Platforms Toolkit
Toolkit Track | 3 Modules | ~2.5 hours total
Overview
The Platforms Toolkit covers the building blocks of Internal Developer Platforms. Backstage provides the developer portal, Crossplane enables self-service infrastructure, and cert-manager automates TLS certificate management. Together, they form the foundation of a modern platform engineering stack.
This toolkit applies concepts from Platform Engineering Discipline.
Prerequisites
Before starting this toolkit:
- Platform Engineering Discipline
- Kubernetes CRD concepts
- Basic cloud provider knowledge
- TLS/PKI fundamentals
Modules
| # | Module | Complexity | Time |
|---|---|---|---|
| 7.1 | Backstage | [COMPLEX] | 50-60 min |
| 7.2 | Crossplane | [COMPLEX] | 50-60 min |
| 7.3 | cert-manager | [MEDIUM] | 40-45 min |
| 3.4 | Kubebuilder | [COMPLEX] | 55 min |
| 3.5 | Cluster API | [COMPLEX] | 50 min |
| 3.6 | vCluster | [MEDIUM] | 40 min |
Learning Outcomes
After completing this toolkit, you will be able to:
- Deploy Backstage — Software catalog, TechDocs, templates
- Configure Crossplane — Self-service infrastructure APIs
- Manage certificates — Automated TLS with cert-manager
- Build platform foundations — Combine tools for developer experience
Tool Selection Guide
```
WHICH PLATFORM TOOL?
─────────────────────────────────────────────────────────────────

"I need a developer portal / service catalog"
└──▶ Backstage
     • Service ownership
     • Documentation hub
     • Golden path templates
     • Plugin ecosystem

"I need self-service infrastructure for developers"
└──▶ Crossplane
     • Kubernetes-native IaC (see [IaC Discipline](../../../disciplines/delivery-automation/iac/))
     • Custom APIs with Compositions
     • GitOps-friendly
     • Multi-cloud

"I need automated TLS certificate management"
└──▶ cert-manager
     • Let's Encrypt automation
     • Internal PKI
     • Certificate lifecycle
     • Ingress integration

PLATFORM STACK:
─────────────────────────────────────────────────────────────────

                    Developer Self-Service
─────────────────────────────────────────────────────────────────
                              │
         ┌────────────────────┼────────────────────┐
         │                    │                    │
         ▼                    ▼                    ▼
    ┌─────────┐        ┌─────────────┐        ┌─────────┐
    │Backstage│        │ Crossplane  │        │cert-mgr │
    │ Portal  │        │   Infra     │        │  TLS    │
    └─────────┘        └─────────────┘        └─────────┘
         │                    │                    │
         ▼                    ▼                    ▼
    Templates          Cloud Resources        Certificates
    Docs               (RDS, S3, etc)         (Auto-renewal)
    Catalog
```
The Platform Stack
```
┌─────────────────────────────────────────────────────────────────┐
│                INTERNAL DEVELOPER PLATFORM (IDP)                │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  DEVELOPER PORTAL                                               │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │  Backstage                                                │  │
│  │  • Service Catalog  • TechDocs  • Templates  • Plugins    │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                │                                │
│  SELF-SERVICE APIs                                              │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │  Crossplane Compositions                                  │  │
│  │  "Database" → RDS + Security Group + Monitoring           │  │
│  │  "Queue"    → SQS + DLQ + Alerts                          │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                │                                │
│  INFRASTRUCTURE                                                 │
│  ┌───────────────────────────────────────────────────────────┐  │
│  │  cert-manager  │  External Secrets  │  Ingress Controller │  │
│  │  (TLS)            (Secrets sync)       (Traffic routing)  │  │
│  └───────────────────────────────────────────────────────────┘  │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```
Study Path
```
Module 7.1: Backstage
     │
     │  Developer portal foundation
     │  Service catalog, docs, templates
     ▼
Module 7.2: Crossplane
     │
     │  Self-service infrastructure
     │  Custom APIs, GitOps
     ▼
Module 7.3: cert-manager
     │
     │  Automated TLS
     │  Certificate lifecycle
     ▼
[Toolkit Complete] → Developer Experience Toolkit
```
Key Concepts
Platform Engineering Principles
| Principle | Tool | Implementation |
|---|---|---|
| Self-service | Crossplane | Custom APIs for infrastructure |
| Golden paths | Backstage | Software templates |
| Discoverability | Backstage | Service catalog |
| Automation | cert-manager | Certificate lifecycle |
Building Blocks
```
PLATFORM BUILDING BLOCKS
─────────────────────────────────────────────────────────────────

PORTAL (Backstage)
├── Service Catalog    - What services exist?
├── Ownership          - Who owns what?
├── Documentation      - How do I use it?
├── Templates          - How do I create new things?
└── Plugins            - Kubernetes, CI/CD, monitoring

INFRASTRUCTURE (Crossplane)
├── Providers          - AWS, GCP, Azure
├── Managed Resources  - Direct cloud resources
├── Compositions       - Custom APIs
└── Claims             - Self-service requests

SECURITY (cert-manager)
├── Issuers            - Let's Encrypt, internal CA
├── Certificates       - TLS for services
├── Auto-renewal       - No manual intervention
└── Integration        - Ingress annotations
```
Integration Patterns
Backstage + Crossplane
```yaml
# Backstage template that creates Crossplane resources
apiVersion: scaffolder.backstage.io/v1beta3
kind: Template
metadata:
  name: microservice-with-database
spec:
  steps:
    - id: create-database
      name: Create Database
      action: kubernetes:apply
      input:
        manifest:
          apiVersion: platform.example.com/v1alpha1
          kind: DatabaseClaim
          metadata:
            name: ${{ parameters.name }}-db
          spec:
            size: small
```
Crossplane + cert-manager
```yaml
# Crossplane composition that includes certificate
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
spec:
  resources:
    - name: ingress
      base:
        apiVersion: networking.k8s.io/v1
        kind: Ingress
        metadata:
          annotations:
            cert-manager.io/cluster-issuer: letsencrypt-prod
```
Common Architectures
Full Platform Stack
```
COMPLETE PLATFORM ARCHITECTURE
─────────────────────────────────────────────────────────────────

                 Developer
                     │
                     │ Backstage UI
                     ▼
            ┌─────────────────┐
            │    Backstage    │
            │    (Portal)     │
            └────────┬────────┘
                     │
      ┌──────────────┼──────────────┐
      │              │              │
      ▼              ▼              ▼
┌───────────┐  ┌───────────┐  ┌───────────┐
│ Template  │  │  Catalog  │  │  Plugins  │
│ (create)  │  │  (view)   │  │ (extend)  │
└─────┬─────┘  └───────────┘  └───────────┘
      │
      │ Creates resources
      ▼
┌─────────────────────────────────────────┐
│               Kubernetes                │
│                                         │
│  ┌───────────┐  ┌───────────┐           │
│  │Crossplane │  │cert-manager│          │
│  │  Claim    │  │Certificate │          │
│  └─────┬─────┘  └─────┬─────┘           │
│        │              │                 │
└────────┼──────────────┼─────────────────┘
         │              │
         ▼              ▼
  Cloud Resources   TLS Certs
  (RDS, S3, etc)    (auto-renewed)
```
Hands-On Focus
| Module | Key Exercise |
|---|---|
| Backstage | Deploy portal, register service, create template |
| Crossplane | Create composition, provision cloud resource |
| cert-manager | Configure issuer, create certificate |
Related Tracks
- Before: Platform Engineering Discipline
- Before: IaC Discipline — Infrastructure as Code fundamentals
- Related: GitOps & Deployments — Deploy platform resources
- Related: Security Tools — Secure the platform
- Related: IaC Tools — Terraform, OpenTofu, Pulumi hands-on
- After: Developer Experience — Day-to-day tools
“A platform is successful when developers don’t need to think about infrastructure. These tools make that possible.”