Key Capabilities
Capability 1 — Service Self-Service
A product engineer runs create-service in Backstage and selects the system (domain, repo, and AppProject resolve automatically), service name and type (api / worker / frontend / grpc / cronjob), container image, port, resource profile, and target environments.
The template scaffolds a complete GitHub application repository (with Dockerfile, GitHub Actions CI pipeline, and TechDocs base), generates k8s manifests for each environment with correct labels, ResourceQuota, NetworkPolicy, HPA, and PDB, opens two GitOps PRs, and registers the Component in the catalog. The service is running in dev within minutes of both PRs being merged.
Capability 2 — Infrastructure Self-Service
A tech lead runs create-resource in Backstage and selects a cloud provider and resource type, the ownership level (domain / system / component), and provider-specific config.
The template creates Crossplane Claims per environment with env-appropriate sizing (dev: minimal, prod: HA), sets deletionPolicy: Orphan on prod, opens one PR on the domain repo, and registers Resource entities in the catalog. No platform team involvement required.
Capability 3 — Full-Stack Observability in Backstage
On the Component page for gateway-api:
- Kubernetes tab — pod health per env per cluster via a single label selector (project=payments,service=api finds all envs on all clusters automatically)
- ArgoCD tab — sync status and current image tag per env
- Relations tab — full dependency graph (databases, queues, caches this service uses)
- Resource pages — each linked resource shows Crossplane READY/SYNCED status
Capability 4 — Convention Enforcement
Every domain repo runs a validation CI workflow (validate-conventions.yaml) that checks namespace naming (via validate-namespaces.sh), all 9 required labels, container resource limits, Kubernetes schema validation (kubeconform), and ArgoCD dry-run diff. Convention violations block the PR merge. No exception path exists.
Capability 5 — Team Onboarding in Minutes
- create-group — creates Group entity, RBAC bindings for owned domains, ArgoCD project roles
- create-user (once per member) — creates User entity, RBAC bindings, ArgoCD user access
After merging both PRs, new members can log into Backstage, ArgoCD, and Kubernetes with the correct access level. No manual ticket required.
Capability 6 — Secure Secrets Management
A developer needing to store sensitive configuration runs the create-secret template in Backstage. They locally encrypt their plain-text secret using the kubeseal CLI with the cluster's public certificate, and provide the encrypted payload to the template.
The template securely registers the SealedSecret manifest in the domain's GitOps repository. The platform's sealed-secrets controller automatically decrypts it inside the cluster into a standard Kubernetes Secret. No plain-text secrets are ever committed to Git, and developers self-serve without opening tickets.
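A repository-side guard for the "no plain-text secrets in Git" rule could look like the following. This is an added example, not the platform's own validation code; the function name find_secret_violations and the sample manifests are assumptions, and the check is line-based, so it expects manifests in the plain block style a template would generate.

```python
import re
DOC_SPLIT = re.compile(r"^---[ \t]*$", re.M)
# Column-0 keys only, so a nested "kind:" under spec.template is not matched.
KIND_RE = re.compile(r"^kind:[ \t]*(\w+)[ \t]*$", re.M)
NAME_RE = re.compile(r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", re.M)
# encryptedData must be a mapping with at least one "key: value" entry.
SEALED_RE = re.compile(r"^[ \t]+encryptedData:[ \t]*\n[ \t]+\S+:[ \t]*\S+", re.M)

def find_secret_violations(manifest_text):
    """Return (doc_index, kind, name, reason) for each document that should block the PR."""
    docs = [d for d in DOC_SPLIT.split(manifest_text) if d.strip()]
    violations = []
    for idx, doc in enumerate(docs):
        kind_m, name_m = KIND_RE.search(doc), NAME_RE.search(doc)
        kind = kind_m.group(1) if kind_m else None
        name = name_m.group(1) if name_m else "<unnamed>"
        if kind == "Secret":
            violations.append((idx, kind, name, "plain Secret in Git"))
        elif kind == "SealedSecret" and not SEALED_RE.search(doc):
            violations.append((idx, kind, name, "no encryptedData entries"))
    return violations

# Constructed sample: names and the ciphertext value are placeholders.
SAMPLE = """\
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: db-credentials
spec:
  encryptedData:
    password: AgB-constructed-ciphertext-placeholder
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials-plain
stringData:
  password: constructed-plaintext
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
  name: broken-sealed
spec:
  encryptedData: {}
"""

if __name__ == "__main__":
    print(find_secret_violations(SAMPLE))
```

Run against every changed manifest in a PR, a non-empty result would fail the check in the same way the convention violations in Capability 4 block a merge.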