App Platform
The Problem
Deploying an application to Kubernetes requires a long checklist of infrastructure work before your first pod runs:
- Create a GitHub repo for Kubernetes manifests
- Generate SSH deploy keys and register them on GitHub
- Set up Flux GitOps configuration (GitRepository, Kustomization, encrypted secrets)
- Create namespaces with correct labels
- Configure RBAC so your team can access their namespaces but not others
- Set up SOPS encryption keys for secrets
- Register an OIDC client if your app needs SSO
- Wire it all together and hope nothing drifts
Every team does this differently. Keys get shared, namespaces get misconfigured, RBAC gets copy-pasted wrong, and secrets end up in plaintext. Scaling to 10+ applications means repeating this work — and maintaining it — for each one.
What the App Platform Does
The App Platform replaces that checklist with a single Kubernetes resource:
apiVersion: labrats.work/v1alpha1
kind: AppPlatformRegistration
metadata:
name: my-app
spec:
displayName: My Application
access:
- group: myapp-ops
role: admin
- group: myapp-devs
role: developer
namespaces:
- my-app-prod
- my-app-devOIDC clients are registered separately via labeled Secrets in the <app>-platform namespace — see the Developer Guide.
Apply this, and the operator provisions everything:
| What | How |
|---|---|
| GitHub repo | Private my-app-platform repo created in your org |
| Deploy keys | Ed25519 SSH key generated, registered on GitHub, stored as K8s Secret |
| AGE encryption | Per-app X25519 keypair for SOPS — each app gets its own key |
| Flux GitOps | GitRepository + Kustomization committed to the flux repo |
| Namespaces | Created with correct labels (labrats.work/app, labrats.work/namespace-role) |
| RBAC | Roles + RoleBindings in every namespace based on spec.access |
| OIDC | Client registered in Authelia with generated secret |
Delete the registration, and the operator cleans up everything it created.
How It Works
You declare intent: Operator provisions infrastructure:
AppPlatformRegistration GitHub repo + deploy key
"Register my-app on the AGE encryption key
platform with SSO and Flux GitOps config
3 environments" RBAC in all namespaces
OIDC client in Authelia
|
v
Your team pushes K8s Flux applies manifests
manifests to the to each namespace
platform repo automaticallyThe platform repo is the bridge between your application code and the cluster. You control what gets deployed and where — the operator handles everything else.
The Dashboard
The dashboard is how your team interacts with the platform day-to-day:
- Sidebar shows all your apps with health dots — green means all deployments are ready, yellow means something needs attention
- App Dashboard shows the deployment pipeline (which repos, which kustomizations, which namespaces, what status), managed secrets, and registration details
- Deployments page shows expanded detail for each deployment with source revision, path, interval, and error messages
- Secrets page lets admins create, edit, and delete managed secrets — the operator encrypts and commits them to Git automatically
Platform admins see all apps. Developers see only the apps their groups have access to.
Key Concepts
| Concept | What it means |
|---|---|
| Platform namespace | <app>-platform — holds deploy keys, AGE keys, Flux config, managed secrets. Hidden from developers. |
| App namespaces | <app>-dev, <app>-prod, etc. — where your workloads run. Declared in spec.namespaces. |
| Platform repo | <app>-platform GitHub repo — you put Flux Kustomization manifests here that tell Flux what to deploy where. |
| Managed secrets | Secrets created via the dashboard. The operator SOPS-encrypts and commits them to Git. Flux decrypts at apply time. |
| Per-app AGE key | Each app gets its own encryption key. Blast radius is limited — compromising one key doesn't expose other apps' secrets. |
Where to Go Next
| I want to... | Read |
|---|---|
| Deploy something in 2 minutes | Hello World Guide |
| Understand the full setup process | App Onboarding |
| Set up secrets for my app | Secret Management |
| Understand who can do what | Access Control |
| See a real-world example | Case: my-diet |
| Operate the platform itself | Operator Guide |