Steven's Knowledge

Internal Developer Platforms

Backstage, Port, Cortex, Humanitec - service catalogs, golden paths, and self-service portals that turn infrastructure into a product for developers

Internal Developer Platforms

An Internal Developer Platform (IDP) is the product you build for your engineers. Not the cluster. Not the CI pipeline. The portal through which engineers discover, create, deploy, observe, and own software — without becoming Kubernetes experts.

The term "platform engineering" gained currency around 2022 as the industry realized that "give every team kubectl and good luck" produces neither productivity nor consistency. An IDP packages cluster, pipeline, monitoring, secrets, and policies into a small set of self-service paths.

Why an IDP

Without IDPWith IDP
Each team writes their own Helm chart from scratchGolden path templates generate the chart
"How do I create a new service?" → 3-week Slack journey"Create new service" button + 5 min
Production access through DM-ing the SRE on callSelf-service via signed-off workflows
Service docs scattered or absentService catalog with single page per service
Onboarding new engineer = 2 weeks of context-gatheringNew engineer ships first PR day 2
Platform team is a bottleneck for every teamPlatform team builds the product; teams self-serve
Compliance state requires hand-built auditsCatalog is the compliance answer

The IDP doesn't replace the underlying tools (Kubernetes, CI, Vault, monitoring). It composes them into the experience engineers want.

The Three Layers

A real IDP has three layers:

┌────────────────────────────────────────────┐
│  Developer Portal (Backstage / Port)       │  ← what engineers see
│  - Catalog, docs, scaffolders, dashboards  │
├────────────────────────────────────────────┤
│  Platform Orchestrator (Crossplane / Humanitec / Kratix)
│  - Templates → real resources             │
│  - One API for "create a service"          │
├────────────────────────────────────────────┤
│  Underlying tools                          │
│  - Kubernetes, CI/CD, secrets, monitoring  │
└────────────────────────────────────────────┘

Some teams skip the orchestrator and call cloud / cluster APIs directly. Some skip the portal and ship CLI tools. The full stack is more powerful but you don't need it on day one.

The Players

Developer portals

ToolBest for
Backstage (Spotify)Most popular OSS portal; CNCF; plugin ecosystem; needs investment
PortSaaS / hosted; no-code config; fast time-to-value
CortexSaaS; strong service catalog + scorecards; opinionated
OpsLevelSaaS; catalog + maturity tracking
RoadieHosted Backstage
Configure8Newer; auto-discovery focus

Platform orchestrators

ToolBest for
CrossplaneCloud resources as K8s CRDs; GitOps-friendly
HumanitecWorkload abstraction; multi-environment
KratixPromise-based; aligned with platform-as-product
ScoreWorkload spec, vendor-neutral

Scaffolders / golden paths

Many portals include scaffolding. Standalone:

  • Cookiecutter — Python-based templating
  • Yeoman — Node-based
  • Backstage Templates — most popular today

For a fresh stack: Backstage + Crossplane is the OSS reference architecture. Port + your existing cluster is the fast-start commercial alternative.

What a Golden Path Provides

A "golden path" or "paved road" is a template that handles the 80% case end-to-end. Example for a new Go HTTP service:

  1. Scaffold a repo with directory structure, Dockerfile, README
  2. Add CI workflow with linting, tests, image build, push
  3. Generate Kubernetes manifests (Deployment, Service, Ingress, NetworkPolicy)
  4. Wire OpenTelemetry instrumentation
  5. Create dashboards in Grafana (auto-template per service)
  6. Configure secrets template in Vault
  7. Add to service catalog
  8. Open a PR to the GitOps repo to start deploying

The engineer fills in a form (service name, language, team), clicks "create," and the platform produces all of that in a few minutes. Day one of a new service, ready.

Service Catalog

The catalog is the map of your software. For each service:

apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
  name: checkout-service
  description: Handles checkout flow
  tags: [golang, payments, public-facing]
  annotations:
    github.com/project-slug: my-org/checkout-service
    pagerduty.com/integration-key: ...
    grafana/dashboard-selector: 'service=checkout'
    backstage.io/techdocs-ref: dir:.
spec:
  type: service
  lifecycle: production
  owner: team-payments
  system: payments-platform
  dependsOn:
    - resource:postgres-checkout-db
    - component:user-service
  consumesApis:
    - user-service-api

From this, the portal shows:

  • Owner + on-call rotation
  • Repos and pipelines
  • Live dashboards
  • Open incidents
  • Dependencies (visual graph)
  • API contracts
  • Documentation (TechDocs)
  • SLO status

A new engineer landing on the page understands the service in 5 minutes instead of 5 weeks.

Scorecards and Maturity

Most IDPs include scorecards that grade each service against standards:

CheckService AService B
Has on-call rotation
README has runbook section
80%+ test coverage
All endpoints have SLOs
No critical CVEs in image
Last deployment < 30 days

Teams see their gaps. Leadership sees fleet-wide trends. Compliance auditors get evidence. Cortex makes this its core product; Backstage has plugins for it.

Don't make scorecards punitive at first. Make them visible. Teams self-correct when their service stands out.

Learning Path

1. Getting Started

Stand up Backstage locally; register a service in the catalog; create a scaffolder template; deploy a generated service

2. Patterns

Golden paths, scorecards, RBAC, secrets workflows, Crossplane for cloud resources, multi-cluster routing

3. Best Practices

Platform as product, adoption, scaling the platform team, common pitfalls, when not to build an IDP

When Not to Build an IDP

Honest cases:

  • Under ~10 engineers. A wiki + a CLI tool serves you. Building Backstage is overhead until you have multiple teams to align.
  • Single product team. IDP is most valuable when teams need to find each other's stuff. If everyone knows everything, no IDP needed.
  • You think it's a tool not a product. Installing Backstage doesn't make an IDP. The IDP is the templates, paths, and policies — they need a product owner.
  • Without platform team buy-in. An IDP without a team that maintains it goes stale in 6 months; engineers route around it.

The IDP industry has burned through a generation of failed Backstage installs because of this last one. The tool is 20% of the work; the product is 80%.

Backstage in 60 Seconds

The architecture:

  • Catalog — services, APIs, websites, resources, users, groups
  • Scaffolder — runs templates to bootstrap things
  • TechDocs — docs in markdown next to code, rendered in portal
  • Plugins — everything else (CI status, Datadog, PagerDuty, GitHub, …)

Catalog entries live in catalog-info.yaml files in each service repo; Backstage discovers and ingests them. Templates live in template repos; the portal calls them.

The plugin ecosystem is enormous (50+) — and uneven. Curate carefully.

The IDP paradox: the more invisible the platform, the more successful it is. Engineers shouldn't think "I'm using the IDP" — they should think "I shipped a service this morning, it took 10 minutes." The IDP succeeds when it disappears into the work. If you find yourself selling the IDP internally with slide decks, the product probably isn't fit yet.

On this page

Internal Developer PlatformsWhy an IDPThe Three LayersThe PlayersDeveloper portalsPlatform orchestratorsScaffolders / golden pathsWhat a Golden Path ProvidesService CatalogScorecards and MaturityLearning PathWhen Not to Build an IDPBackstage in 60 Seconds