
Scaleway

Portefaix deploys a managed Kubernetes cluster on Scaleway using Kapsule — Scaleway's managed K8s service — backed by a private VPC with a public gateway, Cilium CNI, and the full LGTM observability stack using Scaleway Object Storage as the backend.

Environment: The Scaleway deployment currently targets a sandbox environment, making it ideal for experimentation, development, and platform testing before committing to a full multi-environment rollout.

Architecture

[Figure: Portefaix Scaleway Infrastructure Architecture — Kapsule, private VPC, LGTM observability, ESO, Spacelift (fr-par · Kapsule · Cilium · LGTM + Cockpit)]

| Component               | Scaleway Service                      | Purpose                                      |
|-------------------------|---------------------------------------|----------------------------------------------|
| Kubernetes cluster      | Kapsule                               | Managed container orchestration              |
| Networking              | VPC Private Network, Public Gateway   | Private cluster networking + NAT egress      |
| CNI                     | Cilium                                | eBPF-based networking and network policy     |
| Secrets                 | Scaleway Secret Manager + ESO         | External Secrets Operator integration        |
| Registry                | Scaleway Container Registry           | Container image namespaces (public/private)  |
| Storage                 | Scaleway Object Storage               | Mimir, Loki, and Tempo backends              |
| Observability dashboard | Scaleway Cockpit                      | Managed metrics and log dashboard (SaaS)     |
| IaC orchestration       | Spacelift / Terraform Cloud           | Stack-based IaC pipeline with OpenTofu       |

Prerequisites

  • Scaleway account with a project created
  • Scaleway CLI installed: brew install scaleway-cli or see scaleway.com/en/cli
  • CLI configured: scw init
  • Terraform ≥ 1.5
  • kubectl and helm

Deploying Infrastructure

1. Configure Variables

# infrastructure/scaleway/sandbox/terraform.tfvars
region      = "fr-par"
zone        = "fr-par-1"
environment = "sandbox"
project_id  = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
cluster_name = "portefaix-sandbox"

2. Deploy VPC First, then Kapsule

Components are deployed in dependency order: VPC → Kapsule → Observability → Registry → ESO. Each lives in its own Terraform root under scaleway/<component>/sandbox/.

cd infrastructure/scaleway/kapsule/sandbox

terraform init \
  -backend-config="bucket=portefaix-tfstate" \
  -backend-config="key=scaleway/kapsule/sandbox/terraform.tfstate" \
  -backend-config="region=fr-par"

terraform plan -out=tfplan
terraform apply tfplan

3. Configure kubectl

# Merge the cluster's kubeconfig into ~/.kube/config (adds a context; existing contexts are kept)
scw k8s kubeconfig install <cluster-id>

# Or export kubeconfig directly
scw k8s kubeconfig get <cluster-id> > ~/.kube/config-scaleway
export KUBECONFIG=~/.kube/config-scaleway

External Secrets Operator

Portefaix uses the External Secrets Operator (ESO) to sync secrets from Scaleway Secret Manager into Kubernetes — application secrets are never committed to Git or hand-copied into the cluster. The one credential that does live in the cluster is the Scaleway API key the SecretStore uses to reach Secret Manager (the scaleway-credentials Secret referenced below); keep it on a dedicated IAM application with read-only access to the secrets it needs to sync.

# SecretStore — Scaleway Secret Manager backend
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: scaleway-store
  namespace: my-app
spec:
  provider:
    scaleway:
      region: fr-par
      projectId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
      accessKey:
        secretRef:
          name: scaleway-credentials
          key: access-key
      secretKey:
        secretRef:
          name: scaleway-credentials
          key: secret-key

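An ExternalSecret that consumes the scaleway-store SecretStore above, added here as a worked example rather than a manifest from the Portefaix repository. The Secret Manager entry name, the secret id and the target Secret name are placeholders; the my-app namespace is taken from the SecretStore.

```yaml
# Assumed: a Secret Manager entry named "my-app-db-password" and a second
# entry addressed by id, both in the same project as scaleway-store.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: my-app-secrets
  namespace: my-app
spec:
  # Re-read Secret Manager every 15 minutes so a rotated secret propagates
  # to the cluster without a redeploy.
  refreshInterval: 15m
  secretStoreRef:
    kind: SecretStore
    name: scaleway-store
  target:
    name: my-app-secrets       # Kubernetes Secret created and owned by ESO
    creationPolicy: Owner      # ESO creates it; do not pre-create it by hand
    deletionPolicy: Retain     # keep the Secret if this ExternalSecret is removed
  data:
    # ESO's Scaleway provider addresses secrets as "name:<secret-name>"
    # or "id:<secret-uuid>"; version defaults to the latest enabled revision.
    - secretKey: DB_PASSWORD
      remoteRef:
        key: name:my-app-db-password
        version: latest_enabled
    - secretKey: S3_ACCESS_KEY
      remoteRef:
        key: id:yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy   # placeholder secret id
```

After applying it, `kubectl -n my-app get externalsecret my-app-secrets` should report a Ready condition with reason SecretSynced; anything else (typically a wrong project id, a missing IAM permission, or a mistyped secret name) is surfaced in the same status.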
Spacelift Orchestration

The Scaleway infrastructure uses Spacelift as the primary IaC orchestration layer, with OpenTofu as the workflow tool. Stacks are organised in a three-tier space hierarchy: root → project → {environment}, with explicit dependency chains to enforce deployment ordering.

# spacelift/tfvars/sandbox.auto.tfvars
environment  = "sandbox"
region       = "fr-par"
zone         = "fr-par-1"
project_id   = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

stacks = {
  vpc = {
    project_root = "terraform/scaleway/vpc/sandbox"
    branch       = "main"
    labels       = ["vpc"]
    environment  = "sandbox"
    dependencies = []
  }
  kapsule = {
    project_root = "terraform/scaleway/kapsule/sandbox"
    branch       = "main"
    labels       = ["kapsule"]
    environment  = "sandbox"
    dependencies = ["vpc"]
  }
}

Tip: Spacelift's autodeploy: false default means all applies require manual approval — set it to true on non-production stacks to speed up iteration. Terraform Cloud workspaces are also provided as an alternative IaC backend.

Observability Stack

The LGTM stack is deployed to the Kapsule cluster via the nlamirault/observability/scaleway Terraform module (v1.2.2):

  • Prometheus / Mimir — metrics collection and long-term storage in Scaleway Object Storage
  • Loki — log aggregation with Object Storage backend
  • Tempo — distributed tracing with Object Storage backend
  • Scaleway Cockpit — managed dashboard SaaS, available at no extra cost with your Scaleway account

API credentials for each component are injected at runtime via the External Secrets Operator — no long-lived credentials are baked into Helm values.