ArchitectureDiagram.ai logoArchitectureDiagram.ai
Back to blog

Internal Developer Platform Architecture: Backstage, Crossplane & ArgoCD (2026)

How to design and diagram an Internal Developer Platform (IDP). Covers the Backstage developer portal, Crossplane for infrastructure provisioning, ArgoCD for GitOps delivery, golden paths, and the five IDP planes — with AI prompt templates.

R
Ryan·Senior AI Engineer
·

Internal Developer Platform (IDP) architecture diagrams represent the most significant evolution in DevOps tooling in 2026. Where the previous decade was defined by teams assembling DIY pipelines from individual tools, the IDP pattern formalizes the platform as a product with an explicit self-service interface, reducing cognitive load on application developers. Gartner projects that 80% of large software engineering organizations will have platform engineering teams by 2026. An IDP architecture diagram needs to capture the full stack: the developer-facing portal, the infrastructure control plane, the delivery plane, security controls, and the observability layer — not just the CI/CD pipeline alone. This guide covers the IDP reference architecture built on the “Golden Triangle” of Backstage + Crossplane + ArgoCD and how to diagram each layer.

The five planes of an IDP architecture

A mature IDP is organized into five functional planes, each addressing a different concern. Your architecture diagram should show all five and how they interact:

  • Developer Control Plane: The self-service interface developers interact with — the Backstage portal (software catalog, scaffolder templates, TechDocs, plugin ecosystem). Developers create new services, provision infrastructure, check service health, and find documentation here — without opening a ticket to the platform team.
  • Integration & Delivery Plane: The CI/CD infrastructure that takes code from commit to production — GitHub Actions, Tekton, or Jenkins for CI; ArgoCD or Flux for GitOps delivery to Kubernetes. The delivery plane is triggered by the scaffolder's golden path templates.
  • Resource Plane: The infrastructure control plane that provisions cloud resources on demand — Crossplane (XRDs/Compositions for self-service databases, buckets, queues), Terraform Cloud/Atlantis, or Pulumi Automation API. Developers request “a PostgreSQL database” from a catalog template; the resource plane provisions it without manual intervention.
  • Security Plane: Policy enforcement and secrets management integrated into the platform — OPA/Gatekeeper or Kyverno for Kubernetes admission policies, Vault or AWS Secrets Manager for dynamic secrets, SAST/SCA in the CI pipeline (enforced, not advisory), and image scanning with policy gates (Trivy + Cosign image signing).
  • Monitoring & Observability Plane: Automatic instrumentation for every service created via the platform — OpenTelemetry SDK injected via a sidecar or init container, traces forwarded to Tempo/Jaeger, metrics to Prometheus/Thanos, logs to Loki. Backstage's Grafana plugin surfaces this data in the catalog.

The Golden Triangle: Backstage + Crossplane + ArgoCD

  • Backstage (Developer Control Plane): The developer portal and software catalog. CNCF graduated project (2022), adopted by Spotify, Netflix, American Airlines, and thousands of enterprises. Key components: Software Catalog (service registry), Scaffolder (golden path templates that generate new repos, provision infrastructure), TechDocs (markdown docs as code, rendered in the portal), plugins (hundreds of integrations: GitHub, PagerDuty, Kubernetes, Datadog, Vault).
  • Crossplane (Resource Plane): Kubernetes-native infrastructure provisioning using the same declarative API model as Kubernetes. Platform engineers define Composite Resource Definitions (XRDs) — abstract resources like “AppDatabase” or “MessageQueue” — which compose lower-level provider resources (AWS RDS, Azure Service Bus). Developers request these abstract resources and Crossplane fulfills them. Providers exist for AWS, Azure, GCP, and dozens of other services.
  • ArgoCD (Delivery Plane): GitOps continuous delivery. ArgoCD watches Git repositories and reconciles the cluster state to match the declared manifests. Platform teams use ApplicationSets to automatically create ArgoCD Applications for every new service registered in Backstage. App-of-apps patterns let the platform define which teams own which cluster namespaces.

The golden path flow: developer to production

The “golden path” is the IDP's core value proposition — a paved road that gets developers from idea to deployed service without toil. Diagramming the golden path flow shows how the five planes interact:

  • Developer opens Backstage and uses a Scaffolder template (“Create New Service”)
  • Scaffolder creates a GitHub repository from the template, pre-configured with CI pipeline, Dockerfile, Helm chart, OpenTelemetry instrumentation, and catalog-info.yaml
  • Scaffolder calls Crossplane to provision required infrastructure (a PostgreSQL database XRD, an S3 bucket)
  • Crossplane creates the actual AWS RDS instance and S3 bucket; credentials injected into Kubernetes secrets via External Secrets Operator + Vault
  • ArgoCD ApplicationSet detects the new catalog-info.yaml and creates an ArgoCD Application for the new service
  • Developer pushes code; GitHub Actions runs CI (build, test, SAST, image scan, push to ECR with Cosign signature)
  • ArgoCD detects the new image tag in the Helm values file (updated by CI) and syncs the deployment to staging
  • After testing, developer approves promotion; ArgoCD syncs to production
  • Backstage catalog shows the service health, deployment status, docs, and Grafana dashboards — all in one place

Prompt examples for IDP architecture diagrams

Full IDP reference architecture

"Internal Developer Platform architecture on Kubernetes (EKS). Five planes: (1) Developer Control Plane: Backstage portal (deployed in platform-tools namespace) — Software Catalog fed by GitHub catalog-info.yaml autodiscovery, Scaffolder with 5 golden path templates (microservice, lambda function, data pipeline, ML model service, static site), TechDocs, and plugins: GitHub, ArgoCD, Kubernetes, Grafana, PagerDuty. (2) Integration & Delivery Plane: GitHub Actions for CI (build → test → SAST with Semgrep → Trivy image scan → Cosign sign → push to ECR). ArgoCD for GitOps delivery, ApplicationSets for auto-creating applications from catalog-info.yaml. Three clusters: dev, staging, prod. (3) Resource Plane: Crossplane with provider-aws installed, XRDs: AppDatabase (provisions RDS PostgreSQL), MessageQueue (provisions SQS), ObjectStore (provisions S3 + CloudFront). External Secrets Operator syncs credentials from AWS Secrets Manager to Kubernetes secrets. (4) Security Plane: Kyverno policies (require resource limits, disallow privileged containers, require approved base images), OPA/Gatekeeper for cost tags. Vault for dynamic database credentials. (5) Observability Plane: OpenTelemetry Collector (DaemonSet) → traces to Tempo, metrics to Prometheus → Thanos for long-term storage, logs to Loki. Grafana with pre-provisioned dashboards per service. Show all five planes, the golden path flow from Backstage scaffolder to production deployment, and the data flows between planes."

Backstage software catalog architecture

"Backstage Software Catalog architecture showing the entity graph. Entity types: Services (microservices, APIs), Components (frontend apps, libraries, data pipelines), Resources (databases, queues, S3 buckets), Systems (logical groupings of components), Domains (business capability groupings), Users and Groups (org structure from Okta sync). Discovery: GitHub App scans all repos for catalog-info.yaml files → ingested into Backstage catalog backend (PostgreSQL DB). Entity relationships: Service A 'dependsOn' Resource (RDS database); Service A 'partOf' System; System 'partOf' Domain; Service A 'ownedBy' Group. Show the Backstage backend processing pipeline: GitHub → catalog processor → entity validator → PostgreSQL catalog DB → Backstage frontend. Annotate the catalog refresh interval (15 minutes) and manual refresh via GitHub webhook. Include: TechDocs rendering pipeline (MkDocs → S3 → served via Backstage TechDocs plugin)."

Crossplane infrastructure composition

"Crossplane architecture for self-service infrastructure. Platform layer: Crossplane installed in platform-system namespace. Provider: provider-aws (manages IAM, RDS, S3, SQS, ElastiCache). Composite Resource Definitions (XRDs): (1) AppDatabase — developer requests this abstract resource; Crossplane Composition creates: RDS PostgreSQL instance, parameter group, subnet group, security group, random password in Secrets Manager, ExternalSecret to sync password to app namespace. (2) AppCache — Crossplane creates ElastiCache Redis replication group, security group, parameter group. (3) AppQueue — Crossplane creates SQS FIFO queue with DLQ, IAM policy, IRSA role binding. Developer workflow: Scaffolder template generates Kubernetes manifest requesting an AppDatabase claim → applied via ArgoCD → Crossplane reconciles and creates AWS resources → credentials auto-injected into app's namespace. Show: developer claim → XRD → Composition → managed resources (in AWS), and the credential injection path through External Secrets Operator."

IDP vs traditional DevOps tooling

ConcernTraditional DevOps (2020)IDP approach (2026)
New service creationManual: copy template repo, file Jira ticket for infra, configure CI manuallySelf-service: Backstage scaffolder creates repo + infra in <5 minutes
Infrastructure provisioningManual Terraform runs by infra team, ticket-basedSelf-service via Crossplane XRD claims in Git
Service discoverySpreadsheets, Confluence, word-of-mouthBackstage software catalog with real-time health data
Security policyChecklists, PR reviews, manual compliance sign-offAutomated policy enforcement via Kyverno/OPA, mandatory in pipeline
Observability setupManual: add SDK, configure exporter, create dashboard per serviceAuto-instrumented at platform layer; dashboards provisioned from templates

What to annotate on an IDP architecture diagram

  • Plane boundaries: Clearly label each of the five planes. Platform engineers need to understand which team owns which plane and where responsibility boundaries lie.
  • Golden path vs escape hatch: Show both the golden path (the supported, opinionated route) and the escape hatch (direct access to underlying tools for teams that need it). An IDP without an escape hatch becomes a bottleneck.
  • Kubernetes cluster topology: Show how many clusters exist (platform management cluster vs. workload clusters), what runs in each, and how ArgoCD manages cross-cluster deployments.
  • Team topology alignment: Annotate which team owns which plane — typically platform engineering owns Developer Control + Resource planes, SRE owns Observability, Security owns the Security plane. This prevents “platform team as bottleneck” anti-patterns.
  • Developer journey time: The most compelling IDP metric is “time from idea to production for a new service.” Annotate the target time on the golden path flow diagram (e.g., “<30 minutes”). This makes the platform's value proposition tangible.

Related guides: platform engineering diagrams, GitOps architecture diagrams, Kubernetes architecture diagrams, OpenTelemetry architecture, and platform engineering use cases.

Ready to try it yourself?

Start Creating - Free