Choose a Cloud Profile
Cloud-native Caracal deployments should use the Helm chart with externalized state: managed Postgres, managed Redis, platform secrets, ingress, NetworkPolicy, and cluster observability.
For a concrete, copy-paste version of this profile — including External Secrets manifests, a production overlay, cert-manager TLS ingress, and a per-cloud (EKS/GKE/AKS) substitution table — see Deploy on Managed Kubernetes.
Profile Map
| Profile | Values to adjust |
|---|---|
| Evaluation | global.mode=rc, short retention, limited replicas, temporary secrets, no public ingress unless required. |
| Production | global.mode=stable, managed Postgres/Redis, TLS ingress, NetworkPolicy, PDB/HPA, ServiceMonitor, PrometheusRule. |
| Private cluster | Disable public ingress; expose API/Gateway through internal load balancers or service mesh. |
| Regulated workload | Enforce external secret manager, immutable backups, audit export, restricted egress, and incident evidence retention. |
Managed Dependency Contract
| Dependency | Requirements |
|---|---|
| Postgres | TLS-capable connection, migration role, durable backups, point-in-time recovery, sufficient connection capacity. |
| Redis | Streams support, authentication, memory policy sized for audit/revocation/outbox traffic, persistence according to recovery goals. |
| Secrets | Runtime Secret with database, Redis, admin, Coordinator, zone KEK, audit HMAC, stream HMAC, and Gateway-STS HMAC keys. |
| Observability | Metrics scraping for all services and alerts equivalent to the chart PrometheusRule. |
Network Stance
The chart NetworkPolicy allows Caracal pod-to-pod traffic and storage egress. Add explicit DNS, HTTPS, identity provider, object store, and provider API egress only as needed.

```yaml
networkPolicy:
  enabled: true
  allowOpenDns: false
  allowOpenHttps: false
  dnsEgress: []
  extraEgress: []
  extraIngress: []
```

Ingress Stance
Expose only the endpoints required by your environment:
| Endpoint | When to expose |
|---|---|
| Gateway | Required for protected resource traffic through Caracal Gateway. |
| API | Required for Console/Admin clients outside the cluster. |
| STS | Expose only when token exchange clients cannot reach it privately. |
| Audit/Coordinator/Control | Prefer private access. |
The chart currently has optional Ingress templates for Gateway and API.
Validation
- Render manifests with production values.
- Confirm no plaintext secrets are committed.
- Confirm NetworkPolicy egress covers required provider APIs and object stores.
- Confirm ServiceMonitor or equivalent metrics scraping is active.
- Confirm backup and restore evidence exists for Postgres and runtime secrets.
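Two of the checks above (no committed plaintext secrets, NetworkPolicy egress coverage) can be run against the rendered output. The script below is an added example, not tooling from the Caracal chart: it assumes the manifests were already rendered to a file with `helm template` and production values, scans that multi-document YAML with awk only, and uses constructed minimal sample renders rather than real chart output.

```shell
#!/bin/sh
# Added example for the Validation checklist; not part of the Caracal chart. Assumes manifests were
# rendered first (e.g. helm template caracal ./chart -f values-production.yaml > rendered.yaml).
# Succeeds when no Secret in the stream carries inline data/stringData, i.e. credentials
# are expected from an external secret manager rather than from committed values.
no_plaintext_secrets() {
  awk '
    /^---/                { if (secret && inline) bad++; secret = 0; inline = 0; next }
    /^kind: Secret$/      { secret = 1 }
    /^(data|stringData):/ { inline = 1 }
    END                   { if (secret && inline) bad++; exit (bad > 0) }
  ' "$1"
}
# Succeeds when a NetworkPolicy egress rule lists every port given, e.g. 5432 (Postgres),
# 6379 (Redis), 443 (identity provider, object store and provider APIs).
egress_covers_ports() {
  file=$1; shift
  for port in "$@"; do
    awk -v p="$port" '
      /^---/                  { np = 0; eg = 0 }
      /^kind: NetworkPolicy$/ { np = 1 }
      /^ *(egress|ingress):/  { eg = ($1 == "egress:") }
      np && eg && $0 ~ ("port: " p "$") { found = 1 }
      END                     { exit !found }
    ' "$file" || return 1
  done
}
# Constructed minimal sample renders (not real chart output) to exercise both checks.
GOOD_RENDER=$(mktemp); BAD_RENDER=$(mktemp)
trap 'rm -f "$GOOD_RENDER" "$BAD_RENDER"' EXIT
cat > "$GOOD_RENDER" <<'EOF'
kind: ExternalSecret
---
kind: NetworkPolicy
spec:
  egress:
    - ports:
        - port: 5432
        - port: 443
EOF
cat > "$BAD_RENDER" <<'EOF'
kind: Secret
stringData:
  POSTGRES_PASSWORD: committed-placeholder
---
kind: NetworkPolicy
spec:
  egress:
    - ports:
        - port: 5432
EOF
```

Point both functions at your real `rendered.yaml` and the ports your managed Postgres, Redis, identity provider and object store actually use; a non-zero exit from either check fails the pipeline step.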
Next Step
Use Deploy on Managed Kubernetes for a concrete External Secrets, cert-manager, managed Postgres, and managed Redis deployment.