This IDP exposes stack‑level toggles (“fuses”) so you can shape a deployment before syncing anything. Start simple with stack switches, then evolve toward finer‑grained controls per component.

Stack fuses

Defined in config.toml under [fuses]:

[fuses]
policies = true # Kyverno + Policies app
security = true # Security stack (Trivy Operator)
observability = true # Prometheus + Grafana + Loki + Fluent-bit (+ Pyrra)
cicd = true # Argo Workflows + templates
backstage = true # Backstage developer portal
prod = false # Hardened profile (HA switches)

Runtime behavior:

  • task stacks:deploy reads fuses and applies only the enabled stacks (events are always on).
  • fuses.prod = true enables production hardening (today: HA for ArgoCD; future: more dials).

Try it:

# Show effective values
task config:print
# Example: disable security stack, enable everything else
uv run dasel put -r toml -f config.toml fuses.security false >/dev/null
task deploy

Profiles — concept to practice

Three reference profiles to guide safe defaults:

  • Demo (current defaults)

    • Fuses: all stacks on
    • Kyverno: audit (no enforce)
    • HA: off; minimal persistence
    • Retentions: short (Prometheus 6h)
  • Staging (candidate; not wired yet)

    • Fuses: all stacks on
    • Kyverno: audit (plus extra checks)
    • HA: selective (ArgoCD on, others optional)
    • Retentions: medium; basic alerting receivers
  • Prod (partial today via fuses.prod=true)

    • Fuses: on per need
    • Kyverno: audit (today); plan to move critical to enforce
    • HA: enable for control planes (ArgoCD done; extend to ESO/cert-manager as needed)
    • Retentions/persistence: real PVCs; longer retention; tuned resources

Suggested TOML extension (future):

[profiles]
active = "demo" # or staging/prod
[profiles.staging]
observability.retention = "24h"
argocd.ha = true
alerts.enabled = true

Kyverno mode

By design (for now), policies use validationFailureAction: audit: violations are reported but never block a deploy, so the paved road stays open while policies mature. Candidates to enforce later:

  • Namespace labels (already enforced)
  • Component labels on Deployments/StatefulSets
  • PriorityClass required for workloads
  • ESO creationPolicy: Merge for sensitive targets

Fine‑grained toggles

Useful switches inside big stacks:

  • Observability: alertmanager.enabled, loki.enabled, fluent-bit.enabled, pyrra.enabled
  • Security: trivy.enabled, image-policy.enabled
  • Delivery: rollouts.enabled, kargo.enabled

Implementation options:

  • Pass --set enabled=<bool> when charts support it (Tasks detect fuses and add flags).
  • Split subcomponents into separate Application folders and gate per‑folder.

Reference