Licensing & reference
Every component is upstream open source. This page documents the license, category, and upstream link for every component in the platform.
Core platform components
Core components ship with every OpenOva deployment. They form the operational foundation: networking, security, GitOps, observability, storage, and scaling.
| Component | Purpose | License | Upstream |
|---|---|---|---|
| OpenTofu | Bootstrap IaC (MPL 2.0) | MPL 2.0 | Link |
| Crossplane | Day-2 cloud resource provisioning | Apache 2.0 | Link |
| Cilium | CNI + Service Mesh (eBPF, mTLS, L7) | Apache 2.0 | Link |
| Envoy | L7 proxy (embedded in Cilium) | Apache 2.0 | Link |
| Coraza | WAF (OWASP CRS) | Apache 2.0 | Link |
| ExternalDNS | DNS sync to provider | Apache 2.0 | Link |
| k8gb | GSLB (authoritative DNS) | Apache 2.0 | Link |
| Flux | GitOps engine | Apache 2.0 | Link |
| Gitea | Internal Git + CI/CD | MIT | Link |
| cert-manager | TLS certificates | Apache 2.0 | Link |
| External Secrets | Secrets operator | Apache 2.0 | Link |
| OpenBao | Secrets backend (per cluster, MPL 2.0) | MPL 2.0 | Link |
| Trivy | Security scanning | Apache 2.0 | Link |
| Falco | Runtime security (eBPF) | Apache 2.0 | Link |
| Sigstore | Container image signing + verification | Apache 2.0 | Link |
| Syft + Grype | SBOM generation + vulnerability matching | Apache 2.0 | Link |
| Kyverno | Policy engine (validation, mutation, generation) | Apache 2.0 | Link |
| VPA | Vertical autoscaling | Apache 2.0 | Link |
| KEDA | Event-driven horizontal autoscaling | Apache 2.0 | Link |
| Reloader | Auto-restart on ConfigMap/Secret changes | Apache 2.0 | Link |
| Grafana Stack | Alloy, Loki, Mimir, Tempo, Grafana | AGPL 3.0 | Link |
| OpenTelemetry | Application tracing (auto-instrumentation) | Apache 2.0 | Link |
| OpenSearch | Hot SIEM backend | Apache 2.0 | Link |
| Harbor | Container/artifact registry | Apache 2.0 | Link |
| MinIO | Object storage | AGPL 3.0 | Link |
| Velero | Backup/restore | Apache 2.0 | Link |
| Continuum | Continuous availability orchestration | Apache 2.0 | — |
A la carte components
A la carte components are optional services deployed based on workload requirements. Data, AI/ML, communication, identity, workflow, and analytics services.
| Component | Purpose | License | Upstream |
|---|---|---|---|
| CNPG | PostgreSQL operator | Apache 2.0 | Link |
| FerretDB | MongoDB wire protocol on PostgreSQL | Apache 2.0 | Link |
| Strimzi | Apache Kafka streaming | Apache 2.0 | Link |
| Valkey | Redis-compatible cache | BSD 3-Clause | Link |
| ClickHouse | OLAP analytics | Apache 2.0 | Link |
| Stalwart | Email server (JMAP/IMAP/SMTP) | AGPL 3.0 | Link |
| STUNner | K8s-native TURN/STUN (WebRTC) | MIT | Link |
| LiveKit | Video/audio (WebRTC SFU) | Apache 2.0 | Link |
| Matrix | Team chat (federation) | Apache 2.0 | Link |
| Ntfy | Push notifications (HTTP/SSE/WebSocket) | Apache 2.0 / GPL 2.0 | Link |
| Temporal | Saga orchestration | MIT | Link |
| Flink | Stream + batch processing | Apache 2.0 | Link |
| Debezium | Change data capture (CDC) | Apache 2.0 | Link |
| Iceberg | Open table format (data lakehouse) | Apache 2.0 | Link |
| Superset | BI dashboards and data exploration | Apache 2.0 | — |
| KServe | Model serving | Apache 2.0 | Link |
| Knative | Serverless platform | Apache 2.0 | Link |
| vLLM | LLM inference | Apache 2.0 | Link |
| Milvus | Vector database | Apache 2.0 | Link |
| Neo4j | Graph database | GPL 3.0 (CE) | Link |
| LibreChat | Chat UI | MIT | Link |
| BGE | Embeddings + reranking | MIT | Link |
| LLM Gateway | Subscription proxy for Claude Code | Apache 2.0 | — |
| Anthropic Adapter | OpenAI-to-Anthropic translation | Apache 2.0 | — |
| NeMo Guardrails | AI safety firewall | Apache 2.0 | Link |
| LangFuse | LLM observability (traces, cost, eval) | MIT | Link |
| Keycloak | FAPI Authorization Server | Apache 2.0 | Link |
| OpenMeter | Usage metering | Apache 2.0 | Link |
| Litmus Chaos | Chaos engineering experiments | Apache 2.0 | Link |
Support model
All software free
- Every platform component — free forever
- All blueprints and manifests — open source
- Community edition = enterprise edition
- Self-service deployment — no gates
Per-vCPU-core subscription
- — Platform support SLA
- — Upgrade lifecycle management
- — Specter AI operational agents
- — Expert network access
Quick start
Common questions
Is all the software really free?
Yes. Every component, every blueprint, every manifest is free and open source. We charge only for per-vCPU-core platform support subscriptions. There is no feature gating, no open-core model, no freemium trap.
What happens if I stop paying for support?
Nothing breaks. Everything keeps running. You keep all code, all configurations, all blueprints. You lose the support SLA, Specter AI agents, upgrade lifecycle management, and expert network access. That is the exit strategy: do nothing.
Why per-vCPU-core pricing?
It scales linearly with actual infrastructure. No per-component charges, no per-node gotchas, no per-seat surprises. One metric covers the entire platform — every component for one subscription price.
Can I deploy without OpenOva support?
Absolutely. All blueprints are public. You can deploy the entire platform yourself. Many organizations start self-service and add support later when they need operational guarantees.
What licenses should I be aware of?
Most components use Apache 2.0. Notable exceptions: Grafana and MinIO (AGPL 3.0), OpenTofu and OpenBao (MPL 2.0), Neo4j Community Edition (GPL 3.0), Gitea (MIT). See the tables above for the full list.
How does OpenOva differ from Red Hat OpenShift?
OpenOva curates upstream open-source components — we don't fork or wrap them. You use the actual projects. We add proven interoperability blueprints and AI-native operations (Specter). You don't pay more for using more components.
Need something specific?
This documentation will grow. For now, the fastest way to get answers is to talk to us directly.