The Helm umbrella chart that bootstraps the Plinth substrate on a Kubernetes cluster. v0.1.0 is a walking skeleton: CloudNativePG for Postgres, Cerbos for authorisation, and the OpenTelemetry Collector. The full reference architecture lands incrementally — see Roadmap below.

```shell
helm repo add cnpg https://cloudnative-pg.github.io/charts
helm repo add cerbos https://download.cerbos.dev/helm-charts
helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
git clone https://github.com/plinth-dev/platform && cd platform
helm dependency build .
helm install plinth . --namespace plinth --create-namespace --values values/dev.values.yaml
```

Once the install settles, you'll have:
- A 1-instance CloudNativePG `Cluster` named `plinth-postgres` exposing Service `plinth-postgres-rw:5432`
- A 1-replica Cerbos PDP at `plinth-cerbos:3592` (HTTP) and `:3593` (gRPC), with a placeholder `items` policy
- A 1-replica OpenTelemetry Collector at `plinth-opentelemetry-collector:4317` (gRPC) and `:4318` (HTTP), exporting traces/metrics/logs to stdout

Pointing the starter-api at this substrate is one env block:

```shell
DATABASE_URL=postgresql://plinth@plinth-postgres-rw:5432/plinth
CERBOS_ADDR=plinth-cerbos:3593
OTEL_EXPORTER_OTLP_ENDPOINT=http://plinth-opentelemetry-collector:4318
```

| Concern | Component | Sub-chart | Version |
|---|---|---|---|
| Data | CloudNativePG operator + Cluster CR | cnpg/cloudnative-pg | 0.28.0 |
| Authorisation | Cerbos PDP | cerbos/cerbos | 0.52.1 |
| Observability | OpenTelemetry Collector | open-telemetry/opentelemetry-collector | 0.153.0 |

The umbrella adds two Plinth-specific resources: a Cluster CR (bootstrapped database + role) and a plinth-cerbos-policies ConfigMap that's mounted into the Cerbos pod at /policies.

| Profile | Status | Shape |
|---|---|---|
| dev | shipped | Single node, no HA, all defaults turned on |
| staging | stub — see values/staging.values.yaml | 3 nodes, no DR, full feature set |
| prod | stub — see values/prod.values.yaml | Full HA, DR site replication, hardened defaults |

values/staging.values.yaml and values/prod.values.yaml carry comments describing the intended shape; the actual values land in subsequent chart versions.
Plinth-specific knobs live under the top-level plinth key in values.yaml:

```yaml
plinth:
  name: plinth
  postgres:
    enabled: true
    instances: 1
    storage:
      size: 5Gi
    database: plinth
    owner: plinth
  cerbosPoliciesEnabled: true
  cerbosPolicies:
    items.yaml: |
      apiVersion: api.cerbos.dev/v1
      resourcePolicy:
        version: default
        resource: items
        rules: # ...
```

Sub-chart values (e.g. `cerbos.replicaCount`, `opentelemetry-collector.config.exporters`) are forwarded directly to upstream charts — see each upstream chart's README for the full schema.

Tracked in the umbrella's GitHub Issues. Planned for subsequent versions:
| Concern | Components |
|---|---|
| Identity | Vault (HA Raft), Authentik, Ory Oathkeeper, cert-manager |
| Data | MinIO, NATS JetStream, Redis Sentinel, OpenSearch |
| Observability | SigNoz (ClickHouse-backed), kube-prometheus-stack |
| Security | Wazuh, Falco, Trivy Operator, Kyverno |
| GitOps + DevX | Argo CD, Argo Rollouts, Backstage |
| Bootstrap | Talos manifests + Omni link, Argo app-of-apps |
| Release | OCI publish to oci://ghcr.io/plinth-dev/platform |
Optional sub-charts (default off): Temporal, GitLab CE.

```shell
helm dependency build .
helm lint .
helm template plinth . --values values/dev.values.yaml | less
```

CI runs the same three steps plus a smoke check that asserts the rendered output contains the expected `kind: Cluster`, `kind: CustomResourceDefinition`, and Plinth-specific ConfigMap.
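
One way to write the smoke check described above, as an added example that is not the project's CI script: it parses the rendered stream into top-level `Kind/name` pairs instead of grepping for `kind: Cluster`, which would also match `kind: ClusterRole` or text embedded in a ConfigMap. The function names, the two-space indentation assumption and the sample manifests are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the project's CI script. Sample manifests are constructed.

# Print "Kind/name" per YAML document on stdin, reading only the top-level
# `kind:` and the `name:` directly under top-level `metadata:` (assumes
# Helm's usual two-space indentation).
list_resources() {
  awk '
    function emit() { if (kind != "") print kind "/" name; kind = ""; name = ""; in_meta = 0 }
    /^---[ \t]*$/       { emit(); next }
    /^kind:/            { kind = $2 }
    /^metadata:[ \t]*$/ { in_meta = 1; next }
    /^[^ \t#]/          { in_meta = 0 }
    in_meta && /^  name:/ && name == "" { name = $2 }
    END                 { emit() }
  '
}

# Return 0 only if each required object exists as a real top-level resource.
smoke_check() {
  found=$(list_resources)
  missing=0
  for want in 'CustomResourceDefinition/.*' 'Cluster/.*' \
              'ConfigMap/plinth-cerbos-policies'; do
    if ! printf '%s\n' "$found" | grep -Eqx "$want"; then
      echo "missing: $want" >&2
      missing=1
    fi
  done
  return "$missing"
}

sample_good() {  # constructed: the three objects the check expects
  printf '%s\n' '---' '# Source: (constructed)' \
    'kind: CustomResourceDefinition' 'metadata:' '  name: clusters.postgresql.cnpg.io' \
    '---' 'kind: Cluster' 'metadata:' '  name: plinth-postgres' \
    '---' 'kind: ConfigMap' 'metadata:' '  name: plinth-cerbos-policies'
}

sample_trap() {  # constructed: would pass a naive `grep "kind: Cluster"`
  printf '%s\n' '---' 'kind: ClusterRole' 'metadata:' '  name: cnpg-manager' \
    '---' 'kind: ConfigMap' 'metadata:' '  name: other' 'data:' '  note: |' \
    '    kind: CustomResourceDefinition' '    name: plinth-cerbos-policies'
}

# In CI: helm template plinth . --values values/dev.values.yaml | smoke_check
sample_good | smoke_check && echo "good sample: pass"
sample_trap | smoke_check 2>/dev/null || echo "trap sample: rejected"
```
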

- `plinth.run` — full architecture reference, tutorials, ADRs.
- Manifesto — the six commitments.
- `starter-web` / `starter-api` — clone-ready module starters that target this substrate.
- `cli` — `plinth new` for scaffolding modules.

MIT — see LICENSE.