This guide deploys the Carbide REST control plane running on an existing Kubernetes cluster. For a full explanation of each component and production configuration options, see INSTALLATION.md.
Prerequisites:
- Kubernetes cluster (v1.27+) with cluster-admin access
- cert-manager installed (v1.13+)
- helm v3, kubectl, docker, make

```bash
REGISTRY=my-registry.example.com/carbide
TAG=v1.0.0
make docker-build IMAGE_REGISTRY=$REGISTRY IMAGE_TAG=$TAG
for image in carbide-rest-api carbide-rest-workflow carbide-rest-site-manager \
             carbide-rest-site-agent carbide-rest-db carbide-rest-cert-manager; do
  docker push "$REGISTRY/$image:$TAG"
done
```

Then update the images: stanza in each overlay under deploy/kustomize/overlays/ with your registry and tag.

```bash
kubectl create namespace carbide-rest
kubectl apply -f deploy/kustomize/base/postgres/namespace.yaml
kubectl apply -f deploy/kustomize/base/temporal-helm/namespace.yaml
```

```bash
./scripts/gen-site-ca.sh
```

Creates ca-signing-secret in both carbide-rest and cert-manager namespaces. This is the trust anchor for all TLS in the deployment — every certificate issued to Carbide REST workloads traces back to it.
To bring your own CA instead, see INSTALLATION.md — Step 2.
If you already have a PostgreSQL instance, skip the PostgreSQL apply and go straight to Step 7 (migrations). See INSTALLATION.md — Step 3 for the databases and users that must exist.

```bash
# PostgreSQL
kubectl apply -k deploy/kustomize/base/postgres
kubectl rollout status statefulset/postgres -n postgres
# Keycloak
kubectl apply -k deploy/kustomize/base/keycloak
```

```bash
# Internal PKI service
kubectl kustomize --load-restrictor LoadRestrictionsNone \
  deploy/kustomize/overlays/cert-manager | kubectl apply -f -
# ClusterIssuer for cert-manager.io
kubectl apply -k deploy/kustomize/base/cert-manager-io
# Shared secrets and Temporal client certificate
kubectl apply -k deploy/kustomize/base/common
```

```bash
# Apply namespace, DB credentials, and TLS Certificate resources
kubectl apply -k deploy/kustomize/base/temporal-helm
# Wait for cert-manager to issue the three Temporal TLS secrets
kubectl get secret server-interservice-certs server-cloud-certs server-site-certs -n temporal
# Install via the Helm chart vendored in this repo
helm install temporal temporal-helm/temporal \
  --namespace temporal \
  --values temporal-helm/temporal/values-kind.yaml
# Create cloud and site Temporal namespaces
kubectl exec -it -n temporal deployment/temporal-admintools -- \
  temporal operator namespace create cloud --address temporal-frontend.temporal:7233
kubectl exec -it -n temporal deployment/temporal-admintools -- \
  temporal operator namespace create site --address temporal-frontend.temporal:7233
```

```bash
kubectl kustomize --load-restrictor LoadRestrictionsNone \
  deploy/kustomize/overlays/db | kubectl apply -f -
kubectl wait --for=condition=complete job/carbide-rest-db-migration \
  -n carbide-rest --timeout=120s
```

```bash
# Site CRD must be applied before site-manager
kubectl apply -f deploy/kustomize/base/site-manager/site-crd.yaml
kubectl kustomize --load-restrictor LoadRestrictionsNone \
  deploy/kustomize/overlays/site-manager | kubectl apply -f -
kubectl kustomize --load-restrictor LoadRestrictionsNone \
  deploy/kustomize/overlays/api | kubectl apply -f -
kubectl kustomize --load-restrictor LoadRestrictionsNone \
  deploy/kustomize/overlays/workflow | kubectl apply -f -
kubectl kustomize --load-restrictor LoadRestrictionsNone \
  deploy/kustomize/overlays/site-agent | kubectl apply -f -
```

```bash
kubectl get pods -n carbide-rest
kubectl get pods -n temporal
kubectl get pods -n postgres
```

The API is available at http://<node-ip>:30388 (NodePort) or carbide-rest-api.carbide-rest:8388 within the cluster.

```bash
curl http://<node-ip>:30388/healthz
```

- Site agent bootstrap — register a site via the API and configure the site agent with the resulting UUID and OTP. See INSTALLATION.md — Step 13.
- Production hardening — change default credentials, replace start-dev Keycloak mode, tune Temporal resource limits. See INSTALLATION.md for per-component configuration details.
- CLI — install carbidecli to interact with the deployed cluster. See cli/README.md.
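
In the Temporal step, the `kubectl get secret` call checks for the three TLS secrets once and does not wait for them. The functions below are an added example, not part of the Carbide repository: they confirm that both copies of ca-signing-secret are identical, then poll for the three Temporal secrets with a timeout. The function names and the CA_KEY and POLL_INTERVAL variables are hypothetical, and the example assumes the CA certificate is stored under the tls.crt key.

```shell
#!/usr/bin/env bash
# Added example, not from the Carbide repository. Assumption: the CA certificate
# in ca-signing-secret is stored under the key named by CA_KEY (default tls.crt).
CA_KEY="${CA_KEY:-tls.crt}"
TEMPORAL_SECRETS="server-interservice-certs server-cloud-certs server-site-certs"

# Print one base64-encoded field of a secret; prints nothing if it is missing.
secret_field() {  # usage: secret_field <namespace> <secret> <key>
  local key
  key=$(printf '%s' "$3" | sed 's/\./\\./g')   # jsonpath needs dots escaped
  kubectl get secret "$2" -n "$1" -o "jsonpath={.data.$key}" 2>/dev/null || true
}

# Succeeds only if both namespaces hold the same, non-empty trust anchor.
# Only the certificate is read; the private key never enters the shell.
anchor_consistent() {
  local a b
  a=$(secret_field carbide-rest ca-signing-secret "$CA_KEY")
  b=$(secret_field cert-manager ca-signing-secret "$CA_KEY")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Poll until all three Temporal secrets carry a certificate, or time out.
wait_for_temporal_certs() {  # usage: wait_for_temporal_certs <timeout-seconds>
  local deadline pending s
  deadline=$(( $(date +%s) + $1 ))
  while :; do
    pending=""
    for s in $TEMPORAL_SECRETS; do
      [ -n "$(secret_field temporal "$s" tls.crt)" ] || pending="$pending $s"
    done
    [ -z "$pending" ] && return 0
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for:$pending" >&2
      return 1
    fi
    sleep "${POLL_INTERVAL:-5}"
  done
}

# Run both checks; call this before "helm install temporal ...".
temporal_tls_gate() {  # usage: temporal_tls_gate [timeout-seconds]
  anchor_consistent || { echo "ca-signing-secret missing or differs between namespaces" >&2; return 1; }
  wait_for_temporal_certs "${1:-120}"
}
```

Source the file and run `temporal_tls_gate 120 || exit 1` between the `kubectl apply -k deploy/kustomize/base/temporal-helm` and `helm install` commands.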