Infrastructure as Code and GitOps for an ArubaCloud-based control plane with managed Kubernetes, Argo CD, Vault, the ArubaCloud Resource Operator, and Backstage as the Internal Developer Platform (IDP).
The control plane runs on ArubaCloud Managed Kubernetes (KaaS). All cloud resources are provisioned with the ArubaCloud Terraform provider. The cluster is then managed by:

| Component | Role |
|---|---|
| Argo CD | GitOps: syncs applications from this repo. A bootstrap app watches argocd/applications/ and creates an Application per YAML file (App of Apps). |
| ArubaCloud Resource Operator | Reconciles ArubaCloud custom resources (e.g. Project) in the cluster. Uses Vault (AppRole) to obtain tenant API credentials. |
| Vault | Stores tenant credentials (e.g. API key/secret per tenant). The operator reads from Vault; Backstage and other IDP flows do not hold credentials. |
| Backstage | Internal Developer Platform frontend: catalog, software templates, and custom resource UIs (e.g. create ArubaCloud Project CR and open a PR to this GitOps repo). |
```
┌─────────────────────────────────────────────────────────────────────────┐
│  ArubaCloud (Terraform)                                                 │
│  • Project, VPC, Subnet, KaaS cluster, kubeconfig                       │
└─────────────────────────────────────────────────────────────────────────┘
                                     │
                                     ▼
┌─────────────────────────────────────────────────────────────────────────┐
│  Control plane (Kubernetes on ArubaCloud KaaS)                          │
│  ┌─────────────┐  ┌──────────────────────────┐  ┌─────────────────────┐ │
│  │   Argo CD   │  │ ArubaCloud Resource      │  │        Vault        │ │
│  │  (GitOps)   │  │ Operator (CRs → API)     │◄─┤ (tenant credentials)│ │
│  └──────┬──────┘  └──────────────────────────┘  └─────────────────────┘ │
│         │                                                               │
│         │  syncs argocd/applications/                                   │
│         ▼                                                               │
│  ┌─────────────┐                                                        │
│  │  Backstage  │  IDP: catalog, templates, CR UIs (e.g. Project → PR)   │
│  └─────────────┘                                                        │
└─────────────────────────────────────────────────────────────────────────┘
```
1. Prerequisites

2. Configure variables
   - Go to `terraform/controlplane`.
   - Copy the example vars and fill in your values:

     ```bash
     cp terraform.tfvars.example terraform.tfvars
     ```
   - Edit `terraform.tfvars`: set `arubacloud_api_key`, `arubacloud_api_secret`, and any KaaS options (name, location, node pool, etc.). See `variables.tf` and the example file for all options.

3. Provision the control plane
   - From the repo root:

     ```bash
     cd terraform/controlplane
     terraform init
     terraform apply
     ```
   - Terraform will create the ArubaCloud project/network and the KaaS cluster, install Argo CD, and run the bootstrap script (apply `argocd/projects/`, configure repo, apply App of Apps). When it finishes, use the printed commands to get the Argo CD admin password and port-forward to the UI.

4. After apply
   - Argo CD will sync applications from this repo (Vault, vault-config, ArubaCloud operator, Backstage, etc.).
   - Use Backstage to create ArubaCloud Project CRs via the template; it will open a PR to this repo and, after merge, Argo CD will apply the resource.
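
The `terraform.tfvars` file from the "Configure variables" step holds `arubacloud_api_key` and `arubacloud_api_secret`, and this repository is also the GitOps source that receives pull requests, so a commit-time check can keep those values out of history. The script below is an added example, not part of this repository; the file name `check_tfvars.py`, the placeholder patterns, and the choice to scan only Terraform files are assumptions.

```python
import re
import sys
from pathlib import Path

# Variable names come from the README; the placeholder convention is assumed.
SECRET_VARS = ("arubacloud_api_key", "arubacloud_api_secret")
# Also matches commented-out assignments, which leak just the same.
ASSIGNMENT = re.compile(
    r'^[ \t#/]*(%s)[ \t]*=[ \t]*"([^"]*)"' % "|".join(SECRET_VARS), re.MULTILINE
)
PLACEHOLDER = re.compile(r"^(|<[^>]*>|changeme|your[-_].*)$", re.IGNORECASE)


def is_terraform_file(path: Path) -> bool:
    return path.name.endswith(".tf") or ".tfvars" in path.name


def find_leaks(paths):
    """Return (path, line, reason) for staged files that should not be committed."""
    findings = []
    for path in map(Path, paths):
        if not is_terraform_file(path):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue  # path removed by this commit, nothing is being added
        # The filled-in variable file belongs only on the operator's machine.
        if path.name.endswith(".tfvars"):
            findings.append((str(path), 0, "tfvars file staged for commit"))
        for match in ASSIGNMENT.finditer(text):
            name, value = match.groups()
            if PLACEHOLDER.match(value.strip()):
                continue
            line = text.count("\n", 0, match.start(1)) + 1
            findings.append((str(path), line, f"literal value for {name}"))
    return findings


if __name__ == "__main__":
    # Usage: git diff --cached --name-only -z | xargs -0 python3 check_tfvars.py
    leaks = find_leaks(sys.argv[1:])
    for path, line, reason in leaks:
        print(f"{path}:{line}: {reason}", file=sys.stderr)
    sys.exit(1 if leaks else 0)
```

The check reads the working-tree copy of each staged path, so a partially staged file is evaluated as it exists on disk.
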
- `terraform/controlplane/` – Terraform for ArubaCloud project, VPC, KaaS, Argo CD install + bootstrap.
- `argocd/projects/` – AppProject definitions (applied by bootstrap script).
- `argocd/bootstrap/` – Root Application that watches `argocd/applications/`.
- `argocd/applications/` – One Argo CD Application per file (Vault, operator, Backstage, etc.).
- `others/backstage/` – Backstage templates and GitOps skeleton (e.g. ArubaCloud Project CR).

Contributions are welcome. This is a reference control plane and IDP setup that you can adapt to your needs.
For issues, check Terraform and Kubernetes logs or the documentation above.