openCenter is a command-line tool that transforms a single declarative YAML configuration into a production-ready Kubernetes cluster with GitOps management.
It standardizes cluster deployment across OpenStack, VMware, Baremetal, and Kind, providing configuration validation, secrets management, and automated GitOps repository generation.
- Configuration-First Workflow: Single YAML file defines your entire cluster (infrastructure, Kubernetes, services, secrets)
- Multi-Provider Support: Deploy to OpenStack, VMware, Baremetal, or Kind with the same configuration structure
- Built-in Validation: Schema validation, business rules, and provider-specific checks catch errors before deployment
- GitOps Native: Generates complete FluxCD-ready repository with Kustomize overlays for cluster-specific customization
- Secrets Management: SOPS Age encryption for safe version control of sensitive data
- Platform Services: 20+ pre-configured services (monitoring, logging, ingress, auth, storage, backup)
```bash
# Install tools
mise install

# Build CLI
mise run build

# Initialize cluster
./bin/opencenter cluster init my-cluster --org my-org

# Edit configuration
$EDITOR ~/.config/opencenter/clusters/my-org/.my-cluster-config.yaml

# Validate
./bin/opencenter cluster validate my-cluster

# Generate GitOps repository
./bin/opencenter cluster generate my-cluster

# Deploy
./bin/opencenter cluster deploy my-cluster
```

Time to first cluster: 10 minutes configuration + 30-50 minutes deployment
See Getting Started Tutorial for complete walkthrough.
- Cluster Lifecycle: Initialize, configure, validate, generate, deploy, destroy
- Configuration Management: Schema-driven with defaults, validation, and override capabilities
- Secrets Operations: Generate keys, encrypt/decrypt, rotate, check expiration, sync, validate drift
- GitOps Repository: Automated generation with infrastructure (Terraform/Kubespray) and applications (FluxCD/Kustomize)
- Provider Abstraction: Unified interface across OpenStack, VMware, Baremetal, and Kind
- Service Management: Enable/disable platform services, customize configurations, view options
- Operational Tools: Drift detection, backup/restore, audit logging, cluster doctor, import
```yaml
opencenter:
  cluster:
    cluster_name: production
    organization: acme-corp
  infrastructure:
    provider: openstack
    cloud:
      openstack:
        auth_url: https://identity.api.rackspacecloud.com/v3
        region: sjc3
        application_credential_id: ${OPENSTACK_APP_CRED_ID}
        application_credential_secret: ${OPENSTACK_APP_CRED_SECRET}
  kubernetes:
    version: 1.33.5
    control_plane_count: 3
    worker_count: 2
    cni: calico
  services:
    keycloak:
      enabled: true
    kube-prometheus-stack:
      enabled: true
    loki:
      enabled: true
    velero:
      enabled: true
  secrets:
    sops:
      age_keys:
        - age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
```

See Configuration Schema Reference for complete structure.
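As an added illustration (not openCenter's own validator), the Go check below shows the kind of pre-deployment validation this config shape invites: cloud credentials must be `${VAR}` references that resolve at run time rather than literals that would land in the generated GitOps repository, the provider must be one of the four supported, and SOPS age recipients must be well-formed. The `Config` struct, the odd control-plane rule and the regex checks are assumptions for the example, not the project's schema.

```go
package main

import "regexp"

// Illustrative subset of the config keys shown above (not the project's own type).
type Config struct {
	Provider, AppCredID, AppCredSecret string
	ControlPlaneCount                  int
	AgeRecipients                      []string
}
var (
	placeholderRe = regexp.MustCompile(`^\$\{([A-Z][A-Z0-9_]*)\}$`) // a ${VAR} reference
	ageKeyRe      = regexp.MustCompile(`^age1[a-z0-9]{58}$`)        // shape of an age public key
	providers     = map[string]bool{"openstack": true, "vmware": true, "baremetal": true, "kind": true}
)
// SampleConfig mirrors the README's production example (constructed test input).
func SampleConfig() Config {
	return Config{
		Provider: "openstack", ControlPlaneCount: 3,
		AppCredID: "${OPENSTACK_APP_CRED_ID}", AppCredSecret: "${OPENSTACK_APP_CRED_SECRET}",
		AgeRecipients: []string{"age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"},
	}
}
// ValidateConfig returns every problem found; lookup stands in for os.LookupEnv so tests can fake the environment.
func ValidateConfig(c Config, lookup func(string) (string, bool)) []string {
	var problems []string
	if !providers[c.Provider] {
		problems = append(problems, "infrastructure.provider "+c.Provider+" is not supported")
	}
	if c.ControlPlaneCount < 1 || c.ControlPlaneCount%2 == 0 {
		problems = append(problems, "control_plane_count must be odd (assumed rule: etcd quorum)")
	}
	creds := [][2]string{{"application_credential_id", c.AppCredID}, {"application_credential_secret", c.AppCredSecret}}
	for _, cr := range creds {
		// A literal credential here would end up in the generated GitOps repo in clear.
		if m := placeholderRe.FindStringSubmatch(cr[1]); m == nil {
			problems = append(problems, cr[0]+" must be a ${VAR} placeholder, not a literal value")
		} else if _, ok := lookup(m[1]); !ok {
			problems = append(problems, cr[0]+": environment variable "+m[1]+" is not set")
		}
	}
	for _, k := range c.AgeRecipients {
		if !ageKeyRe.MatchString(k) {
			problems = append(problems, "malformed age recipient: "+k)
		}
	}
	return problems
}
```

Pass `os.LookupEnv` as the lookup in real use; an unset variable is reported as a problem rather than silently expanding to an empty credential.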
```bash
# Cluster Lifecycle
opencenter cluster init <name> --org <org>      # Initialize new cluster
opencenter cluster configure <name> --guided    # Guided provider configuration
opencenter cluster validate <name>              # Validate configuration
opencenter cluster generate <name>              # Generate GitOps repository
opencenter cluster deploy <name>                # Deploy cluster
opencenter cluster destroy <name>               # Destroy cluster

# Cluster Management
opencenter cluster list                         # List all clusters
opencenter cluster use <name>                   # Set active cluster
opencenter cluster active                       # Show active cluster
opencenter cluster status <name>                # Show cluster status
opencenter cluster describe <name>              # Detailed cluster description
opencenter cluster doctor <name>                # Check tools and readiness

# Configuration
opencenter cluster set <name> <path=value>      # Update configuration value
opencenter cluster edit <name>                  # Edit in $EDITOR
opencenter cluster normalize <name>             # Add missing defaults
opencenter cluster export <name>                # Export effective config

# Service Management
opencenter cluster service enable <svc>         # Enable a platform service
opencenter cluster service disable <svc>        # Disable a platform service
opencenter cluster service status               # Show all service states
opencenter cluster service options <svc>        # Show service config options

# Secrets Management
opencenter secrets keys generate                # Generate Age key pair
opencenter secrets keys rotate --type sops      # Rotate encryption keys
opencenter secrets keys check                   # Check key expiration
opencenter secrets keys backup                  # Backup Age keys
opencenter secrets sync <name>                  # Sync secrets to manifests
opencenter secrets validate <name>              # Validate secrets for drift
opencenter secrets encrypt                      # Encrypt secrets in YAML
opencenter secrets decrypt                      # Decrypt secrets in YAML
opencenter secrets status                       # Show encryption status
opencenter secrets login                        # Refresh Keystone token
opencenter secrets list                         # List secrets
opencenter secrets get <name>                   # Download and decrypt
opencenter secrets set <name>                   # Create or update

# Operations
opencenter cluster drift detect <name>          # Detect infrastructure drift
opencenter cluster drift reconcile <name>       # Reconcile drift
opencenter cluster backup create <name>         # Create backup
opencenter cluster backup restore <id>          # Restore from backup
opencenter cluster lock <name>                  # Lock cluster
opencenter cluster import scan                  # Scan repo for import
opencenter cluster migrate-layout --org <org>   # Migrate to secure layout

# CLI Settings
opencenter settings view                        # Display current settings
opencenter settings set <key> <value>           # Set a value (dot notation)
opencenter settings get <key>                   # Get a value
opencenter settings path                        # Show settings file path
opencenter settings edit                        # Edit settings in editor
opencenter settings ide                         # Generate schema + editor setup
opencenter settings explain                     # Explain config effects

# Plugins
opencenter plugins list                         # List external plugins

# Utilities
opencenter version                              # Show version information
opencenter shell-init                           # Output shell integration script
opencenter --help                               # Show help
```

See CLI Commands Reference for complete documentation with all flags.
Comprehensive documentation organized by the Diátaxis framework:
Tutorials (Learning-Oriented)
- Getting Started - Your first cluster in 10 minutes
- OpenStack First Cluster - Deploy on OpenStack
- Kind Local Development - Local development setup
- VMware Deployment - Deploy on pre-provisioned VMs
- Multi-Cluster Management - Manage multiple clusters
How-To Guides (Task-Oriented)
- Validate Configuration - Pre-deployment validation
- Manage Secrets - SOPS encryption and key rotation
- Customize Services - Configure platform services
- Add Worker Pools - Scale your cluster
- Backup and Restore - Disaster recovery
- Upgrade Kubernetes - Safe version upgrades
- Troubleshoot Deployment - Common issues and solutions
- Migrate Clusters - Provider/region migration
- Integrate CI/CD - Pipeline integration
- Create and Install a CLI Plugin - External plugins
Reference (Information-Oriented)
- CLI Commands - Complete command reference
- Configuration Schema - Configuration file structure
- Default Values - Default configuration values
- Platform Services - Available services and versions
- Providers - Infrastructure provider details
- Validation Rules - Configuration constraints
- Environment Variables - Environment configuration
- Exit Codes - CLI exit codes and meanings
- File Locations - Configuration file paths
- Configuration Precedence - Resolution order
- Mise Tasks - Development and build tasks
Explanation (Understanding-Oriented)
- Architecture - System design and decisions
- GitOps Workflow - Repository structure and reconciliation
- Security Model - Security architecture and controls
- Configuration Lifecycle - Configuration management
- Provider Comparison - Choosing infrastructure providers
- Drift Detection - Configuration drift and reconciliation
- Services & Templates - Service rendering system
- Plugin Internal Services - Service plugin architecture
- Plugin External CLI - Command plugin model
Developer Documentation
- Contributing Guide - Contribution guidelines
- Development Setup - Local development environment
- Testing Guide - Writing and running tests
- Code Structure - Codebase organization
- Adding Providers - Implement new infrastructure providers
- Adding Services - Add new platform services
- Build System - Mise-based build and release
- Release Process - Creating releases
Codemaps (Architecture Maps)
- Index - Package map and cross-references
- CLI Commands - Command tree and registration
- Config System - Loader pipeline and types
- GitOps Engine - Generation pipeline
- Cluster Lifecycle - Lifecycle services
- Secrets Management - Secrets architecture
- Providers - Cloud provider implementations
- DI Container - Dependency injection
Start here: Documentation Home | Navigation Guide
```bash
# Install tools
mise install

# Build binary
mise run build

# Run unit tests
mise run test

# Run BDD tests
mise run godog

# Run property-based tests
mise run test-properties

# Lint code
mise run lint

# Format code
mise run fmt
```

```bash
# Build for multiple platforms
mise run build-all

# Create release
mise run release v1.0.0

# Generate JSON schema
mise run schema

# Validate templates
mise run validate-templates

# Run a Kind cluster with openCenter-managed CNI
opencenter cluster init dev-cluster --type kind --kind-disable-default-cni
opencenter cluster validate dev-cluster
opencenter cluster generate dev-cluster
opencenter cluster deploy dev-cluster

# Setup local Gitea for testing
mise run gitea-up
```

See Mise Tasks Reference for complete list.
Tagged releases are published by GitHub Actions. Use mise run release for local preflight builds, then push a v* tag to create the signed release artifacts.
```text
openCenter-cli/
├── cmd/                    # CLI commands (Cobra)
│   ├── root.go             # Root command and global flags
│   ├── cluster*.go         # Cluster lifecycle commands
│   ├── secrets*.go         # Secrets management commands
│   ├── config*.go          # Settings commands (Cobra Use: "settings")
│   └── plugins.go          # Plugin management
├── internal/               # Internal packages
│   ├── config/             # Configuration management (loader, builder, types, v2)
│   ├── cluster/            # Cluster lifecycle services (init, validate, setup, bootstrap)
│   ├── gitops/             # GitOps repository generation (pipeline, templates, rendering)
│   ├── secrets/            # Multi-cluster secrets management (rotation, registry, hooks)
│   ├── sops/               # SOPS encryption (Age keys, file encrypt/decrypt)
│   ├── cloud/              # Provider adapters (OpenStack, VMware, Kind)
│   ├── security/           # Audit logging, input validation, command sanitization
│   ├── di/                 # Dependency injection container
│   ├── services/           # Platform service plugin registry
│   ├── operations/         # Drift detection, backup, disaster recovery
│   ├── resilience/         # Retry, circuit breaker, distributed locks
│   ├── provision/          # Embedded provisioning templates
│   ├── template/           # Template engine with caching and sandboxing
│   ├── plugins/            # External CLI plugin discovery
│   ├── importer/           # Live cluster import/scan
│   ├── credentials/        # Cloud credential extraction
│   ├── barbican/           # OpenStack Key Manager client
│   ├── localdev/           # Local dev environment (Kind, Gitea, Flux)
│   ├── observability/      # Structured logging, credential masking
│   ├── ansible/            # Kubespray inventory generation
│   ├── tofu/               # OpenTofu/Terraform execution
│   ├── ui/                 # Prompts, error formatting, guided flows
│   ├── core/               # Shared: path resolution, validation engine
│   └── util/               # Files, errors, crypto, security, metrics
├── docs/                   # Documentation (Diátaxis)
│   ├── CODEMAPS/           # Architecture maps (generated from code)
│   ├── tutorials/          # Learning-oriented guides
│   ├── how-to/             # Task-oriented guides
│   ├── reference/          # Information-oriented specs
│   ├── explanation/        # Understanding-oriented concepts
│   └── dev/                # Developer documentation
├── tests/                  # BDD tests (Godog)
│   └── features/           # Gherkin feature files
├── schema/                 # JSON schema definitions
├── hack/                   # Development scripts and local Gitea setup
├── .mise.toml              # Mise configuration and tasks
├── go.mod                  # Go module definition
└── main.go                 # CLI entrypoint
```
See Code Structure and Codemaps for detailed explanation.
- Cluster configurations: `~/.config/opencenter/clusters/<org>/.<cluster>-config.yaml`
- CLI settings: `~/.config/opencenter/config.yaml`
- Active cluster: `~/.config/opencenter/active`
- SOPS Age keys: `~/.config/opencenter/clusters/<org>/secrets/age/`
- SSH keys: `~/.config/opencenter/clusters/<org>/secrets/ssh/`
Override CLI configuration storage with OPENCENTER_CONFIG_DIR and cluster storage with OPENCENTER_CLUSTERS_DIR.
See File Locations Reference for complete paths.
| Variable | Description | Default |
|---|---|---|
| OPENCENTER_CONFIG_DIR | Configuration directory | ~/.config/opencenter |
| OPENCENTER_CLUSTERS_DIR | Cluster storage directory | ${OPENCENTER_CONFIG_DIR}/clusters |
| OPENCENTER_PLUGINS_DIR | Plugins directory | ${OPENCENTER_CONFIG_DIR}/plugins |
| OPENCENTER_LOG_LEVEL | Log level (debug, info, warn, error) | warn |
| SOPS_AGE_KEY_FILE | Path to Age key file | |
| SOPS_AGE_RECIPIENTS | Age public keys for encryption | |
| KUBECONFIG | Kubernetes config file | ~/.kube/config |
See Environment Variables Reference for complete list.
We welcome contributions! Please see our Contributing Guide to get started.
- Fork and clone the repository
- Create a feature branch
- Make your changes
- Run tests: `mise run test && mise run godog`
- Submit a pull request
- Custom Providers: Add new infrastructure providers in `internal/cloud/<provider>/`
- Custom Services: Add platform services in `internal/config/services/<service>.go`
- Custom Validators: Add validation rules in `internal/core/validation/`
- Plugins: Create external plugins as `opencenter-<plugin>` executables
See Developer Documentation for detailed guides.
This project is licensed under the Apache 2.0 License. See LICENSE for details.
- Documentation: docs/
- Security Policy: SECURITY.md
- Issues: GitHub Issues
- Discussions: GitHub Discussions
openCenter CLI is part of the openCenter ecosystem:
- openCenter-gitops-base - Platform services library with security-hardened Helm values
- openCenter-customer-app-example - Reference application deployment patterns
- openCenter-AirGap - Air-gapped deployment packaging
- opencenter-windows - Windows worker node support