Orchestrating SaaS Deployments

June 2025

James Lazo

Cutting Costs, Scaling Fast

Are you struggling with high cloud hosting costs or slow, unreliable deployment cycles for your customer applications or internal tools?

We recently helped an e-learning organization solve exactly these problems by building a powerful, automated platform. This platform allows them to instantly spin up secure, isolated training environments for thousands of students, drastically cutting their infrastructure costs and improving reliability.

This approach isn’t just for education. We can use this modern framework to help your business:

  • Launch new software (SaaS) features faster.
  • Onboard new clients seamlessly with dedicated, secure environments.
  • Reduce your monthly cloud bill by using resources more efficiently.

This post shows you the key technologies we use and, more importantly, what they achieve for your business.

Key Components

  • Kubernetes: With Kubernetes, your software runs reliably anywhere, just like a highly efficient, automated office building. It ensures maximum uptime.
  • ArgoCD (GitOps): Automated reliability. Every update, feature, or fix is deployed perfectly and automatically, every time. This eliminates human error and ensures zero deployment stress.
  • Rancher Server: A single management dashboard to manage all your applications and cloud environments from one user-friendly place, ensuring consistency and security across your entire business.
  • vClusters: Instead of renting a whole new, expensive server for every customer or test project, we create isolated, secure ‘virtual offices’ within one shared space. This results in massive cost savings and flexibility.
  • Keycloak: A rock-solid security layer. Your employees or customers use one secure login to safely access all your applications, meeting modern security and compliance standards.

How they work together

This section explains the end-to-end flow and responsibilities of each component and how they integrate to provide isolated, repeatable lab environments.

  1. GitOps source of truth (ArgoCD)

    • All cluster-level and application-level manifests (Helm charts, Kustomize overlays, YAML) live in Git. ArgoCD watches those repositories and continuously reconciles the desired state into one or more target clusters.
    • For Rancher itself, we typically deploy the Rancher Helm chart as an ArgoCD Application that targets a management cluster namespace (for example, cattle-system). ArgoCD ensures Rancher is upgraded or rolled back using the same declarative manifests.
  2. Rancher as the management plane

    • Rancher Server provides a user-friendly control plane to register and manage multiple Kubernetes clusters, including importing existing clusters and creating new ones through cloud providers or cluster API providers.
    • In this architecture Rancher runs as a workload in the management cluster. Students (or tenant teams) access the Rancher UI/API to browse clusters, create projects/namespaces, and view logs and workloads.
  3. vClusters for per-tenant isolation

    • vCluster creates a virtual Kubernetes control plane running inside a namespace on a host (physical) Kubernetes cluster. Each vCluster appears to users and toolchains like a standard Kubernetes cluster but shares the host resources and node pool.
    • Use-cases: ephemeral student clusters, safe experiments, and cost-efficient multi-tenancy without provisioning full clusters.
    • Provisioning flow: either use a job/operator (triggered by a Rancher custom action or an external controller) that creates a vCluster in a specified namespace, or keep vCluster manifests in Git and let ArgoCD reconcile per-tenant vCluster instances.
  4. Authentication and SSO (Keycloak)

    • Keycloak provides OIDC/SAML identity brokering. Rancher is configured as an OIDC client to Keycloak; users authenticate with Keycloak and Rancher maps their identity to Rancher roles.
    • For lab environments, integrate Keycloak with an identity source (LDAP/AD or GitHub) as needed, and create a realm and clients for Rancher and optionally for ArgoCD (so users can view ArgoCD via SSO).
  5. Typical GitOps workflow (student or instructor)

    • Instructor updates a course repo: adds a new vCluster Application overlay, or updates Helm values for a sample app.
    • ArgoCD reconciles and creates/updates the vCluster and sample workloads.
    • The student logs into Rancher (Keycloak SSO), selects their vCluster project/namespace, and interacts with workloads via the UI or kubectl (using the vCluster kubeconfig).
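
An added example (not code from the deployment described here) of the Git-driven provisioning path in step 3: a script that renders one Argo CD Application per tenant for the vCluster Helm chart and rejects tenant ids that cannot map to a dedicated namespace. The `vc-` prefix, the `labs` project, the `argocd` namespace and the chart version placeholder are assumptions.

```python
import json
import re

# Assumptions for this example: the public vCluster Helm chart repository, a
# placeholder chart version, and an Argo CD project named "labs" that is
# expected to allow only "vc-*" destination namespaces.
CHART_REPO = "https://charts.loft.sh"
CHART_VERSION = "CHART_VERSION_PLACEHOLDER"
NS_PREFIX = "vc-"
DNS_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")

def tenant_namespace(tenant: str) -> str:
    """Map a tenant id to its dedicated host namespace, or raise ValueError."""
    ns = NS_PREFIX + tenant
    # The fixed prefix means a tenant id can never resolve to a management
    # namespace such as cattle-system; fullmatch rejects "/", "." and newlines.
    if not DNS_LABEL.fullmatch(tenant) or len(ns) > 63:
        raise ValueError(f"tenant id {tenant!r} is not a safe DNS-1123 label")
    return ns

def vcluster_application(tenant: str) -> dict:
    """Argo CD Application that installs one vCluster into the tenant namespace."""
    ns = tenant_namespace(tenant)
    return {
        "apiVersion": "argoproj.io/v1alpha1",
        "kind": "Application",
        "metadata": {"name": ns, "namespace": "argocd"},
        "spec": {
            "project": "labs",
            "source": {"repoURL": CHART_REPO, "chart": "vcluster",
                       "targetRevision": CHART_VERSION,
                       "helm": {"releaseName": tenant}},
            "destination": {"server": "https://kubernetes.default.svc",
                            "namespace": ns},
            "syncPolicy": {"automated": {"prune": True, "selfHeal": True},
                           "syncOptions": ["CreateNamespace=true"]},
        },
    }

def render(tenants: list[str]) -> list[dict]:
    """Render all tenants; refuse duplicates so no two tenants share a namespace."""
    if len(set(tenants)) != len(tenants):
        raise ValueError("duplicate tenant id in roster")
    return [vcluster_application(t) for t in tenants]

if __name__ == "__main__":
    # Constructed sample roster; JSON output is also valid YAML for Git.
    print(json.dumps(render(["student-001", "student-002"]), indent=2))
```

Run as a pre-merge check on the course repo, this keeps every tenant in its own prefixed namespace before ArgoCD reconciles anything.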

Future Development

This deployment met the community’s need to launch highly customizable vCluster environments and has the potential to be further developed into a Kubernetes e-learning SaaS for other businesses in the education sector. ACS Tech is committed to helping your teams achieve their goals and unlock new paths forward.