PLATFORM ARCHITECTURE

How It All Fits Together

Every layer, from Talos Linux to the Backstage developer portal, is designed as a cohesive system on bare-metal infrastructure.

CLUSTER SPECIFICATIONS

Cluster: edgit-k8s
Kubernetes: v1.34.1
OS: Talos Linux v1.12.2
CNI: Cilium 1.18.5
Control Planes: 3 (192.168.0.100-102)
Workers: 2 (192.168.0.103-104)
Pod CIDR: 10.244.0.0/16
Service CIDR: 10.96.0.0/12
Gateway IP: 192.168.0.200
LB Pool: 192.168.0.200-210
DNS: 10.96.0.10 (CoreDNS)
Domain: *.apps.edgeprime.io

Network Topology

All traffic enters through a single Cilium Gateway with eBPF-accelerated routing to 20+ backend services.

EXTERNAL: Internet Traffic
  ↓
DNS RESOLUTION: CoreDNS · *.apps.edgeprime.io → 192.168.0.200
  ↓
INGRESS LAYER: Cilium Gateway API · IP 192.168.0.200 (L2 ARP) · HTTP:80 → HTTPS:443 · TLS termination · Let's Encrypt wildcard
  ↓
ROUTING LAYER: HTTPRoutes (per service) · Host-based routing · Path matching · Header injection
  ↓
SERVICE LAYER: Kubernetes ClusterIP Services · 20 services across 27 namespaces

GitOps Pipeline

Every change flows through Git. ArgoCD's App-of-Apps pattern auto-discovers and reconciles 40+ applications.

Git Push (GitHub) → ArgoCD → Kubernetes (Reconciled)

4 DEPLOYMENT PATTERNS

Pattern A: Helm + Configs
External Helm chart with local values and companion manifests.
Used by: Keycloak, Cilium, ESO, Longhorn

Pattern B: Helm + Inline
Single ArgoCD Application with directory exclusion.
Used by: SurrealDB, Qdrant, Garage, Supabase

Pattern C: Wrapper Chart
Local Chart.yaml wrapping an external dependency.
Used by: Homepage, Harbor, Backstage, Falco

Pattern D: Raw Manifests
Plain Kubernetes YAML without Helm.
Used by: ArgoCD, Dragonfly, AIBrix, Matomo

Secrets Management Flow

Zero secrets in Git. Everything flows through Vault with External Secrets Operator as the bridge.

```mermaid
graph TD
  %% Secrets are provisioned into Vault by Terraform and pulled into the
  %% cluster by External Secrets Operator; nothing secret is committed to Git.
  TF["Terraform"]:::terraform
  VAULT["Vault<br/>kv/v2"]:::vault
  CSS["ClusterSecretStore<br/>vault-backend"]:::store
  ES["ExternalSecret<br/>per-app, per-namespace"]:::external
  KS["Kubernetes Secret"]:::k8s
  POD["Pod<br/>env / volume mount"]:::pod

  TF -->|provision| VAULT
  VAULT --> CSS
  CSS --> ES
  ES --> KS
  KS --> POD

  classDef terraform fill:#0e3a3a,stroke:#06b6d4,color:#67e8f9,stroke-width:2px
  classDef vault fill:#2e2a0e,stroke:#facc15,color:#fde68a,stroke-width:2px
  classDef store fill:#14332a,stroke:#4ade80,color:#86efac,stroke-width:2px
  classDef external fill:#2e1a47,stroke:#a78bfa,color:#c4b5fd,stroke-width:2px
  classDef k8s fill:#1e3a5f,stroke:#60a5fa,color:#93c5fd,stroke-width:2px
  classDef pod fill:#2e1a0e,stroke:#f97316,color:#fdba74,stroke-width:2px
```
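As an added example (not the cluster's own manifests), this is how the ClusterSecretStore and one per-app ExternalSecret in the flow above are expressed in the External Secrets Operator API. The store name vault-backend and the kv/v2 engine come from this page; the in-cluster Vault address, the Kubernetes auth mount and role, the service account, and the Grafana secret path are assumptions.

```yaml
# Added example, not the cluster's own manifests. The store name
# (vault-backend) and kv/v2 come from the page; the Vault address, auth
# mount, role, service account and the Grafana secret path are assumptions.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.vault.svc.cluster.local:8200"  # assumed in-cluster address
      path: "kv"          # name of the kv/v2 mount (assumed "kv")
      version: "v2"
      auth:
        # ESO authenticates with its own service account token through Vault's
        # Kubernetes auth method, so no static Vault token is stored in the cluster.
        # The Vault policy bound to this role should grant read only on the paths
        # ESO actually needs.
        kubernetes:
          mountPath: "kubernetes"      # assumed auth mount
          role: "external-secrets"     # assumed Vault role bound to the SA below
          serviceAccountRef:
            name: "external-secrets"
            namespace: "external-secrets"
---
# One ExternalSecret per app, per namespace (Grafana here, an assumed example).
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-admin
  namespace: grafana
spec:
  refreshInterval: 1h            # re-read Vault hourly so rotations propagate
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: grafana-admin          # the Kubernetes Secret ESO creates and owns
    creationPolicy: Owner        # removed together with the ExternalSecret
  data:
    - secretKey: admin-password  # key inside the generated Kubernetes Secret
      remoteRef:
        key: grafana/admin       # path under the kv mount (ESO adds the v2 "data/" prefix)
        property: password       # field within the Vault secret
```

The Pod then consumes the generated Secret grafana-admin as an environment variable or volume mount, which is the last hop in the graph above.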

Exposed Services

20 services accessible through the shared Cilium Gateway at *.apps.edgeprime.io

Backstage Portal: backstage.apps.edgeprime.io
ArgoCD: argo.apps.edgeprime.io
Vault: vault.apps.edgeprime.io
Grafana: grafana.apps.edgeprime.io
Harbor: harbor.apps.edgeprime.io
Keycloak: keycloak.apps.edgeprime.io
Homepage: homepage.apps.edgeprime.io
Supabase: supabase.apps.edgeprime.io
Longhorn: longhorn.apps.edgeprime.io
Hubble UI: hubble-ui.apps.edgeprime.io
OneDev: onedev.apps.edgeprime.io
Matomo: matomo.apps.edgeprime.io
n8n: n8n.apps.edgeprime.io
SurrealDB: surrealdb.apps.edgeprime.io
Qdrant: qdrant.apps.edgeprime.io
Garage: garage.apps.edgeprime.io
OpenCost: opencost.apps.edgeprime.io
AI Platform: ai.apps.edgeprime.io
AFFiNE: affine.apps.edgeprime.io
Policy Reporter: policy-reporter.apps.edgeprime.io

Infrastructure as Code

Terraform manages everything that can't be expressed as Kubernetes manifests.

terraform/vault (provider hashicorp/vault): ESO policies, tokens, app secrets, DNS credentials
terraform/keycloak (provider mrparkers/keycloak): OIDC realm + 10+ clients (ArgoCD, Vault, Grafana, Harbor…)
terraform/harbor (provider goharbor/harbor): Registry OIDC auth, robot accounts
terraform/grafana (provider grafana/grafana): Dashboard provisioning (JSON), data sources