Extension Manager Operator - Platform Mesh¶
Overview
The Extension Manager Operator is a Kubernetes controller that manages the lifecycle of ContentConfiguration resources in Platform Mesh. It enables configuration management for Micro Frontends through both inline and remote content delivery, with built-in validation and JSON Schema generation.
Related Documentation
This operator is a key component in the Platform Mesh Portal architecture:
- OpenMFP Framework → - Micro frontend platform that consumes ContentConfigurations
- Luigi Framework → - UI framework for micro frontend composition
- Platform Mesh Portal → - How the portal integrates with Extension Manager
- Portal Overview → - Complete analysis of portal components
Context¶
Why is the Extension Manager Operator Important?
Problem/Challenge: - Platform Mesh needs a way to configure and manage Micro Frontend extensions - Dynamic content updates must be supported without redeploying applications - Configuration validation should happen at development time and runtime - Both static (inline) and dynamic (remote) configuration sources are needed
Target Audience: - Frontend Developers building Micro Frontend applications - Platform Engineers managing Platform Mesh deployments - DevOps teams responsible for extension lifecycle - Architects designing modular UI architectures
Prerequisites: - Understanding of Micro Frontend architecture - Basic knowledge of Kubernetes (CRDs, Operators) - Familiarity with JSON Schema validation - Knowledge of Platform Mesh Account Model
Core Concepts¶
What is a Content Configuration?¶
ContentConfiguration Definition
A ContentConfiguration is a Kubernetes custom resource that defines how Micro Frontend extensions should be configured within Platform Mesh. It supports two delivery modes: - Inline Configuration: Content embedded directly in the resource - Remote Configuration: Content fetched from external URLs with authentication support
What are Micro Frontends in Platform Mesh?¶
Micro Frontend Architecture
Micro Frontends in Platform Mesh are modular UI components that: - Extend the platform's user interface dynamically - Can be developed and deployed independently - Are configured via ContentConfiguration resources - Support runtime composition and configuration updates - Enable multi-tenant customization per account
ContentConfiguration Custom Resource Definition (CRD)¶
The ContentConfiguration resource is namespaced and supports flexible content delivery:
ContentConfigurationSpec¶
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: example-mfe-config
namespace: acme-corp
spec:
# Option 1: Inline Configuration (for static content)
inlineConfiguration:
contentType: yaml # or json
content: |
title: "My Dashboard Extension"
version: "1.0.0"
components:
- name: "widget-1"
type: "chart"
config:
chartType: "line"
dataSource: "/api/metrics"
# Option 2: Remote Configuration (for dynamic content)
# remoteConfiguration:
# url: "https://config-server.example.com/mfe/dashboard.yaml"
# internalUrl: "http://config-service.platform-mesh-system/dashboard.yaml"
# contentType: yaml
# authentication:
# type: "bearer"
# secretRef:
# name: "config-server-token"
ContentConfigurationStatus¶
status:
# State information
conditions:
- type: Ready
status: "True"
lastTransitionTime: "2026-02-03T10:00:00Z"
reason: "ConfigurationValid"
message: "Configuration successfully validated and applied"
- type: Valid
status: "True"
lastTransitionTime: "2026-02-03T10:00:00Z"
reason: "SchemaValidationPassed"
message: "Content validated against JSON Schema"
# Last processed generation
observedGeneration: 1
# Next scheduled reconcile time
nextReconcileTime: "2026-02-03T10:05:00Z"
# Result of configuration processing
configurationResult:
validatedContent: |
# Processed and validated content
title: "My Dashboard Extension"
version: "1.0.0"
# ...
schemaVersion: "v1"
lastValidated: "2026-02-03T10:00:00Z"
Main Features¶
Automated Extension Management
- Dual Configuration Modes: Support for inline and remote content sources
- JSON Schema Validation: Automatic schema generation and validation
- Runtime Validation Services: Developer-friendly validation during development
- Graceful Error Handling: Preserves last valid configuration on validation errors
- Dynamic Updates: Remote configurations update automatically (5-minute interval)
- Authentication Support: Secure remote content fetching with secret-based auth
Architecture¶
Controller Components¶
┌─────────────────────────────────────────────────────────────────┐
│ Extension Manager Operator Pod │
├─────────────────────────────────────────────────────────────────┤
│ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ ContentConfiguration Controller (Reconciler) │ │
│ │ │ │
│ │ • Watches ContentConfiguration CRDs │ │
│ │ • Manages Inline/Remote Configuration Logic │ │
│ │ • Handles Reconciliation Queue │ │
│ └────────────────┬───────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Configuration Processor │ │
│ │ │ │
│ │ ┌──────────────────────────────────────────────┐ │ │
│ │ │ Inline Configuration Handler │ │ │
│ │ │ • Reads embedded content │ │ │
│ │ │ • Parses YAML/JSON │ │ │
│ │ │ • Daily reconciliation │ │ │
│ │ └──────────────────────────────────────────────┘ │ │
│ │ ┌──────────────────────────────────────────────┐ │ │
│ │ │ Remote Configuration Handler │ │ │
│ │ │ • Fetches content from URL │ │ │
│ │ │ • Handles authentication │ │ │
│ │ │ • 5-minute reconciliation interval │ │ │
│ │ └──────────────────────────────────────────────┘ │ │
│ └────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Validation Engine │ │
│ │ │ │
│ │ • JSON Schema Generation │ │
│ │ • Content Validation │ │
│ │ • Error Reporting │ │
│ │ • Last-Valid-Config Preservation │ │
│ └────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ Validation Service (Server) │ │
│ │ │ │
│ │ • Runtime validation API for developers │ │
│ │ • Schema serving endpoint │ │
│ │ • Development-time feedback │ │
│ └────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────┐
│ Kubernetes API Server │
│ │
│ • ContentConfiguration CRDs │
│ • Secrets (for authentication) │
│ • ConfigMaps (for schemas) │
└────────────────────────────────────────┘
│
▼
┌────────────────────────────────────────┐
│ External Configuration Sources │
│ │
│ • Config Servers │
│ • Git Repositories (via HTTP) │
│ • Object Storage (S3, etc.) │
└────────────────────────────────────────┘
Reconciliation Flow¶
Reconciliation Process
1. ContentConfiguration change detected
↓
2. Determine configuration type
├─→ Inline Configuration
│ ├─→ Parse embedded content (YAML/JSON)
│ ├─→ Validate against schema
│ ├─→ Update status with result
│ └─→ Schedule next reconcile (24 hours)
│
└─→ Remote Configuration
├─→ Fetch content from URL
├─→ Handle authentication (if configured)
├─→ Parse fetched content (YAML/JSON)
├─→ Validate against schema
├─→ Update status with result
└─→ Schedule next reconcile (5 minutes)
↓
3. On validation success:
├─→ Store validated content in status
├─→ Update conditions (Ready=True, Valid=True)
└─→ Make content available to consumers
↓
4. On validation failure:
├─→ Preserve last valid configuration
├─→ Update conditions (Ready=False, Valid=False)
└─→ Report error details
Configuration Modes¶
Inline Configuration¶
When to Use Inline Configuration
Best for: - Static configuration that rarely changes - Small configuration files - Version-controlled configurations (GitOps) - Testing and development environments
Characteristics: - Content embedded directly in the resource - Reconciles once per day (static content) - No external dependencies - Immediate availability after apply
Example:
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: dashboard-widgets
namespace: acme-engineering
spec:
inlineConfiguration:
contentType: yaml
content: |
widgets:
- id: "cpu-usage"
title: "CPU Usage"
type: "metric"
query: "sum(rate(cpu_usage[5m]))"
refreshInterval: 30
- id: "memory-usage"
title: "Memory Usage"
type: "metric"
query: "avg(memory_usage_bytes)"
refreshInterval: 60
layout:
columns: 2
gap: 16
Remote Configuration¶
When to Use Remote Configuration
Best for: - Dynamic configurations that update frequently - Large configuration files - Configurations managed by external systems - Multi-environment deployments (dev/staging/prod)
Characteristics: - Content fetched from external URL - Reconciles every 5 minutes (dynamic updates) - Supports authentication - Allows centralized configuration management
Example:
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: feature-flags
namespace: acme-engineering
spec:
remoteConfiguration:
# External URL for public access
url: "https://config.acme.com/api/v1/feature-flags"
# Internal URL for cluster-internal access (faster)
internalUrl: "http://config-service.platform-mesh-system/feature-flags"
contentType: json
# Optional: Authentication configuration
authentication:
type: "bearer" # bearer, basic, or custom
secretRef:
name: "config-service-credentials"
Secret for Authentication:
apiVersion: v1
kind: Secret
metadata:
name: config-service-credentials
namespace: acme-engineering
type: Opaque
stringData:
token: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
JSON Schema Validation¶
Automated Validation
The Extension Manager Operator automatically generates JSON Schemas for content validation:
Schema Generation¶
# The operator generates schemas based on content structure
# These schemas are available to developers for validation
{
"$schema": "http://json-schema.org/draft-07/schema#",
"type": "object",
"properties": {
"widgets": {
"type": "array",
"items": {
"type": "object",
"properties": {
"id": { "type": "string" },
"title": { "type": "string" },
"type": { "type": "string" },
"query": { "type": "string" },
"refreshInterval": { "type": "number" }
},
"required": ["id", "title", "type"]
}
}
}
}
Runtime Validation Service¶
The operator exposes a validation service for developers:
# Validate configuration during development
curl -X POST http://extension-manager-operator/validate \
-H "Content-Type: application/yaml" \
--data-binary @my-config.yaml
# Response on success:
{
"valid": true,
"message": "Configuration is valid",
"schemaVersion": "v1"
}
# Response on error:
{
"valid": false,
"errors": [
{
"field": "widgets[0].type",
"message": "must be one of: metric, chart, table",
"value": "unknown-type"
}
]
}
Integration in Platform Mesh¶
Interaction with Other Components¶
Platform Mesh Integration
┌─────────────────────────────────────────────────────────┐
│ Platform Mesh Ecosystem │
├─────────────────────────────────────────────────────────┤
│ │
│ Account Operator ──→ Creates Namespaces │
│ ↓ │
│ Extension Manager Operator ←→ ContentConfigurations │
│ ↓ │
│ Portal/UI ←→ Consumes Validated Configurations │
│ ↓ │
│ Micro Frontends ←→ Runtime Configuration Loading │
│ │
└─────────────────────────────────────────────────────────┘
Core Integrations:
- Account Operator: ContentConfigurations are namespaced per account
- Portal/Marketplace UI: Consumes configurations for UI extensions
- Micro Frontend Applications: Load configurations at runtime
- Config Servers: Provide remote configuration sources
- Secrets Management: Secure authentication credentials
Use Cases¶
Common Use Cases
- Dashboard Widgets: Configure custom dashboard components per account
- Feature Flags: Dynamic feature toggles without redeployment
- Theme Customization: Account-specific UI themes and branding
- Navigation Menus: Dynamic menu structures based on permissions
- Plugin Configuration: Settings for marketplace extensions
Technical Details¶
Technology Stack¶
Technologies Used
- Language: Go (see
go.modfor version) - Framework: Kubernetes controller-runtime
- API Version:
v1alpha1(Alpha stage, APIs may change) - Build: Docker, multi-stage builds
- Task Runner: Taskfile for development workflows
- Testing: Mockery for test mocking
- License: Apache 2.0
Reconciliation Intervals¶
| Configuration Type | Reconciliation Interval | Reason |
|---|---|---|
| Inline | 24 hours | Static content, rarely changes |
| Remote | 5 minutes | Dynamic content, frequent updates |
Installation & Deployment¶
Deployment via Helm
The Extension Manager Operator is deployed as part of Platform Mesh:
# Install Platform Mesh (including Extension Manager Operator)
helm repo add platform-mesh https://platform-mesh.github.io/helm-charts
helm install platform-mesh platform-mesh/platform-mesh \
--namespace platform-mesh-system \
--create-namespace
Configuration in PlatformMesh CR:
apiVersion: platform-mesh.io/v1alpha1
kind: PlatformMesh
metadata:
name: platform-mesh
spec:
values:
extension-manager-operator:
enabled: true
replicas: 1
resources:
limits:
cpu: "500m"
memory: "512Mi"
requests:
cpu: "100m"
memory: "128Mi"
# Validation service configuration
validationService:
enabled: true
port: 8080
Practical Examples¶
Example 1: Simple Inline Configuration¶
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: welcome-banner
namespace: acme-corp
spec:
inlineConfiguration:
contentType: json
content: |
{
"message": "Welcome to ACME Corporation Platform",
"backgroundColor": "#1E3A8A",
"textColor": "#FFFFFF",
"link": {
"text": "Get Started",
"url": "/onboarding"
}
}
What happens automatically:
- ✅ Content is parsed and validated
- ✅ JSON Schema is generated
- ✅ Status is updated with validated content
- ✅ Conditions are set (Ready=True, Valid=True)
- ✅ Configuration is available to Portal UI
Example 2: Remote Configuration with Authentication¶
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: feature-toggles
namespace: acme-engineering
spec:
remoteConfiguration:
url: "https://api.featureflags.io/v1/acme/engineering"
internalUrl: "http://feature-service.platform-mesh-system/engineering"
contentType: yaml
authentication:
type: "bearer"
secretRef:
name: "feature-flags-token"
---
apiVersion: v1
kind: Secret
metadata:
name: feature-flags-token
namespace: acme-engineering
type: Opaque
stringData:
token: "ff_live_1234567890abcdef"
Example 3: Dashboard Widget Configuration¶
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: monitoring-dashboard
namespace: acme-ops
spec:
inlineConfiguration:
contentType: yaml
content: |
dashboard:
title: "Operations Dashboard"
refreshInterval: 30
sections:
- title: "System Health"
widgets:
- type: "status-indicator"
title: "API Status"
endpoint: "/api/health"
expected: "healthy"
- type: "metric-chart"
title: "Request Rate"
query: "sum(rate(http_requests_total[5m]))"
chartType: "line"
unit: "req/s"
- title: "Resource Usage"
widgets:
- type: "gauge"
title: "CPU Usage"
query: "avg(cpu_usage_percent)"
thresholds:
warning: 70
critical: 90
- type: "gauge"
title: "Memory Usage"
query: "avg(memory_usage_percent)"
thresholds:
warning: 80
critical: 95
layout:
type: "grid"
columns: 2
gap: 16
Example 4: Query Status and Validation¶
# Get ContentConfiguration status
kubectl get contentconfiguration welcome-banner -n acme-corp -o yaml
# Check validation status
kubectl get contentconfiguration welcome-banner -n acme-corp \
-o jsonpath='{.status.conditions[?(@.type=="Valid")].status}'
# Get validated content
kubectl get contentconfiguration welcome-banner -n acme-corp \
-o jsonpath='{.status.configurationResult.validatedContent}'
# List all ContentConfigurations
kubectl get contentconfiguration --all-namespaces
# Output:
# NAMESPACE NAME READY VALID AGE
# acme-corp welcome-banner True True 5m
# acme-engineering feature-toggles True True 3m
# acme-ops monitoring-dashboard True True 10m
Best Practices¶
Configuration Management Best Practices
1. Configuration Type Selection - Use inline for static, rarely-changing configurations - Use remote for dynamic configurations that update frequently - Consider inline for GitOps workflows - Use remote for centralized configuration management
2. Content Type - Use YAML for human-readable configurations - Use JSON for machine-generated configurations - Be consistent within your organization
3. Authentication - Always use secrets for authentication credentials - Rotate tokens regularly - Use minimal permissions (principle of least privilege) - Consider using service accounts for internal URLs
4. Validation - Use the validation service during development - Test configurations in non-production environments first - Monitor validation errors in production - Keep JSON schemas version-controlled
5. Naming Conventions
- Use descriptive names: dashboard-widgets, feature-flags
- Include purpose in name: monitoring-dashboard, user-preferences
- Use kebab-case consistently
6. Status Monitoring
- Monitor Ready and Valid conditions
- Set up alerts for validation failures
- Check configurationResult for validation details
- Track nextReconcileTime for timing issues
Common Pitfalls¶
Pitfall 1: Invalid Content Type¶
Problem
Problem: Specifying unsupported content type
spec:
inlineConfiguration:
contentType: xml # Error: Only yaml and json are supported
content: |
<config>...</config>
Solution:
- Only use yaml or json as contentType
- Convert XML to YAML or JSON format
- Use transformation tools if necessary
Pitfall 2: Missing Authentication Secret¶
Problem
Problem: Remote configuration fails due to missing or invalid secret
spec:
remoteConfiguration:
url: "https://secure-config.example.com/config"
authentication:
secretRef:
name: "nonexistent-secret" # Error: Secret not found
Solution: - Ensure secret exists in the same namespace - Verify secret contains correct credentials - Check RBAC permissions for secret access
Pitfall 3: Validation Errors Ignored¶
Problem
Problem: Deploying invalid configurations that fail validation
Solution: - Always check status conditions after creating/updating - Use the validation service during development - Implement CI/CD validation gates
Pitfall 4: Remote URL Not Reachable¶
Problem
Problem: Remote configuration URL is unreachable from cluster
Solution:
- Use cluster-accessible URLs
- Provide internalUrl for in-cluster services
- Test URL reachability from within cluster
Pitfall 5: Large Inline Configurations¶
Problem
Problem: Embedding very large configurations inline causing resource size limits
Solution: - Use remote configuration for large files - Split large configurations into multiple resources - Consider using ConfigMaps for very large static content - Kubernetes resources have size limits (~1MB for etcd)
Related Topics¶
Portal & UI Components¶
Related Components
Micro Frontend Architecture:
- OpenMFP Framework → - Configuration-driven micro frontend platform
- Luigi Framework → - SAP's micro frontend orchestration framework
- Platform Mesh Portal → - Complete portal integration guide
- GraphQL Gateway → - Kubernetes API gateway for portal
Portal Overview:
- Portal & GraphQL Analysis → - Component analysis and assessment
Authorization & Security¶
For information about authorization and security in Platform Mesh:
- ReBAC Authorization → - Relationship-based access control
- Authorization Model → - OpenFGA authorization model
- Security Operator → - Integration with extension authorization
Additional Resources¶
Internal Documentation¶
- Platform Mesh component overview and architecture
- Security and maintenance analysis
External Links¶
- GitHub Repository
- Platform Mesh Documentation
- Helm Charts Repository
- JSON Schema Specification
- Micro Frontend Architecture
API Reference¶
- API Version:
extensions.platform-mesh.io/v1alpha1 - Kind: ContentConfiguration
- Scope: Namespaced
- Status: Alpha (breaking changes possible)
Monitoring & Troubleshooting¶
Important Metrics to Monitor
# Operator logs
kubectl logs -n platform-mesh-system \
deployment/extension-manager-operator -f
# Check ContentConfiguration status
kubectl get contentconfiguration -A
# Find validation errors
kubectl get contentconfiguration -A -o json | \
jq '.items[] | select(.status.conditions[]? |
select(.type=="Valid" and .status=="False"))'
# Check remote fetch errors
kubectl get events --field-selector \
involvedObject.kind=ContentConfiguration
# Test validation service
curl http://extension-manager-operator.platform-mesh-system:8080/health
Common Issues¶
| Problem | Symptom | Solution |
|---|---|---|
| Remote fetch fails | Valid=False, "URL unreachable" | Check network policies, DNS resolution, firewall rules |
| Authentication fails | Valid=False, "401 Unauthorized" | Verify secret exists and contains valid credentials |
| Validation fails | Valid=False, schema errors | Use validation service to test, check schema compatibility |
| Configuration not updated | Old content in status | Check reconciliation interval, manually trigger reconcile |
| High memory usage | Operator pod OOMKilled | Reduce configuration sizes, increase resource limits |
Development Workflow¶
Developer Workflow
# 1. Create configuration locally
cat > my-config.yaml <<EOF
apiVersion: extensions.platform-mesh.io/v1alpha1
kind: ContentConfiguration
metadata:
name: my-extension
namespace: dev
spec:
inlineConfiguration:
contentType: yaml
content: |
# Your configuration here
EOF
# 2. Validate against schema (optional)
curl -X POST http://extension-manager-operator/validate \
-H "Content-Type: application/yaml" \
--data-binary @my-config.yaml
# 3. Apply to cluster
kubectl apply -f my-config.yaml
# 4. Wait for validation
kubectl wait --for=condition=Valid \
contentconfiguration/my-extension \
-n dev --timeout=30s
# 5. Check result
kubectl get contentconfiguration my-extension -n dev -o yaml
Open Questions / TODOs¶
- [x] CRD structure documented
- [x] Inline vs Remote configuration explained
- [x] Validation process described
- [ ] RFC document analysis for detailed workflow
- [ ] Micro Frontend integration examples
- [ ] Performance benchmarks for large configurations
- [ ] Migration path from v1alpha1 to v1beta1/v1
- [ ] Advanced authentication methods (mTLS, OAuth2)