Install
The whole platform is one Helm chart with one values file. You set a base domain, choose a TLS mode, pick a few high-level toggles, and install. The chart brings up the gateway, control plane, database, identity, observability, and console together.
Prerequisite
Make sure your cluster meets the Requirements first — Kubernetes ≥ 1.28, a default StorageClass, a base domain, and a way to issue a wildcard certificate.
Deployment topology
1. Add the chart repository
The chart is published as an OCI artifact. Authenticate to the registry if required, then you can install directly from the OCI reference.
helm registry login ghcr.io   # if your registry requires auth
2. Write your values file
Create a values.yaml that captures the decisions for this environment. The minimum is your domain, a TLS mode, identity, and a bootstrap admin:
global:
  baseDomain: ai-gateway.example.com
  subdomainSeparator: "."   # "." for two-level names, "-" for single-level under a parent wildcard
  highAvailability: false   # true for production multi-replica
tls:
  mode: letsencrypt         # letsencrypt | provided | selfsigned
  letsencrypt:
    email: platform@example.com
    dns01:
      provider: cloudflare
      dnsZone: example.com
sso:
  mode: google              # google | mock (mock is dev/test only)
  emailDomain: example.com
controlPlane:
  enabled: true
  bootstrapAdmin:
    enabled: true
    email: admin@example.com   # the first person who can sign in and configure everything
postgres:
  enabled: true             # control plane needs its database
Secrets (provider keys, OIDC client secret, database passwords) live in a separate, git-ignored values file or in pre-existing Kubernetes Secrets — never in the file you commit. See Configuration and Hardening.
Keep secrets out of git
Set secrets.createFromValues: true and supply a local secrets file, or set it to false and reference existing Secrets managed by Vault/sealed-secrets. Do not put credentials in your main values.yaml.
3. Install
helm install opsta-ai-gateway oci://ghcr.io/opsta/charts/opsta-ai-gateway \
--namespace opsta-ai-gateway --create-namespace \
  -f values.yaml -f secrets-values.yaml
The chart installs the required operators (cert-manager, CloudNativePG, Redis operator) unless you tell it to reuse existing ones.
4. Wait for readiness
The control plane runs database migrations and a first reconcile before it reports ready — this guarantees the gateway is never half-configured.
kubectl -n opsta-ai-gateway rollout status deploy/control-plane
kubectl -n opsta-ai-gateway get pods
$ kubectl -n opsta-ai-gateway get pods
NAME                                    READY   STATUS    RESTARTS   AGE
console-7c9b8c476f-9q4md                1/1     Running   0          12m
console-oauth2-proxy-6b746965fd-2xk8p   1/1     Running   0          12m
control-plane-5d5bf75cc8-hg82g          1/1     Running   0          12m
gateway-higress-7d8c9b6f54-p7w2n        1/1     Running   0          14m
keycloak-0                              1/1     Running   0          13m
opsta-pg-1                              1/1     Running   0          13m
redis-0                                 1/1     Running   0          13m
5. Point DNS and sign in
Create a wildcard DNS record for *.your-domain pointing at the gateway's ingress (or configure the Cloudflare Tunnel). Then open https://console.your-domain and sign in as the bootstrap admin.
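A preflight check you can run on values.yaml before step 3, written here as an added example (it is not part of the chart or its tooling). It parses the nested key/value layout from step 2, enforces the documented tls.mode and sso.mode choices, treats sso.mode: mock together with highAvailability: true as a misconfiguration (an inference from the comments above, since mock is dev/test only and HA marks production), and flags credential-looking keys so they stay out of the committed file; the key-name pattern and the letsencrypt email requirement are this example's own assumptions.

```python
import re

SECRET_KEY_RE = re.compile(r"secret|password|apikey|token", re.IGNORECASE)  # assumed heuristic
# Constructed sample values file mirroring the layout in step 2 (trailing comments are allowed).
SAMPLE_VALUES = """\
global:
  baseDomain: ai-gateway.example.com
  highAvailability: false  # true for production multi-replica
tls:
  mode: letsencrypt
  letsencrypt:
    email: platform@example.com
sso:
  mode: google
"""

def parse_simple_yaml(text):
    # Parses the nested "key: value" subset the chart values use (no lists, no multi-line scalars).
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"): continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        while stack and stack[-1][0] >= indent: stack.pop()  # climb back to the enclosing mapping
        parent = stack[-1][1] if stack else root
        if value == "": stack.append((indent, parent.setdefault(key, {})))
        else: parent[key] = {"true": True, "false": False}.get(value, value)
    return root

def find_secret_keys(tree, path=""):
    # Returns dotted paths of leaf keys whose names look like credentials.
    hits = []
    for key, val in tree.items():
        dotted = f"{path}.{key}" if path else key
        if isinstance(val, dict): hits += find_secret_keys(val, dotted)
        elif SECRET_KEY_RE.search(key): hits.append(dotted)
    return hits

def preflight(text):
    # Returns a list of problems; an empty list means the values file passes.
    v, problems = parse_simple_yaml(text), []
    tls_mode = v.get("tls", {}).get("mode")
    if tls_mode not in ("letsencrypt", "provided", "selfsigned"):
        problems.append(f"tls.mode must be letsencrypt|provided|selfsigned, got {tls_mode!r}")
    elif not v["tls"].get("letsencrypt", {}).get("email") and tls_mode == "letsencrypt":
        problems.append("tls.letsencrypt.email is required for the letsencrypt mode")
    if v.get("sso", {}).get("mode") == "mock" and v.get("global", {}).get("highAvailability") is True:
        problems.append("sso.mode=mock is dev/test only; not allowed with highAvailability=true")
    problems += [f"credential-looking key in committed values: {p}" for p in find_secret_keys(v)]
    return problems
```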
Next steps
- Configuration — the full config surface, grouped by concern.
- TLS & domains — certificates and subdomains in detail.
- High availability — turn on multi-replica production mode.