Vitro Architecture

Architecture of the Federal Frontier Vitro platform — Kolla-Ansible deployment, CAPO workload clusters, K-ORC GitOps resource provisioning, and FMC fleet management integration.

Vitro Architecture

Vitro is a layered platform. Kolla-Ansible deploys OpenStack services as Docker containers on bare-metal hosts. CAPO (Cluster API Provider OpenStack) provisions RKE2 Kubernetes workload clusters on top of OpenStack VMs. K-ORC manages ad-hoc OpenStack resources through ArgoCD GitOps. The Fleet Management Cluster (FMC) ties it all together.

Architecture Diagram

Kolla-Ansible Deployment Model

Kolla-Ansible deploys all OpenStack services as Docker containers across bare-metal hosts. Each service runs in its own container with health checks, restart policies, and log forwarding. This is not Kubernetes-based — the containers are managed directly by Docker on the host OS.

Deployment topology:

In converged (HCI) mode, all roles run on the same physical servers. A minimum Vitro deployment requires 3 servers with 6 OSDs for Ceph quorum and HA.

CAPO — Kubernetes on OpenStack

Cluster API Provider OpenStack (CAPO) provisions RKE2 Kubernetes clusters as OpenStack VMs. The CAPO controller runs on the FMC and creates:

• OpenStack VMs with pre-baked RKE2 node images (built with Packer)
• Security groups for Kubernetes API, etcd, and node communication
• Floating IPs for API server access
• Cinder volumes for persistent storage

Workload clusters are declared as YAML manifests and managed through ArgoCD GitOps. Adding a cluster = merging a manifest. Deleting a cluster = removing it. CAPO reconciles the desired state.

Pre-baked VM images are critical for air-gapped deployments. The Packer build includes:

• RKE2 binaries and server/agent artifacts
• All CNI container images pre-pulled (Canal/Calico, CoreDNS, metrics-server)
• System packages (open-iscsi, nfs-common, cryptsetup)
• CIS benchmark hardening and FIPS kernel parameters

No image is pulled from the internet at boot time. The cluster starts from local disk.

K-ORC — OpenStack Resource Controller

Kubernetes OpenStack Resource Controller (K-ORC) extends the Kubernetes API with OpenStack resource types. It allows operators to declare OpenStack resources (VMs, networks, security groups, volumes) as Kubernetes custom resources and manage them through ArgoCD GitOps.

apiVersion: openstack.k-orc.cloud/v1alpha1
kind: Server
metadata:
  name: web-server-01
spec:
  flavor: m1.medium
  image: ubuntu-22.04
  network: production-network
  securityGroups:
    - web-tier

K-ORC reconciles the desired state against OpenStack APIs. If a VM is deleted manually, K-ORC recreates it. If a security group rule is changed, K-ORC reverts it. This is GitOps for OpenStack — the Git repository is the source of truth, not the OpenStack dashboard.

Fleet Management Cluster (FMC)

The FMC is an RKE2 Kubernetes cluster running directly on bare metal (not on OpenStack VMs). It hosts the control plane for the entire platform:

The FMC is the only cluster that must survive infrastructure failures. Workload clusters can be destroyed and recreated from manifests. The FMC cannot — it holds the state that defines everything else.

Integration with FKP

The Frontier Kubernetes Platform (FKP) provides multi-cluster lifecycle management on top of Vitro. FKP operators use the Frontier CLI or OutpostAI GUI to:

• Create workload clusters (CAPO provisions VMs, installs RKE2)
• Scale worker node pools (CAPO MachineDeployment scaling)
• Install add-ons (CNI, CSI, ingress, monitoring)
• Manage cluster lifecycle (upgrade, drain, cordon, delete)

FKP abstracts the infrastructure provider. The same FKP workflow that creates clusters on Vitro (OpenStack) also creates clusters on AWS (EKS), Azure (AKS), or bare metal (Tinkerbell). The operator doesn’t need to know OpenStack APIs.

Related

• Vitro Overview — What is Vitro, compliance posture, technology stack
• F3Iai Agent Integration — AI agent management of Vitro infrastructure
• Deployment Guide — Installation steps
• Frontier Kubernetes Platform — Multi-cluster management