# Platform Components
Portefaix assembles a curated set of CNCF and open-source components into a coherent, production-ready platform. Components are organised into seven architecture layers, each with a distinct operational concern.
## GitOps Foundation
Declarative delivery engine and progressive rollout controllers. All platform state is reconciled from Git.
| Component | Role |
|---|---|
| ArgoCD | GitOps engine — application delivery and cluster sync |
| Argo Workflows | Kubernetes-native DAG workflow engine for CI pipelines |
| Argo Rollouts | Progressive delivery — canary, blue/green, analysis |
| Argo Events | Event-driven automation and sensor-based triggers |
| Kargo | Environment promotion workflows across staging and production |
## Networking
CNI, ingress, DNS, zero-trust access, and messaging. Cilium provides eBPF-accelerated networking and network policies.
| Component | Role |
|---|---|
| Cilium eBPF | eBPF-based CNI, network policies, Hubble observability |
| Kubernetes Gateway | Next-generation ingress and traffic routing (Gateway API) |
| Envoy Gateway | Envoy-based Gateway API implementation |
| cert-manager | Automated TLS certificate lifecycle (Let's Encrypt, ACME) |
| external-dns | Automatic DNS record management from Kubernetes resources |
| Cloudflare Tunnel | Zero-trust inbound connectivity without opening firewall ports |
| NATS | Cloud-native messaging and event streaming |
## Security
Identity, compliance, runtime security, secrets management, and supply-chain scanning.
| Component | Role |
|---|---|
| Authentik | Identity provider — SSO, OIDC, SAML, user lifecycle |
| Dex | Federated OIDC identity provider for Kubernetes API and apps |
| kube-bench | CIS Kubernetes Benchmark compliance scanner |
| Tetragon eBPF | eBPF-based runtime security enforcement and observability |
| External Secrets | Sync secrets from Vault, AWS SM, GCP SM into Kubernetes |
| Sealed Secrets | Encrypt secrets for safe GitOps storage |
| Trivy Operator | Continuous vulnerability and misconfiguration scanning |
| SBOM Operator | Automated Software Bill of Materials generation per workload |
| Paralus | Zero-trust Kubernetes access management and audit |
## Observability
Full-stack observability: metrics, logs, traces, continuous profiling, SLO management, and eBPF auto-instrumentation.
| Component | Role |
|---|---|
| Prometheus | Metrics collection, alerting rules, and recording rules |
| Alertmanager | Alert routing, grouping, silencing, and notification dispatch |
| Mimir | Horizontally scalable long-term Prometheus metrics storage |
| Grafana | Dashboards, data exploration, and alert visualisation |
| Grafana Operator | Kubernetes-native Grafana instance and dashboard management |
| SigNoz | Open-source full-stack observability platform (APM alternative) |
| Loki | Log aggregation and LogQL query engine |
| Alloy | OpenTelemetry-native collector (Grafana Agent successor) |
| Tempo | Distributed tracing backend (Jaeger/Zipkin compatible) |
| Pyroscope | Continuous profiling — CPU, memory, goroutine profiles |
| Beyla eBPF | eBPF auto-instrumentation — traces without code changes |
| OTel Operator | Kubernetes operator for OpenTelemetry Collector lifecycle |
| OTel Collector | Vendor-neutral telemetry pipeline (receive, process, export) |
| Pyrra | SLO definition, burn-rate alerting, and error-budget tracking |
| Sloth | SLO-as-code generator for Prometheus recording and alert rules |
## System & Data
Managed database operators, vector stores, event-driven autoscaling, persistent storage, and node lifecycle.
| Component | Role |
|---|---|
| CloudNativePG | PostgreSQL operator — HA clusters, streaming replication |
| Dragonfly | Redis-compatible in-memory data store (high throughput) |
| MariaDB | MariaDB operator for Kubernetes-managed SQL databases |
| ClickHouse | Column-oriented OLAP database for analytics workloads |
| Qdrant | Vector database for semantic search and AI embeddings |
| Meilisearch | Fast full-text search engine with typo tolerance |
| KEDA | Event-driven autoscaling based on external metrics (Kafka, queues…) |
| Karpenter | Just-in-time node provisioning based on pending pod requirements |
| VPA | Vertical Pod Autoscaler — right-size CPU/memory requests |
| Descheduler | Rebalance pod placement after scheduling constraints change |
| Longhorn | Cloud-native distributed block storage for persistent volumes |
| Kured | Automatic node reboot coordinator for kernel/OS updates |
## Platform Tools
FinOps, internal developer portal, AI-powered diagnostics, and local LLM runtime.
| Component | Role |
|---|---|
| OpenCost | Real-time Kubernetes cost visibility and FinOps attribution |
| Homepage | Centralised service dashboard for platform teams |
| Port (IDP) | Internal Developer Portal — software catalog and self-service |
| K8sGPT | AI-powered Kubernetes diagnostics and runbook suggestions |
| Ollama | Local LLM runtime for air-gapped or privacy-sensitive AI workloads |
## Chaos Engineering
Controlled fault injection to validate platform resilience and test recovery procedures.
| Component | Role |
|---|---|
| Litmus Chaos | Cloud-native chaos engineering platform with experiment hub |
| Chaos Mesh | Kubernetes-native chaos experimentation with fine-grained fault types |
## CNCF Landscape Alignment
Portefaix deliberately chooses components from the CNCF landscape where possible, prioritising projects that are either CNCF Graduated or Incubating. This ensures long-term community support, security audits, and interoperability.
Versioning: Specific component versions and Helm chart versions are tracked in the portefaix-hub repository and updated automatically via Renovate Bot.