redkubes / otomi-core

Self-hosted DevOps PaaS for Kubernetes

Home Page:https://otomi.io

Self-hosted DevSecOps Platform for Kubernetes


Otomi turns any Kubernetes cluster into a DevOps Platform to provide paved roads from code to production

How Otomi helps

DevSecOps teams - With self-service, automation and visibility so they can take full ownership of their applications

  • Scan source code for vulnerabilities
  • Build OCI compliant images from application code and store them in a private registry
  • Deploy containerized workloads using a catalog with pre-filled golden path templates
  • Automatically update container images of workloads
  • Publicly expose applications
  • Get instant access to logs, metrics and traces, vulnerabilities, threats and policy violations
  • Configure network policies, response headers and CNAMEs
  • Manage secrets

Platform teams - To set up a Kubernetes-based platform for DevOps teams and provide them with a paved road to production

  • Create a platform profile and deploy to any Kubernetes cluster
  • Onboard DevSecOps teams in a comprehensive multi-tenant setup and allow them to take full ownership over their applications
  • Get all the required capabilities in an integrated and automated way
  • Ensure governance with security policies
  • Implement zero-trust networking
  • Change the desired state of the platform based on Configuration-as-Code
  • Support multi- and hybrid cloud scenarios
  • Prevent cloud provider lock-in
  • Implement full observability (metrics, logs, traces, alerts)
  • Create Golden path templates and offer them to teams on the platform through a catalog

Getting started

Helm

To install Otomi, make sure to have a K8s cluster running with at least:

  • Version 1.25, 1.26 or 1.27
  • A node pool with at least 8 vCPU and 16GB+ RAM (more resources might be required based on the activated capabilities)
  • Calico CNI installed (or any other CNI that enforces K8s network policies; without such a CNI, NetworkPolicy objects are accepted by the API server but never enforced)
  • A default storage class configured
  • When using the custom provider, make sure the K8s LoadBalancer Service created by Otomi can obtain an external IP (using a cloud load balancer or MetalLB)

NOTE: Install Otomi with DNS to unlock its full potential. Check otomi.io for more info.

Add the Helm repository:

helm repo add otomi https://otomi.io/otomi-core
helm repo update

and then install the Helm chart:

helm install otomi otomi/otomi \
--set cluster.name=$CLUSTERNAME \
--set cluster.provider=$PROVIDER # use 'azure', 'aws', 'google', 'digitalocean', 'ovh', 'vultr', 'scaleway', 'civo', 'linode', or 'custom' for any other cloud or onprem infrastructure

When the installer job is completed, follow the activation steps.
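The prerequisites above are easy to miss on a shared cluster, so here is a preflight script, added as an example here and not part of otomi-core, that checks the Kubernetes version, the single default StorageClass and the node-pool capacity before you run helm install. It assumes kubectl is configured for the target cluster and, as a simplification, takes each node's kubelet version as the cluster version; the CNI policy-enforcement requirement cannot be verified from the API and is left as a manual check. The three check functions read plain text, so they can be exercised against constructed kubectl-style output without a cluster.

```shell
#!/usr/bin/env bash
# otomi-preflight.sh: added example, not part of otomi-core.
# Assumes kubectl points at the target cluster; kubelet version is taken
# as the cluster version (assumption). Run with: bash otomi-preflight.sh --run

# Supported per the README: 1.25, 1.26 and 1.27.
# Accepts "v1.26.3", "1.27.1-gke.100", "v1.25.11-eks-abc" and similar.
otomi_version_supported() {
  local v="${1#v}"
  local major="${v%%.*}"
  local rest="${v#*.}"
  local minor="${rest%%.*}"
  [ "$major" = "1" ] || return 1
  case "$minor" in
    25|26|27) return 0 ;;
    *)        return 1 ;;
  esac
}

# Reads lines "<storageclass-name> <is-default-class annotation>" on stdin
# and prints how many classes are marked default (Otomi needs exactly one).
default_storageclass_count() {
  awk '$2 == "true" { n++ } END { print n + 0 }'
}

# Reads lines "<cpu capacity> <memory capacity>" per node on stdin and
# succeeds when the pool sums to at least 8 vCPU and 16 GiB, handling the
# quantities kubectl prints ("7910m", "8", "16282360Ki", "15Gi").
node_pool_ok() {
  awk '
    function cpu(s) { if (s ~ /m$/) { sub(/m$/, "", s); return s / 1000 } return s + 0 }
    function gib(s) {
      if (s ~ /Ki$/) { sub(/Ki$/, "", s); return s / 1048576 }
      if (s ~ /Mi$/) { sub(/Mi$/, "", s); return s / 1024 }
      if (s ~ /Gi$/) { sub(/Gi$/, "", s); return s + 0 }
      return s / 1073741824                     # bare bytes
    }
    NF >= 2 { c += cpu($1); m += gib($2) }
    END { exit !(c >= 8 && m >= 16) }'
}

# Live run against the current kube-context. Returns non-zero on the first
# failed requirement so it can gate `helm install otomi otomi/otomi ...`.
preflight() {
  local v
  for v in $(kubectl get nodes -o jsonpath='{range .items[*]}{.status.nodeInfo.kubeletVersion}{"\n"}{end}'); do
    otomi_version_supported "$v" || { echo "unsupported Kubernetes version on a node: $v" >&2; return 1; }
  done

  local defaults
  defaults=$(kubectl get sc -o jsonpath='{range .items[*]}{.metadata.name} {.metadata.annotations.storageclass\.kubernetes\.io/is-default-class}{"\n"}{end}' \
             | default_storageclass_count)
  [ "$defaults" = "1" ] || { echo "expected exactly one default StorageClass, found $defaults" >&2; return 1; }

  kubectl get nodes -o jsonpath='{range .items[*]}{.status.capacity.cpu} {.status.capacity.memory}{"\n"}{end}' \
    | node_pool_ok || { echo "node pool is below 8 vCPU / 16 GiB" >&2; return 1; }

  # NetworkPolicy enforcement depends on the CNI, not the API server: the
  # objects are accepted either way, so confirm Calico (or equivalent) by hand.
  echo "preflight OK: versions, default StorageClass and node capacity meet the Otomi minimums"
}

# Only talk to the cluster when explicitly asked, so the file can be sourced for testing.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

A non-zero exit means one of the minimums was not met and the installer job would most likely fail or leave Otomi without working persistent storage. The CNI point matters for the network policies that teams later configure through the Console: on a CNI without policy enforcement those objects are silently ignored on the wire, so check the CNI before relying on them for isolation.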

Platform architecture

Otomi consists of the following components:

Self-service portal and Cloud Shell

The otomi-console self-service portal offers a seamless user experience for DevSecOps teams and platform administrators. Platform administrators can use Otomi Console to enable and configure platform capabilities and onboard development teams. DevOps teams can use Otomi Console to build images, deploy and expose Workloads, configure CNAMEs, configure network policies and manage secrets. Otomi Console also provides context aware access to platform capabilities like code repositories, registries, logs, metrics, traces, dashboards, etc. Next to the web based self-service, both teams and admins can start a Cloud Shell and run CLI commands.

Platform Control plane

All changes made through the Console are validated by the platform control plane (otomi-api) and then committed as code in Git. This will automatically trigger the platform to synchronize the desired state to the Kubernetes state of the platform based on GitOps.

Pre-filled Catalog

A Catalog with reusable templates to create workloads. The Catalog is pre-filled with a set of templates maintained in the otomi/charts repo. You can also add your own charts and offer them to the teams on the platform.

Automation

The automation (a set of Kubernetes operators) is used to synchronize the desired state to the state of applications like Keycloak, Harbor and Gitea.

Capabilities

Otomi offers a set of integrated Kubernetes applications (using upstream open source projects) for all the required platform capabilities. Core applications are always installed, optional applications can be activated on-demand. When an application is activated, the application will be installed based on a configuration profile that contains defaults, best-practices and platform integrations. Default configuration can be adjusted using the Console.

Core Applications (that are always installed):

  • Istio: The service mesh framework with end-to-end transit encryption
  • Argo CD: Declarative Continuous Deployment
  • Keycloak: Identity and access management for modern applications and services
  • Cert Manager - Bring your own wildcard certificate or request one from Let's Encrypt
  • Nginx Ingress Controller: Ingress controller for Kubernetes
  • External DNS: Synchronize exposed ingresses with DNS providers
  • Tekton Pipeline: K8s-style resources for declaring CI/CD pipelines
  • Tekton Triggers: Trigger pipelines from event payloads
  • Tekton dashboard: Web-based UI for Tekton Pipelines and Tekton Triggers
  • Gitea: Self-hosted Git service
  • Cloudnative-pg: Open source operator designed to manage PostgreSQL workloads
  • Paketo build packs: Cloud Native Buildpack implementations for popular programming
  • Kaniko: Build container images from a Dockerfile

Optional Applications (that you can activate to compose your ideal platform):

  • Velero: Back up and restore your Kubernetes cluster resources and persistent volumes
  • Knative: Deploy and manage serverless workloads
  • Drone: Continuous integration platform built on Docker
  • Prometheus: Collecting container application metrics
  • Grafana: Visualize metrics, logs, and traces from multiple sources
  • Grafana Loki: Collecting container application logs
  • Harbor: Container image registry with role-based access control, image scanning, and image signing
  • HashiCorp Vault: Manage Secrets and Protect Sensitive Data
  • OPA/Gatekeeper: Policy-based control for cloud-native environments
  • Jaeger: End-to-end distributed tracing and monitor for complex distributed systems
  • Kiali: Observe Istio service mesh relations and connections
  • Minio: High performance Object Storage compatible with Amazon S3 cloud storage service
  • Trivy: Kubernetes-native security toolkit
  • Thanos: HA Prometheus setup with long term storage capabilities
  • Falco: Cloud Native Runtime Security
  • Opencost: Cost monitoring for Kubernetes language ecosystems
  • Grafana Tempo: High-scale distributed tracing backend
  • OpenTelemetry: Instrument, generate, collect, and export telemetry data to help you analyze your software’s performance and behavior

Supported providers

Otomi can be installed on any Kubernetes cluster. At this time, the supported providers are the values accepted by the cluster.provider Helm value shown in the install command above (azure, aws, google, digitalocean, ovh, vultr, scaleway, civo and linode); custom covers any other cloud or on-prem infrastructure.

Otomi Projects

Otomi open source consists of the following projects:

  • Otomi Core (this project): The heart of Otomi
  • Otomi Tasks: Autonomous jobs orchestrated by Otomi Core
  • Otomi Clients: Factory to build and publish OpenAPI clients used by otomi-tasks
  • Otomi Charts: Quickstart Helm templates offered in the Catalog

Documentation

Check out the dev docs index for developer documentation or go to otomi.io for more detailed documentation.

Contribution

If you wish to contribute please read our Contributor Code of Conduct and Contribution Guidelines.

If you want to say thank you and/or support the active development of Otomi:

  • Star the Otomi project on Github
  • Feel free to write articles about the project on dev.to, medium or on your personal blog and share your experiences

This project exists thanks to all the people who have contributed

License

Otomi is licensed under the Apache 2.0 License.
