| CRD | Purpose |
|---|---|
| RunlayerInstance | Tenant platform stack (backend, frontend, worker, migrations, optional components) |
| MCPServer | Hosted MCP server Deployments (Runlayer Deploy) |
anysource-chart) path remains supported until you cut over.
Prerequisites
- Kubernetes 1.24+ (EKS recommended)
- Helm 3.8+
- External platform dependencies provisioned per tenant: RDS/Aurora, Redis, IAM roles, ingress/TLS, Secrets
- Cluster admin access to install CRDs and a cluster-scoped ClusterRole
Install the operator
crds/ on first install. Helm does not upgrade CRDs on subsequent releases — apply CRD updates explicitly before upgrading when the schema changes:
cd runlayer-operator && make sync-helm-crds.
Configure the operator
Copy and customize values:

| Values key | Purpose |
|---|---|
| image.repository / image.tag | Operator container image |
| telemetryProxy.* | Cluster-wide default MCP telemetry proxy sidecar (overridable per tenant on RunlayerInstance.spec.deploy.telemetryProxy) |
| mcpWorkloads.dedicatedNodes.* | Fallback MCP node scheduling when MCPServer.spec.infrastructure.scheduling is unset |
| otel.* | Operator OpenTelemetry traces |
| metrics.* | Controller-runtime metrics + optional Prometheus ServiceMonitor |
Create a tenant
- Provision external resources for the tenant (database, Redis, WorkOS credentials, TLS cert Secret, optional S3/IAM).
- Create platform-namespace Secrets in the tenant platform namespace (default runlayer-<customerId>) — the operator never reads Secret payloads; it only references names/keys.

| Secret | Required keys | Referenced in CR |
|---|---|---|
| runlayer-db | username, password | database.credentials.*From |
| runlayer-redis | password or REDIS_URL | redis.credentials.passwordFrom or urlFrom |
| runlayer-auth | AUTH_CLIENT_ID, AUTH_API_KEY | auth.clientIdFrom, auth.apiKeyFrom |
| runlayer-app | SECRET_KEY, MASTER_SALT (+ optional keys) | appSecretRef.name |

- Apply a RunlayerInstance in runlayer-system:
- Wait for status.phase: Ready on the RunlayerInstance.
- Create MCP env Secrets in the tenant MCP namespace, then create MCPServer CRs (runlayer-<customerId>-mcps by default) or enable backend-managed deploy (RUNLAYER_DEPLOY=K8S, ENG-3531).
- RunlayerInstance — all spec fields, status, and platform Secrets
- MCPServer — MCP env Secrets and scheduling
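
Because the operator only references Secret names and keys, a preflight check can confirm that the platform Secrets from the table above carry their required keys before the RunlayerInstance is applied. The following is an added example, not part of the Runlayer tooling; the function name and sample data are hypothetical, and it assumes the input is the JSON printed by `kubectl get secrets -n <namespace> -o json`.

```python
import json

# Required keys per Secret, taken from the platform Secrets table. Each inner
# tuple is a group of alternatives: at least one key must be present, non-empty.
REQUIRED = {
    "runlayer-db": [("username",), ("password",)],
    "runlayer-redis": [("password", "REDIS_URL")],
    "runlayer-auth": [("AUTH_CLIENT_ID",), ("AUTH_API_KEY",)],
    "runlayer-app": [("SECRET_KEY",), ("MASTER_SALT",)],
}


def check_platform_secrets(secret_list_json: str) -> list[str]:
    """Return a list of problems; an empty list means the preflight passed.

    Only key names and value emptiness are inspected. Secret values are never
    decoded, returned, or logged.
    """
    items = json.loads(secret_list_json).get("items", [])
    # `data` can be null on an empty Secret, so fall back to an empty dict.
    by_name = {s["metadata"]["name"]: (s.get("data") or {}) for s in items}
    problems = []
    for name, groups in REQUIRED.items():
        if name not in by_name:
            problems.append(f"{name}: Secret missing")
            continue
        data = by_name[name]
        for alternatives in groups:
            # A key counts only if its base64 value is a non-empty string.
            if not any(data.get(key) for key in alternatives):
                problems.append(
                    f"{name}: missing or empty key {' or '.join(alternatives)}"
                )
    return problems


# Constructed sample: runlayer-redis uses REDIS_URL, runlayer-auth lacks
# AUTH_API_KEY, runlayer-app has an empty MASTER_SALT. Values are dummy base64.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "runlayer-db"}, "data": {"username": "dQ==", "password": "cA=="}},
    {"metadata": {"name": "runlayer-redis"}, "data": {"REDIS_URL": "cmVkaXM6Ly94"}},
    {"metadata": {"name": "runlayer-auth"}, "data": {"AUTH_CLIENT_ID": "aWQ="}},
    {"metadata": {"name": "runlayer-app"}, "data": {"SECRET_KEY": "aw==", "MASTER_SALT": ""}},
]})

if __name__ == "__main__":
    for problem in check_platform_secrets(SAMPLE):
        print(problem)
```
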
Namespace layout
| Namespace | Contents |
|---|---|
| runlayer-system | Operator Deployment, RunlayerInstance CRs |
| runlayer-<customerId> | Platform workloads for one tenant |
| runlayer-<customerId>-mcps | MCP Deployments and MCPServer CRs for that tenant |
Migration from legacy charts
Per-cluster cutover (high level):
- Provision unified-path prerequisites if missing.
- Install runlayer-operator on a greenfield cluster or during a maintenance window.
- Create RunlayerInstance; verify platform Ready.
- Migrate MCP workloads to MCPServer CRs in the tenant MCP namespace.
- Switch DNS/traffic to the unified platform ingress.
- Uninstall legacy runlayer-deploy-operator and anysource-chart on that cluster only.
Related docs
- Legacy Helm (single tenant): anysource-chart for traditional single-tenant installs
- EKS + Terraform: Provision EKS, RDS, and Redis before Helm