# Component Dependencies & Requirements
This document analyzes which Platform Mesh components are essential for core functionality versus optional for extended features, based on the official Platform Mesh documentation.
## Overview
Platform Mesh follows a modular architecture where components can be enabled or disabled via the PlatformMesh custom resource. However, certain components form the architectural foundation and cannot be disabled without breaking core functionality.
## Essential Core Components
These components are mandatory for Platform Mesh to function:
### Control Plane Layer
| Component | Role | Documentation Reference |
|---|---|---|
| kcp (via kcp-operator) | Core control plane providing hierarchical workspaces, APIExport/APIBinding pattern, KRM-based API management | Control Planes |
| etcd-druid | Manages etcd cluster backend for kcp | Required by kcp |
| kcp-operator | Lifecycle management for kcp instances | Required for kcp deployment |
Why Essential:
"kcp serves as the foundation for service management through acting as the declarative API layer between providers and consumers, providing a consistent control plane for service management." — Platform Mesh Documentation
### Account & Security Layer
| Component | Role | Documentation Reference |
|---|---|---|
| account-operator | Implements the Account Model - manages organizations, shadow accounts, tenant spaces | Account Model |
| security-operator | Manages ReBAC tuples in OpenFGA, Keycloak realm provisioning for organizations | Account Model - Identity Management |
| OpenFGA | Relationship-Based Access Control (ReBAC) engine | Authorization backbone |
| rebac-authz-webhook | Authorization webhook connecting kcp to OpenFGA | Required when kcp.webhook.enabled: true |
Why Essential:
"The Account Model serves as the foundational fabric for managing interactions across a distributed cloud-edge continuum." — Platform Mesh Documentation
### Identity Layer
| Component | Role | Documentation Reference |
|---|---|---|
| Keycloak | Identity Provider for authentication | Account Model - Identity Management |
| Crossplane | Declarative provisioning of Keycloak realms and clients | Required for Keycloak automation |
Why Essential:
"Identity management within the account model delivers consistent authentication across the platform while preserving organizational control over user management." — Platform Mesh Documentation
### Infrastructure Layer
| Component | Role | Documentation Reference |
|---|---|---|
| Cert-Manager | TLS certificate management for all internal services | Getting Started |
| Flux | GitOps engine for deploying all Platform Mesh components via OCM | Core infrastructure |
| Traefik or Istio | Ingress controller / API Gateway (one required) | Networking layer |
| infra (Helm chart) | Bundles kcp configuration, Keycloak-Crossplane setup, Gateway resources | Configuration aggregator |
## Conditionally Required Components
These components are required for specific features but can be replaced or disabled in certain scenarios:
| Component | Condition | Alternatives |
|---|---|---|
| Traefik | Required if using Gateway API | Can use Istio instead (istio.enabled: true) |
| Istio | Required if using Istio service mesh | Can use Traefik instead (gatewayApi.enabled: true) |
| organization-idp | Required for multi-tenant identity | Part of Account Model |
| virtual-workspaces | Required if Portal is enabled | Provides Virtual Workspace API |
## Optional Components
These components provide extended functionality but are not required for core Platform Mesh operation:
### User Interface Layer
| Component | Purpose | Default | Notes |
|---|---|---|---|
| portal | Web UI for onboarding, self-service | enabled: true | Recommended for user experience |
| kubernetes-graphql-gateway | GraphQL API for Portal/UI | enabled: true | Required when Portal is used |
| marketplace-ui | Marketplace view in Portal | enabled: true | For marketplace scenarios |
| iam-service | Extended IAM functionality | enabled: false | Advanced identity scenarios |
| iam-ui | IAM administration UI | enabled: false | Advanced identity scenarios |
### Operations Layer
| Component | Purpose | Default | Notes |
|---|---|---|---|
| observability | Grafana, OpenTelemetry, tracing | enabled: false | Recommended for production |
| mailpit | Email testing (development only) | enabled: true (local) | Not for production |
### Extension Layer
| Component | Purpose | Default | Notes |
|---|---|---|---|
| extension-manager-operator | Extension lifecycle management | enabled: true | For advanced scenarios |
## Dependency Graph
```text
┌─────────────────────────────────────────────────────────────────────────┐
│                             INFRASTRUCTURE                              │
│                  Cert-Manager ← Flux ← OCM Controller                   │
│                       ↓                      ↓                          │
│                    Traefik              Gateway API                     │
└─────────────────────────────────────────────────────────────────────────┘
                                     ↓
┌─────────────────────────────────────────────────────────────────────────┐
│                          CONTROL PLANE (CORE)                           │
│       ┌─────────────┐    ┌─────────────┐    ┌──────────────────┐        │
│       │ kcp-operator│───→│     kcp     │←───│    etcd-druid    │        │
│       └─────────────┘    └─────────────┘    └──────────────────┘        │
│                                 ↓                                       │
│                          ┌─────────────┐                                │
│                          │    infra    │  (Gateway, Keycloak-Config)    │
│                          └─────────────┘                                │
└─────────────────────────────────────────────────────────────────────────┘
                                     ↓
┌─────────────────────────────────────────────────────────────────────────┐
│                        IDENTITY & AUTHORIZATION                         │
│       ┌─────────────┐    ┌─────────────┐    ┌──────────────────┐        │
│       │  Keycloak   │←───│ Crossplane  │    │     OpenFGA      │        │
│       └─────────────┘    └─────────────┘    └──────────────────┘        │
│              ↓                                       ↓                  │
│   ┌─────────────────────┐                ┌──────────────────────┐       │
│   │  security-operator  │───────────────→│ rebac-authz-webhook  │       │
│   └─────────────────────┘                └──────────────────────┘       │
└─────────────────────────────────────────────────────────────────────────┘
                                     ↓
┌─────────────────────────────────────────────────────────────────────────┐
│                           ACCOUNT MANAGEMENT                            │
│            ┌──────────────────┐    ┌──────────────────────┐             │
│            │ account-operator │    │ extension-manager-op │             │
│            └──────────────────┘    └──────────────────────┘             │
└─────────────────────────────────────────────────────────────────────────┘
                                     ↓
┌─────────────────────────────────────────────────────────────────────────┐
│                        USER INTERFACE (OPTIONAL)                        │
│   ┌─────────────┐    ┌─────────────────────────┐    ┌──────────────┐    │
│   │   Portal    │←───│  kubernetes-graphql-gw  │←───│  virtual-ws  │    │
│   └─────────────┘    └─────────────────────────┘    └──────────────┘    │
│          ↓                                                              │
│   ┌─────────────────────┐                                               │
│   │   marketplace-ui    │                                               │
│   └─────────────────────┘                                               │
└─────────────────────────────────────────────────────────────────────────┘
```
## Configuration Profiles
### Minimal Configuration (Core Only)
The absolute minimum to run Platform Mesh:
```yaml
spec:
  values:
    # CONTROL PLANE (mandatory)
    kcp-operator:
      enabled: true
    # etcd-druid is implicitly required by kcp
    infra:
      enabled: true
    # AUTHORIZATION (mandatory for multi-tenancy)
    openfga:
      enabled: true
    # rebac-authz-webhook deployed via infra when kcp.webhook.enabled: true
    # IDENTITY (mandatory)
    keycloak:
      enabled: true
    crossplane:
      enabled: true # For Keycloak provisioning
    # ACCOUNT MANAGEMENT (mandatory)
    # account-operator, security-operator are always deployed
    # OPTIONAL - can be disabled
    portal:
      enabled: false
    kubernetes-graphql-gateway:
      enabled: false
    marketplace-ui:
      enabled: false
    iam-service:
      enabled: false
    iam-ui:
      enabled: false
```
### Recommended Configuration (Full Platform)
Complete Platform Mesh with user interface:
```yaml
spec:
  values:
    # CONTROL PLANE
    kcp-operator:
      enabled: true
    infra:
      enabled: true
      values:
        gatewayApi:
          enabled: true # Use Gateway API (Traefik)
    # AUTHORIZATION
    openfga:
      enabled: true
    # IDENTITY
    keycloak:
      enabled: true
    crossplane:
      enabled: true
    # USER INTERFACE
    portal:
      enabled: true
    kubernetes-graphql-gateway:
      enabled: true
    virtual-workspaces:
      enabled: true
    marketplace-ui:
      enabled: true
    # OPTIONAL
    iam-service:
      enabled: false # Enable for advanced IAM features
    observability:
      enabled: false # Enable for production monitoring
```
## Component Toggle Reference
Complete list of components with their toggle paths in the PlatformMesh spec:
| Component | Toggle Path | Default |
|---|---|---|
| kcp-operator | values.kcp-operator.enabled | true |
| kcp (direct) | values.kcp.enabled | false |
| infra | values.infra.enabled | true |
| keycloak | values.keycloak.enabled | true |
| crossplane | values.crossplane.enabled | true |
| openfga | values.openfga.enabled | true |
| portal | values.portal.enabled | false |
| kubernetes-graphql-gateway | values.kubernetes-graphql-gateway.enabled | true |
| virtual-workspaces | values.virtual-workspaces.enabled | true |
| marketplace-ui | values.marketplace-ui.enabled | true |
| iam-service | values.iam-service.enabled | false |
| iam-ui | values.iam-ui.enabled | false |
| observability | services.observability.enabled | false |
### Infra Sub-Toggles
| Feature | Toggle Path | Default |
|---|---|---|
| Gateway API (Traefik) | values.infra.values.gatewayApi.enabled | false |
| Istio | values.infra.values.istio.enabled | false |
| CORS | values.infra.values.cors.enabled | false |
| Mailpit | values.infra.values.mailpit.enabled | false |
| Host Aliases | values.infra.values.hostAliases.enabled | false |
| KCP Webhook | values.infra.values.kcp.webhook.enabled | true |
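The toggle tables and the configuration profiles above together define a set of dependency rules: the mandatory components cannot be disabled, Portal needs kubernetes-graphql-gateway and virtual-workspaces, exactly one gateway (Gateway API via Traefik, or Istio) must be enabled, the kcp authorization webhook needs OpenFGA as its backend, and Mailpit is development-only. The script below is an added example, not part of Platform Mesh or its operator: it encodes those rules with the component names and defaults from the tables and reports every rule a spec violates. The spec dictionaries it checks are constructed for the example (the full one mirrors the Recommended Configuration); they are not taken from a real deployment. A spec that enables the webhook while disabling OpenFGA would leave kcp without an authorization backend, which is the kind of misconfiguration this check is meant to catch before it is applied.

```python
"""Dependency check for a PlatformMesh spec (added example, not project code).

Encodes the dependency rules stated on this page: mandatory components,
Portal -> kubernetes-graphql-gateway + virtual-workspaces, exactly one
gateway, kcp webhook -> OpenFGA, Mailpit not in production.
"""
from typing import Any

# Defaults from the Component Toggle Reference and Infra Sub-Toggles tables,
# keyed by the path below spec.values.
DEFAULTS: dict[tuple[str, ...], bool] = {
    ("kcp-operator",): True,
    ("infra",): True,
    ("keycloak",): True,
    ("crossplane",): True,
    ("openfga",): True,
    ("portal",): False,
    ("kubernetes-graphql-gateway",): True,
    ("virtual-workspaces",): True,
    ("marketplace-ui",): True,
    ("infra", "values", "gatewayApi"): False,
    ("infra", "values", "istio"): False,
    ("infra", "values", "mailpit"): False,
    ("infra", "values", "kcp", "webhook"): True,
}

# Components this page lists as mandatory for core functionality.
MANDATORY = ("kcp-operator", "infra", "openfga", "keycloak", "crossplane")


def enabled(values: dict[str, Any], *path: str) -> bool:
    """Effective 'enabled' flag at path; falls back to the page default when unset."""
    node: Any = values
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return DEFAULTS.get(path, False)
        node = node[key]
    if isinstance(node, dict) and "enabled" in node:
        return bool(node["enabled"])
    return DEFAULTS.get(path, False)


def check_spec(spec: dict[str, Any], production: bool = False) -> list[str]:
    """Return the list of dependency violations; empty means the spec is consistent."""
    values = spec.get("values", {})
    findings: list[str] = []

    for name in MANDATORY:
        if not enabled(values, name):
            findings.append(f"{name} is mandatory and must not be disabled")

    # Networking: Traefik (Gateway API) or Istio, and exactly one of them.
    gateway_api = enabled(values, "infra", "values", "gatewayApi")
    istio = enabled(values, "infra", "values", "istio")
    if gateway_api == istio:
        findings.append("exactly one of infra.values.gatewayApi or infra.values.istio must be enabled")

    # Portal depends on the GraphQL gateway and the Virtual Workspace API.
    if enabled(values, "portal"):
        for dep in ("kubernetes-graphql-gateway", "virtual-workspaces"):
            if not enabled(values, dep):
                findings.append(f"portal is enabled but requires {dep}")

    # rebac-authz-webhook connects kcp to OpenFGA; without OpenFGA it has no backend.
    if enabled(values, "infra", "values", "kcp", "webhook") and not enabled(values, "openfga"):
        findings.append("kcp webhook is enabled but openfga, its authorization backend, is disabled")

    if production and enabled(values, "infra", "values", "mailpit"):
        findings.append("mailpit is a development-only component and must be disabled in production")
    return findings


# Constructed sample specs (not taken from a real deployment).
FULL_SPEC = {
    "values": {
        "kcp-operator": {"enabled": True},
        "infra": {"enabled": True, "values": {"gatewayApi": {"enabled": True}}},
        "openfga": {"enabled": True},
        "keycloak": {"enabled": True},
        "crossplane": {"enabled": True},
        "portal": {"enabled": True},
        "kubernetes-graphql-gateway": {"enabled": True},
        "virtual-workspaces": {"enabled": True},
        "marketplace-ui": {"enabled": True},
    }
}
BROKEN_SPEC = {
    "values": {
        "infra": {"values": {"gatewayApi": {"enabled": True}, "istio": {"enabled": True}}},
        "openfga": {"enabled": False},
        "portal": {"enabled": True},
        "kubernetes-graphql-gateway": {"enabled": False},
    }
}

if __name__ == "__main__":
    for label, spec in (("full", FULL_SPEC), ("broken", BROKEN_SPEC)):
        print(f"{label}: {check_spec(spec) or ['OK']}")
```

Because both gateway defaults are false, a spec that sets neither `gatewayApi` nor `istio` is reported, which matches the "one gateway required" rule in the Summary; the check reads defaults from the toggle tables rather than assuming a component is off when its key is absent, so unset mandatory components pass while an explicit `enabled: false` on one of them is flagged.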
## Summary
| Category | Components | Removable? |
|---|---|---|
| Control Plane | kcp, kcp-operator, etcd-druid, infra | No |
| Identity | Keycloak, Crossplane | No (could use external IdP) |
| Authorization | OpenFGA, rebac-authz-webhook, security-operator | No |
| Account | account-operator | No |
| Networking | Traefik OR Istio, Cert-Manager | No (one gateway required) |
| GitOps | Flux, OCM Toolkit | No |
| UI | Portal, GraphQL Gateway, Marketplace UI | Yes |
| Extended | IAM Service, IAM UI, Observability | Yes |