Upstream Templates
Summary
Konstruct ships upstream provisioning templates that define the complete set of platform applications installed on each cluster type. Templates use Argo CD sync waves to orchestrate deployment order, ensuring dependencies are satisfied before dependent apps are installed.
All templates are maintained in the konstruct-templates repository.
Cluster Hierarchy
Control Plane Cluster (1 per platform)
└── Management Clusters (1 per team, aka "project clusters")
    ├── Workload Clusters (physical clusters for applications)
    └── Virtual Clusters (lightweight vcluster-based environments)
Template Types
| Template | Cloud Providers | Description |
|---|---|---|
| Control Plane | AWS | Platform control plane with Argo CD, cert-manager, Crossplane, and full GitOps platform stack |
| Management Cluster | AWS, Civo | Per-team management cluster with infrastructure provisioning and GitOps capabilities |
| Workload Cluster | AWS, Civo, GCP | Application workload clusters with core platform services |
| Virtual Cluster | AWS | Lightweight vcluster-based environments sharing a host workload cluster |
How Sync Waves Work
Each Argo CD Application in a template has a sync-wave annotation that controls deployment order:
metadata:
  annotations:
    argocd.argoproj.io/sync-wave: '30'
Lower wave numbers deploy first. Apps within the same wave deploy concurrently. Argo CD waits for all apps in a wave to become healthy before proceeding to the next wave.
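The ordering rules above can be checked before a template change is merged. The following is an added example, not code from konstruct-templates: it reads Application objects as JSON, groups them by wave, and reports any prerequisite that is not in a strictly lower wave than the app that needs it. The wave numbers, the dependency pairs and the function names are assumptions made for illustration.

```python
import json
from collections import defaultdict

WAVE_KEY = "argocd.argoproj.io/sync-wave"

# Constructed sample shaped like `kubectl get applications -o json`;
# names come from the component table, wave numbers are made up.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "cert-manager", "annotations": {WAVE_KEY: "10"}}},
    {"metadata": {"name": "external-secrets", "annotations": {WAVE_KEY: "20"}}},
    {"metadata": {"name": "ingress-nginx", "annotations": {WAVE_KEY: "20"}}},
    {"metadata": {"name": "external-dns", "annotations": {WAVE_KEY: "20"}}},
    {"metadata": {"name": "reloader"}},  # annotation omitted
]})


def wave_of(app):
    """Sync wave of one Application; Argo CD defaults a missing annotation to 0."""
    name = app["metadata"]["name"]
    raw = (app["metadata"].get("annotations") or {}).get(WAVE_KEY, "0")
    if not isinstance(raw, str):  # annotation values must be strings, hence '30'
        raise ValueError(f"{name}: {WAVE_KEY} must be a quoted string")
    return int(raw)


def plan(doc):
    """Return [(wave, [app names])] in deployment order, lowest wave first."""
    waves = defaultdict(list)
    for app in json.loads(doc)["items"]:
        waves[wave_of(app)].append(app["metadata"]["name"])
    return [(w, sorted(names)) for w, names in sorted(waves.items())]


def ordering_violations(doc, requires):
    """requires holds (dependent, prerequisite) pairs supplied by the operator.

    Apps in the same wave deploy concurrently, so a prerequisite only counts
    as ordered when it sits in a strictly lower wave than its dependent.
    """
    wave = {name: w for w, names in plan(doc) for name in names}
    return [(dep, pre, wave[dep], wave[pre])
            for dep, pre in requires if wave[pre] >= wave[dep]]


if __name__ == "__main__":
    for w, names in plan(SAMPLE):
        print(f"wave {w}: {', '.join(names)}")
    # Assumed dependency pairs, for illustration only.
    pairs = [("external-secrets", "cert-manager"), ("external-dns", "ingress-nginx")]
    for dep, pre, dw, pw in ordering_violations(SAMPLE, pairs):
        print(f"{dep} (wave {dw}) is not ordered after {pre} (wave {pw})")
```

In the sample, `reloader` lands in wave 0 and deploys first because its annotation is missing, which is the kind of silent reordering this check is meant to surface.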
Platform Component Versions by Template
| Component | Control Plane | AWS Mgmt | Civo Mgmt | AWS Workload | Civo Workload | GCP Workload | AWS vCluster |
|---|---|---|---|---|---|---|---|
| cert-manager | GitOps | v1.14.4 | v1.20.1 | v1.14.4 | v1.16.5 | v1.14.4 | v1.14.4 |
| ingress-nginx | GitOps | 4.12.1 | — | 4.12.1 | — | 4.10.0 | 4.10.0 |
| envoy-gateway | — | — | v1.7.0 | — | v1.7.0 | — | — |
| external-dns | GitOps | 1.14.4 | 1.20.0 | 1.14.4 | — | — | 1.14.4 |
| external-secrets | GitOps | 0.19.2 | 0.19.2 | 0.19.2 | — | — | 0.19.2 |
| reloader | GitOps | v1.0.10 | 2.2.8 | v1.0.10 | v1.0.10 | v1.0.10 | v1.0.10 |
| crossplane | GitOps | 1.17.0 | 1.17.0 | — | — | — | — |
| actions-runner | GitOps | 0.20.2 | — | — | — | — | — |
Civo templates use Envoy Gateway instead of NGINX ingress and ship newer component versions. AWS templates include more infrastructure tooling (external-dns, external-secrets, RBAC) at the workload cluster level.