Version: next

Default production path

  • Multi-tenant mode
  • Hardened profile
  • Self-init enabled
  • External or ACME TLS
  • Admission policies enabled
  • RollingUpdate until you need blue-green cutover control

Decision matrix

Stay on the default path unless one of these is true

| Decision area     | Default          | Branch only when                                                                                                                                  | Go deeper             |
|-------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------|
| Security profile  | Hardened         | This environment is strictly local development, CI, or short-lived evaluation.                                                                    | Security profiles     |
| Bootstrap flow    | Self-init        | You are intentionally carrying a compatibility or controlled manual-bootstrap workflow.                                                           | Self-initialization   |
| TLS mode          | External or ACME | You are in a non-Hardened environment and temporary operator-managed TLS convenience matters more than production trust requirements.             | TLS and identity      |
| Installation path | Helm             | You need raw-manifest overlays, source-based rendering, or install-time identity customization.                                                   | Operator installation |
| Upgrade strategy  | RollingUpdate    | You need parallel validation, manual promotion, or stronger cutover control than rolling upgrades provide.                                        | Cluster upgrades      |
Operator auth is not human auth

spec.selfInit.oidc.enabled: true bootstraps operator authentication only. Before you move on, decide which human login path will be created as part of spec.selfInit.requests during bootstrap.

Branch only when you need one of these exceptions

  1. Single-tenant mode

     Use this when one team owns one namespace and wants direct namespace-scoped operator control.

  2. Operator identity and access

     Use this when you customize names, namespaces, JWT audience, or raw-manifest identity wiring.

  3. Validated deployments

     Use a tested architecture or recipe when you want a known-good starting point instead of building a path from scratch.

Do not move on until you can answer these plainly

  • Am I running multi-tenant or single-tenant mode?
  • Is this environment Hardened or Development?
  • If I stay multi-tenant, who creates the first OpenBaoTenant and in which namespace?
  • How will humans authenticate after the first cluster comes up?
  • Does Helm or raw manifests own the rendered operator identity?
  • What is my backup plan before the first production upgrade?

Next release documentation

You are reading the unreleased main docs. Use the version menu for the newest published release, or check the release notes for what is already out.
