Skip to main content
Version: 0.2.x

Choose the deployment path

Choose the tenancy model, security posture, bootstrap flow, and install path for a new deployment. The default path is multi-tenant, Hardened, self-init, and the standard install flow.

Default starting point

  • multi-tenant mode
  • Hardened profile
  • self-init enabled
  • External or ACME TLS
  • admission policies enabled
  • RollingUpdate until you need blue-green cutover control

Decision matrix

Default deployment decisions and exceptions

Default deployment decisions and exceptions.
Decision areaDefaultUse an alternative whenGo deeper
Tenancy modelMulti-tenantOne team directly owns one namespace and does not need the default tenant-onboarding model.Single-tenant mode
Security profileHardenedThis environment is strictly local development, CI, or short-lived evaluation.Security profiles
Bootstrap flowSelf-initYou are intentionally carrying a compatibility or controlled manual-bootstrap workflow.Self-initialization
TLS modeExternal or ACMEYou are in a non-Hardened environment and temporary operator-managed TLS convenience matters more than production trust requirements.TLS and identity
Installation pathHelmYou need raw-manifest overlays, source-based rendering, or install-time identity customization.Operator installation
Upgrade strategyRollingUpdateYou need parallel validation, manual promotion, or stronger cutover control than rolling upgrades provide.Cluster upgrades
Operator auth is not human auth

spec.selfInit.oidc.enabled: true bootstraps operator authentication only. Decide which human login path will be created as part of spec.selfInit.requests during bootstrap, then finalize the cluster design.

Exceptions that change the default path

  1. A

    Single-tenant mode

    Use this when one team owns one namespace and wants direct namespace-scoped operator control.

    Review
  2. B

    Operator identity and access

    Use this when you customize names, namespaces, JWT audience, or raw-manifest identity wiring.

    Review
  3. C

    Validated deployments

    Use a tested architecture or recipe when you want a validated starting point instead of building the path from scratch.

    Open

Check these decisions

  • Am I running multi-tenant or single-tenant mode?
  • Is this environment Hardened or Development?
  • If I stay multi-tenant, who creates the first OpenBaoTenant and in which namespace?
  • How will humans authenticate after the first cluster comes up?
  • Does Helm or raw manifests own the rendered operator identity?
  • What is my backup plan before the first production upgrade?

Continue the guided path

Install the operatorUse the supported install flow and verify the rendered controller identity.Onboard the target namespaceIn the default multi-tenant path, introduce the namespace through OpenBaoTenant, then create the first cluster.
Published release documentation

You are reading docs for version 0.2.x. Use the version menu to switch to next or another archived release.

Edit this page
Last updated on by openbao-operator-release-pr[bot]

Was this page helpful?

Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.

Needs work