A monorepo for packaging cloud-native applications as OCM (Open Component Model) components.
This repository packages various cloud-native applications as OCM components, including operators, Helm charts, container images, and extensive configuration options. Each directory represents a single cloud-native application packaged for deployment in Kubernetes environments.
Components can reference each other to fulfill dependencies rather than duplicating resources. For example, the Keycloak component can reference the CloudNativePG component for its database requirements instead of bundling a database solution directly.
Identity and Access Management
- Status: ✅ Ready
- Operator: Official Keycloak Operator (Quarkus-based)
- License: Apache 2.0
- Configurations:
- Minimal (dev/test with ephemeral PostgreSQL)
- Production (HA with 3 replicas, external database)
- Documentation: keycloak/README.md
- Dependencies: PostgreSQL (CloudNativePG recommended for production)
Quick Start:
# Install operator
kubectl apply -f keycloak/operator/keycloaks-crd.yml
kubectl apply -f keycloak/operator/keycloakrealmimports-crd.yml
kubectl apply -f keycloak/operator/operator.yml
# Deploy minimal config
kubectl apply -f keycloak/configs/minimal/keycloak.ymlPostgreSQL Operator for Kubernetes
- Status: ✅ Ready
- Operator: Official CloudNativePG Operator
- License: Apache 2.0
- CNCF: Sandbox Project
- Configurations:
- Minimal (single instance for dev/test)
- Production (HA with 3 replicas, backups, monitoring)
- Documentation: cloudnative-pg/README.md
- Features: Streaming replication, automated backups, PITR, PgBouncer pooling
Quick Start:
# Install operator
kubectl apply --server-side -f cloudnative-pg/operator/cnpg-operator.yml
# Deploy minimal cluster
kubectl apply -f cloudnative-pg/configs/minimal/cluster.yamlKubernetes-native Artifact Gateway for Secure Cross-Zone Transfers
- Status:
⚠️ Early Stage (Pre-release) - License: Apache 2.0
- Configurations:
- Minimal (single instance for dev/test)
- Production (HA with 3 replicas, metrics enabled)
- Documentation: artifact-conduit/README.md
- Dependencies: cert-manager (required), Argo Workflows (required)
- Features: Multi-source artifact procurement (OCI, Helm, S3, HTTP), security validation (CVE scanning, malware detection, license checks), policy enforcement, audit trails
Quick Start:
# Install prerequisites
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.0/cert-manager.yaml
kubectl apply -n argo -f https://github.com/argoproj/argo-workflows/releases/latest/download/install.yaml
# Install with Helm
helm install artifact-conduit artifact-conduit/arc-0.1.0.tgz \
--namespace arc-system \
--create-namespace \
--values artifact-conduit/configs/minimal/values.yamlNote: Artifact Conduit is an early-stage project (356+ commits, 8 contributors) not yet recommended for production without thorough testing. It provides a declarative way to transfer artifacts across security boundaries with automated scanning and policy compliance.
See suggested-components.md for a list of additional components that are candidates for inclusion in this monorepo based on common dependencies and use cases.
High Priority:
- CloudNativePG (PostgreSQL operator)
- cert-manager (TLS certificate management)
- External Secrets Operator
- Prometheus Operator
- Traefik Ingress Controller
ocm-monorepo/
├── keycloak/ # Keycloak component
│ ├── operator/ # Operator manifests and CRDs
│ ├── configs/ # Configuration examples
│ │ ├── minimal/ # Dev/test configuration
│ │ └── production/ # Production HA configuration
│ ├── tests/ # Test scripts
│ ├── component-constructor.yaml # OCM component descriptor
│ └── README.md # Component documentation
├── .github/
│ └── workflows/ # CI/CD pipelines for releases
├── suggested-components.md # List of suggested components
├── CLAUDE.md # Development guidelines
└── README.md # This file
Each component can be built into a Common Transport Format (CTF) archive:
cd keycloak
ocm add componentversions --create --file ../keycloak-component.ctf component-constructor.yaml# Transfer to OCI registry
ocm transfer ctf keycloak-component.ctf oci://your-registry/ocm-components
# In air-gapped environment, pull from registry
ocm transfer oci://your-registry/ocm-components ctf keycloak-airgapped.ctfEach component has a GitHub Actions workflow that creates offline packages for air-gapped deployments. These are available in the Releases section.
See CLAUDE.md for detailed development guidelines including:
- How to add new components
- Required configurations (minimal and production)
- Testing requirements
- Documentation standards
- Release pipeline requirements
When adding a new component:
- Research official Helm charts and operators
- Create component directory structure
- Package operator manifests and CRDs
- Create minimal and production configurations
- Write comprehensive documentation
- Create tests for deployment on kind cluster
- Set up GitHub release pipeline
- Update this README and suggested-components.md
- Kubernetes 1.24+
- kubectl
- OCM CLI (for building components)
- kind (for local testing)
Each component includes test scripts for validation:
cd keycloak/tests
./test-minimal.shTests are designed to run on local kind clusters and verify:
- Operator installation
- Component deployment
- Health checks
- Basic functionality
Components are released independently using semantic versioning:
- Component releases:
<component-name>-v<version>(e.g.,keycloak-v26.4.5) - Each release includes an offline package (tar.gz) with all manifests and images
- Checksums are provided for verification
Individual components retain their original licenses (typically Apache 2.0). See each component's README for specific license information.