Tools deployed across DC and DR
Single KVM host (dl385) running two RKE2 clusters (rke2 = DC, rke2-dr = DR) plus a small set of shared infrastructure VMs on the br30 app subnet. Every catalogued component is deployed in both DC and DR unless explicitly noted as DR-only or shared infra.
Overview
The BRAC proof-of-concept demonstrates an active/standby DC/DR posture for a Kubernetes-hosted application platform on a single physical host. Argo CD drives GitOps from infra/gitops-rke2; identity is centralised on Keycloak; data is replicated DC→DR via Kafka MirrorMaker 2; cutover is performed at the edge HAProxy using backup backends with no DNS movement.
| Layer | Components |
|---|---|
| Foundation | Argo CD, cert-manager, Longhorn, webhook-pdns (cert-manager) |
| Identity & secrets | Keycloak, HashiCorp Vault |
| Data & streaming | Strimzi operator, Apache Kafka (KRaft), MirrorMaker 2, Redis operator (Spotahome), Redis (RedisFailover), redis-applier, RedisInsight |
| CI / CD & IaC | Sonatype Nexus 3, Jenkins, Ansible AWX, Terrakube, GitLab |
| Observability | SigNoz |
| Edge / network & shared | HAProxy (edge), PowerDNS, MinIO |
Topology
- DC cluster — RKE2 on three VMs (rke2-1/2/3).
- DR cluster — RKE2 on three VMs (rke2-dr-1/2/3).
- Shared infra VMs on br30 — HAProxy (edge), PowerDNS (auth DNS), GitLab, MinIO.
- Edge ingress — HAProxy with backup backends; DC primary, DR backup. Failover proven for Vault, Keycloak, Terrakube, AWX.
- GitOps source of truth — infra/gitops-rke2 on the lab GitLab; Argo CD in each cluster reconciles its own scope.
Foundation
Argo CD
GitOps controller per cluster — reconciles the live state of DC and DR from a single Git repo.
cert-manager
TLS certificate lifecycle for in-cluster Ingresses and internal services.
Longhorn
Distributed block storage — the default StorageClass for every stateful workload in the platform.
webhook-pdns (cert-manager)
cert-manager DNS-01 ACME solver that talks to the lab PowerDNS over the API.
Identity & secrets
Keycloak
Central OIDC identity provider for the platform — Vault, Argo CD, AWX, Terrakube, GitLab, Jenkins, Nexus all federate here.
HashiCorp Vault
Secrets store per cluster — Raft-3, transit auto-unseal, initialised and unsealed.
Data & streaming
Strimzi operator
Kafka operator — manages KRaft Kafka, KafkaUsers, topics, and (on DR) MirrorMaker 2.
Apache Kafka (KRaft)
3 brokers + 3 controllers in KRaft mode per cluster — backbone of the cross-cluster replication path.
MirrorMaker 2
Cross-cluster Kafka replication — runs on DR, pulls from DC.
Redis operator (Spotahome)
Reconciles RedisFailover CRs — Sentinel-managed Redis primaries with replica failover.
Redis (RedisFailover)
3 Redis + 3 Sentinel pods per cluster — the platform's KV store, fed by the Kafka WAL.
redis-applier
Custom Go consumer that reads redis-writes from local Kafka and applies into local Redis.
RedisInsight
Redis admin UI — raw manifests, exposed via the edge HAProxy.
CI / CD & IaC
Sonatype Nexus 3
Artifact and container registry for the lab — hosts redis-applier, will mirror Quay/Docker Hub.
Jenkins
Per-cluster Jenkins LTS controller — pipeline runner for the platform.
Ansible AWX
Ansible automation platform — operator-managed, OIDC against Keycloak.
Terrakube
Self-hosted Terraform / OpenTofu collaboration platform — UI, API, executor, registry; OIDC via Keycloak.
GitLab
Self-managed GitLab on a dedicated VM — hosts the GitOps repo and POC docs.
Observability
Edge / network & shared
HAProxy (edge)
L7 edge ingress for the lab — implements DC/DR failover via backup backends.
PowerDNS
Authoritative DNS for the lab zone — drives ACME DNS-01 challenges through cert-manager.
MinIO
S3-compatible object storage — backs Terrakube remote state and (planned) snapshot buckets.