Operate Caracal

Use Operations when Caracal is running as infrastructure: Docker Compose for self-hosted installs, Helm for Kubernetes, managed Postgres and Redis, production secrets, rollout gates, observability, incident handling, upgrades, and platform handoff.

```mermaid
flowchart LR
  Operator[Operator or platform team] --> Runtime[Runtime surface]
  Runtime --> Compose[Docker Compose]
  Runtime --> Helm[Helm release]
  Runtime --> Secrets[Runtime secrets]
  Runtime --> Checks[Health, readiness, smoke tests]
  Checks --> Services[Web, API, STS, Gateway, Audit, Coordinator]
  Services --> Postgres[(PostgreSQL)]
  Services --> Redis[(Redis Streams)]
```

| Role | Start with |
| --- | --- |
| Local or self-hosted operator | Deploy with Docker Compose |
| Kubernetes platform team | Deploy with Helm and Deploy on Managed Kubernetes |
| Security reviewer | Harden Production and Rotate Keys and Secrets |
| SRE or on-call engineer | Monitor Health and Metrics, Configure Alerts, Recover from Failures, and Run Failure Drills |
| Release owner | Plan a Platform Rollout, Deploy Policy Changes, and Upgrade Caracal |

| Environment | Recommended path | Notes |
| --- | --- | --- |
| Local development | `caracal up` / `infra/docker/docker-compose.yml` | Builds local images, binds service ports to 127.0.0.1, writes local secrets, and serves the packaged web console at http://localhost:3001. |
| Self-hosted runtime | `infra/docker/runtime-compose.yml` | Uses versioned GHCR images, mounted secrets, and the caracal-web browser entrypoint. |
| Kubernetes | `infra/helm/caracal` | Uses Deployments/StatefulSets, pre-install/pre-upgrade migration Job, ClusterIP Services, web Ingress by default, optional API/Gateway Ingress, NetworkPolicy, PDBs, HPAs, ServiceMonitor, and PrometheusRule. |

  • Postgres is the durable control-plane store.
  • Redis Streams move audit, policy invalidation, session revocation, key invalidation, agent, invocation, and delegation events.
  • STS and Gateway keep audit replay directories so audit emission can drain after Redis/Audit recovery.
  • Published modes are rc and stable; they require production-grade HMAC keys and reject unsafe fallbacks.
  • Product-management operations happen through the web console, Admin SDK, or Control API; the top-level runtime CLI only manages local lifecycle, the development web launcher, and caracal run.

| Need | Page |
| --- | --- |
| Compose deployment | Deploy with Docker Compose |
| Helm deployment | Deploy with Helm |
| Runtime profiles | Configure Service Environment and Choose a Cloud Profile |
| Cloud deployment | Deploy on Managed Kubernetes |
| Storage | Operate PostgreSQL and Operate Redis Streams |
| Hardening | Harden Production |
| Rotation | Rotate Keys and Secrets |
| Scaling | Scale Capacity |
| Observability | Monitor Health and Metrics and Configure Alerts |
| Recovery | Recover from Failures, Run Failure Drills, Back Up and Retain Data, and Respond to Incidents |