Operations Overview
Summary
The Operations section covers everything you need to deploy, operate, monitor, and secure the Keymate platform. It follows the natural flow of a production deployment: choose a deployment model, install the platform, optionally provision cloud infrastructure, then operate, observe, and harden the running system.
This page helps you find the right starting point based on your current stage and role.
Why It Exists
Keymate is a multi-component platform that runs on Kubernetes. Deploying and operating it involves decisions about deployment topology, installation method, runtime scaling, telemetry configuration, and security hardening. These topics span multiple teams (platform engineering, operations, security) and multiple lifecycle stages (initial setup, day-2 operations, ongoing monitoring).
This overview provides a single entry point that connects all operational topics and guides you to the right section.
Where It Fits in Keymate
Operations is one of the top-level documentation areas. While Architecture describes how Keymate is designed and Concepts explains the authorization and identity models, Operations focuses on the practical work of running Keymate in production.
Boundaries
This section covers:
- Deployment model selection and platform installation
- Cloud infrastructure provisioning (optional)
- Runtime operations: scaling, upgrades, snapshots, business continuity
- Observability: logs, metrics, traces, telemetry export
- Security hardening for production environments
This section does not cover:
- Application development with Keymate APIs (see Developer Guides)
- Authorization model design and policy authoring (see Concepts)
- Troubleshooting specific error conditions (see Troubleshooting)
How It Works
The Operations section follows a customer decision flow. Each stage builds on the previous one:
- Choose a deployment model. Decide how you want to run Keymate based on your environment: standard Kubernetes with Helm, GitOps with ArgoCD, OpenShift, air-gapped, or private cloud.
- Install the platform. Follow the installation guide for your chosen path. Verify prerequisites, deploy components in the correct order, and validate the result.
- Provision infrastructure (optional). If you use a public cloud provider and want automated cluster provisioning, configure the cloud provisioning layer. This step is not required if you bring your own Kubernetes cluster.
- Operate the running platform. Scale components based on workload, plan and execute upgrades, manage authorization snapshots, and establish business continuity procedures.
- Monitor and observe. Set up log collection, metrics dashboards, distributed tracing, and alerts. Export telemetry data to your existing monitoring tools if needed.
- Harden for production. Apply security best practices including identity provider hardening, service mesh encryption, TLS automation, and network isolation.
Start by Role
| Role | Where to start |
|---|---|
| Platform Engineer setting up a new environment | Deployment Models to choose your path, then Platform Deployment for installation |
| Operator running an existing deployment | Runtime for scaling and upgrades, Observability for monitoring |
| Architect evaluating deployment options | Deployment Models for model comparison, Infrastructure Provisioning for cloud automation |
| Security Engineer hardening production | Security for production hardening guidance |
Section Map
| Section | Purpose | Key question it answers |
|---|---|---|
| Deployment Models | Choose a deployment topology | "Which deployment model fits my environment?" |
| Platform Deployment | Install and configure the platform | "How do I set up Keymate?" |
| Infrastructure Provisioning | Automate cloud cluster creation (optional) | "Can I automate cluster provisioning?" |
| Runtime | Scale, upgrade, and maintain | "How do I keep Keymate running well?" |
| Observability | Monitor logs, metrics, and traces | "How do I monitor my deployment?" |
| Security | Harden for production | "How do I secure my deployment?" |
Common Misunderstandings
- "I need ArgoCD to deploy Keymate." ArgoCD is one deployment option, not a requirement. Keymate can be installed with Helm charts directly on any Kubernetes cluster.
- "Cloud provisioning is mandatory." Cloud provisioning automates cluster creation for public cloud environments. If you bring your own Kubernetes cluster, you can skip this step entirely.
- "All components must be deployed at once." Components follow a dependency order (infrastructure first, then data layer, then applications), but you control the pace and can validate each stage before proceeding.
Do not skip the Pre-Deployment Checklist before a production installation. Verifying resource capacity, DNS, TLS certificates, and credentials upfront prevents common deployment failures.
Design Notes
- The Operations section follows the customer decision flow, not internal tooling. Whether you use Helm, ArgoCD, or another method, the same sections apply.
- Observability uses an OpenTelemetry-first approach. You can use the built-in monitoring stack, export telemetry to your preferred observability platform, or run both simultaneously.
- The platform keeps infrastructure provisioning separate and optional. Many customers bring existing Kubernetes clusters and do not need automated provisioning.