Introduce namespaces deliberately instead of letting the operator discover them.

OpenBaoTenant is the namespace-introduction contract in the default multi-tenant model. It tells the operator which namespace should become an authorized tenant and lets the control plane create the RBAC and guardrails that make shared operation safe.

Diagram

OpenBaoTenant is the namespace introduction point

The Provisioner reacts to OpenBaoTenant, introduces the namespace boundary, and only then can the rest of the operator safely manage cluster resources there.

Decision matrix

What OpenBaoTenant owns

What OpenBaoTenant owns.

Surface	Why it exists	What it is not
Namespace introduction	The operator only acts on namespaces that were introduced explicitly.	It is not broad namespace discovery or a cluster-wide wildcard.
Tenant RBAC	The Provisioner creates the namespace-scoped RBAC the operator needs to manage OpenBao resources there.	It is not a request to grant arbitrary Secret access to tenant users.
Default guardrails	Tenant quotas, limit ranges, and namespace guardrail labels can be introduced as part of onboarding.	It is not per-cluster tuning for the OpenBao workload itself.

Decision matrix

Choose the governance model

Choose the governance model.

Model	Who creates the request	Best fit	Tradeoff
Self-service	Namespace owners create OpenBaoTenant in their own namespace.	High-trust platform environments where teams already own namespace boundaries.	The request can only target the same namespace and uses default guardrails.
Centrally managed	Platform admins create OpenBaoTenant from the operator namespace.	Stricter environments that want review, auditability, or custom tenant guardrails.	The platform team owns more of the namespace introduction workflow.

API contract

spec.targetNamespace is immutable after creation. If the target namespace changes, delete and recreate the OpenBaoTenant instead of trying to mutate it in place.

Continue from the concept into the task

Onboard the target namespaceUse the step-by-step task page when you are ready to create the OpenBaoTenant request.Create your first clusterReturn to the main path once the namespace introduction is complete.Open multi-tenant securityGo deeper on the isolation model when you need the security reasoning behind the shared-operator path.