🌐 เอกสารภาษาไทยกำลังจัดทำ — เนื้อหาด้านล่างเป็นภาษาอังกฤษชั่วคราว จนกว่าจะมีการแปล. This page is not yet translated; English content is shown temporarily.
Install
The whole platform is one Helm chart with one values file. You set a base domain, choose a TLS mode, pick a few high-level toggles, and install. The chart brings up the gateway, control plane, database, identity, observability, and console together.
Prerequisite
Make sure your cluster meets the Requirements first — Kubernetes ≥ 1.28, a default StorageClass, a base domain, and a way to issue a wildcard certificate.
Deployment topology
1. Add the chart repository
The chart is published as an OCI artifact. Authenticate to the registry if required, then you can install directly from the OCI reference.
helm registry login ghcr.io # if your registry requires auth2. Write your values file
Create a values.yaml that captures the decisions for this environment. The minimum is your domain, a TLS mode, identity, and a bootstrap admin:
global:
baseDomain: ai-gateway.example.com
subdomainSeparator: "." # "." for two-level names, "-" for single-level under a parent wildcard
highAvailability: false # true for production multi-replica
tls:
mode: letsencrypt # letsencrypt | provided | selfsigned
letsencrypt:
email: platform@example.com
dns01:
provider: cloudflare
dnsZone: example.com
sso:
mode: google # google | mock (mock is dev/test only)
emailDomain: example.com
controlPlane:
enabled: true
bootstrapAdmin:
enabled: true
email: admin@example.com # the first person who can sign in and configure everything
postgres:
enabled: true # control plane needs its databaseSecrets (provider keys, OIDC client secret, database passwords) live in a separate, git-ignored values file or in pre-existing Kubernetes Secrets — never in the file you commit. See Configuration and Hardening.
Keep secrets out of git
Set secrets.createFromValues: true and supply a local secrets file, or set it to false and reference existing Secrets managed by Vault/sealed-secrets. Do not put credentials in your main values.yaml.
3. Install
helm install opsta-ai-gateway oci://ghcr.io/opsta/charts/opsta-ai-gateway \
--namespace opsta-ai-gateway --create-namespace \
-f values.yaml -f secrets-values.yamlThe chart installs the required operators (cert-manager, CloudNativePG, Redis operator) unless you tell it to reuse existing ones.
4. Wait for readiness
The control plane runs database migrations and a first reconcile before it reports ready — this guarantees the gateway is never half-configured.
kubectl -n opsta-ai-gateway rollout status deploy/control-plane
kubectl -n opsta-ai-gateway get pods$ kubectl -n opsta-ai-gateway get pods
NAME READY STATUS RESTARTS AGE
console-7c9b8c476f-9q4md 1/1 Running 0 12m
console-oauth2-proxy-6b746965fd-2xk8p 1/1 Running 0 12m
control-plane-5d5bf75cc8-hg82g 1/1 Running 0 12m
gateway-higress-7d8c9b6f54-p7w2n 1/1 Running 0 14m
keycloak-0 1/1 Running 0 13m
opsta-pg-1 1/1 Running 0 13m
redis-0 1/1 Running 0 13m5. Point DNS and sign in
Create a wildcard DNS record for *.your-domain pointing at the gateway's ingress (or configure the Cloudflare Tunnel). Then open https://console.your-domain and sign in as the bootstrap admin.
Next steps
- Configuration — the full config surface, grouped by concern.
- TLS & domains — certificates and subdomains in detail.
- High availability — turn on multi-replica production mode.