Deployment & Configuration¶
Scope: Installation, configuration, and bootstrapping of kcp within Platform-Mesh. Source: platform-mesh/helm-charts and platform-mesh/platform-mesh-operator
Installation¶
Helm Chart: infra¶
Source: platform-mesh/helm-charts/charts/infra
The infra Helm chart deploys the kcp infrastructure including:
- etcd cluster (via etcd-kcp)
- kcp RootShard
- kcp FrontProxy
- Authorization webhook integration
```bash
helm install infra platform-mesh/infra \
  --namespace platform-mesh-system \
  --set kcp.external.hostname=<your-hostname> \
  --set kcp.external.port=8443
```
kcp-operator Resources¶
kcp is deployed via two primary custom resources from kcp-operator:
RootShard (operator.kcp.io/v1alpha1):
The root shard is the primary kcp API server component.
FrontProxy (operator.kcp.io/v1alpha1):
The front proxy handles request routing and authentication, including custom path mappings to virtual workspaces.
Configuration¶
Default Values¶
Source: charts/infra/values.yaml
| Configuration | Default Value | Description |
|---|---|---|
| kcp.namespace | platform-mesh-system | Deployment namespace |
| kcp.external.hostname | localhost | External hostname for kcp API |
| kcp.external.port | 8443 | External port |
| kcp.rootShard.replicas | 1 | RootShard replicas |
| kcp.frontProxy.replicas | 1 | FrontProxy replicas |
| kcp.oidc.enabled | false | OIDC authentication |
etcd Configuration:
| Configuration | Default Value | Description |
|---|---|---|
| kcp.etcd.name | etcd-kcp | etcd cluster name |
| kcp.etcd.service.name | etcd-kcp-client | etcd service name |
| kcp.etcd.service.port | 2379 | etcd client port |
| kcp.etcd.quota | 8Gi | Storage quota |
| kcp.etcd.defragmentationSchedule | 0 */24 * * * | Daily defragmentation |
| kcp.etcd.backup.fullSnapshotSchedule | 0 */24 * * * | Daily backup |
Non-default Configurations¶
The following configurations are applied by Platform-Mesh beyond kcp-operator defaults:
| Configuration | Value | Purpose |
|---|---|---|
| --feature-gates=WorkspaceAuthentication=true | Enabled | Per-workspace OIDC authentication |
| Authorization webhook | rebac-authz-webhook at port 9443 | ReBAC-based authorization |
| Additional path mappings | /services/contentconfigurations, /services/marketplace | Virtual workspace routing |
Feature Flags (via extraArgs):
```yaml
kcp:
  rootShard:
    extraArgs:
      - --feature-gates=WorkspaceAuthentication=true
  frontProxy:
    extraArgs:
      - --feature-gates=WorkspaceAuthentication=true
```
Authorization Webhook:
```yaml
kcp:
  webhook:
    enabled: true
    server: https://rebac-authz-webhook.platform-mesh-system.svc.cluster.local:9443/authz
    authorizationWebhookSecretName: kcp-webhook-secret
    port: 9443
```
FrontProxy Path Mappings:
```yaml
kcp:
  frontProxy:
    additionalPathMappings:
      - path: /services/contentconfigurations
        backend: https://virtual-workspaces.platform-mesh-system:8443
      - path: /services/marketplace
        backend: https://virtual-workspaces.platform-mesh-system:8443
```
Bootstrapped Structure¶
Workspace Hierarchy¶
Source: platform-mesh-operator/manifests/kcp
The platform-mesh-operator bootstraps the following workspace structure:
```
root
├── platform-mesh-system      # System components and APIExports
├── orgs                      # Container for organization workspaces
│   └── {org-name}            # Per-organization workspace (type: org)
│       └── {account-name}    # Account workspaces (type: account)
└── providers                 # Container for provider workspaces (optional)
    └── {provider-name}       # Provider workspace (type: provider)
```
Bootstrap Order (from manifests/kcp):
- 01-platform-mesh-system/ - APIResourceSchemas, APIExports, ContentConfigurations
- 02-orgs/ - Organization-related resources
- 03-platform-mesh-system/ - Additional system setup
Workspace Types¶
Source: platform-mesh-operator/manifests/kcp/workspace-type-*.yaml
| WorkspaceType | Extends | Default Child | Allowed Parents | Purpose |
|---|---|---|---|---|
| security | — | — | — | Initializer for security configuration |
| orgs | universal | org | — | Container for organizations |
| org | security | account | orgs | Organization workspace |
| account | universal | account | org, account | Account/project workspace |
| providers | — | provider | — | Container for providers |
| provider | — | — | providers | Provider workspace |
org WorkspaceType:
```yaml
apiVersion: tenancy.kcp.io/v1alpha1
kind: WorkspaceType
metadata:
  name: org
spec:
  extend:
    with:
      - name: security
        path: root
  defaultAPIBindings:
    - export: core.platform-mesh.io
      path: root:platform-mesh-system
    - export: tenancy.kcp.io
      path: root
    - export: topology.kcp.io
      path: root
  defaultChildWorkspaceType:
    name: account
    path: root
  limitAllowedChildren:
    types:
      - name: account
        path: root
  limitAllowedParents:
    types:
      - name: orgs
        path: root
```
security WorkspaceType (initializer):
```yaml
apiVersion: tenancy.kcp.io/v1alpha1
kind: WorkspaceType
metadata:
  name: security
spec:
  initializer: true
```
The security workspace type acts as an initializer. When a workspace extends this type, the security-operator is triggered to configure:
- OpenFGA stores for authorization
- Keycloak realms and clients for authentication
- WorkspaceAuthenticationConfiguration for the organization
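A consistency check over the WorkspaceType graph described by the table and manifests above, added here as an example (not code from platform-mesh-operator or kcp): WORKSPACE_TYPES is a constructed summary of those rows; reading the table's "—" as "unrestricted" and treating `universal` as kcp's built-in base type are assumptions.

```python
"""Consistency checks for the Platform-Mesh WorkspaceType hierarchy.

Added example, not code from platform-mesh-operator. WORKSPACE_TYPES is a
constructed summary of the table and manifests above; the check logic is
the editor's own and is not how kcp itself validates WorkspaceTypes.
"""
import copy

# children/parents mirror limitAllowedChildren / limitAllowedParents; None
# means "not restricted" (assumed meaning of the table's "—" entries).
WORKSPACE_TYPES = {
    "security":  {"extends": [], "default_child": None, "children": None, "parents": None},
    "orgs":      {"extends": ["universal"], "default_child": "org", "children": None, "parents": None},
    "org":       {"extends": ["security"], "default_child": "account", "children": ["account"], "parents": ["orgs"]},
    "account":   {"extends": ["universal"], "default_child": "account", "children": None, "parents": ["org", "account"]},
    "providers": {"extends": [], "default_child": "provider", "children": None, "parents": None},
    "provider":  {"extends": [], "default_child": None, "children": None, "parents": ["providers"]},
}
BUILTIN = {"universal"}  # kcp's built-in base type, defined outside these manifests (assumption)

def can_nest(wtypes, parent, child):
    """True if a workspace of type `child` may be created under one of type `parent`."""
    p_children = wtypes[parent]["children"]
    c_parents = wtypes[child]["parents"]
    return (p_children is None or child in p_children) and (c_parents is None or parent in c_parents)

def check_hierarchy(wtypes):
    """Return findings for dangling references and contradictory parent/child limits."""
    findings = []
    for name, t in wtypes.items():
        refs = t["extends"] + (t["children"] or []) + (t["parents"] or [])
        refs += [t["default_child"]] if t["default_child"] else []
        for ref in refs:
            if ref not in wtypes and ref not in BUILTIN:
                findings.append(f"{name}: references unknown WorkspaceType '{ref}'")
        dc = t["default_child"]
        if dc in wtypes and not can_nest(wtypes, name, dc):
            findings.append(f"{name}: default child '{dc}' is not allowed under '{name}'")
        for parent in t["parents"] or []:
            if parent in wtypes and not can_nest(wtypes, parent, name):
                findings.append(f"{name}: lists parent '{parent}', but '{parent}' does not allow child '{name}'")
    return findings

def with_override(wtypes, name, **fields):
    """Deep copy of `wtypes` with `fields` applied to type `name` (for what-if checks)."""
    out = copy.deepcopy(wtypes)
    out[name].update(fields)
    return out
```

Run `check_hierarchy(WORKSPACE_TYPES)` against the bootstrapped set to confirm it is consistent, and use `with_override` to preview the effect of a planned change before applying a manifest.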
APIExports¶
Source: platform-mesh-operator/manifests/kcp/01-platform-mesh-system
The following APIExport is created in root:platform-mesh-system:
core.platform-mesh.io:
| Resource | API Group | Description |
|---|---|---|
| Accounts | core.platform-mesh.io | Account management |
| AccountInfos | core.platform-mesh.io | Account metadata |
| AuthorizationModels | core.platform-mesh.io | OpenFGA authorization models |
| Stores | core.platform-mesh.io | OpenFGA stores |
| IdentityProviderConfigurations | core.platform-mesh.io | Keycloak realm configuration |
| Invites | core.platform-mesh.io | User invitation management |
| ContentConfigurations | ui.platform-mesh.io | Portal UI configuration |
| ProviderMetadatas | ui.platform-mesh.io | Provider UI metadata |
Permission Claims:
The APIExport core.platform-mesh.io claims access to the following resources. All claims use all: true, which grants full access (all verbs: get, list, watch, create, update, patch, delete) together with the matchAll selector (every object of the resource, not a named subset).
| Resource | API Group | Verbs | Selector | Identity Hash |
|---|---|---|---|---|
| workspaces | tenancy.kcp.io | all | matchAll | {{ apiExportRootTenancyKcpIoIdentityHash }} |
| workspacetypes | tenancy.kcp.io | all | matchAll | {{ apiExportRootTenancyKcpIoIdentityHash }} |
| apibindings | apis.kcp.io | all | matchAll | (empty) |
| apiexports | apis.kcp.io | all | matchAll | (empty) |
| apiresourceschemas | apis.kcp.io | all | matchAll | (empty) |
| logicalclusters | core.kcp.io | all | matchAll | (empty) |
| secrets | (core) | all | matchAll | (empty) |
The identity hash for tenancy.kcp.io resources is templated and resolved at deployment time to bind to the correct root tenancy API export.
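An audit of the claim set above for breadth and for unresolved identity hashes, added here as an example (not code from platform-mesh-operator or kcp): CLAIMS is a constructed rendering of the table with simplified field names that mirror its columns, and the `{{ name }}` placeholder syntax and the "core API group is the empty string" convention are assumptions.

```python
"""Audit a kcp APIExport's permissionClaims for overly broad access.

Added example, not code from platform-mesh-operator or kcp. CLAIMS is a
constructed rendering of the table above with simplified field names that
mirror the table columns (not necessarily kcp's exact schema).
"""
import re

TEMPLATE = re.compile(r"\{\{\s*(\w+)\s*\}\}")      # Helm-style {{ name }} placeholder (assumed)
TENANCY_HASH = "{{ apiExportRootTenancyKcpIoIdentityHash }}"

def claim(group, resource, identity_hash=""):
    """One table row; '*' stands for the table's 'all' verbs, '' is the core API group."""
    return {"group": group, "resource": resource, "verbs": ["*"],
            "selector": "matchAll", "identityHash": identity_hash}

CLAIMS = [
    claim("tenancy.kcp.io", "workspaces", TENANCY_HASH),
    claim("tenancy.kcp.io", "workspacetypes", TENANCY_HASH),
    claim("apis.kcp.io", "apibindings"), claim("apis.kcp.io", "apiexports"),
    claim("apis.kcp.io", "apiresourceschemas"), claim("core.kcp.io", "logicalclusters"),
    claim("", "secrets"),
]
SENSITIVE = {("", "secrets")}        # a blanket claim here reaches every bound workspace's Secrets
NEEDS_IDENTITY = {"tenancy.kcp.io"}  # served by another APIExport, so the hash pins the right one
WRITE = {"*", "create", "update", "patch", "delete"}

def resolve(claims, values):
    """Copy of `claims` with {{ name }} placeholders in identityHash filled from `values`."""
    out = []
    for c in claims:
        c = dict(c)
        c["identityHash"] = TEMPLATE.sub(lambda m: values.get(m.group(1), m.group(0)), c["identityHash"])
        out.append(c)
    return out

def audit_claims(claims):
    """Return findings (ERROR/HIGH ...); an empty list means nothing to flag."""
    findings = []
    for c in claims:
        name = f"{c['resource']}.{c['group'] or 'core'}"
        if TEMPLATE.search(c["identityHash"]):
            findings.append(f"ERROR {name}: identityHash placeholder unresolved; claim cannot bind to the intended export")
        elif c["group"] in NEEDS_IDENTITY and not c["identityHash"]:
            findings.append(f"ERROR {name}: claim on a group served by another APIExport has no identityHash")
        if (c["group"], c["resource"]) in SENSITIVE and WRITE & set(c["verbs"]) and c["selector"] == "matchAll":
            findings.append(f"HIGH {name}: all verbs over every object in each bound workspace; narrow the selector or verbs")
    return findings
```

Run `audit_claims` on the rendered manifest (after `resolve` has filled the templated hash) so that a deployment whose tenancy hash failed to render is caught before the export is applied.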
system:admin Workspace¶
The system:admin workspace is a built-in kcp workspace used for administrative operations. It provides cluster-wide administrative access and is primarily used for:
- Health checks and readiness probes (/readyz, /livez)
- API discovery (/apis)
- Direct administrative operations
Access:
Admin kubeconfig contexts typically include both root and system:admin clusters:
```yaml
clusters:
  - name: kcp-root
    cluster:
      server: https://<hostname>:<port>/clusters/root
  - name: kcp-system-admin
    cluster:
      server: https://<hostname>:<port>/clusters/system:admin
```
Resources Modified/Added:
No custom Platform-Mesh resources are added to the system:admin workspace. It retains the default kcp system workspace configuration. All Platform-Mesh specific resources are deployed to the root workspace hierarchy, specifically:
- System components in root:platform-mesh-system
- Organization workspaces in root:orgs:{org-name}
- Provider workspaces in root:providers:{provider-name} (if configured)