Platform Services

Platform services (monitoring, logging, ingress, cert-manager) belong to the platform project and follow the same naming convention. Depending on the service, they run either only on the management cluster or on every cluster.

Namespace Layout

cluster-mgmt
├── argocd/ ← fixed, not convention
├── crossplane-system/ ← fixed, not convention
├── platform-mgmt-monitoring/
├── platform-mgmt-logging/
└── platform-mgmt-ingress/

cluster-dev / cluster-staging
├── platform-{env}-monitoring/
└── platform-{env}-logging/

cluster-prod (additional prod-only services)
├── platform-prod-monitoring/
├── platform-prod-logging/
├── platform-prod-ingress/ ← prod-only
└── platform-prod-cert-manager/ ← prod-only

Fixed Namespaces Carry Platform Labels

argocd and crossplane-system do not follow the naming convention but carry semantic labels for traceability:

metadata:
  name: argocd
  labels:
    project: platform
    service: argocd
    env: mgmt
    backstage.io/component: platform-argocd
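A policy check for the convention above, written as an added example rather than the project's own tooling: it accepts the fixed namespaces (argocd, crossplane-system) on the strength of their labels alone, and requires every other platform namespace to match platform-{env}-{service} with env and service labels that agree with the name. The sample manifests are constructed from the page's examples; the required label set and the env values are taken from the page, and the exact value expected for backstage.io/component is deliberately not enforced because the page only shows it for argocd.

```python
import re

# Added example, not the project's own code. Policy constants below are
# taken from the page; the component-label value is not checked because the
# page shows it only for the argocd namespace.
ENVS = {"mgmt", "dev", "staging", "prod"}
FIXED_NAMESPACES = {"argocd", "crossplane-system"}
REQUIRED_LABELS = ("project", "service", "env", "backstage.io/component")
NAMING_RE = re.compile(
    r"^platform-(?P<env>mgmt|dev|staging|prod)-(?P<service>[a-z0-9-]+)$"
)


def check_namespace(manifest: dict) -> list[str]:
    """Return policy violations for one Namespace manifest ([] means compliant)."""
    problems = []
    meta = manifest.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    labels = meta.get("labels") or {}

    # Every platform namespace, fixed or not, must carry the traceability labels.
    for key in REQUIRED_LABELS:
        if key not in labels:
            problems.append(f"{name}: missing label {key}")
    if labels.get("project") != "platform":
        problems.append(f"{name}: label project must be 'platform'")
    if labels.get("env") not in ENVS:
        problems.append(f"{name}: label env must be one of {sorted(ENVS)}")

    # Fixed namespaces are exempt from the naming convention only.
    if name in FIXED_NAMESPACES:
        return problems

    match = NAMING_RE.match(name)
    if not match:
        problems.append(f"{name}: does not follow platform-{{env}}-{{service}} convention")
        return problems
    # Labels must agree with the name segments, otherwise traceability lies.
    if labels.get("env") != match.group("env"):
        problems.append(
            f"{name}: label env {labels.get('env')!r} disagrees with name segment {match.group('env')!r}"
        )
    if labels.get("service") != match.group("service"):
        problems.append(
            f"{name}: label service {labels.get('service')!r} disagrees with name segment {match.group('service')!r}"
        )
    return problems


# Constructed sample manifests modelled on the page's examples.
ARGOCD_NS = {"metadata": {"name": "argocd", "labels": {
    "project": "platform", "service": "argocd", "env": "mgmt",
    "backstage.io/component": "platform-argocd"}}}
CERT_MANAGER_NS = {"metadata": {"name": "platform-prod-cert-manager", "labels": {
    "project": "platform", "service": "cert-manager", "env": "prod",
    "backstage.io/component": "platform-cert-manager"}}}
MISLABELLED_NS = {"metadata": {"name": "platform-dev-logging", "labels": {
    "project": "platform", "service": "logging", "env": "prod",
    "backstage.io/component": "platform-logging"}}}

if __name__ == "__main__":
    for ns in (ARGOCD_NS, CERT_MANAGER_NS, MISLABELLED_NS):
        print(ns["metadata"]["name"], check_namespace(ns) or "ok")
```

Run it against the rendered Namespace manifests (for example from a pre-commit hook or a CI job) so a namespace that drifts from the convention, or whose labels contradict its name, fails before ArgoCD ever applies it.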

ApplicationSets for Platform (Multiple Sources)

Platform services use ArgoCD's Multiple Sources feature to deploy external Helm charts directly from their upstream repositories while injecting values.yaml from our GitOps repository. This avoids maintaining local Chart.yaml files.

# platform-gitops/argocd/applicationsets/platform-services-all.yaml
spec:
  generators:
    - matrix:
        generators:
          - list:
              elements:
                - service: sealed-secrets
                  wave: "-20"
                  chartRepo: https://bitnami-labs.github.io/sealed-secrets
                  chart: sealed-secrets
                  version: "2.13.3"
                # ...
          - clusters:
              selector:
                matchExpressions:
                  - {key: env, operator: In, values: [mgmt, dev, staging, prod]}
  template:
    spec:
      sources:
        - repoURL: "{{chartRepo}}"
          chart: "{{chart}}"
          targetRevision: "{{version}}"
          helm:
            valueFiles:
              - $values/k8s/platform/_base/{{service}}/values.yaml
              - $values/k8s/platform/{{name}}/{{service}}/values.yaml
        - repoURL: https://github.com/myorg/platform-gitops
          targetRevision: HEAD
          ref: values
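To make the matrix expansion concrete, here is an added example (not ArgoCD's code and not the project's own tooling) that does what the ApplicationSet controller does for this template: it takes the cartesian product of the list elements and the matching clusters, substitutes the {{...}} parameters into the multi-source template, orders the results by sync wave, and then flags any Application whose Helm chart source is not pinned to an exact version. The supply-chain point is that the first source pulls the chart straight from an upstream repository, so a floating targetRevision there would let an upstream publish change what gets deployed; the second source is the GitOps repository itself, where HEAD is what the page uses. Only the sealed-secrets element comes from the page; the other services, the cluster list, the Application naming scheme and the sync-wave annotation are assumptions for the example.

```python
import re
from itertools import product

# Added example, not the project's own code. Service entries other than
# sealed-secrets, the cluster list, the Application name pattern and the
# sync-wave annotation are constructed assumptions.
SERVICES = [
    {"service": "sealed-secrets", "wave": "-20",
     "chartRepo": "https://bitnami-labs.github.io/sealed-secrets",
     "chart": "sealed-secrets", "version": "2.13.3"},
    {"service": "example-pinned", "wave": "0",                      # constructed
     "chartRepo": "https://charts.example.invalid",
     "chart": "example", "version": "v1.4.2"},
    {"service": "example-floating", "wave": "+5",                   # constructed: the bad case
     "chartRepo": "https://charts.example.invalid",
     "chart": "floating", "version": "*"},
]
CLUSTERS = [  # constructed; {{name}} is the cluster name in ArgoCD's clusters generator
    {"name": "cluster-mgmt", "env": "mgmt"},
    {"name": "cluster-dev", "env": "dev"},
]

# The page's template, with two assumed fields: the Application name and the
# sync-wave annotation that turns the list element's "wave" into ordering.
TEMPLATE = {
    "name": "{{name}}-{{service}}",
    "annotations": {"argocd.argoproj.io/sync-wave": "{{wave}}"},
    "sources": [
        {"repoURL": "{{chartRepo}}", "chart": "{{chart}}",
         "targetRevision": "{{version}}",
         "helm": {"valueFiles": [
             "$values/k8s/platform/_base/{{service}}/values.yaml",
             "$values/k8s/platform/{{name}}/{{service}}/values.yaml"]}},
        {"repoURL": "https://github.com/myorg/platform-gitops",
         "targetRevision": "HEAD", "ref": "values"},
    ],
}

PARAM_RE = re.compile(r"\{\{(\w+)\}\}")
# Exact semver, optional leading "v", optional pre-release suffix.
EXACT_VERSION_RE = re.compile(r"^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")


def render(node, params: dict):
    """Substitute {{key}} placeholders throughout a nested template."""
    if isinstance(node, str):
        return PARAM_RE.sub(lambda m: params[m.group(1)], node)
    if isinstance(node, dict):
        return {k: render(v, params) for k, v in node.items()}
    if isinstance(node, list):
        return [render(v, params) for v in node]
    return node


def expand(services: list, clusters: list) -> list:
    """Matrix generator: one rendered Application per (service, cluster) pair."""
    apps = []
    for svc, cluster in product(services, clusters):
        params = {**cluster, **svc}          # list element keys win on collision
        app = render(TEMPLATE, params)
        app["sync_wave"] = int(svc["wave"])  # "+5" and "-20" both parse
        apps.append(app)
    # Stable sort keeps cluster order within a wave, as the generator emitted it.
    return sorted(apps, key=lambda a: a["sync_wave"])


def is_pinned(target_revision: str) -> bool:
    return bool(EXACT_VERSION_RE.match(target_revision))


def unpinned_charts(apps: list) -> list:
    """Names of Applications whose upstream Helm chart source floats."""
    return [a["name"] for a in apps
            if "chart" in a["sources"][0] and not is_pinned(a["sources"][0]["targetRevision"])]


if __name__ == "__main__":
    rendered = expand(SERVICES, CLUSTERS)
    for app in rendered:
        print(app["sync_wave"], app["name"], app["sources"][0]["targetRevision"])
    print("unpinned:", unpinned_charts(rendered))
```

The second values file path shows why {{name}} matters: it resolves to the cluster name from the clusters generator, so per-cluster overrides live under k8s/platform/<cluster>/<service>/, not under an env name. The pinning check is the one worth wiring into CI for the real ApplicationSet, since a version such as "*" or "1.x" on an upstream chart source silently turns every upstream release into a production change.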

Platform Services — Tier and Wave Reference

| Wave | Service | Tier |
|---|---|---|
| -20 | sealed-secrets | All clusters |
| -10 | cert-manager, reflector | All clusters |
| -5 | cloudnative-pg | All clusters |
| 0 | kong, kube-prometheus-stack, redis | All / mgmt |
| +5 | alloy, loki, pgadmin, redisinsight | All / mgmt |
| +10 | headlamp, n8n, ollama | mgmt only |

Tier A (all clusters): sealed-secrets, cert-manager, reflector, kong, kube-prometheus-stack, alloy, cloudnative-pg
Tier B (mgmt only): loki, headlamp, redis, redisinsight, pgadmin, n8n, ollama, argocd