet: auto-discovers apps/*
β β βββ apps-infra/ β Infra app defs (reference; managed by Helm)
β β βββ projects/platform-project.yaml
β β
β βββ crossplane/
β β βββ xrds/ β AppEnvironment CRD definition
β β βββ compositions/ β AWS: RDS + S3 + ElastiCache + namespace
β β
β βββ cert-manager/cluster-issuer.yamlβ Self-signed CA for local dev
β βββ external-secrets/ β ClusterSecretStore + ExternalSecret examples
β βββ monitoring/ β kube-prometheus-stack + Loki Helm values
β βββ vault/helm-values.yaml β Vault dev mode (root token)
β
βββ π observability/
β βββ otel/collector-config.yaml β ConfigMap + OpenTelemetryCollector CR
β βββ grafana/dora-slo-dashboard.json β DORA 4 metrics + SLO burn rate dashboard
β
βββ π policies/
β βββ kyverno/policy-bundle.yaml β 5 policies (labels, limits, registries, OTel, cosign)
β βββ rego/k8s.rego β conftest policies for CI gates
β
βββ π portal/
β βββ server.js β Zero-dependency Node.js server (built-ins only)
β βββ public/index.html β Full IDP dashboard UI
β βββ Dockerfile β node:20-alpine, zero npm installs in k8s
β βββ k8s/ β Namespace + RBAC + Deployment + Ingress
β
βββ π scripts/
βββ setup-vault.sh β Seed secrets + configure k8s auth
βββ port-forward.sh β Open all UIs [start|stop|status]
Backstage Software Templates (3 golden paths: REST API, Frontend, Kafka Consumer). Each template creates a GitHub repo, registers in the Software Catalog, creates an ArgoCD Application, and fires a Crossplane Composite Resource Claim β all in one form submit.
ArgoCD with an ApplicationSet that auto-discovers every apps/*/k8s/ directory.
Every new repo gets a fully managed ArgoCD Application with automated sync and self-heal.
Argo Rollouts handles progressive delivery with Prometheus-gated canary analysis.
Kyverno with five policies applied at admission time:
| Policy | Mode | What it does |
|---|---|---|
require-labels |
Enforce | Blocks any Deployment missing team or app.kubernetes.io/name |
require-resource-limits |
Enforce | Blocks any Pod without CPU + memory limits |
restrict-image-registries |
Audit | Reports images not from approved registries |
inject-otel-env |
Mutate | Adds OTEL_* env vars to pods in labelled namespaces |
verify-image-signatures |
Audit | Reports unsigned images (cosign keyless) |
Crossplane AppEnvironment Composite Resource provisions:
RDS PostgreSQL + S3 bucket + optional ElastiCache Redis + Kubernetes namespace β all from one kubectl apply.
OpenTelemetry Collector running as a Deployment:
- Metrics β Prometheus (remote write)
- Traces β Tempo
- Logs β Loki
All correlated in Grafana via exemplars. DORA metrics dashboard included.
Week 1-2 ββββββββββββββββββββ k3d + ArgoCD + GitOps structure
Week 3-4 ββββββββββββββββββββ Backstage + 3 Software Templates
Week 5-6 ββββββββββββββββββββ Crossplane XRDs + AWS provisioning
Week 7-8 ββββββββββββββββββββ Vault + ESO + Kyverno policies
Week 9-10 ββββββββββββββββββββ Argo Rollouts + OTel pipeline
Week 11-12 ββββββββββββββββββββ Karpenter + CI gates + DORA dashboard
Additional requirements beyond local dev:
# IAM roles needed
KarpenterNodeRole-platform-one
CrossplaneProviderRole # AmazonRDS*, AmazonS3*, AmazonElastiCache*, EKS*
# Additional placeholder to replace
your-ecr-account β your AWS account ID
# In: policies/kyverno/policy-bundle.yaml
# Secrets in AWS Secrets Manager
/platform-one/argocd/github-token
/platform-one/backstage/github-oauth-client-id
/platform-one/backstage/github-oauth-client-secret| Metric | Target | Elite threshold |
|---|---|---|
| Deployment Frequency | 14.2 /day | > 1/day |
| Lead Time for Changes | 23 min | < 1 hour |
| Change Failure Rate | 2.1 % | < 5% |
| MTTR | 18 min | < 1 hour |
- Zero-trust networking β SPIFFE/SPIRE workload identity (phase 6)
- Keyless image signing β cosign OIDC via GitHub Actions OIDC token
- No long-lived secrets β all secrets from Vault via External Secrets Operator
- Admission control β Kyverno blocks non-compliant workloads at API server
- Supply chain β Trivy + Checkov + conftest in every PR
- Audit mode for strict policies β cosign + registry restrictions are Audit in dev,
switch to Enforce in production by editing
validationFailureAction
Karpenter NodePool configured for spot/on-demand mix:
- Prefers spot instances (
karpenter.sh/capacity-type: spot) - Falls back to on-demand automatically
- Consolidates underutilised nodes every 30 seconds
- Expected saving: ~65% vs on-demand only
- Fork the repo
- Open in Codespaces (bootstrap runs automatically)
- Make changes in a branch
- CI runs:
trivy+checkov+confteston every PR - Merge β ArgoCD auto-deploys
Built with Backstage Β· Crossplane Β· ArgoCD Β· Kyverno Β· Vault Β· OpenTelemetry
β Star this repo if it saved you from filing a ticket