Version: v0.6.x

DataPlane

A DataPlane represents a Kubernetes cluster where application workloads are deployed. It defines the connection to a target Kubernetes cluster and gateway settings for routing traffic to applications.

OpenChoreo supports two modes of communication with the DataPlane:

  • Agent-based (Recommended): The control plane communicates with the downstream cluster through a WebSocket agent running in the DataPlane cluster
  • Direct Kubernetes API access: The control plane connects directly to the Kubernetes API server using client certificates or bearer tokens

API Version

openchoreo.dev/v1alpha1

Resource Definition

Metadata

DataPlanes are namespace-scoped resources that must be created within an Organization's namespace.

```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: DataPlane
metadata:
  name: <dataplane-name>
  namespace: <org-namespace> # Organization namespace
```

Spec Fields

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| gateway | GatewaySpec | Yes | - | API gateway configuration for this DataPlane |
| agent | AgentConfig | No | - | Agent-based communication configuration (recommended) |
| kubernetesCluster | KubernetesClusterSpec | No | - | Target Kubernetes cluster configuration (optional when agent is enabled) |
| imagePullSecretRefs | []string | No | - | References to SecretReference resources for image pull secrets |
| secretStoreRef | SecretStoreRef | No | - | Reference to External Secrets Operator ClusterSecretStore in the DataPlane |
| observer | ObserverAPI | No | - | Observer API integration for monitoring and logging |

AgentConfig

Configuration for agent-based communication with the downstream cluster.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| enabled | boolean | No | false | Whether agent-based communication is enabled |
| clientCA | ValueFrom | No | - | CA certificate to verify the agent's client certificate (base64-encoded PEM) |

KubernetesClusterSpec

Configuration for the target Kubernetes cluster. Optional when agent.enabled is true.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| server | string | Yes | - | URL of the Kubernetes API server |
| tls | KubernetesTLS | Yes | - | TLS configuration for the connection |
| auth | KubernetesAuth | Yes | - | Authentication configuration |

KubernetesTLS

TLS configuration for the Kubernetes connection.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| ca | ValueFrom | Yes | - | CA certificate |

KubernetesAuth

Authentication configuration for the Kubernetes cluster. Either mtls or bearerToken must be specified.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| mtls | MTLSAuth | No | - | Certificate-based authentication (mTLS) |
| bearerToken | ValueFrom | No | - | Bearer token authentication |

MTLSAuth

Certificate-based authentication (mTLS) configuration.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| clientCert | ValueFrom | Yes | - | Client certificate |
| clientKey | ValueFrom | Yes | - | Client private key |

ValueFrom

Common pattern for referencing secrets or providing inline values. Either secretRef or value should be specified.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| secretRef | SecretKeyReference | No | - | Reference to a secret key |
| value | string | No | - | Inline value (not recommended for sensitive data) |

SecretKeyReference

Reference to a specific key in a Kubernetes secret.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | Name of the secret |
| namespace | string | No | Same as parent resource | Namespace of the secret |
| key | string | Yes | - | Key within the secret |

SecretStoreRef

Reference to an External Secrets Operator ClusterSecretStore.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | Name of the ClusterSecretStore in the DataPlane |

GatewaySpec

Gateway configuration for the DataPlane.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| publicVirtualHost | string | Yes | - | Public virtual host for external traffic |
| organizationVirtualHost | string | Yes | - | Organization-specific virtual host for internal traffic |

ObserverAPI

Configuration for Observer API integration.

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| url | string | Yes | - | Base URL of the Observer API |
| authentication.basicAuth.username | string | Yes | - | Username for basic authentication |
| authentication.basicAuth.password | string | Yes | - | Password for basic authentication |
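The rules in the tables above (kubernetesCluster optional only when the agent is enabled, exactly one of mtls or bearerToken, exactly one of secretRef or value per ValueFrom, secretRef needing name and key, both gateway virtual hosts required) can be checked before a manifest is applied. The following checker is an added example, not OpenChoreo's own code; it takes the already-parsed `spec:` block as a Python dict (what `yaml.safe_load` would return), and the https-only check on `server` and the refusal of inline values for `clientKey` and `bearerToken` are added hardening assumptions rather than schema rules.

```python
# Added example, not OpenChoreo code: sanity-check a DataPlane spec against the rules
# stated in the field tables. Input is the parsed `spec:` block as a dict, so no YAML lib.

SENSITIVE = {"clientKey", "bearerToken"}  # never allowed as an inline value (assumption)


def check_value_from(path, vf, problems):
    """ValueFrom rule: exactly one of secretRef / value; secretRef needs name+key."""
    if not isinstance(vf, dict):
        problems.append(f"{path}: must be a ValueFrom object")
        return
    has_ref, has_val = "secretRef" in vf, "value" in vf
    if has_ref == has_val:  # both set, or neither
        problems.append(f"{path}: specify exactly one of secretRef or value")
    if has_val and path.rsplit(".", 1)[-1] in SENSITIVE:
        problems.append(f"{path}: inline value holds sensitive data; use secretRef")
    if has_ref:
        for k in ("name", "key"):
            if not (vf["secretRef"] or {}).get(k):
                problems.append(f"{path}.secretRef.{k}: required")


def check_dataplane_spec(spec):
    """Return a list of problems; an empty list means the spec passes."""
    problems = []
    gw = spec.get("gateway") or {}
    for k in ("publicVirtualHost", "organizationVirtualHost"):
        if not gw.get(k):
            problems.append(f"gateway.{k}: required")
    agent = spec.get("agent") or {}
    if agent.get("enabled") and "clientCA" in agent:
        check_value_from("agent.clientCA", agent["clientCA"], problems)
    kc = spec.get("kubernetesCluster")
    if kc is None:
        if not agent.get("enabled"):
            problems.append("kubernetesCluster: required unless agent.enabled is true")
        return problems
    # Extra hardening check (assumption, not a schema rule): API server over TLS only.
    if not str(kc.get("server", "")).startswith("https://"):
        problems.append("kubernetesCluster.server: must be an https:// URL")
    check_value_from("kubernetesCluster.tls.ca", (kc.get("tls") or {}).get("ca"), problems)
    auth = kc.get("auth") or {}
    if ("mtls" in auth) == ("bearerToken" in auth):
        problems.append("kubernetesCluster.auth: specify exactly one of mtls or bearerToken")
    if "mtls" in auth:
        for k in ("clientCert", "clientKey"):
            check_value_from(f"kubernetesCluster.auth.mtls.{k}", (auth["mtls"] or {}).get(k), problems)
    if "bearerToken" in auth:
        check_value_from("kubernetesCluster.auth.bearerToken", auth["bearerToken"], problems)
    return problems
```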

Status Fields

| Field | Type | Default | Description |
|---|---|---|---|
| observedGeneration | integer | 0 | The generation observed by the controller |
| conditions | []Condition | [] | Standard Kubernetes conditions tracking the DataPlane state |

Condition Types

Common condition types for DataPlane resources:

  • Ready - Indicates if the DataPlane is ready to accept workloads
  • Connected - Indicates if connection to the target cluster is established
  • GatewayProvisioned - Indicates if the gateway has been configured

Examples

Agent-based DataPlane

This example shows a DataPlane using agent-based communication. The control plane communicates with the downstream cluster through a WebSocket agent.

```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: DataPlane
metadata:
  name: agent-dataplane
  namespace: my-org
spec:
  # Agent configuration
  agent:
    enabled: true
    clientCA:
      secretRef:
        name: cluster-agent-ca
        key: ca.crt

  # Gateway configuration
  gateway:
    publicVirtualHost: api.example.com
    organizationVirtualHost: internal.example.com

  # External Secrets Operator integration
  secretStoreRef:
    name: vault-backend

  # Image pull secret references
  imagePullSecretRefs:
    - docker-registry-credentials

  # Observer API (optional)
  observer:
    url: https://observer.example.com
    authentication:
      basicAuth:
        username: admin
        password: secretpassword
```

Direct Kubernetes API Access DataPlane

This example shows a DataPlane using direct Kubernetes API access with mTLS authentication.

```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: DataPlane
metadata:
  name: production-dataplane
  namespace: my-org
spec:
  # Direct Kubernetes cluster access
  kubernetesCluster:
    server: https://k8s-api.example.com:6443
    tls:
      ca:
        secretRef:
          name: k8s-ca-cert
          key: ca.crt
    auth:
      mtls:
        clientCert:
          secretRef:
            name: k8s-client-cert
            key: tls.crt
        clientKey:
          secretRef:
            name: k8s-client-cert
            key: tls.key

  # Gateway configuration
  gateway:
    publicVirtualHost: api.example.com
    organizationVirtualHost: internal.example.com

  # Observer API (optional)
  observer:
    url: https://observer.example.com
    authentication:
      basicAuth:
        username: admin
        password: secretpassword
```

DataPlane with Bearer Token Authentication

This example shows a DataPlane using bearer token authentication instead of mTLS.

```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: DataPlane
metadata:
  name: dev-dataplane
  namespace: my-org
spec:
  kubernetesCluster:
    server: https://k8s-dev.example.com:6443
    tls:
      ca:
        secretRef:
          name: k8s-ca-cert
          key: ca.crt
    auth:
      bearerToken:
        secretRef:
          name: k8s-token
          key: token

  gateway:
    publicVirtualHost: dev-api.example.com
    organizationVirtualHost: dev-internal.example.com
```

DataPlane with External Secrets Integration

This example demonstrates using External Secrets Operator for managing secrets and image pull credentials.

```yaml
apiVersion: openchoreo.dev/v1alpha1
kind: DataPlane
metadata:
  name: secure-dataplane
  namespace: my-org
spec:
  # Agent-based communication
  agent:
    enabled: true
    clientCA:
      secretRef:
        name: agent-ca-cert
        namespace: openchoreo-system
        key: ca.crt

  # External Secrets Operator ClusterSecretStore reference
  secretStoreRef:
    name: vault-backend

  # References to SecretReference resources
  # These will be converted to ExternalSecrets and added as imagePullSecrets
  imagePullSecretRefs:
    - docker-hub-credentials
    - gcr-credentials
    - private-registry-credentials

  gateway:
    publicVirtualHost: secure-api.example.com
    organizationVirtualHost: secure-internal.example.com
```

Annotations

DataPlanes support the following annotations:

| Annotation | Description |
|---|---|
| openchoreo.dev/display-name | Human-readable name for UI display |
| openchoreo.dev/description | Detailed description of the DataPlane |

  • Environment - Runtime environments deployed on DataPlanes
  • Organization - Contains DataPlane definitions
  • Project - Applications deployed to DataPlanes