Kubernetes
Use theacornops-platform Helm chart to deploy the central platform into a Kubernetes cluster. The chart deploys:
- management console,
- control plane,
- execution engine,
- LLM gateway,
- database migration Jobs.
Required platform inputs
Prepare these inputs before installing the chart:
Review these value groups before installing or upgrading:
Internal service TLS
The chart can harden control-plane, execution-engine, and LLM gateway traffic with operator-supplied HTTPS/mTLS. It is disabled by default. AcornOps does not generate or chart-manage the CA or certificates. Create a CA Secret and one TLS Secret per service:acornops-platform-control-plane.acornops-platform.svc.
If you use a different release name or namespace, render the chart and use the
service DNS names from your deployment.
Public ingress stays on the control-plane HTTP service port. Existing bearer
tokens and run-scoped JWT checks remain required.
cert-manager can create the same Secrets, but it is optional. A representative
control-plane certificate looks like this:
Workspace roles
Configure deployment-supported workspace roles withworkspaceRoles in chart values:
enabledBuiltIns is omitted, all built-ins are enabled. If it is provided, it must include owner. Custom roles may only use supported workspace capabilities and cannot include owner-only governance capabilities. Every workspace inherits the same catalog.
Example install:
Production exposure
Expose only the management console and control-plane public routes:https://console.example.com/https://api.example.com/api/v1wss://api.example.com/api/v1/agent/connect
Replicas
The chart defaults to multiple replicas for stateless or Redis-coordinated services where supported:
During a control-plane rollout, connected agents reconnect to an available pod. Commands that are active during the rollout can fail or time out and should be retried.
VM Compose
Use the VM Compose stack for a single-machine central platform installation. This path is useful for smaller environments and production-style testing with separate Kubernetes clusters and VM targets. Typical flow:- Generate unique internal service tokens and encryption keys.
- Set production hostnames and OIDC settings.
- Keep
TRUST_PROXY=1when the edge proxy owns TLS and forwarded host headers. - Point database and Redis settings at durable services.
- Review JWKS readiness, request-size, rate-limit, and MCP egress variables.
- Pin image tags instead of using mutable tags.
- Confirm the reverse proxy terminates TLS for the console and API hosts.
Kubernetes clusters
Each connected Kubernetes cluster gets theacornops-agentk Helm chart. Register the cluster in the management console, then run the generated install command returned by the control plane.
The agent:
- connects outbound to the control plane,
- authenticates with the generated agent key,
- reports heartbeats and snapshots,
- advertises builtin Kubernetes tools,
- executes allowed tool calls during troubleshooting runs.
VM targets
Each Linux/systemd VM gets theacornops-agentv systemd service. Register the VM in the management console, then run the generated install instructions returned by the control plane.
The AgentV:
- connects outbound to the control plane,
- authenticates with the generated agent key,
- reports heartbeats and host snapshots,
- advertises read-only Linux/systemd tools,
- executes allowed read-only tool calls during troubleshooting runs.
Validation
Before using a deployment for production operations, verify:- the management console loads from your console host, such as
https://console.example.com/, - OIDC login returns to the expected callback route,
GET /api/v1/mereturns the current user from the same host used by the management console session,- the first workspace can be created,
- a registered AgentK shows as connected,
- a registered AgentV shows as connected and reports host inventory,
- a read-only troubleshooting run can stream events to the management console,
- internal execution-engine and LLM-gateway endpoints are not publicly reachable,
- Kubernetes high availability behavior has been exercised in a non-production environment when you run multiple replicas.