RIG-Cluster is a Kubernetes platform for RIG projects in ODC-Noord, supporting POC, Pilot, and Production environments.
At its core is ZAD (Zelfservice Applicatie Deployment) - a self-service portal where developers define what their project needs in a single declarative file. ZAD provisions the infrastructure (PostgreSQL, Keycloak, MinIO, Redis), generates credentials, creates Kubernetes deployments, and configures everything end-to-end. It integrates into CI/CD through a GitHub Action and exposes an API for controlling deployments, updating images, creating backups, spinning up feature branch environments, and cleaning up.
The recommended way to get started is the sandboxed-local setup, which runs a fully self-contained cluster on your machine. See:
- Getting Started Guide - step-by-step setup instructions
Quick start:

```bash
# Install required tools
brew install go-task kind kubectl kustomize sops age ksops pwgen jq yq rsync skaffold
# Run the setup (interactive, takes ~5-10 minutes)
task sandbox:setup
```

You will need the developer AGE private key to decrypt the TLS certificates. Ask the ZAD developers if you don't have it.

The platform uses a GitOps approach with ArgoCD. The Operations Manager (ZAD) drives three Git repositories:
- zad-projects - declarative project definitions (one file per project: services, configuration, user accounts, SSO setup)
- zad-argo-user-applications - ArgoCD Application manifests, generated from project definitions
- zad-deployments - Kubernetes manifests (secrets, configmaps, deployments) generated for each project
Project definitions go in, ArgoCD applications and deployment manifests come out, and ArgoCD deploys them to the cluster.
| Type | Description |
|---|---|
| sandboxed-local | Self-contained Kind cluster with in-cluster Forgejo, real TLS (`*.sandbox.rijksapp.dev`) |
| local | Kind cluster with external Git (GitHub + git daemon), self-signed CA |
| odcn-production | Production cluster in ODC-Noord |
| Service | Purpose |
|---|---|
| ArgoCD | GitOps deployment controller |
| Forgejo | In-cluster Git server (sandboxed-local) |
| PostgreSQL | CNPG-managed database cluster |
| Keycloak | Identity and access management, SSO |
| MinIO | S3-compatible object storage |
| Operations Manager | ZAD self-service portal and API |
- Getting Started - local setup guide
- Local Kind Cluster Setup - alternative local setup with external Git
- Keycloak Configuration - Keycloak administration
- Keycloak YAML Configuration - declarative Keycloak setup
Feature-specific documentation is in the features/ directory. Key features:
- Sandboxed Local Development - sandbox architecture and configuration
- Sandbox SSO Setup - connecting to production Keycloak for SSO
- Backup System - PVC backup and restore
- Bootstrap API Actions - API operations
- Namespace PostgreSQL Database - per-project database provisioning
All operations use Taskfile. Key commands:

```bash
task sandbox:setup                      # Full sandbox setup
task sandbox:sync                       # Sync infrastructure changes to Forgejo
task sandbox:skaffold-dev               # Hot-reload development
task sandbox:update-operations-manager  # Rebuild and deploy Operations Manager
task sandbox:destroy                    # Tear down sandbox
```

Secrets are managed with SOPS and AGE encryption. Templates in the infrastructure overlays use `@secret-gen:random:XX` annotations for automatic password generation. The sandbox uses a per-setup AGE key (`security/sandbox-key.txt`), while shared secrets (TLS certificates) use a developer AGE key distributed out-of-band.
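
Because secrets end up in Git repositories, a check that every Secret manifest is actually SOPS ciphertext is worth running before a push. The following is an added example, not part of RIG-Cluster or ZAD: the function name and sample manifests are constructed, and it assumes one YAML document per file using SOPS's standard `ENC[AES256_GCM,...]` value format.

```python
import re

# SOPS writes each encrypted scalar as ENC[AES256_GCM,data:...,iv:...,tag:...,type:...]
ENC = re.compile(r"^ENC\[AES256_GCM,data:.+,iv:.+,tag:.+,type:\w+\]$")

def unencrypted_fields(manifest: str) -> list[str]:
    """List problems in one Secret manifest: plaintext values or a missing sops block."""
    kind, section, has_sops, problems = None, None, False, []
    for raw in manifest.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        if not line[0].isspace():              # top-level key
            section = key if key in ("data", "stringData") else None
            if key == "kind":
                kind = value
            has_sops = has_sops or key == "sops"
        elif section and not ENC.match(value):  # entry under data/stringData
            problems.append(f"{section}.{key}")
    # Enforce only on Secrets (kind may itself be encrypted if no encrypted_regex is set)
    if kind != "Secret" and not (kind and ENC.match(kind)):
        return []
    if not has_sops:
        problems.append("<missing sops metadata>")
    return problems

# Constructed sample manifests (placeholder values, not from the project)
ENCRYPTED = """\
apiVersion: v1
kind: Secret
metadata:
    name: demo-db
stringData:
    password: ENC[AES256_GCM,data:Zm9vYmFy,iv:AAAA,tag:BBBB,type:str]
sops:
    age:
        - recipient: age1examplerecipientplaceholder
"""
PLAINTEXT = "apiVersion: v1\nkind: Secret\ndata:\n    password: aHVudGVyMg==\n"
CONFIGMAP = "apiVersion: v1\nkind: ConfigMap\ndata:\n    LOG_LEVEL: debug\n"

if __name__ == "__main__":
    for name, doc in [("encrypted", ENCRYPTED), ("plaintext", PLAINTEXT), ("configmap", CONFIGMAP)]:
        print(name, unencrypted_fields(doc) or "ok")
```

The check is line-based, so a non-empty result should fail the pipeline rather than be treated as a full YAML validation.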