Split-controller control plane

Focused controllers, app-layer orchestration, narrow domain managers, and shared platform contracts keep workload churn, long-running operations, and status writes separated.

Controller split

Diagram

Controller split

Workload, admin operations, and status are separated so high-churn reconciliation, long-running workflows, and API status writes do not block each other.

Reference table

Controller responsibilities

Controller responsibilities.

Controller	Primary role	Why it stays separate
Workload	Reconciles workload-side certificate, bootstrap, networking, identity, initialization, and StatefulSet resources.	It handles high-churn pod and platform state and needs to react quickly.
AdminOps	Runs upgrades and backups.	Long-running workflows should not block pod recovery or normal reconciliation.
Status	Aggregates state and writes status updates.	Serializing status writes avoids ResourceVersion conflicts and keeps conditions stable.
OpenBaoRestore	Reconciles destructive restore workflows.	Restore needs its own lock-aware control surface instead of riding on normal cluster reconcile loops.
Provisioner	Reconciles OpenBaoTenant onboarding and namespace scaffolding.	Tenant guardrails belong to Day 0 provisioning, not to workload reconciliation.

Restore controller

Restores are reconciled through the separate OpenBaoRestore controller, which orchestrates restore Jobs and acquires the cluster operation lock before destructive work starts.

App orchestration and managers

Diagram

App-layer orchestration

Controllers hand off to narrow app-layer facades first, then into focused managers and shared lifecycle services. This keeps import surfaces small and responsibilities explicit.

Reference table

Manager boundaries

Manager boundaries.

Manager	Scope	Key reason for separation
Bootstrap manager	Renders config and prepares bootstrap prerequisites.	Config rendering and seal or self-init prerequisites change for different reasons than networking or StatefulSet mutation.
Networking manager	Owns Services, Gateway or Ingress resources, and workload network policy.	Reachability and network contract changes should not be coupled to config rendering or RBAC wiring.
Identity manager	Owns the workload ServiceAccount and tenant-scoped RBAC.	Workload identity and RBAC should evolve independently from networking and StatefulSet behavior.
Workload manager	Owns StatefulSet, PodDisruptionBudget, and rollout-safe workload mutation.	Replica intent, pod-template mutation, and rollout triggers belong close to the StatefulSet contract.
Cert manager	Handles operator-managed, ACME, and external TLS interactions.	TLS integration has its own dependency model and readiness surface.
Init manager	Coordinates initialization when self-init is disabled or needs confirmation.	Bootstrap logic is security-sensitive and distinct from normal steady-state reconcile work.
Upgrade / Backup / Restore managers	Run lock-aware disruptive operations.	These workflows share lifecycle helpers but own different risk profiles and side effects.
Provisioner manager	Onboards tenant namespaces and guardrails.	Tenant governance belongs to provisioning time, not to the cluster workload loop.

Shared contracts below managers

The controller and app layers coordinate managers, but some semantics stay below the manager boundary because they must stay uniform across multiple services.

Reference table

Shared contracts

Shared contracts.

Contract	Used by	Why it stays separate
Configuration service	Bootstrap manager and blue-green upgrade startup.	config.hcl semantics should stay in one place even though both workload bootstrap and upgrade orchestration need them.
Resource identity	Bootstrap, networking, identity, and workload managers.	Names, labels, and selectors define the managed-resource contract and should not drift across services.
Owned apply	Bootstrap, networking, identity, and workload managers.	Generic owner-ref-aware SSA apply behavior is a platform concern; object-specific exceptions still stay in the owning service.
Architecture boundary policy	Controllers, app packages, services, and selected platform packages.	Explicit service and adapter allowlists keep layered architecture rules enforced in CI instead of implied by convention alone.

Boundary contract

Controller, app, service, and selected platform import surfaces are intentionally narrow and enforced by generated architecture-boundary rules from .ast-grep/policy/architecture-boundaries.yml.

Deep dives

Workload managersBootstrap, networking, identity, and StatefulSet ownership on the workload reconcile path.Upgrade managerRollingUpdate and BlueGreen state transitions.Restore managerDestructive restore path and lock lifecycle behind OpenBaoRestore.Lifecycle architectureDay-by-day lifecycle flows that use these components.