Skip to content

Infrastructure Manifests

Reference documentation for the FluxCD infrastructure manifests. These manifests define HelmRepository sources, HelmRelease operators, and infrastructure custom resources that provision the shared platform services required by OpenStack operators. Deployment is split into two phases: base resources (namespaces, sources, releases) and CRD-dependent infrastructure resources (applied after operators install their CRDs).

Directory Layout

text
deploy/
└── flux-system/
    ├── kustomization.yaml                Base kustomize overlay (namespaces, FluxInstance, sources, releases)
    ├── namespaces.yaml                   Namespace resources for all components
    ├── fluxinstance.yaml                 FluxInstance CR driving the flux-operator
    ├── sources/                          FluxCD HelmRepository CRs
    │   ├── cert-manager.yaml             Jetstack Helm chart registry
    │   ├── mariadb-operator.yaml         MariaDB Operator Helm chart registry
    │   ├── external-secrets.yaml         External Secrets Operator Helm chart registry
    │   ├── openbao.yaml                  OpenBao Helm chart registry
    │   ├── c5c3-charts.yaml              C5C3 shared OCI chart registry
    │   ├── k-orc.yaml                    K-ORC (OpenStack Resource Controller) Helm chart registry
    │   ├── prometheus-community.yaml     Prometheus Community OCI chart registry
    │   └── chaos-mesh.yaml               Chaos Mesh Helm chart registry (kind-only addon — see "Kind Overlay Demo Addons")
    ├── releases/                         FluxCD HelmRelease CRs
    │   ├── cert-manager.yaml             cert-manager
    │   ├── prometheus-operator-crds.yaml Prometheus Operator CRDs
    │   ├── mariadb-operator-crds.yaml    MariaDB Operator CRDs
    │   ├── mariadb-operator.yaml         MariaDB Operator
    │   ├── external-secrets.yaml         External Secrets Operator
    │   ├── memcached-operator.yaml       Memcached Operator (from c5c3-charts)
    │   ├── openbao.yaml                  OpenBao HA Raft cluster
    │   ├── keystone-operator.yaml        Keystone Operator (from c5c3-charts)
    │   ├── k-orc.yaml                    K-ORC OpenStack Resource Controller
    │   ├── c5c3-operator.yaml            c5c3-operator ControlPlane orchestrator (from c5c3-charts)
    │   └── chaos-mesh.yaml               Chaos Mesh (kind-only addon — see "Kind Overlay Demo Addons")
    └── infrastructure/                   CRD-dependent infrastructure resources
        ├── kustomization.yaml            Infrastructure kustomize overlay
        ├── cluster-issuer.yaml           Self-signed ClusterIssuer (requires cert-manager CRDs)
        ├── db-ca-issuer.yaml             OpenStack DB CA Certificate + ClusterIssuer
        ├── mariadb.yaml                  MariaDB Galera cluster for OpenStack (with TLS)
        └── memcached.yaml                Memcached cluster for OpenStack

All YAML files carry the SPDX Apache-2.0 license header (3 lines: copyright, blank comment, license identifier).

Namespaces

Ten Namespace resources are defined in namespaces.yaml and included as the first entry in the base kustomization. Kustomize applies Namespace resources before other resource kinds, ensuring target namespaces exist before any namespaced resources are created.

NamespacePurpose
cert-managercert-manager operator and its resources
mariadb-systemMariaDB Operator
external-secretsExternal Secrets Operator
monitoringPrometheus Operator CRDs (consumed by the optional kube-prometheus-stack kind overlay)
memcached-systemMemcached Operator
keystone-systemKeystone Operator controller (workload CRs continue to live in openstack)
openstackInfrastructure instance CRs (MariaDB cluster, Memcached cluster)
openbao-systemOpenBao HA Raft cluster
c5c3-systemc5c3-operator controller; the ControlPlane and its child CRs are created in the ControlPlane's own namespace
orc-systemK-ORC (OpenStack Resource Controller) and its installer resources

The chaos-mesh namespace is not part of the production base. It is created inline by the kind-only opt-in overlay at deploy/kind/chaos-mesh/ when WITH_CHAOS_MESH=true make deploy-infra is used. See Chaos Mesh (kind-only opt-in) below.

Note: The install.createNamespace: true setting on HelmReleases instructs FluxCD's helm-controller to create namespaces when installing charts. However, this does not help when applying HelmRelease CRs via kubectl apply -k — the target namespace must already exist for the API server to accept namespaced resources. The explicit Namespace resources solve this chicken-and-egg problem.

FluxInstance

File: deploy/flux-system/fluxinstance.yaml

A single FluxInstance CR drives the flux-operator, which replaces the imperative flux install / flux bootstrap path with a declarative, operator-managed Flux lifecycle. The flux-operator reconciles the Flux controller Deployments from this spec and publishes a FluxReport/flux summarizing the installation state.

PropertyValue
API versionfluxcd.controlplane.io/v1
KindFluxInstance
Nameflux
Namespaceflux-system

Spec fields:

FieldValuePurpose
distribution.version"2.x"Minor-version track pinned by the operator; picks the latest Flux 2.x release
distribution.registryghcr.io/fluxcdController image registry
componentssource-controller, kustomize-controller, helm-controller, notification-controllerFour Flux controllers installed — image-automation and image-reflector controllers are omitted (not used in this project)
cluster.typekubernetesGeneric Kubernetes distribution (not OpenShift/EKS-specific)
cluster.sizesmallSmall resource profile suitable for single-node kind and low-traffic management clusters
cluster.multitenantfalseCross-namespace references allowed — simplifies the single-tenant management cluster model
cluster.networkPolicyfalseNo NetworkPolicies applied to flux-system (kind overlay assumes a permissive default; production overlays opt in)

No spec.sync block. The kind Quick Start applies Helm sources and releases directly via kubectl apply -k deploy/kind/base/, so the FluxInstance here does not carry a GitRepository sync. Production overlays that want continuous reconciliation from Git add a spec.sync block on top of this base.

Kustomize ordering. Kustomize applies Namespace resources first by default, so flux-system exists before the FluxInstance is created. The flux-operator itself is installed out-of-band by hack/deploy-infra.sh (pinned FLUX_OPERATOR_VERSION, applied via kubectl apply -f install.yaml) before this kustomization is applied.

HelmRepository Sources

Six HelmRepository CRs define the Helm chart registries that FluxCD pulls from. All use apiVersion: source.toolkit.fluxcd.io/v1, are deployed to the flux-system namespace, and poll at interval: 1h.

Filemetadata.nameRegistry URLType
sources/cert-manager.yamlcert-managerhttps://charts.jetstack.ioHTTPS
sources/mariadb-operator.yamlmariadb-operatorhttps://mariadb-operator.github.io/mariadb-operatorHTTPS
sources/external-secrets.yamlexternal-secretshttps://charts.external-secrets.ioHTTPS
sources/openbao.yamlopenbaohttps://openbao.github.io/openbao-helmHTTPS
sources/c5c3-charts.yamlc5c3-chartsoci://ghcr.io/c5c3/chartsOCI
sources/prometheus-community.yamlprometheus-communityoci://ghcr.io/prometheus-community/chartsOCI

K-ORC is sourced from Git, not Helm. K-ORC publishes no Helm chart (its github.io page serves no Helm index), so sources/k-orc.yaml is a GitRepository — still source.toolkit.fluxcd.io/v1, in flux-system, polling at interval: 1h — pinned to the upstream release tag v2.5.0 and scoped to /dist via spec.ignore. It is applied by a Flux Kustomization, not a HelmRelease; see K-ORC (OpenStack Resource Controller).

The chaos-mesh HelmRepository ships in the kind-only opt-in overlay at deploy/kind/chaos-mesh/source.yaml — it is intentionally absent from deploy/flux-system/{sources,kustomization.yaml}. See Chaos Mesh (kind-only opt-in).

The c5c3-charts and prometheus-community repositories are OCI-type sources (spec.type: oci). c5c3-charts hosts internally-built operator charts (e.g., memcached-operator) in the GitHub Container Registry. prometheus-community hosts Prometheus community charts (e.g., prometheus-operator-crds). All other repositories use standard HTTPS Helm registries.

HelmRelease Operators

Nine HelmRelease CRs deploy the infrastructure operators and CRD charts (K-ORC is applied separately via a Flux Kustomization — see K-ORC (OpenStack Resource Controller)). All use apiVersion: helm.toolkit.fluxcd.io/v2 and share these common settings:

SettingValuePurpose
spec.interval30mReconciliation interval
spec.install.crdsCreateReplaceInstall CRDs if missing, replace if outdated
spec.install.createNamespacetrueAuto-create target namespace
spec.upgrade.crdsCreateReplaceUpdate CRDs on chart upgrade
spec.upgrade.remediation.retries3Retry failed upgrades up to 3 times

Dependency Order

cert-manager is the base layer (no dependsOn). The CRD-only charts (prometheus-operator-crds, mariadb-operator-crds) also have no dependencies. All other operators depend on cert-manager because they require TLS certificates for webhook servers. Some operators have additional dependencies on CRD charts or other operators:

text
cert-manager              (base — no dependencies)
prometheus-operator-crds  (no dependencies)
mariadb-operator-crds     (no dependencies)
├── mariadb-operator      dependsOn: cert-manager, mariadb-operator-crds
├── external-secrets      dependsOn: cert-manager
├── memcached-operator    dependsOn: cert-manager, prometheus-operator-crds
├── openbao               dependsOn: cert-manager
├── keystone-operator     dependsOn: cert-manager, mariadb-operator, memcached-operator, external-secrets
└── c5c3-operator         dependsOn: keystone-operator, external-secrets, mariadb-operator, memcached-operator

K-ORC is not in this graph: it is applied by a Flux Kustomization, not a HelmRelease, and a HelmRelease dependsOn can only reference other HelmReleases. The c5c3-operator therefore does not dependsOn K-ORC even though K-ORC is a hard dependency: SetupWithManager Owns the K-ORC kinds, so the manager only starts once those CRDs are installed (until then the pod restarts), and converges once they appear.

The c5c3-operator HelmRelease sits at the top of this graph: it dependsOn the four operators whose CRs it projects (keystone-operator, external-secrets, mariadb-operator, memcached-operator). It also drives K-ORC's ApplicationCredential / Service / Endpoint CRDs, but K-ORC is applied by the separate Flux Kustomization above, so it cannot be a dependsOn edge — the c5c3-operator's manager instead requires those CRDs to be present at startup.

FluxCD resolves this dependency graph and installs operators in the correct order. If cert-manager is not ready, dependent operators are held in a pending state.

The kind-only chaos-mesh HelmRelease (deploy/kind/chaos-mesh/) also declares dependsOn: cert-manager but is only installed when WITH_CHAOS_MESH=true make deploy-infra is used. Production overlays do not install it. See Chaos Mesh (kind-only opt-in).

cert-manager

File: deploy/flux-system/releases/cert-manager.yaml

PropertyValue
Target namespacecert-manager
Chartcert-manager
Version constraint>=1.16.0 <2.0.0
Sourcecert-manager HelmRepository
DependenciesNone (base layer)

Helm values:

KeyValuePurpose
crds.enabledtrueInstall CRDs via the Helm chart
prometheus.enabledfalsePrometheus metrics disabled
startupapicheck.enabledfalseDisable startup API check job

Prometheus Operator CRDs

File: deploy/flux-system/releases/prometheus-operator-crds.yaml

PropertyValue
Target namespacemonitoring
Chartprometheus-operator-crds
Version constraint>=17.0.0 <20.0.0
Sourceprometheus-community HelmRepository
DependenciesNone

The Prometheus Operator CRDs chart installs ServiceMonitor, PodMonitor, PrometheusRule, and related monitoring.coreos.com CRDs. These are required by the memcached-operator controller, which unconditionally watches ServiceMonitor resources via Owns().

MariaDB Operator CRDs

File: deploy/flux-system/releases/mariadb-operator-crds.yaml

PropertyValue
Target namespacemariadb-system
Chartmariadb-operator-crds
Version constraint>=0.30.0 <1.0.0
Sourcemariadb-operator HelmRepository
DependenciesNone

A separate CRD chart is required since mariadb-operator v0.35.0. Must be installed before mariadb-operator so CRDs are available for the operator and for infrastructure CRs (e.g., MariaDB Galera cluster).

MariaDB Operator

File: deploy/flux-system/releases/mariadb-operator.yaml

PropertyValue
Target namespacemariadb-system
Chartmariadb-operator
Version constraint>=0.30.0 <1.0.0
Sourcemariadb-operator HelmRepository
Dependenciescert-manager in cert-manager namespace, mariadb-operator-crds in mariadb-system namespace

Helm values:

KeyValuePurpose
metrics.enabledfalsePrometheus metrics disabled
webhook.enabledtrueEnable admission webhooks for MariaDB CRDs

External Secrets Operator

File: deploy/flux-system/releases/external-secrets.yaml

PropertyValue
Target namespaceexternal-secrets
Chartexternal-secrets
Version constraint>=0.10.0 <1.0.0
Sourceexternal-secrets HelmRepository
Dependenciescert-manager in cert-manager namespace

Helm values:

KeyValuePurpose
installCRDstrueInstall CRDs via the Helm chart
webhook.port9443Webhook server listen port
certController.enabledtrueManage webhook TLS certificates

Memcached Operator

File: deploy/flux-system/releases/memcached-operator.yaml

PropertyValue
Target namespacememcached-system
Chartmemcached-operator
Version constraint>=0.1.0 <1.0.0
Sourcec5c3-charts HelmRepository (shared OCI registry)
Dependenciescert-manager in cert-manager namespace, prometheus-operator-crds in monitoring namespace

Source reference: The Memcached Operator chart is published to the shared c5c3-charts OCI registry (oci://ghcr.io/c5c3/charts), not a dedicated HelmRepository. The sourceRef.name is c5c3-charts, matching the OCI HelmRepository in sources/.

Helm values:

KeyValuePurpose
metrics.enabledtrueExpose Prometheus metrics
webhook.enabledtrueEnable admission webhooks for Memcached CRDs

OpenBao

File: deploy/flux-system/releases/openbao.yaml

PropertyValue
Target namespaceopenbao-system
Chartopenbao
Version constraint>=0.5.0 <1.0.0
Sourceopenbao HelmRepository
Dependenciescert-manager in cert-manager namespace

OpenBao is deployed as a 3-replica HA Raft cluster with mutual TLS (mTLS) enforced on the API listener. The injector is disabled. The server TLS certificate is sourced from a cert-manager-provisioned Secret (openbao-tls), and two additional cert-manager-provisioned client certificates (openbao-client-tls, eso-openbao-client-tls) are required so that the OpenBao pods themselves (Raft retry_join + in-pod bao exec wrappers) and the External Secrets Operator can complete the TLS handshake. The listener carries tls_client_ca_file = "/openbao/tls/ca.crt" and tls_require_and_verify_client_cert = true, so every connection on :8200 — whether from a Raft peer, the in-pod bootstrap script, or ClusterSecretStore/openbao-cluster-store — must present a client certificate that chains to the same self-signed CA bundle as the server cert; the Kubernetes-token auth method (auth.kubernetes) is unchanged and runs after the transport-layer admission gate. See architecture/docs/09-implementation/09-openbao-deployment.md for design rationale.

Helm values:

KeyValuePurpose
global.tlsDisablefalseEnable TLS globally
server.authDelegator.enabledtrueEnable ClusterRoleBinding for TokenReview API (ESO auth)
server.ha.enabledtrueEnable HA mode
server.ha.replicas33-node Raft cluster
server.ha.raft.enabledtrueUse Raft storage backend
server.ha.raft.config listener tls_client_ca_file/openbao/tls/ca.crtCA the listener uses to verify presented client certs (same bundle as server cert)
server.ha.raft.config listener tls_require_and_verify_client_certtrueReject any TLS handshake without a valid client cert before app-layer auth runs
server.ha.raft.config retry_join.leader_client_cert_file × 3/openbao/client-tls/tls.crtClient cert each Raft peer presents on retry_join to every other peer (same value in all three stanzas)
server.ha.raft.config retry_join.leader_client_key_file × 3/openbao/client-tls/tls.keyMatching private key for leader_client_cert_file
server.volumes / server.volumeMountsclient-tlsSecret openbao-client-tls/openbao/client-tls (readOnly: true)Mounts the in-pod client keypair distinct from the server cert at /openbao/tls so server and client lifecycles do not collide
server.dataStorage.size10GiPersistent volume size
injector.enabledfalseDisable the Vault/Bao agent injector

Client certificates. The two client Certificate resources are declared in deploy/flux-system/infrastructure/openbao-client-tls-cert.yaml and registered in deploy/flux-system/infrastructure/kustomization.yaml immediately after openbao-tls-cert.yaml, so cert-manager reconciles them before the OpenBao StatefulSet and ClusterSecretStore consume them (first-apply ordering, see also "Apply ordering" notes below):

CertificateSecret (namespace)ConsumerReference
openbao-client-tlsopenbao-client-tls (openbao-system)OpenBao pods — Raft retry_join + in-pod bao execStatefulSet volume client-tls mounted at /openbao/client-tls; env vars VAULT_CLIENT_CERT / VAULT_CLIENT_KEY in every exec wrapper (deploy/openbao/bootstrap/common.sh, init-unseal.sh, hack/deploy-infra.sh)
eso-openbao-client-tlseso-openbao-client-tls (openbao-system)ESO ClusterSecretStore/openbao-cluster-storespec.provider.vault.tls.certSecretRef / keySecretRef in deploy/eso/clustersecretstore.yaml; auth.kubernetes block (mountPath kubernetes/management, role eso-management) is unchanged — mTLS is purely transport-layer

Both client certs are issued from the same openbao-ca-issuer as openbao-tls (a CA-type ClusterIssuer defined in deploy/flux-system/infrastructure/openbao-ca-issuer.yaml and itself bootstrapped by selfsigned-cluster-issuer). Sharing one CA is what makes the listener's tls_client_ca_file = /openbao/tls/ca.crt validate every presented client cert — a SelfSigned issuer would mint each Certificate as its own root and leave the chains unrelated. Both client certs carry usages: ["client auth"], with the same duration / renewBefore as openbao-tls so server and client rotation cadences stay aligned. See OpenBao Bootstrap Procedure — TLS Configuration for the full SAN/usages table, the VAULT_CLIENT_CERT / VAULT_CLIENT_KEY operator interface, and the runnable mTLS-enforcement probe.

Keystone Operator

File: deploy/flux-system/releases/keystone-operator.yaml

PropertyValue
Target namespacekeystone-system (controller); operator-managed Keystone workload remains in openstack
Chartkeystone-operator
Version constraint>=0.1.0 <1.0.0
Sourcec5c3-charts HelmRepository (shared OCI registry)
Dependenciescert-manager, mariadb-operator, memcached-operator, external-secrets

The Keystone Operator manages OpenStack Keystone identity service instances. It depends on four upstream operators: cert-manager for TLS, mariadb-operator for database provisioning, memcached-operator for caching, and external-secrets for secret management.

Helm values:

KeyValuePurpose
replicas2Run 2 controller replicas for HA
leaderElection.enabledtrueEnable leader election for HA
image.taglatestUse latest image until a versioned release publishes a semver tag

K-ORC (OpenStack Resource Controller)

File: deploy/flux-system/releases/k-orc.yaml

PropertyValue
KindKustomization (kustomize.toolkit.fluxcd.io/v1)
Target namespaceorc-system (the upstream installer self-namespaces)
Sourcek-orc GitRepository (tag v2.5.0)
Path./dist
DependenciesNone

K-ORC (the OpenStack Resource Controller) installs the declarative Keystone resource CRDs — ApplicationCredential, Service, Endpoint, and related kinds — that the c5c3-operator drives to project a ControlPlane's desired state into Keystone.

K-ORC ships no Helm chart, so it is applied as a Flux Kustomization over the upstream release manifest rather than a HelmRelease. The GitRepository source vendors ./dist from the pinned tag v2.5.0; dist/install.yaml there is byte-identical to the published install.yaml release asset. The path carries no kustomization.yaml, so the kustomize-controller generates one over dist/install.yaml and applies it verbatim (prune: true, wait: true). The installer already declares the orc-system Namespace and namespaces every resource into it, so no spec.targetNamespace is set. The short, stable name k-orc (not the upstream openstack-resource-controller) keeps diagnostics and cross-references terse.

The upstream installer has no global-cloud-config knob (the previous HelmRelease set globalCloudConfig.secretName). That is not on the credential critical path: K-ORC authenticates per resource via each CR's CloudCredentialsRef, resolved in the CR's own (control-plane) namespace, so the credential chain below materialises a co-located k-orc-clouds-yaml copy there via the per-ControlPlane ExternalSecret the c5c3-operator creates and owns (reconcileKORC). K-ORC therefore needs no global default clouds.yaml mount, so there is no longer an orc-system copy — the static manifest that previously declared it has been removed. The orc-system Namespace itself remains because the K-ORC installer's own resources land there. See Admin Credential Chain below.

c5c3-operator

File: deploy/flux-system/releases/c5c3-operator.yaml

PropertyValue
Target namespacec5c3-system
Chartc5c3-operator
Version constraint>=0.1.0 <1.0.0
Sourcec5c3-charts HelmRepository (shared OCI registry)
Dependencieskeystone-operator, external-secrets, mariadb-operator, memcached-operator

The c5c3-operator runs the ControlPlane reconciler that orchestrates a Keystone control plane end-to-end. It depends on the four operators whose CRs it projects — keystone-operator for the Keystone instance, external-secrets and mariadb-operator and memcached-operator for the supporting platform services. It also drives K-ORC's ApplicationCredential / Service / Endpoint CRDs to register the catalog and rotate the admin credential, but K-ORC is the separate Flux Kustomization above, not a dependsOn edge (so K-ORC, like the other CRD providers, is a hard dependency the manager requires at startup rather than tolerating). The operator child CRs are created in the ControlPlane's own namespace, not a hard-coded one. For the reconciliation contract see the upstream design chapter architecture/docs/09-implementation/08-c5c3-operator.md.

Helm values:

KeyValuePurpose
replicas2Run 2 controller replicas for HA
leaderElection.enabledtrueEnable leader election for HA
image.taglatestUse latest image until a versioned release publishes a semver tag

HelmRelease–HelmRepository Cross-Reference

Each HelmRelease sourceRef.name must match a HelmRepository metadata.name in sources/. This table shows the mapping:

HelmReleasesourceRef.nameHelmRepository file
cert-managercert-managersources/cert-manager.yaml
prometheus-operator-crdsprometheus-communitysources/prometheus-community.yaml
mariadb-operator-crdsmariadb-operatorsources/mariadb-operator.yaml
mariadb-operatormariadb-operatorsources/mariadb-operator.yaml
external-secretsexternal-secretssources/external-secrets.yaml
memcached-operatorc5c3-chartssources/c5c3-charts.yaml
openbaoopenbaosources/openbao.yaml
keystone-operatorc5c3-chartssources/c5c3-charts.yaml
c5c3-operatorc5c3-chartssources/c5c3-charts.yaml

k-orc is not in this table: it is a Flux Kustomization whose sourceRef is the k-orc GitRepository (sources/k-orc.yaml), not a HelmRelease backed by a HelmRepository.

The kind-only chaos-mesh HelmRelease ships in the opt-in overlay at deploy/kind/chaos-mesh/release.yaml, with its own local source.yaml. It is intentionally absent from this always-on table because production overlays do not install it.

Infrastructure Custom Resources

Infrastructure CRs are instance-level resources managed by the operators installed via HelmReleases above. They are separated into their own kustomization (infrastructure/kustomization.yaml) because they depend on CRDs that are only available after the corresponding operator HelmReleases install their Helm charts.

Self-Signed ClusterIssuer

File: deploy/flux-system/infrastructure/cluster-issuer.yaml

PropertyValue
API versioncert-manager.io/v1
KindClusterIssuer
Nameselfsigned-cluster-issuer
ScopeCluster-scoped (no namespace)

The self-signed ClusterIssuer provides a default certificate issuer for development environments. It requires cert-manager CRDs (cert-manager.io/v1) which are installed by the cert-manager HelmRelease.

OpenStack DB CA Issuer

File: deploy/flux-system/infrastructure/db-ca-issuer.yaml

Provisions the dedicated cert-manager CA that anchors the OpenStack database trust domain. The file declares two resources:

ResourceAPI versionKindNameNamespace
CA keypair Certificatecert-manager.io/v1Certificateopenstack-db-cacert-manager
CA ClusterIssuercert-manager.io/v1ClusterIssueropenstack-db-ca-issuerCluster-scoped

The selfsigned-cluster-issuer mints a self-signed CA Certificate (isCA: true, 3-year lifetime, 30-day renewBefore) into the openstack-db-ca Secret in the cert-manager namespace — cert-manager's default --cluster-resource-namespace, which is where a CA-type ClusterIssuer looks up its secretName. The openstack-db-ca-issuer ClusterIssuer then signs every leaf certificate inside the OpenStack DB trust domain:

  • MariaDB Galera server TLS material (spec.tls.serverCertIssuerRef, see below).
  • MaxScale listener TLS material (same issuer via inheritance / explicit serverCertIssuerRef).
  • The Keystone DB-client keypair issued by the keystone-operator's reconcileDatabaseTLS sub-reconciler — the constant dbCAIssuerName hard-codes the same string ("openstack-db-ca-issuer"), so a rename here MUST be matched in the operator.

Apply ordering. This manifest is also applied out-of-band from the infrastructure kustomization by hack/deploy-infra.sh (Phase 2, alongside cluster-issuer.yaml and openbao-tls-cert.yaml) so that MariaDB has the issuer available the moment it tries to render its server certificate. The infrastructure kustomization still references db-ca-issuer.yaml so subsequent kubectl apply -k runs are idempotent.

For the end-to-end TLS path the issuer participates in, see the Enable Keystone Database TLS how-to.

MariaDB Galera Cluster

File: deploy/flux-system/infrastructure/mariadb.yaml

PropertyValue
API versionk8s.mariadb.com/v1alpha1
KindMariaDB
Nameopenstack-db
Namespaceopenstack
Replicas3
GaleraEnabled (spec.galera.enabled: true)
MaxScaleEnabled, 2 replicas (spec.maxScale.enabled: true, spec.maxScale.replicas: 2)
Storage100Gi, storage class ceph-rbd

The MariaDB CR provisions a 3-node Galera cluster with synchronous replication managed by the mariadb-operator. MaxScale is enabled with 2 replicas to provide intelligent query routing and read/write splitting across the Galera nodes.

The root password is sourced from a Kubernetes Secret (mariadb-root-password, key password). The production stack ships no ExternalSecret for it — a non-kind Flux MariaDB baseline is expected to provide the mariadb-root-password Secret itself. On kind, a kind-only overlay shim (deploy/kind/infrastructure/mariadb-root-password-externalsecret.yaml) materialises it from the OpenBao path infrastructure/mariadb so the single-node Quick Start stays self-contained.

Non-Goal — operator-owned root credential. Unlike the Keystone admin password (which the c5c3-operator now projects per ControlPlane as a dedicated ExternalSecret), the MariaDB root password is deliberately not operator-owned. Provisioning it is left to the MariaDB baseline — the kind shim above, or a production Flux baseline — keeping the operator off the database superuser credential path.

Services:

ServiceTypePurpose
PrimaryClusterIPRead-write endpoint for application connections
SecondaryClusterIPRead-only endpoint for read replicas

Monitoring: Prometheus metrics are enabled (spec.metrics.enabled: true).

TLS. Galera inter-node replication, the MaxScale client listener, and every Keystone-to-database connection all sit inside the OpenStack DB trust domain rooted at the openstack-db-ca-issuer ClusterIssuer documented above. The MariaDB CR enables TLS in spec.tls and the MaxScale sub-spec inherits it:

FieldValuePurpose
spec.tls.enabledtrueTurn on TLS for the MariaDB cluster
spec.tls.requiredtrueReject any non-TLS connection at the transport layer (verified by the chainsaw plaintext-rejection probe in tests/e2e/keystone/database-tls/chainsaw-test.yaml)
spec.tls.serverCertIssuerRefopenstack-db-ca-issuer (ClusterIssuer, cert-manager.io)Issue server certs for Galera + MaxScale from the shared DB CA
spec.tls.clientCertIssuerRefopenstack-db-ca-issuer (ClusterIssuer, cert-manager.io)Trust client certs minted by the same DB CA (the Keystone operator issues its DB-client keypair from this issuer; see reconcile_databasetls.go)
spec.maxScale.tls.enabledtrueMaxScale terminates TLS on its client listener (proxy-side); explicit block documents intent even where the proxy would otherwise inherit spec.tls

The rendered YAML in deploy/flux-system/infrastructure/mariadb.yaml is:

yaml
spec:
  tls:
    enabled: true
    required: true
    serverCertIssuerRef:
      name: openstack-db-ca-issuer
      kind: ClusterIssuer
      group: cert-manager.io
    clientCertIssuerRef:
      name: openstack-db-ca-issuer
      kind: ClusterIssuer
      group: cert-manager.io
  maxScale:
    enabled: true
    replicas: 2
    tls:
      enabled: true

The mariadb-operator (v0.30+) auto-derives the server and client CA bundles from the referenced issuer, so explicit serverCASecretRef / clientCASecretRef entries are intentionally omitted — see the inline DECISION comment in mariadb.yaml for the trade-off against the cross-namespace *CASecretRef form. End-to-end verification that the live connection is encrypted lives in tests/e2e/keystone/database-tls/chainsaw-test.yaml (asserts SHOW STATUS LIKE 'Ssl_cipher' reports a non-empty cipher).

To turn the path on for a Keystone CR, follow the Enable Keystone Database TLS guide.

Memcached Cluster

File: deploy/flux-system/infrastructure/memcached.yaml

PropertyValue
API versionmemcached.c5c3.io/v1beta1
KindMemcached
Nameopenstack-memcached
Namespaceopenstack
Replicas3
Imagememcached:1.6

The Memcached CR provisions a 3-replica Memcached cluster for OpenStack session and token caching. The memcached-operator manages pod lifecycle and provides stable DNS-based service discovery for operator consumers.

API group: The API group is memcached.c5c3.io, matching the CRD definition shipped by the memcached-operator Helm chart.

Admin Credential Chain

The c5c3-operator mints a single restricted admin Application Credential per cluster and mirrors it to OpenBao, from where the External Secrets Operator materialises it as the clouds.yaml Secret that K-ORC authenticates with. The chain materialises the Kubernetes Secret k-orc-clouds-yaml via a single ExternalSecret, created per ControlPlane by the operator:

NamespaceSourcePurpose
openstack (control-plane)operator-created per-CR (reconcileKORCensureKORCCloudsYAMLExternalSecret)C1 co-location — the c5c3-operator creates the K-ORC ApplicationCredential/Service/Endpoint CRs in the control-plane namespace, and K-ORC resolves each CR's CloudCredentialsRef Secret in that same namespace, so the admin clouds.yaml must live here for K-ORC to authenticate. This is the copy the AdminCredentialReady gate waits on.

Control-plane copy (operator-created per ControlPlane) — the control-plane-namespace k-orc-clouds-yaml ExternalSecret is not a static manifest: the c5c3-operator creates and owns one per ControlPlane (reconcileKORCensureKORCCloudsYAMLExternalSecret), owner-ref'd to the CR for GC and created in the ControlPlane's child namespace. It is named after spec.korc.adminCredential.cloudCredentialsRef.secretName (default k-orc-clouds-yaml) and reads the per-CR OpenBao key openstack/keystone/{namespace}/{name}/admin/app-credential (property clouds.yaml, store-relative to the KV-v2 mount) via the openbao-cluster-storeClusterSecretStore, with creationPolicy: Owner and refreshInterval: 1h. Because both the ExternalSecret name and the OpenBao key are derived per-CR, an arbitrarily named ControlPlane resolves to the correct key with no manifest edit — the operator now resolves what was previously deferred for this ExternalSecret.

No orc-system copy — the static deploy/eso/externalsecrets/k-orc-clouds-yaml.yaml manifest that previously declared K-ORC's global default clouds.yaml mount has been removed. K-ORC authenticates per resource via each CR's CloudCredentialsRef, resolved in the control-plane namespace, so no cluster-global default mount is needed. The orc-system Namespace itself is retained (co-declared in deploy/flux-system/namespaces.yaml) because the K-ORC installer's own resources land there — it no longer hosts a clouds.yaml copy.

On a fresh cluster the bootstrap clouds.yaml at the per-CR OpenBao key is seeded by the operator (reconcileKORCseedBootstrapCloudsYAML, write-if-empty): it writes a password-based bootstrap clouds.yaml into the admin Application Credential Secret, and the operator's PushSecret mirrors it to OpenBao so the ExternalSecrets can materialise before any credential is minted. Once the c5c3-operator mints the admin Application Credential the same PushSecret overwrites the key with the App-Cred-based clouds.yaml.

OpenBao policydeploy/openbao/policies/push-app-credentials.hcl

This policy grants the write path for each ControlPlane's admin credential PushSecret. Because the admin credential path is keyed per ControlPlane (openstack/keystone/{namespace}/{name}/admin/app-credential), the grants template the namespace and name as two +/+ segments. The pre-existing mid-path grant kv-v2/data/openstack/*/app-credential matches only a single mid-segment (openstack/<svc>/app-credential) and therefore does not cover the four-segment per-CR shape. Rather than widening that glob, the policy adds two per-ControlPlane +/+ grants:

PathCapabilitiesPurpose
kv-v2/data/openstack/keystone/+/+/admin/app-credentialcreate, update, readWrite each ControlPlane's admin Application Credential clouds.yaml data leaf (the two + segments are its namespace and name)
kv-v2/metadata/openstack/keystone/+/+/admin/app-credentialcreate, update, readAllow ESO's Vault provider to write custom_metadata on the KV-v2 PushSecret (a data-only grant 403s on the metadata PUT and the PushSecret never reaches Ready)

A + matches exactly one path segment, so even though the namespace and name vary per ControlPlane the grant still terminates at the literal /admin/app-credential leaf and admits no deeper or sibling paths. Read coverage needs no widening: eso-management's read-only kv-v2/data/openstack/keystone/* trailing wildcard already covers every per-CR +/+/admin/app-credential leaf. Both grants stay scoped to the per-ControlPlane +/+ admin-credential leaves, adding no blast radius beyond admin app-credentials. For the mTLS transport gate and the openbao-cluster-store auth path these manifests ride on, see OpenBao Bootstrap Procedure.

Kustomization

Deployment is split into two kustomize overlays to separate base resources from CRD-dependent infrastructure resources:

Base Kustomization

File: deploy/flux-system/kustomization.yaml

The base kustomization uses apiVersion: kustomize.config.k8s.io/v1beta1 and includes namespaces, the FluxInstance CR, HelmRepository sources, and HelmRelease operators. These resources do not depend on any custom CRDs.

Resource count: 19 files producing 28 Kubernetes resources.

CategoryCountResources
Namespace10cert-manager, mariadb-system, external-secrets, monitoring, memcached-system, keystone-system, openstack, openbao-system, c5c3-system, orc-system
FluxInstance1flux (drives the flux-operator)
HelmRepository6cert-manager, mariadb-operator, external-secrets, openbao, c5c3-charts, prometheus-community
GitRepository1k-orc
HelmRelease9cert-manager, prometheus-operator-crds, mariadb-operator-crds, mariadb-operator, external-secrets, memcached-operator, openbao, keystone-operator, c5c3-operator
Kustomization1k-orc
Total28

The chaos-mesh HelmRepository, HelmRelease, and Namespace ship in the kind-only opt-in overlay at deploy/kind/chaos-mesh/ and are not counted here.

Infrastructure Kustomization

File: deploy/flux-system/infrastructure/kustomization.yaml

The infrastructure kustomization includes CRD-dependent resources that require their operator CRDs to be installed first. This kustomization must be applied after the base kustomization and after operators have finished installing their CRDs.

Resource count: 4 manifests producing 6 Kubernetes resources (the db-ca-issuer.yaml manifest declares two resources: a CA Certificate and the CA-type ClusterIssuer that signs from it).

CategoryCountResources
ClusterIssuer3selfsigned-cluster-issuer, openstack-db-ca-issuer, openbao-ca-issuer (all require cert-manager CRDs)
Certificate2openstack-db-ca, openbao-ca — both CA keypair Secrets in the cert-manager namespace, signed by selfsigned-cluster-issuer
MariaDB1openstack-db (requires mariadb-operator CRDs; TLS enabled per MariaDB Galera Cluster)
Memcached1openstack-memcached (requires memcached-operator CRDs)
Total6

Deployment

Step 1: Apply base resources

bash
kubectl apply -k deploy/flux-system/

This applies 28 resources: 10 namespaces, 1 FluxInstance, 7 HelmRepository sources, and 10 HelmRelease operators. FluxCD resolves the dependency graph between HelmReleases and installs operators in the correct order. Wait for all operators to finish installing before proceeding to step 2.

Step 2: Apply infrastructure resources

bash
kubectl apply -k deploy/flux-system/infrastructure/

This applies the CRD-dependent resources: the selfsigned-cluster-issuer ClusterIssuer, the openstack-db-ca-issuer ClusterIssuer plus its backing CA Certificate, the openbao-ca-issuer ClusterIssuer plus its backing CA Certificate, the MariaDB Galera cluster, and the Memcached cluster. These resources require CRDs that are installed by the operator HelmReleases in step 1. If CRDs are not yet available, the apply will fail — wait for the operators to finish installing and retry.

hack/deploy-infra.sh ordering. The end-to-end deploy script applies the three TLS-prerequisite manifests (cluster-issuer.yaml, openbao-tls-cert.yaml, db-ca-issuer.yaml) directly in its Phase 2, before the main infrastructure kustomization, so that MariaDB has openstack-db-ca-issuer available the moment it tries to render its server certificate. The kustomization apply that follows is idempotent — the same manifests are listed in infrastructure/kustomization.yaml so a manual kubectl apply -k path also works.

Expected transient failure: The MariaDB cluster references a rootPasswordSecretKeyRef Secret (mariadb-root-password). On kind, the overlay shim materialises it from OpenBao via the External Secrets Operator; in production a Flux MariaDB baseline must provide it. Until that Secret exists, the mariadb-operator will enter a failed reconciliation loop with Secret "mariadb-root-password" not found errors. This is expected and resolves automatically once the Secret is provisioned.

Validate manifests locally

bash
kustomize build deploy/flux-system/
kustomize build deploy/flux-system/infrastructure/

These commands render the manifest output without applying it. Use them to verify YAML syntax and resource inclusion before deployment.

Prerequisites

  • A Kubernetes cluster with FluxCD installed (source-controller and helm-controller)
  • kubectl configured with cluster access
  • For local validation only: kustomize CLI

Extensibility

The manifest structure is designed for straightforward extension. Adding a new operator (e.g., OpenBao) requires four steps:

  1. Add a source file in sources/ (e.g., sources/openbao.yaml) — or reuse an existing HelmRepository if the chart is in a shared registry
  2. Add a release file in releases/ (e.g., releases/openbao.yaml) with the HelmRelease CR, dependsOn for cert-manager, and the standard install/upgrade settings
  3. Add both paths to the resources list in kustomization.yaml
  4. Add the operator namespace to namespaces.yaml (e.g., openbao-system) so the namespace exists before kubectl apply -k creates the namespaced HelmRelease CR

Infrastructure instance CRs (e.g., a new database or cache cluster) follow the same pattern: add a file in infrastructure/ and list it in infrastructure/kustomization.yaml.

Design Decisions

Two-phase kustomization

Resources are split into a base kustomization (namespaces, sources, releases) and an infrastructure kustomization (CRD-dependent resources). This separation ensures that kubectl apply -k does not attempt to create CRD-dependent resources before the corresponding CRDs exist. The base kustomization can be applied independently, and the infrastructure kustomization is applied after operators have installed their CRDs.

In FluxCD-managed clusters, this pattern maps to two FluxCD Kustomization CRs where the infrastructure Kustomization depends on the base Kustomization (using spec.dependsOn), eliminating noisy first-apply failures.

Explicit namespace resources

All target namespaces are defined as explicit Namespace resources in namespaces.yaml. While HelmReleases set install.createNamespace: true for FluxCD's helm-controller, the explicit namespace resources ensure namespaces exist before kubectl apply -k attempts to create namespaced resources (HelmRelease CRs specify a target namespace in their metadata).

Namespace auto-creation

All HelmReleases set install.createNamespace: true as a safety net for FluxCD deployments. This is complementary to the explicit Namespace resources — the explicit resources handle the kubectl apply -k path, while createNamespace handles edge cases in FluxCD reconciliation.

No secret configuration

The manifests intentionally contain no password, credential, or secret configuration. Secret management is handled by the External Secrets Operator integration, which provisions secrets from an external vault into the cluster.

Memcached Operator source

The Memcached Operator chart is sourced from the shared c5c3-charts OCI registry rather than a dedicated HelmRepository. This follows the project convention of publishing internally-built charts to oci://ghcr.io/c5c3/charts (see architecture/docs/09-implementation/07-ci-cd-and-packaging.md).

c5c3-operator and K-ORC design source

The upstream design for the c5c3-operator, K-ORC, and the admin-credential lifecycle documented above lives in the architecture/ git submodule:

  • architecture/docs/09-implementation/08-c5c3-operator.md — the c5c3-operator ControlPlane reconciler contract
  • architecture/docs/03-components/01-control-plane/05-korc.md — the K-ORC component and chart constraint
  • architecture/docs/05-deployment/01-gitops-fluxcd/01-credential-lifecycle.md — the restricted admin Application Credential lifecycle

These chapters are the authoritative design source. They are updated upstream only and reach this repository through a submodule pointer bump — they are not edited from this repository or worktree. Treat any divergence between these chapters and the manifests above as a drift to reconcile at the source, not by editing the submodule in place.

Kind Overlay Demo Addons

The kind overlay (deploy/kind/base/kustomization.yaml) layers a small set of kind-only demo manifests on top of the production base. These files live under deploy/kind/base/ and are not referenced from deploy/flux-system/kustomization.yaml, so they never reach production clusters. The section below catalogues these addons; earlier kind-only manifests (Headlamp, OpenBao UI patch) are documented in the Quick Start. Chaos Mesh ships as a separate opt-in kind overlay at deploy/kind/chaos-mesh/ — applied only when WITH_CHAOS_MESH=true is set on make deploy-infra; see Chaos Mesh (kind-only opt-in) below.

Flux Web UI ResourceSet

File: deploy/kind/base/flux-web.yaml

A single ResourceSet CR drives the flux-operator's bundled Flux Web UI as a demo surface for the kind Quick Start (Step 4a). The ResourceSet renders two sibling resources — an OCIRepository pointing at the official flux-operator Helm chart and a HelmRelease that installs that chart with only the Web UI sub-chart enabled.

PropertyValue
API versionfluxcd.controlplane.io/v1
KindResourceSet
Nameflux-web
Namespaceflux-system
Chart URLoci://ghcr.io/controlplaneio-fluxcd/charts/flux-operator
Version pin (input)0.47.x — SemVer range locked to the minor track of FLUX_OPERATOR_VERSION in hack/deploy-infra.sh

Helm values on the nested HelmRelease:

KeyValuePurpose
web.serverOnlytrueRender only the Web UI Deployment + Service; skip the operator Deployment, CRDs, and RBAC that the original install.yaml bootstrap already owns
installCRDsfalseThe flux-operator CRDs (FluxInstance, ResourceSet, ResourceSetInputProvider, …) are already installed by the out-of-band install.yaml apply in hack/deploy-infra.sh — re-applying them here would fight the bootstrap on every reconcile
fullnameOverrideflux-webGive the Web UI Deployment / Service / ServiceAccount a distinct identity so they do not collide with the operator's own flux-operator-* workload names

Version tracking. The spec.inputs[0].version SemVer range is updated automatically by a Renovate customManager entry in renovate.json that targets deploy/kind/base/flux-web.yaml and pulls release metadata from controlplaneio-fluxcd/flux-operator GitHub releases. The customManager shares the same packageRules as hack/deploy-infra.sh — major upgrades are disabled, minor/patch upgrades auto-merge after a three-day minimumReleaseAge cooldown.

Production opt-out. deploy/flux-system/kustomization.yaml deliberately does not list deploy/kind/base/flux-web.yaml. The flux-operator Web UI ships without token authentication, without TLS termination, and without an Ingress story — it is safe as a localhost port-forward demo on a single-node kind cluster, not as a shared-cluster surface. Production overlays can opt back in explicitly once upstream adds those prerequisites.

Access (kind Quick Start, Step 4a):

bash
kubectl port-forward svc/flux-web -n flux-system 9080:9080

Browse http://localhost:9080 — no login required. The Web UI complements Headlamp by rendering the three flux-operator-specific CRDs (ResourceSet, ResourceSetInputProvider, FluxReport) that the generic Headlamp Flux plugin does not know about.

Chaos Mesh (kind-only opt-in)

File: deploy/kind/chaos-mesh/kustomization.yaml

Chaos Mesh ships as a separate opt-in kind overlay. The default make deploy-infra flow does not install it — first-run deployments skip the privileged chaos-daemon DaemonSet, the chaos-mesh namespace, and the upstream HelmRepository / HelmRelease pair so that developers who never run chaos E2E suites pay zero install cost. The production deploy/flux-system/ overlay also does not install Chaos Mesh.

The overlay is self-contained: the HelmRepository lives in deploy/kind/chaos-mesh/source.yaml and the HelmRelease in deploy/kind/chaos-mesh/release.yaml (both relocated from the former deploy/flux-system/{sources,releases}/chaos-mesh.yaml locations). The overlay bundles them with:

PropertyValue
Target namespacechaos-mesh (created inline with the privileged PodSecurity label required by chaos-daemon's host PID/network access)
Chartchaos-mesh
Version constraint>=2.6.0 <3.0.0
Sourcechaos-mesh HelmRepository (deploy/kind/chaos-mesh/source.yaml)
Dependenciescert-manager in cert-manager namespace

Kind-tuning patch (relocated here from deploy/kind/base/kustomization.yaml because kustomize requires the patch target to live in the same overlay):

Helm valueOverridePurpose
chaosDaemon.runtimecontainerdMatch the kind node's container runtime
chaosDaemon.socketPath/run/containerd/containerd.sockMount the kind containerd socket so chaos-daemon can attack pods
chaosDaemon.resources25m / 64Mi requestsReduce footprint on single-node kind
dashboard.createfalseDashboard is unnecessary in CI
controllerManager.resources25m / 64Mi requestsReduce footprint on single-node kind

These overrides diverge intentionally from the upstream chart defaults (dashboard enabled, larger resource requests, auto-detected runtime), which target multi-node production clusters. Because the patch and the HelmRelease both live in the kind-only overlay, production environments that opt into Chaos Mesh start from the upstream defaults instead of inheriting the kind-tuning values.

No load-restrictor flag required. The overlay has no parent-directory ../../ references — every resource (namespace.yaml, source.yaml, release.yaml) lives under deploy/kind/chaos-mesh/. Kustomize's default LoadRestrictionsRootOnly security check is therefore satisfied without --load-restrictor=LoadRestrictionsNone, which matters because kubectl's embedded kustomize does not expose that flag (kubernetes/kubectl#948) and hack/deploy-infra.sh invokes the apply via kubectl apply -k.

Opt-in usage:

bash
WITH_CHAOS_MESH=true make deploy-infra

This is the prerequisite for make e2e-chaos. See Chaos E2E Tests for the full workflow.

kube-prometheus-stack (kind-only opt-in)

File: deploy/kind/prometheus/kustomization.yaml

kube-prometheus-stack ships as a separate opt-in kind overlay. The default make deploy-infra flow does not install it — the monitoring namespace stays absent, and Prometheus / Grafana / the prometheus-operator pods do not consume any of the kind node's CPU or memory budget unless a contributor explicitly opts in. The production deploy/flux-system/ overlay also does not install the stack: production clusters are expected to run their own Prometheus and widen its serviceMonitorSelector to pick up the keystone-operator chart's ServiceMonitor (see Enable Keystone Operator Metrics for that wiring path).

The overlay is self-contained: the Namespace and HelmRelease live in deploy/kind/prometheus/namespace.yaml and deploy/kind/prometheus/release.yaml, and the upstream prometheus-community HelmRepository in deploy/flux-system/sources/prometheus-community.yaml is reused (it is already present for the prometheus-operator-crds HelmRelease in the production base, so no new source manifest is added to the production tree). The overlay bundles the resources with:

PropertyValue
Target namespacemonitoring (created inline; no PodSecurity label override required)
Chartkube-prometheus-stack
Version constraint>=65.0.0 <70.0.0
Sourceprometheus-community HelmRepository (reused from deploy/flux-system/sources/)
Dependenciescert-manager in cert-manager namespace

Kind-tuned values (deliberately too lean for a real workload — they exist so the stack fits in a single-node kind cluster alongside Flux, the operators, and the OpenStack control plane):

Helm valueOverridePurpose
crds.enabledfalseThe monitoring.coreos.com CRDs are already installed by the production-base prometheus-operator-crds HelmRelease — re-installing them from the chart would fight that release on every reconcile
alertmanager.enabledfalseNo alert routing in a developer cluster
nodeExporter.enabledfalseSingle-node kind has no meaningful node-level metrics worth scraping
kubeStateMetrics.enabledfalseKube-state-metrics adds noise the kind dashboards do not consume
prometheus.prometheusSpec.retention6hShort retention keeps the Prometheus PVC tiny on kind
prometheus.prometheusSpec.serviceMonitorSelectorNilUsesHelmValuesfalseAllow the operator chart's ServiceMonitor to be scraped without forcing a release: kube-prometheus-stack label on it
prometheus.prometheusSpec.serviceMonitorSelector{}Match every ServiceMonitor in the cluster (kind only — production overlays should use a tighter selector)
prometheus.prometheusSpec.serviceMonitorNamespaceSelector{}Match every namespace (kind only — see above)
prometheus.prometheusSpec.resources / grafana.resources100m CPU / 256Mi mem capsHard cap on kind resource use

Dashboard provisioning. The overlay also adds a configMapGenerator that bundles the keystone-operator dashboard JSON (operators/keystone/dashboards/keystone-operator.json — the single source of truth, never forked into the overlay) with the grafana_dashboard: "1" and app.kubernetes.io/part-of: kube-prometheus-stack labels. Grafana's sidecar discovers the labelled ConfigMap on startup and imports it into the Dashboards → Keystone Operator entry without any manual API call. Because the dashboard JSON lives outside the overlay directory, hack/deploy-infra.sh performs an idempotent copy into deploy/kind/prometheus/keystone-operator.json immediately before kubectl apply -k runs — this satisfies kustomize's default LoadRestrictionsRootOnly constraint (the overlay has no ../ references) without requiring --load-restrictor=LoadRestrictionsNone.

Local validation (make stage-prometheus-dashboard). The staged deploy/kind/prometheus/keystone-operator.json is git-ignored — the canonical file lives only at operators/keystone/dashboards/keystone-operator.json. Developers who want to run kustomize build deploy/kind/prometheus/, kubectl apply -k deploy/kind/prometheus/, or chainsaw lint against the overlay without running WITH_PROMETHEUS=true make deploy-infra first must stage the dashboard manually:

bash
make stage-prometheus-dashboard

The target performs the same cp -f that hack/deploy-infra.sh runs at deploy time, so local renders match CI exactly. make deploy-infra re-runs the copy on every invocation, so explicit staging is not needed when going through the full deploy path.

ServiceMonitor enablement. The keystone-operator chart defaults to monitoring.serviceMonitor.enabled=false so production overlays inherit the safe default. When WITH_PROMETHEUS=true, hack/deploy-infra.sh waits for the kube-prometheus-stack HelmRelease to become Ready, then runs:

bash
kubectl patch helmrelease keystone-operator -n keystone-system --type=merge \
  -p '{"spec":{"values":{"monitoring":{"serviceMonitor":{"enabled":true}}}}}'

…and waits for the keystone-operator HelmRelease to reconcile back to Ready=True on the new values. The patch is only applied when WITH_PROMETHEUS=true — the chart values themselves are never modified, which keeps the production posture unchanged.

Opt-in usage:

bash
WITH_PROMETHEUS=true make deploy-infra

This is the prerequisite for make e2e-prometheus (see CI / e2e-prometheus job for the workflow). For the kind UI walkthrough — port-forward, default Grafana credentials, the bundled Keystone Operator dashboard, and a Prometheus targets sanity-check — see Extended Quick Start — Step 4c.

Posture summary. Reviewers checking new kind-only opt-ins should treat this entry as a parallel of the Chaos Mesh (kind-only opt-in) example above: the production omission is explicit, the opt-in flag has a single documented name (WITH_PROMETHEUS), and the kind overlay is self-contained under deploy/kind/prometheus/ so the production kustomization root is untouched. The document-intentional-environment-divergence-in-overlays review pattern catalogues the full surface area.