Skip to main content
Version: next

Provision the tenant boundary before any cluster exists.

Day 0 is the namespace and tenancy setup phase. The provisioner controller takes an OpenBaoTenant request, applies tenant-scoped RBAC and policy defaults, and leaves behind a namespace that is safe for later OpenBaoCluster creation.

At a glance

Starts with

  • OpenBaoTenant creation and target namespace selection
  • operator ServiceAccount identity and tenant policy defaults
  • admission dependencies that must exist before Secret access is widened

Primary owners

  • internal/controller/provisioner
  • internal/app/provisioner
  • internal/service/provisioner

Writes

  • tenant Role and RoleBinding resources
  • Secret reader and writer allowlist roles
  • Pod Security labels plus optional ResourceQuota and LimitRange defaults

Hands off to

  • a namespace that is ready for OpenBaoCluster creation
  • tenant operators who can now move into Day 1 cluster creation
  • later Secret allowlist sync as clusters appear or disappear

Architectural Placement

Day 0 provisioning uses the dedicated tenant-controller path:

  1. A cluster admin or namespace owner creates OpenBaoTenant.
  2. internal/controller/provisioner receives the reconcile event and delegates into internal/app/provisioner.
  3. internal/service/provisioner applies namespace-scoped RBAC, policy labels, allowlists, and quota defaults.

This keeps tenant onboarding separate from steady-state cluster reconciliation and makes the tenant boundary explicit before any workload resources exist.

Diagram

Day 0 provisioning flow

Provisioning establishes the namespace boundary first, then keeps Secret access aligned with the managed clusters that later appear in that namespace.

Reference table

Day 0 responsibilities

Day 0 responsibilities.
StagePrimary ownerWhy it matters
Namespace targetingProvisioner controller and app layer.Tenant provisioning must decide which namespace is allowed before any RBAC or policy defaults are applied.
Operator tenant RBACProvisioner manager.The operator needs enough namespace-scoped access to manage OpenBao resources there without defaulting to broad cluster-wide permissions.
Secret allowlistsProvisioner manager plus tenant Secret RBAC sync.Multi-tenant safety depends on explicit Secret access derived from actual managed cluster references.
Policy defaultsProvisioner manager.Pod Security labels and optional quotas give the namespace a safe baseline before a cluster is created.

Reference table

Safety boundaries

Safety boundaries.
ConcernProvisioning behavior
Self-service namespace scopeSelf-service tenants may target only their own namespace; cross-namespace provisioning is reserved for trusted centrally managed cases.
Admission readinessTenant Secret allowlists wait for admission-policy dependencies so Secret access is not widened before enforcement is available.
Shared RBAC lifecycleTenant RBAC avoids OwnerReferences that would let a single cluster deletion garbage-collect shared namespace permissions.
Cleanup timingProvisioned RBAC remains in place until managed clusters are gone, then the tenant finalizer can be released safely.

Continue the lifecycle

Day 1 creationFollow how a provisioned namespace hands off into first-cluster bootstrap and initialization.Provisioner managerOpen the deep dive for the exact namespace-scoped RBAC, allowlist, and cleanup contract.Tenant onboarding guideCompare the internal provisioning flow with the operator-facing onboarding steps.
Next release documentation

You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.

Was this page helpful?

Use Needs work to open a structured GitHub issue for this page. The Yes button only acknowledges the signal locally.

Needs work