github.com/mmrajput/kubernetes-multi-cluster

# Kubernetes Multi-cluster Platform

Platform Engineering · Logical Architecture · Planned

Hardware: Beelink SER5 Pro · AMD Ryzen 5 5500U · 32GB RAM · 500GB NVMe

Stack: Multi-Cluster Platform · Talos + vCluster + Cilium + CNI + Cluster Mesh

## Management Plane · runs on host Talos cluster

| Component | Role | Notes | Status |
|---|---|---|---|
| ArgoCD Hub | Manages all 3 clusters | App-of-Apps across host + vClusters | planned |
| Cilium + Cluster Mesh | CNI · eBPF · kube-proxy replacement | Hubble observability · Cluster Mesh hub | planned |
| Vault + ESO | Single secrets source of truth | ESO distributes to child clusters | planned |
| Keycloak | Single identity provider | SSO across all clusters | planned |
| Longhorn + MinIO | Shared block storage · Object storage | Synced to vClusters · Velero backend | planned |
| Prometheus · Loki · Grafana | Aggregated observability | Metrics + logs across all clusters | planned |
| Velero | Backs up all clusters | MinIO S3 backend | planned |

## vCluster: production · namespace: vcluster-production

| Component | Role | Notes | Status |
|---|---|---|---|
| Nextcloud | Production workload | Keycloak SSO · DSGVO/Schrems II | production |
| CNPG | Production PostgreSQL cluster | WAL archiving · PITR · MinIO | production |
| Homepage | Production service dashboard | Single pane of glass | production |

## vCluster: staging · namespace: vcluster-staging

| Component | Role | Notes | Status |
|---|---|---|---|
| Nextcloud | Staging workload | Validates image promotions before production | staging |
| CNPG | Staging PostgreSQL cluster | Isolated from production DB | staging |

## Security · host cluster + vClusters

| Component | Role | Notes | Status |
|---|---|---|---|
| Falco | Runtime threat detection | Watches host + all vCluster pods | planned |
| CiliumNetworkPolicy | Default-deny · eBPF enforcement | Replaces Calico NetworkPolicy | planned |
| cert-manager | Webhook TLS for CNPG · ESO | Same role as current cluster | planned |
| Cloudflare Tunnel | Edge TLS termination · Zero Trust | Cloudflare Access for unauthenticated UIs | planned |