Platform Setup

KubeStack+ uses two GitOps repositories as the source of truth for your entire platform — one for cluster-level infrastructure (tenants, quotas, namespaces) and one for application workloads (deployments, environments). Setting these up is the first thing you do after your cluster is provisioned.

This section covers the one-time bootstrap sequence and the ongoing self-service tasks for managing access, networking, and teams.


Concepts

Read these before you start if you are new to the GitOps model KubeStack+ uses:


Bootstrap

Run these steps once, in order, when your cluster is first provisioned:

  1. Configure the infra GitOps repository — define tenants, quotas, and cluster-level resources
  2. Configure the apps GitOps repository — register your applications and environments for GitOps delivery
  3. Connect your identity provider — federate your existing IdP into your Keycloak realm
  4. Configure user access — assign roles to your teams

Identity & Access

Identity providers

Federate your organization's existing accounts so users can log in without a separate password:

| Provider | Guides |
|----------|--------|
| Keycloak | Connect Keycloak |
| Google | Connect Google |
| Azure AD | Azure AD overview — connect + group sync |
| SAML | Connect SAML |

Access control

Define what authenticated users are allowed to do:


Networking

By default, applications are reachable on the cluster's built-in domain. Configure networking when you need your own domain name, TLS certificates, or automated DNS management.

| Scenario | Guide |
|----------|-------|
| Serve an application on your own domain | Configure custom domains |
| Add TLS to a public single hostname (no DNS credentials needed) | Use http-01 certificate challenges |
| Wildcard certificate or cluster without public internet access | Configure TLS certificates |

Day-2 Operations

Recurring tasks for managing your platform after bootstrap:


Once your platform is set up, head to Deploy to deploy your first application.