How kubara Enables Rapid, Production‑Ready Kubernetes Platforms in 30 Minutes
This article explains how the open‑source kubara framework provides a GitOps‑driven, hub‑and‑spoke Kubernetes platform that can be bootstrapped in about 30 minutes, detailing its architecture, default security, control‑plane components, data‑plane onboarding, and step‑by‑step commands for a production‑grade setup.
What is kubara?
kubara is a Go‑written single‑binary CLI that provides a lightweight framework for quickly bootstrapping a production‑grade Kubernetes platform. It implements a GitOps‑driven workflow that provisions infrastructure, creates multi‑tenant environments, and integrates core third‑party tools.
General Distro
The “general distro” is a production‑ready baseline that builds a hub‑and‑spoke multi‑cluster architecture driven entirely by Git. Argo CD synchronises deployments across one to hundreds of clusters, delivering a secure, reproducible platform for platform‑engineering teams.
Kubernetes Platform Architecture and Use Cases
1. Bootstrap the control plane
This step requires a running Kubernetes cluster and kubeconfig access to it. Once a secrets manager and an SSO provider are configured, the control plane can be bootstrapped.
Argo CD ApplicationSet
Cluster Generator
Label‑based deployments
Example: the label cert-manager: enabled triggers an ApplicationSet to create an Application.
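The label-driven mechanism above, sketched as an added example (not taken from the kubara repository): an Argo CD cluster Secret carrying the label, and an ApplicationSet whose cluster generator selects on it. The cluster name spoke-example, the argocd namespace, the project name, the repository URL and the path are placeholders.

```yaml
# Added illustration, not kubara's generated manifests. All names, URLs and
# paths are placeholders.
#
# 1) Cluster registration Secret in the Argo CD namespace. Its labels are what
#    the cluster generator matches, so write access to these Secrets decides
#    what gets deployed where.
apiVersion: v1
kind: Secret
metadata:
  name: spoke-example
  namespace: argocd
  labels:
    argocd.argoproj.io/secret-type: cluster
    cert-manager: "enabled"
type: Opaque
stringData:
  name: spoke-example
  server: https://spoke-example.example.com:6443
  # config: <connection credentials, delivered from the secrets manager>
---
# 2) ApplicationSet: one Application per cluster Secret that carries the label.
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
  name: cert-manager
  namespace: argocd
spec:
  goTemplate: true
  generators:
    - clusters:
        selector:
          matchLabels:
            cert-manager: "enabled"
  template:
    metadata:
      name: 'cert-manager-{{ .name }}'
    spec:
      project: platform-core
      source:
        repoURL: https://git.example.com/platform/gitops.git
        targetRevision: main
        path: apps/cert-manager
      destination:
        server: '{{ .server }}'
        namespace: cert-manager
      syncPolicy:
        syncOptions:
          - CreateNamespace=true
```

Removing the label from the cluster Secret makes the generator stop producing that Application, so label changes in Git deserve the same review as the manifests themselves.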
Tools running on the control plane
Argo CD – GitOps engine
Kyverno – policy engine (audit mode)
Kyverno Policy Reporter – dashboard
Homer Dashboard – list of exposed apps
Prometheus + Alertmanager – metrics & alerts
Grafana – visualisation
Loki – log aggregation
Traefik – Ingress controller (supports CRD routes)
OAuth2 Proxy – protects Ingress with OAuth2
External Secrets Operator – declarative secret management
External DNS – automatic DNS records
Cert‑Manager – TLS certificates
Default security
The default configuration applies many best-practice policies, but the distro does not yet implement every possible feature.
All Ingress resources are protected by OAuth2 Proxy; the default admin account is disabled; Argo CD uses projects and RBAC; baseline Kyverno policies are installed. Because Kyverno runs in audit mode, those policies report violations rather than block them.
2. Add data‑plane spokes
Spokes host workload clusters and require core services such as Cert‑Manager, External DNS, and Traefik.
When a new spoke cluster (e.g., dataplane-0) is created, the following steps are required:
Store its kubeconfig in the secrets manager.
Extend argocd/values.yaml to create an ExternalSecret and add labels.
ApplicationSet detects the new label and creates one or more Applications.
Argo CD deploys and manages components on the new cluster(s).
    bootstrapValues:
      cluster:
        - additionalLabels:
            cert-manager: "enabled"
            traefik: "enabled"
          name: vcluster-2
          project: pe-gitops-prod
          remoteRef:
            remoteKey: vcluster-2
            remoteKeyProperty: vcluster-2
          secretStoreRef:
            kind: ClusterSecretStore
            name: vcluster-prod

If you need a custom overlay for a plugin such as Cert-Manager, kubara can generate it.
3. Deploy custom applications securely
Argo CD Projects define the allowed source repositories, resource types, and destination clusters, providing a self‑service model for developers while platform teams retain governance.
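A project of the kind described above, as an added example (not from the kubara repository): it pins the source repository, the destination cluster and namespaces, and the resource kinds a team may deploy. The project name team-a, the URLs and the SSO group name are placeholders.

```yaml
# Added illustration, not from the kubara repository. Project name, URLs,
# namespaces and group name are placeholders.
# For contrast: Argo CD's built-in "default" project allows any source
# repository and any destination, which is why tenants get their own project.
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
  name: team-a
  namespace: argocd
spec:
  description: Self-service project for team A
  # Only this repository may be used as an Application source.
  sourceRepos:
    - https://git.example.com/team-a/deployments.git
  # Only this cluster, and only namespaces matching the pattern.
  destinations:
    - server: https://dataplane-0.example.com:6443
      namespace: team-a-*
  # Empty list: no cluster-scoped resources (Namespaces, ClusterRoles, CRDs).
  clusterResourceWhitelist: []
  # Namespaced kinds that stay under platform-team control.
  namespaceResourceBlacklist:
    - group: ""
      kind: ResourceQuota
    - group: ""
      kind: LimitRange
    - group: networking.k8s.io
      kind: NetworkPolicy
  roles:
    - name: developer
      description: View and sync applications in this project only
      groups:
        - team-a-developers   # group claim from the SSO provider
      policies:
        - p, proj:team-a:developer, applications, get, team-a/*, allow
        - p, proj:team-a:developer, applications, sync, team-a/*, allow
```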
Bootstrapping kubara
1. Generate preparation files
    kubara init --prep

This creates a .gitignore and a .env template. Fill in the placeholders in .env before proceeding.
2. Initialise configuration
    kubara init

Commit and push the generated files to a Git repository.
3. Bootstrap the control plane and install Argo CD
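    # Namespace that holds the secrets-manager credentials
    kubectl create namespace external-secrets
    # Machine-account token referenced by the ClusterSecretStore (key "token")
    kubectl -n external-secrets create secret generic bitwarden-access-token \
      --from-literal=token="<BITWARDEN_MACHINE_ACCOUNT_TOKEN>"

If cluster-secret-store.yaml is not present, create it (example for Bitwarden shown).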
    apiVersion: external-secrets.io/v1
    kind: ClusterSecretStore
    metadata:
      name: "{{ .cluster.name }}-{{ .cluster.stage }}"
    spec:
      provider:
        bitwardensecretsmanager:
          apiURL: https://vault.bitwarden.com/api
          auth:
            secretRef:
              credentials:
                key: token
                name: bitwarden-access-token
                namespace: external-secrets
          bitwardenServerSDKURL: https://bitwarden-sdk-server.external-secrets.svc.cluster.local:9998
          caProvider:
            key: ca.crt
            name: bitwarden-tls-certs
            namespace: external-secrets
            type: Secret
          identityURL: https://vault.bitwarden.com/identity
          organizationID: <...>
          projectID: <...>

    kubara bootstrap <cluster-name> \
      --kubeconfig k8s.yaml \
      --with-es-css-file cluster-secret-store.yaml \
      --with-es-crds

The bootstrap installs Argo CD, External Secrets Operator, required CRDs, and hands over control to the Git-managed platform. Wait 5-10 minutes for the components to become ready.
Why open‑source platform engineering matters
In less than 30 minutes you obtain a production‑ready platform built on years of real‑world experience from STACKIT, iits‑consulting and other contributors. The project started as an internal initiative, became an inner‑source effort, and is now fully open source.
FAQ
Is kubara just a Kubernetes distro?
No. It is an open‑source framework that can generate custom distros; the general distro is only one possible implementation.
Do I have to use the General Distro?
No. You can start from the General Distro or build a completely custom distribution using the kubara framework.
What is the difference between the Framework and the General Distro?
The Framework defines the GitOps hierarchy, bootstrap process, and cluster management logic. The General Distro is a concrete implementation that bundles a curated toolset such as Argo CD, Kyverno, and Prometheus.
Can I replace tools in the General Distro?
Yes. The framework allows you to swap any component (e.g., replace Traefik with Istio) while preserving the deployment, scaling, and multi‑tenant logic.
Why use the framework instead of building my own GitOps repo?
kubara solves the “blank‑page” problem by providing a battle‑tested architecture that eliminates redundant Helm charts and Terraform modules, enabling you to launch a standardized platform in minutes rather than months.
Is kubara an Internal Developer Platform (IDP)?
kubara can serve as the foundation for an IDP, offering the Platform‑as‑a‑Product infrastructure and GitOps workflow required by solutions like Backstage.
Where is the repository?
The repository, documentation, project homepage, and community channels are all publicly available on GitHub.
Is kubara owned by iits‑consulting?
No. It is a STACKIT‑initiated open‑source project with contributions from multiple companies, including iits‑consulting.
