Plexsphere makes a heterogeneous, multi-provider substrate (bare-metal, VMs, Kubernetes, and edge gateways, across clouds and on-prem) behave as one sovereign, coherent fabric. Identity, policy, secrets, mediated access, and provisioning, on open standards, over an encrypted WireGuard mesh of plexd agents: the socket an ecosystem of services plugs into, with no provider lock-in.
Infrastructure you can't move is infrastructure you don't control. A sovereign control plane: multi-provider, portable, no lock-in.
On top, the services you build. In the middle, plexsphere — one identity, one network, one policy, one secret store, one mediated-access and one provisioning model. Underneath, any substrate, from sovereign cloud to hyperscaler to the bare-metal rack in the back. Swap the bottom layer; the top never notices.
Identity: OIDC federation · ReBAC · per-Domain trust
Network: Encrypted WireGuard mesh across providers
Policy: L3/L4 rules · signed events · per-node enforcement
Secrets: OpenBao-backed · NSK-wrapped · no plaintext on nodes
Mediated access: SSH · kubectl · TCP · JWT-bounded, audited
Provisioning: KRM / Crossplane Blueprints, portable across clouds
Every cloud, every edge tier, every cluster exposes a different surface. Without a unifying control plane, each service has to be qualified per provider, so reach fragments, and the few players who can absorb that cost win. Plexsphere makes the substrate homogeneous enough to build on once and run anywhere.
Provider APIs, identity systems, network models and credential stores all differ. The abstraction always leaks (GPUs, storage classes, IAM), and the leak lands on whoever builds on top.
One identity model, one policy model, one provisioning model, one mediated-access model, across bare-metal, VMs, Kubernetes and edge, on any provider. The differences are reconciled below the line.
Services target the Plexsphere substrate, not a vendor. Near-zero cost of qualification, portable across providers and jurisdictions, self-hostable end to end.
Where lock-in hides, and where Plexsphere removes it
Provider IAM owns your users and roles. Plexsphere federates identity via OIDC and delegates auth to your IdP: no passwords, no per-cloud rewrite.
Provider VPCs and SDN own your topology. Plexsphere runs its own end-to-end encrypted WireGuard mesh: the same fabric on any provider.
Secrets pinned to one provider's KMS lock you in. Plexsphere keeps OpenBao as the root of trust: synced out, never stored in plexsphere's DB.
Proprietary IaC ties you to one API. Plexsphere provisions through versioned KRM / Crossplane Compositions: portable Blueprints, not vendor scripts.
VMs in a sovereign cloud VPC. Bare-metal in a national colo. Kubernetes clusters across providers. Edge devices behind residential NAT. On-prem, far edge, near edge, regional edge, cloud. Plexsphere treats every tier and every provider as one first-class Resource model.
Bare-metal: token-driven enrolment for racks plexsphere does not provision itself. systemd unit guidance, a reconciliation target, no surprises.
VMs: Cloud-Init injects the bootstrap token. Full lifecycle when provisioned via a Blueprint, plain enrolment when adopted.
Kubernetes: DaemonSet rollout, PlexdHook CRD discovery, audit-log ingestion. Optional managed push per Domain.
Gateways: relay fallback for NAT-bound peers, public ingress, site-to-site VPN, and operator-grade user-access providers.
Three planes, and the distinction matters: a claim like "plexsphere never sits in the data plane" is only precise under this taxonomy, and the browser-based terminal sits firmly in the session plane, not the data plane.
Control plane: config, signed events, policy, capability reports, session issuance, observability ingest, audit. Low bandwidth, high sensitivity.
Session plane: operator-initiated access of kind ssh · k8s · tcp. JWT-authenticated, ReBAC-checked, short-lived, audited.
Data plane: workload traffic between mesh members, encrypted end-to-end via WireGuard. Plexsphere has neither the keys nor the routing to participate.
Inspired by OpenStack Keystone. One Domain owns one mesh fabric, one identity realm, and (in SaaS) its own Ed25519 signing key. Below that, Projects are the day-to-day unit of ownership and policy.
Permissions are (subject, relation, object) tuples that flow along the Domain → Project → Resource hierarchy. Identities can span Domains. Groups are first-class: manually managed or IdP-synced from the OIDC groups claim.
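A minimal ReBAC check of the kind described above, as an added example in Go (not plexsphere's code): tuples are looked up on the object, then on each ancestor up the Domain → Project → Resource chain, and a user acts as itself plus every group it belongs to. The type names, the relation-implication table and the sample hierarchy are assumptions made for this example.

```go
package main

import "fmt"

// Tuple is one (subject, relation, object) permission tuple. Subjects are
// "user:<name>" or "group:<name>"; objects are typed IDs such as
// "domain:acme", "project:acme/payments", "resource:acme/payments/node-7".
type Tuple struct {
	Subject, Relation, Object string
}

// Store holds tuples, group membership and the parent links of the
// Domain -> Project -> Resource hierarchy. Names are assumptions for this
// example, not plexsphere's schema.
type Store struct {
	tuples  []Tuple
	parents map[string]string          // object -> parent object
	members map[string]map[string]bool // group -> set of member subjects
}

func NewStore() *Store {
	return &Store{parents: map[string]string{}, members: map[string]map[string]bool{}}
}

func (s *Store) AddTuple(subject, relation, object string) {
	s.tuples = append(s.tuples, Tuple{subject, relation, object})
}

func (s *Store) SetParent(object, parent string) { s.parents[object] = parent }

// AddMember records group membership, whether managed by hand or synced
// from the IdP's OIDC groups claim.
func (s *Store) AddMember(group, subject string) {
	if s.members[group] == nil {
		s.members[group] = map[string]bool{}
	}
	s.members[group][subject] = true
}

// implied maps a relation to the permissions it grants: admin covers
// write and read, write covers read.
var implied = map[string][]string{
	"admin": {"admin", "write", "read"},
	"write": {"write", "read"},
	"read":  {"read"},
}

// actingAs returns the subject itself plus every group it belongs to.
func (s *Store) actingAs(subject string) map[string]bool {
	set := map[string]bool{subject: true}
	for group, ms := range s.members {
		if ms[subject] {
			set[group] = true
		}
	}
	return set
}

// Check answers "may subject perform permission on object?". A grant on an
// ancestor flows down, so admin on domain:acme covers every Project and
// Resource beneath it. The walk is depth-bounded to survive a mis-configured
// parent cycle.
func (s *Store) Check(subject, permission, object string) bool {
	acting := s.actingAs(subject)
	obj := object
	for depth := 0; obj != "" && depth < 8; depth++ {
		for _, t := range s.tuples {
			if t.Object != obj || !acting[t.Subject] {
				continue
			}
			for _, p := range implied[t.Relation] {
				if p == permission {
					return true
				}
			}
		}
		obj = s.parents[obj]
	}
	return false
}

// SampleStore builds a constructed hierarchy: one Domain, two Projects, one
// Resource each, with grants at different levels.
func SampleStore() *Store {
	s := NewStore()
	s.SetParent("project:acme/payments", "domain:acme")
	s.SetParent("project:acme/analytics", "domain:acme")
	s.SetParent("resource:acme/payments/node-7", "project:acme/payments")
	s.SetParent("resource:acme/analytics/node-2", "project:acme/analytics")
	s.AddTuple("user:alice", "admin", "domain:acme")           // Domain admin
	s.AddTuple("user:bob", "read", "project:acme/payments")    // Project-scoped reader
	s.AddTuple("group:sre", "write", "project:acme/analytics") // group grant
	s.AddMember("group:sre", "user:carol")                     // e.g. from the groups claim
	return s
}

func main() {
	s := SampleStore()
	fmt.Println(s.Check("user:alice", "write", "resource:acme/payments/node-7")) // true
	fmt.Println(s.Check("user:bob", "write", "resource:acme/payments/node-7"))   // false
	fmt.Println(s.Check("user:bob", "read", "resource:acme/analytics/node-2"))   // false
	fmt.Println(s.Check("user:carol", "write", "resource:acme/analytics/node-2")) // true
}
```

Note that bob's read grant on one Project gives nothing in the sibling Project: grants flow down the hierarchy, never sideways, which is what makes the Project the usable unit of day-to-day ownership.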
Plexsphere never stores passwords and never runs its own second factor. 2FA, OTP, WebAuthn, and step-up auth are always handled by the IdP and consumed via the standard amr/acr claims.
Crossplane drives cloud APIs on plexsphere's behalf inside a Project-dedicated namespace of an assigned management cluster. OpenBao is the root of trust for cloud credentials; ESO (External Secrets Operator) syncs them into that namespace. A rotation in OpenBao propagates without human hands.
New Resources enrol into the mesh the moment they boot; the Blueprint bakes the bootstrap token into Cloud-Init, DaemonSet, or Helm values.
Blueprints such as hetzner-vm-node, aws-eks-cluster-daemonset, openstack-vm-node, bridge-gateway-public-ipv4, …bootstrap-token
Plexsphere is not the destination; it is the standardized interface between the services people actually run and the infrastructure underneath. Build a service against the substrate once; it stays portable across providers, regions, and jurisdictions.
OIDC-federated identities and ReBAC authorisation flow Domain → Project → Resource. Services consume the same identity model on any provider, with no per-cloud IAM rewrite.
KRM / Crossplane provisioning, signed events over SSE, an OpenAPI surface generated from the source of truth. The same contract whether the substrate is one provider or many.
Per-Domain signing keys, IdP-delegated auth, secrets wrapped per node, full self-host. No provider, and no platform operator, sits in the data path or owns the trust anchors.
Everything the Dashboard can do, plexctl and the REST API can do too. No second-class surface, no behind-the-scenes private endpoints.
A full-featured operator UI built on one design system. Identities, Resources, Policies, Sessions, Audit, Provisioning: every quadrant of the platform.
Scriptable, predictable. Same authorisation model as the dashboard. Pipe outputs, drive CI, automate the boring parts.
Versioned under /v1, with an OpenAPI surface generated from the source of truth. Signed-event semantics surface as a normal SSE stream.
Deliberately boring at the edge. Opinionated in the center. plexd is a thin, deterministic reconciliation agent; plexsphere owns the model, the schedule, and the trust anchors. Bounded contexts, not a tangle of services.
Issue Domain-scoped identities and short-TTL bootstrap tokens. Resources enrol on first boot via Cloud-Init, DaemonSet, or manual injection.
Pairwise PSKs, Curve25519 rotation, NAT endpoint tracking, and pre-computed relay-fallback assignments per node.
Per-node long-lived SSE streams with Ed25519-signed envelopes, nonce/timestamp replay protection, and reconciliation-pull fallback.
Per-Domain Ed25519 signing key (SaaS) or shared platform key (self-hosted). HSM / KMS-backed. Rotation with transition window.
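The two preceding points, signed SSE envelopes with replay protection and a signing-key rotation window, as one added example in Go. This is not plexsphere's wire format: the field names, hex/JSON encoding, 16-byte nonce and the "verify signature before touching state" ordering are assumptions made here. The verifier holds several accepted key IDs at once, which is what a rotation transition window amounts to on the agent side.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"time"
)

// Envelope is the signed wrapper carried on the SSE stream (assumed shape).
type Envelope struct {
	KeyID     string          `json:"kid"`
	Nonce     string          `json:"nonce"`
	Timestamp int64           `json:"ts"` // unix seconds
	Type      string          `json:"type"`
	Payload   json.RawMessage `json:"payload"`
	Signature string          `json:"sig,omitempty"`
}

// signingBytes is the canonical Ed25519 input: every field except the
// signature, so kid, nonce, timestamp, type and payload are all covered.
func (e *Envelope) signingBytes() ([]byte, error) {
	c := *e
	c.Signature = ""
	return json.Marshal(c)
}

// Sign wraps payload into a fresh envelope under key kid.
func Sign(priv ed25519.PrivateKey, kid, typ string, payload any, now time.Time) ([]byte, error) {
	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e := Envelope{KeyID: kid, Nonce: hex.EncodeToString(nonce), Timestamp: now.Unix(), Type: typ, Payload: body}
	msg, err := e.signingBytes()
	if err != nil {
		return nil, err
	}
	e.Signature = hex.EncodeToString(ed25519.Sign(priv, msg))
	return json.Marshal(e)
}

var (
	ErrUnknownKey = errors.New("unknown signing key id")
	ErrBadSig     = errors.New("signature verification failed")
	ErrStale      = errors.New("timestamp outside skew window")
	ErrReplay     = errors.New("nonce already seen")
)

// Verifier is the agent-side state: the keys currently accepted (old and new
// overlap during a rotation window) and the nonces seen inside the window.
type Verifier struct {
	keys    map[string]ed25519.PublicKey
	maxSkew time.Duration
	seen    map[string]int64 // nonce -> ts
}

func NewVerifier(maxSkew time.Duration) *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, maxSkew: maxSkew, seen: map[string]int64{}}
}

func (v *Verifier) AddKey(kid string, pub ed25519.PublicKey) { v.keys[kid] = pub }
func (v *Verifier) RemoveKey(kid string)                       { delete(v.keys, kid) }

// Verify checks the signature first, so an unauthenticated sender cannot
// probe or fill the replay cache, then the freshness window, then the nonce.
func (v *Verifier) Verify(raw []byte, now time.Time) (*Envelope, error) {
	var e Envelope
	if err := json.Unmarshal(raw, &e); err != nil {
		return nil, err
	}
	pub, ok := v.keys[e.KeyID]
	if !ok {
		return nil, ErrUnknownKey
	}
	sig, err := hex.DecodeString(e.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return nil, ErrBadSig
	}
	msg, err := e.signingBytes()
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return nil, ErrBadSig
	}
	if d := now.Sub(time.Unix(e.Timestamp, 0)); d > v.maxSkew || d < -v.maxSkew {
		return nil, ErrStale
	}
	// Nonces older than the window can no longer pass the skew check, so
	// forgetting them bounds the cache without weakening replay protection.
	for n, ts := range v.seen {
		if now.Unix()-ts > int64(v.maxSkew/time.Second) {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[e.Nonce]; dup {
		return nil, ErrReplay
	}
	v.seen[e.Nonce] = e.Timestamp
	return &e, nil
}
```

The skew window and the replay cache are one mechanism, not two: the window is what lets the cache stay small, and the cache is what makes the window safe. Without the nonce set, any event captured inside the window could be re-delivered; without the window, the set would grow forever. Rotation is handled by calling AddKey for the new key ID before the control plane starts signing with it and RemoveKey for the old one only after the transition window has passed.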
Declarative L3/L4 policy scoped to a Domain's mesh IPs, compiled to per-node rulesets and pushed via signed policy_updated events.
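How a Domain-wide declarative rule set becomes per-node rulesets, as an added example in Go (not plexsphere's compiler): label selectors pick source and destination nodes, nodes outside the Domain's mesh prefix are ignored so a rule can never name a foreign address, and each node receives only the inbound lines that concern it, sorted so identical policy compiles to identical output. The rule schema, the mesh prefix, the node list and the nftables-style rendering are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// Node is a mesh member: its Domain-assigned mesh IP and its labels.
type Node struct {
	Name   string
	MeshIP string
	Labels map[string]string
}

// Rule is one declarative L3/L4 allow: traffic from nodes matching From to
// nodes matching To on Proto/Port (assumed shape). Anything not allowed is
// denied by the node's default policy.
type Rule struct {
	Name     string
	From, To map[string]string // label selectors; every pair must match
	Proto    string            // "tcp" or "udp"
	Port     uint16
}

// NodeRule is one line of a node's compiled inbound ruleset.
type NodeRule struct {
	Rule  string
	Src   netip.Addr
	Proto string
	Port  uint16
}

type member struct {
	Node
	addr netip.Addr
}

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Compile turns Domain-wide rules into a per-node inbound ruleset. Every
// in-prefix node gets an entry, even an empty one, so "no rules" is an
// explicit default-deny state rather than a missing key.
func Compile(meshPrefix netip.Prefix, nodes []Node, rules []Rule) (map[string][]NodeRule, error) {
	var members []member
	for _, n := range nodes {
		a, err := netip.ParseAddr(n.MeshIP)
		if err != nil {
			return nil, fmt.Errorf("node %s: %w", n.Name, err)
		}
		if meshPrefix.Contains(a) { // out-of-Domain addresses never enter a ruleset
			members = append(members, member{n, a})
		}
	}
	out := map[string][]NodeRule{}
	for _, m := range members {
		out[m.Name] = []NodeRule{}
	}
	for _, r := range rules {
		if r.Proto != "tcp" && r.Proto != "udp" {
			return nil, fmt.Errorf("rule %s: unsupported proto %q", r.Name, r.Proto)
		}
		for _, dst := range members {
			if !matches(r.To, dst.Labels) {
				continue
			}
			for _, src := range members {
				if matches(r.From, src.Labels) {
					out[dst.Name] = append(out[dst.Name], NodeRule{r.Name, src.addr, r.Proto, r.Port})
				}
			}
		}
	}
	for _, rs := range out { // deterministic order: same policy, same bytes on every node
		sort.Slice(rs, func(i, j int) bool {
			if rs[i].Src != rs[j].Src {
				return rs[i].Src.Less(rs[j].Src)
			}
			return rs[i].Port < rs[j].Port
		})
	}
	return out, nil
}

// Render emits a node's ruleset as nftables-style lines (assumed target format).
func Render(rs []NodeRule) []string {
	lines := make([]string, 0, len(rs))
	for _, r := range rs {
		lines = append(lines, fmt.Sprintf("ip saddr %s %s dport %d accept comment %q", r.Src, r.Proto, r.Port, r.Rule))
	}
	return lines
}

// SamplePolicy is constructed input: three mesh nodes, one stray node with an
// address outside the Domain prefix, and two allow rules.
func SamplePolicy() (netip.Prefix, []Node, []Rule) {
	return netip.MustParsePrefix("10.42.0.0/16"),
		[]Node{
			{"web-1", "10.42.0.2", map[string]string{"role": "web"}},
			{"api-1", "10.42.0.3", map[string]string{"role": "api"}},
			{"db-1", "10.42.0.4", map[string]string{"role": "db"}},
			{"stray", "192.168.1.9", map[string]string{"role": "db"}},
		},
		[]Rule{
			{"web-to-api", map[string]string{"role": "web"}, map[string]string{"role": "api"}, "tcp", 8443},
			{"api-to-db", map[string]string{"role": "api"}, map[string]string{"role": "db"}, "tcp", 5432},
		}
}
```

The point of the prefix check is scoping: a policy belongs to one Domain, and a node that is not on that Domain's mesh (the stray entry above) produces no rules and receives none, regardless of its labels. Determinism is what makes a compiled ruleset comparable across pushes, which is the basis for detecting a node whose applied policy has drifted from the expected one.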
Short-lived, JWT-bound, audited access of kind ssh / k8s / tcp, through the mesh, never via public exposure.
Trigger built-in or hook-based actions on one node or a label-selected fleet. Collect results, track per-node capability inventories.
Per-node capability manifests (built-in actions, declared hooks, PlexdHook CRDs). Drift detection gates scheduling.
Secrets are stored encrypted at rest and delivered wrapped in the target node's NSK. Plaintext is never persisted on the node side.
Platform-owned metadata and data; agent-owned reports. Delivered over signed SSE with reconciliation-pull fallback.
Schema'd labels at Platform / Domain / Project scope. Selectors target policies, bulk actions, observability scopes, and cloud-tag propagation.
Batched metrics, logs, and audit events flow inbound. Dashboards, alerting, and long-term retention sit on top of one consistent stream.
Versioned plexd binaries, Sigstore-signed, with Fulcio cert + Rekor inclusion proof. Drives the service.upgrade action.
Every administrative action recorded. Tamper-evident chain. Built for SIEM export, not retro-fitted.
No provider owns the fabric, the identity realm, or the keys. Build your ecosystem on a substrate you can self-host, audit, and move across providers and jurisdictions, on open standards, with no lock-in.