Platform Mesh

Appearance

kcp-operator

kcp-operator is the Kubernetes operator that deploys and manages a kcp installation. Platform Mesh ships kcp-operator as a chart in helm-charts and uses its CRDs to provision the kcp control plane.

This page covers the operator CRs Platform Mesh applies. The operator itself is upstream; this is reference for how Platform Mesh wires it up.

Primitives

CRDPlatform Mesh role
RootShardDefines the root kcp shard (image, etcd, certificates, cache). Platform Mesh ships one per environment.
ShardAdditional shards in a sharded deployment. See kcp sharding.
FrontProxyThe single TLS-terminating ingress. References a RootShard.
CacheServerCross-shard cache for replicated kcp resources. Embedded inside RootShard in non-sharded setups.
KubeconfigGenerates client kubeconfigs scoped to specific paths and identities. Platform Mesh uses this for operator service accounts.

RootShard and FrontProxy

The minimal kcp deployment is a RootShard plus a FrontProxy. Platform Mesh's resource-broker example ships a working pair (production setups override the etcd, image tag, hostnames, and cert issuer):

yaml
# resource-broker/examples/kcp-certs/platform/kcp.yaml
apiVersion: operator.kcp.io/v1alpha1
kind: RootShard
metadata:
  name: root
spec:
  image:
    tag: v0.30.0
  shardBaseURL: https://broker-platform-control-plane:32111
  external:
    hostname: broker-platform-control-plane
    port: 32443
  certificates:
    issuerRef:
      group: cert-manager.io
      kind: Issuer
      name: selfsigned
  cache:
    embedded:
      enabled: true
  etcd:
    endpoints: [http://kcp-etcd-client.default.svc.cluster.local:2379]
---
apiVersion: operator.kcp.io/v1alpha1
kind: FrontProxy
metadata:
  name: frontproxy
spec:
  rootShard:
    ref:
      name: root
  certificateTemplates:
    server:
      spec:
        dnsNames: [localhost]
        ipAddresses: [127.0.0.1]

In sharded local-setup, embedded.cache.enabled is replaced by a separate CacheServer and additional Shard CRs. See kcp sharding.

Kubeconfig

Platform Mesh operators (account-operator, security-operator, api-syncagent) need scoped kubeconfigs. The operator generates them from Kubeconfig CRs that reference the target RootShard or FrontProxy and the workspace path the kubeconfig should default to. The generated kubeconfig is mounted into the operator pod by helm-charts.

Repository

  • kcp — what this operator deploys
  • kcp sharding — sharded RootShard + Shard + CacheServer topology
EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

kcp-operator | Platform Mesh is a project of NeoNephos Foundation. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.