Overview
What is Haven+
Haven+ is a reference architecture and implementation that adds extra platform services to the standard Haven Kubernetes environment. It focuses on quickly providing essential building blocks for production environments, such as monitoring, authentication, certificate management, and database services.
Haven+ makes it easier for municipalities to set up a secure, manageable, and scalable cloud environment in line with modern DevOps practices, GitOps, and open standards.
With Haven+, you quickly gain access to monitoring (metrics, logging, and tracing), authentication, databases, certificate management, policy management, and secret management.
What is Haven
Haven is a standard for platform-independent cloud hosting, developed by the Association of Dutch Municipalities (VNG). The goal of Haven is to enable municipalities to host applications in a uniform way without having to adapt their existing IT infrastructure. This allows applications developed for one municipality to be easily reused by others, promoting collaboration and cost savings.
Cloud Independence
Haven(+) and cloud independence go hand in hand: by using open standards and container technology based on Kubernetes, Haven(+) enables municipal applications to run on any cloud environment—from major American hyperscalers to European or Dutch clouds. This allows municipalities to retain control over their data and infrastructure and easily switch or combine as needed. This aligns with the ambition for digital sovereignty.
Contents of the Haven+ Reference Implementation
Using the reference implementation, the following components are deployed:
- Alloy: Collects, processes, and forwards logs, metrics, and traces (telemetry) to observability tools.
- Cert-Manager: Automates the issuance and renewal of TLS certificates.
- CloudNative-PG: Manages PostgreSQL clusters on Kubernetes.
- ECK Operator: Manages Elasticsearch clusters and related components within Kubernetes.
- External DNS: Automates the lifecycle of DNS records in various DNS Providers.
- External Secrets Operator: Syncs secrets from external secret providers into native Kubernetes Secret resources.
- Grafana: Visualizes metrics, logs, and traces in comprehensive dashboards.
- Istio Gateway: Manages incoming traffic to services via configurable ingress policies.
- Istio: Handles service-to-service communication, security, and observability within a service mesh.
- Keycloak: Provides identity and access management with support for SSO, OpenID Connect, and more.
- Loki: Stores log files and makes them searchable.
- Mimir: Stores time-series data (metrics) at scale.
- Pinniped: Ensures secure authentication in Kubernetes environments via existing identity providers.
- Sealed Secrets: Allows encrypted secrets to be safely stored in Git.
- Tempo: Processes and visualizes tracing data to provide insights into dependencies and performance.
- Velero: Provides tools to back up and restore Kubernetes cluster resources and persistent volumes.
By standardizing on these components, we implicitly standardize on OpenTelemetry, OpenID Connect, and the Gateway API.
Getting Started
We have created a reference implementation for Haven+ for the two most popular GitOps solutions:
You can find the implementation in the infrastructure and platform-services directories, respectively.