{"id":51025492,"url":"https://github.com/altikva/elpio","last_synced_at":"2026-06-21T19:30:37.105Z","repository":{"id":362546249,"uuid":"1259358416","full_name":"altikva/elpio","owner":"altikva","description":"Turn any Kubernetes cluster into a private serverless platform — self-hosted Cloud Run / Functions / Tasks. An Altikva product (formerly A4C).","archived":false,"fork":false,"pushed_at":"2026-06-04T21:01:15.000Z","size":21,"stargazers_count":0,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-04T21:18:20.007Z","etag":null,"topics":["altikva","cloud-run","cncf","faas","keda","knative","kubernetes","kubernetes-operator","platform-engineering","scale-to-zero","serverless"],"latest_commit_sha":null,"homepage":"https://elpio.io","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/altikva.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-04T12:33:21.000Z","updated_at":"2026-06-04T20:40:55.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/altikva/elpio","commit_stats":null,"previous_names":["altikva/elpio"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/altikva/elpio","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/altikva%2Felpio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/altikva%2Felpio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/altikva%2Felpio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/altikva%2Felpio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/altikva","download_url":"https://codeload.github.com/altikva/elpio/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/altikva%2Felpio/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34623906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-21T02:00:05.568Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["altikva","cloud-run","cncf","faas","keda","knative","kubernetes","kubernetes-operator","platform-engineering","scale-to-zero","serverless"],"created_at":"2026-06-21T19:30:36.712Z","updated_at":"2026-06-21T19:30:37.100Z","avatar_url":"https://github.com/altikva.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/img/elpio-cli.svg\" alt=\"The elpio CLI landing screen: banner, command list, and examples\" width=\"760\"\u003e\n\u003c/p\u003e\n\n**Turn any Kubernetes cluster into a private serverless platform.**\n\n---\n\n**Elpio** is an installable, self-hosted **Cloud Run / Cloud Functions / Cloud Tasks** for\nyour own Kubernetes — scale-to-zero, request-driven autoscaling, simplified cluster + node\nautoscaling, and a clean multi-tenant model. GKE-first, **portable by design** (EKS / AKS / k3s).\n\nElpio is an [Altikva](https://altikva.com) open-source product (MIT for code, CC-BY-4.0 for\ndocs). The name is a coined mark rooted in Greek *elpis* (\"hope\") — part of the Altikva family\nlineage *ha-tikva* (Hebrew) → *Spero* (Latin) → *Elpio*.\n\n\u003e **Status: alpha (v0.1.0).** All four reconcilers ship: `ElpioService` (Knative/KEDA serving),\n\u003e `ElpioFunction` (Tekton + Buildpacks), `ElpioTask` (KEDA + broker), and `ElpioTenant` (namespace,\n\u003e RBAC, quotas, network isolation). Alongside them: OIDC auth, an admission webhook, a multi-cluster\n\u003e management API, a Helm chart, and CI. The operator emits Prometheus metrics and Kubernetes Events,\n\u003e and every CR carries `status.conditions`, so the sibling agent\n\u003e [Spero](https://github.com/altikva/spero) can supervise and heal them. Released images are signed\n\u003e (keyless cosign) and ship an SBOM. The kind-based e2e harness runs per engine in CI behind\n\u003e `ELPIO_E2E=1`.\n\n## Why\n\nElpio does **not** reimplement a serverless runtime. It's the opinionated, enterprise control\nplane that assembles proven CNCF primitives — **Knative**, **KEDA**, **Tekton**, **cert-manager**,\n**Karpenter** — behind a declarative CRD/operator model. Its value is the enterprise wrapper the\npublic clouds don't give you: on-prem security integration, hard multi-tenancy, golden-path\nconfig, fleet management, and a one-command installer.\n\n## How it works\n\nYou declare an `ElpioService`; the **operator** reconciles it onto a serving engine. No SSH, no\nimperative `kubectl apply` scripts — just Kubernetes-native reconciliation.\n\n```yaml\napiVersion: elpio.io/v1alpha1\nkind: ElpioService\nmetadata:\n  name: hello\nspec:\n  image: ghcr.io/knative/helloworld-go:latest\n  scaling: { minScale: 0, maxScale: 10, target: 100, metric: concurrency }\n```\n\nThe operator renders the engine objects, owns them (so they garbage-collect with the CR), and\nwrites back `.status`:\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/img/elpio-operator.svg\" alt=\"elpio operator reconcile log: rendering Knative Services and reporting success\" width=\"720\"\u003e\n\u003c/p\u003e\n\n| CRD | Equivalent | Engine |\n|-----|-----------|--------|\n| `ElpioService` | Cloud Run | Knative Serving (default) or KEDA |\n| `ElpioFunction` | Cloud Functions | Tekton + Buildpacks → `ElpioService` |\n| `ElpioTask` | Cloud Tasks | KEDA + broker + dispatcher |\n\nThe serving engine is a **strategy** (`ELPIO_ENGINE=knative|keda`) behind one stable CRD —\nKnative for the highest Cloud Run parity, KEDA for a lighter footprint.\n\nEach `ElpioService` also supports:\n\n- **Env from secrets** — `env[].valueFrom` (Secret / ConfigMap keys), bulk `envFrom`, and\n  `externalSecrets` synced from an external store via the External Secrets Operator, so nothing\n  sensitive lives inline in the spec.\n- **Custom domains + automatic TLS** — set `ingress.host` (and `ingress.tls: true`) to get a\n  Knative `DomainMapping` plus a cert-manager `Certificate` for the host.\n- **Traffic splitting** — pin `traffic` percentages across named revisions (Knative engine).\n\n```yaml\nspec:\n  image: ghcr.io/acme/api:1.4.0\n  env:\n    - name: DB_PASSWORD\n      valueFrom: { secretKeyRef: { name: db-creds, key: password } }\n  ingress: { host: api.example.com, tls: true }\n  traffic:\n    - { revisionName: api-00002, percent: 80 }\n    - { latestRevision: true, percent: 20 }\n```\n\n## Observability\n\nThe operator emits Kubernetes **Events** on reconcile transitions and, when `ELPIO_METRICS=1`,\nexposes **Prometheus** metrics on `:9095` (`ELPIO_METRICS_PORT` to change it):\n`elpio_reconcile_total{kind,result}`, `elpio_reconcile_duration_seconds`, and\n`elpio_services_ready`. An `ElpioService` only reports `Ready` once its rendered child (Knative\nService or KEDA `ScaledObject`) is itself Ready. Because every CR exposes `status.conditions`, you\ncan run the bundled in-cluster [Spero](https://github.com/altikva/spero) supervisor with\n`--set spero.enabled=true` on the Helm chart.\n\n## Security\n\nA few install-time knobs harden a deployment:\n\n- **Restrict images.** Set `webhook.allowedRegistries` to a comma-separated allowlist (for\n  example, `ghcr.io/altikva,registry.mycorp.io`) so the admission webhook only admits images\n  from registries you trust. Leaving it empty accepts images from any registry, which is the\n  default for the base install.\n- **Tighten admission further.** Opt in to `ELPIO_BAN_LATEST=1` to reject mutable `:latest` image\n  tags, and `ELPIO_REQUIRE_REQUESTS=1` to require CPU/memory requests on every service.\n- **Admission webhook needs cert-manager.** The webhook serves over TLS, so the cluster must\n  have cert-manager installed for `webhook.enabled: true` to work.\n- **Management API requires OIDC.** The fleet management API fails closed: without\n  `ELPIO_OIDC_JWKS_URI` (and the matching issuer and audience) configured, it rejects requests\n  rather than running unauthenticated. Cluster credentials are never returned in API responses,\n  and cluster bearer tokens can be sourced from a Secret (`tokenSecretRef`) instead of inline.\n- **Least-privilege operator RBAC.** The operator's `bind`/`escalate` rights are scoped to the\n  built-in `admin`/`edit`/`view` ClusterRoles a Tenant binds, so it can never grant an arbitrary\n  role.\n- **Verify what you run.** Released images are signed with keyless **cosign** and ship an **SBOM**,\n  so you can verify provenance before deploying.\n\n## Quickstart\n\n```bash\npip install elpio                  # the elpio CLI\n\n# point kubectl at any cluster (kind, minikube, GKE, EKS, ...) that has a\n# serving engine installed — Knative Serving (default) or KEDA.\nelpio install                      # applies the CRDs + operator\nelpio deploy -f hello.yaml         # the ElpioService shown above\nelpio services                     # list ElpioServices\nelpio status hello                 # readiness, conditions, URL\nelpio logs hello                   # stream the service's logs\nelpio delete hello\n```\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/img/elpio-usage.svg\" alt=\"elpio services and elpio status listing two ready ElpioServices with their engine and URL\" width=\"800\"\u003e\n\u003c/p\u003e\n\nWorking from a clone instead? `task e2e-up` provisions kind + Knative/KEDA, and\n`task operator-run` runs the operator locally (`kopf run -m elpio.operator.handlers`).\n\n## Development\n\n```bash\ntask dev      # editable install + dev deps\ntask unit     # unit tests (no cluster)\ntask lint     # ruff\ntask e2e      # end-to-end (needs a kind cluster + Knative/KEDA)\n```\n\n## Layout\n\n```\nsrc/elpio/\n  models/      ElpioService / Task spec (Pydantic mirror of the CRDs)\n  engines/     serving-engine strategy: base + knative + keda\n  providers/   portability seams: StateStore (in-memory / file), IdentityProvider (OIDC)\n  operator/    kopf reconcilers + Events/metrics\n  webhook/     admission policy (image allowlist, ban :latest, require requests)\n  api/         multi-cluster fleet management API (OIDC-gated)\n  dispatcher/  ElpioTask brokers (Redis / RabbitMQ / NATS) with creds + TLS\n  tenant.py    ElpioTenant rendering (namespace, RBAC, quotas, NetworkPolicy)\n  cli.py       the `elpio` command\ndeploy/        CRDs + operator manifests (+ Helm chart, optional Spero)\ndocs/          architecture \u0026 guides\n```\n\n## License\n\nCode: [MIT](LICENSE). Docs \u0026 branding: [CC-BY-4.0](LICENSE-docs).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faltikva%2Felpio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faltikva%2Felpio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faltikva%2Felpio/lists"}