Classification: INTERNAL ONLY
System Status: PRODUCTION-READY
Owner: Platform Engineering
Version: 1.0.0
The Enterprise Self-Hosted Internal Developer Platform (IDP) is a mission-critical infrastructure framework designed to provide a secure, automated, and governed environment for deploying and operating applications. Engineered for a single-node Kubernetes architecture (RKE2), this platform enforces strict DevSecOps rigor, disaster recovery tiering, and zero-trust security boundaries without the overhead of traditional multi-node high availability.
- Compute: Single-Node RKE2 cluster (`groot-server`) optimized for high-density workload scheduling.
- Storage: Longhorn distributed block storage providing persistent volumes with automated snapshot capabilities.
- Network & Edge: Cloudflare Zero Trust Tunnels serve as the exclusive ingress controller, eliminating inbound public ports and enforcing strict Identity-Aware Proxy (IAP) policies.
- Identity & Secret Management: HashiCorp Vault OSS acts as the authoritative secrets engine, integrated directly into Kubernetes via the External Secrets Operator (ESO).
- Runtime Defense: Container workloads are continuously audited via Trivy (vulnerability scanning) and protected by Falco (runtime threat detection).
- Access Control: Strict Role-Based Access Control (RBAC) and NetworkPolicies enforce a default-deny architecture.
- Tiered Strategy: Implements a deterministic RPO/RTO framework ranging from Tier 0 (etcd state) to Tier 4 (Observability data).
- Tooling: Automated cluster and namespace state backups via Velero, coupled with Longhorn volume snapshots to guarantee full-cluster recovery.
This repository acts as the single source of truth for the IDP's architectural design, operational runbooks, and generative intelligence.
```text
idp/
├── README.md
├── prompts/
│   ├── 00-master-prompt.md              # Core intelligence and generative governance rules
│   ├── 01-document-generation.md        # Component documentation blueprints
│   ├── 02-review-and-audit.md           # DevSecOps auditing criteria
│   └── 03-handbook-consistency-audit.md
└── handbook/
    ├── 00-index.md           # Master Index and Platform Catalog
    ├── adrs/                 # Architecture Decision Records (ADRs)
    ├── registries/           # Global Naming, Standards, and Inventory Registries
    ├── artifacts/            # Global Changelogs and Terraform Ownership Matrices
    ├── developer-journey/    # Developer onboarding and Golden Path workflows
    └── phases/               # Component runbooks mapped by deployment phase
```
Every component documented within this handbook strictly adheres to the platform's 99.9% Enterprise-Grade operational standard. Governance is enforced via automated auditing pipelines to guarantee:
- Semantic Versioning: Strict adherence to `vMAJOR.MINOR.PATCH` lifecycle tracking.
- Security Controls Matrix: Mandatory implementation and auditing of IAM, Network Segmentation, Encryption (At-Rest/In-Transit), and Vulnerability Scanning for every deployed service.
- Golden Path Reviews: Enforced quarterly review cadences for all operational Golden Paths.
- Deterministic Naming: CI/CD validated naming conventions to prevent configuration drift and namespace collisions.
- Infrastructure as Code (IaC): Explicitly mapped Terraform module ownership across Platform, Security, Network, and SRE teams.
Engineers, SREs, and Auditors should reference the following documentation to navigate the platform architecture:
- Master Platform Index: The authoritative catalog of all platform components and statuses.
- Architecture Decision Records (ADRs): Contextual history of critical engineering decisions (e.g., ADR-0001: Single-Node Architecture).
- Backup and Disaster Recovery Runbook: Mandatory reading for incident response and platform operations.
- Developer Golden Paths: Standardized workflows for application deployment and secret management.
All modifications to the platform architecture, governance policies, or infrastructure components must be proposed via pull request and require explicit approval from the Platform Engineering Architecture Review Board (ARB). Unaudited modifications to the handbook or prompts directories are strictly prohibited.
CONFIDENTIALITY NOTICE: This repository and its contents are proprietary and confidential. Unauthorized distribution or deployment outside approved environments is prohibited.