>_ kunobi-forge

Coming Soon

Your infrastructure graph, resolved

A reactive infrastructure control plane for Kubernetes. Declare OpenTofu and Pulumi modules as CRDs — Forge builds the DAG, runs waves in parallel, and cascades on every output change

100%CRD-first

2IaC engines

0glue code

Connects to everything you run

app-db.yaml

kind: Template
spec:
 inputsFrom:
 subnet_ids: cluster.subnet_ids
 bucket: bucket.arn
 perRequest:
 selector: { has: team }

clusterProvision · active

OpenTofuoutputs: 4singleton

app-db3 Provisions · per team

×N

team-αteam-βteam-γ

declare · resolve · cascade

app-db.yaml

kind: Template
spec:
 inputsFrom:
 subnet_ids: cluster.subnet_ids
 bucket: bucket.arn
 perRequest:
 selector: { has: team }

clusterProvision · active

OpenTofuoutputs: 4singleton

app-db3 Provisions · per team

×N

team-αteam-βteam-γ

declare · resolve · cascade

>_ the-problem

IaC is powerful. Wiring it together is not

Hidden dependencies

Your VPC module outputs a cidr_block. Your subnet module needs it. You write the glue. Someone renames the output — you find out at apply time.

Unknown blast radius

You're about to change a shared networking module. Fourteen environments depend on it. You learn that at 2am when something breaks.

IaC isn't reactive

When a dependency changes, nothing downstream re-plans automatically. Drift builds up silently. You're always one missed run behind.

>_ architecture

One control plane. Six Kubernetes-native resources

Every concept is a real CRD or a real runtime object. There is no proprietary workflow engine hiding behind the scenes — kubectl sees everything.

step . 01

Template

OpenTofu / Pulumi module as CRD

step . 02

Request

dev submits . GitOps or API

step . 03

Policy

auto-approve or gate by label

step . 04

Provision

singleton or per-request

step . 05

Executor

plan + apply . destructive gated

step . 06

Cascade

output change → downstream re-plan

runs in your cluster.CRDs are the API.not a SaaS

>_ zero-new-languages

You write YAML. We handle the rest

Just Kubernetes YAML — no new DSL. Declare a schema and Forge validates inputsFrom references before any plan runs; type errors surface as K8s Events. Opt into CUE when you want typed patterns.

Dependency graph inferred from inputsFrom

Typed schemas validated before apply

Secrets resolved from K8s Secrets

One Provision per Request (per-team, per-env)

subnet-template.yaml

>_ per-request

One Template. N tenants. Zero duplicated YAML

Declare a Template once with perRequest.selector and Forge materialises an isolated Provision per matching Request — per team, per environment, per cluster.

1 Template

app-db.yaml

kind: Template
metadata:
 name: app-db
spec:
 perRequest:
 selector:
 has: team
  # one Provision
  # per matching Request

N Requests

Requestteam: alpha

Requestteam: beta

Requestteam: gamma

N Provisions

app-db-aisolated state

app-db-bisolated state

app-db-cisolated state

→ separate cloud resources→ separate state backend→ separate blast radius

Stop thinking about dependencies. Start shipping infrastructure

Deploy it to your cluster in minutes.

Available for:

macOSWindowsLinux